The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments, 3rd Edition
- Length: 512 pages
- Edition: 3
- Language: English
- Publisher: CRC Press
- Publication Date: 2021-09-22
- ISBN-10: 103204165X
- ISBN-13: 9781032041650
- Sales Rank: #4945972
Conducted properly, information security risk assessments provide managers with the feedback needed to understand threats to corporate assets, determine vulnerabilities of current controls, and select appropriate safeguards. Performed incorrectly, they can provide the false sense of security that allows potential threats to develop into disastrous losses of proprietary information, capital, and corporate value. Picking up where its bestselling predecessors left off, The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments, Third Edition gives you detailed instruction on how to conduct a risk assessment effectively and efficiently, with wide-ranging coverage that includes security risk analysis, mitigation, and risk assessment reporting.
The third edition expands coverage of essential topics such as threat analysis, data gathering, risk analysis, and risk assessment methods, and adds coverage of topics essential for current assessment projects (e.g., cloud security, supply chain management, and security risk assessment methods). This edition includes detailed guidance on gathering data and analyzing over 200 administrative, technical, and physical controls using the RIIOT data gathering method; introduces the RIIOT FRAME risk assessment method; includes hundreds of tables, over 70 new diagrams and figures, and over 80 exercises; and provides a detailed analysis of many of the popular security risk assessment methods in use today. The companion website (infosecurityrisk.com) provides downloads for checklists, spreadsheets, figures, and tools. The handbook walks you through the process of conducting an effective security risk assessment and provides the tools, methods, and up-to-date understanding you need to select the security measures best suited to your organization.
Trusted to assess security for small companies, leading organizations and government agencies, including the CIA, NSA, and NATO, Douglas Landoll unveils the little-known tips, tricks, and techniques used by savvy security professionals in the field. He details time-tested methods to help you:
- Better negotiate the scope and rigor of security assessments
- Effectively interface with security assessment teams
- Gain an improved understanding of final report recommendations
- Deliver insightful comments on draft reports
Front matter: Cover, Half Title, Title Page, Copyright Page, Dedication, Table of Contents, List of Tables, List of Figures, Author

Chapter 1: Introduction
  1.1 The Role of the Chief Information Security Officer
    1.1.1 Audit as a Driver for Security Initiatives
    1.1.2 Technology as a Driver for Security Initiatives
    1.1.3 Compliance as a Driver for Security Initiatives
    1.1.4 Security Risk as a Driver for Security Initiatives
  1.2 Ensuring a Quality Information Security Risk Assessment
  1.3 Security Risk Assessment
    1.3.1 The Role of the Security Risk Assessment
    1.3.2 Definition of a Security Risk Assessment
    1.3.3 The Need for a Security Risk Assessment
      1.3.3.1 Checks and Balances
      1.3.3.2 Periodic Review
      1.3.3.3 Risk-Based Spending
      1.3.3.4 Requirement
    1.3.4 Security Risk Assessment Secondary Benefits
  1.4 Related Activities
    1.4.1 Gap Assessment
    1.4.2 Compliance Audit
    1.4.3 Security Audit
    1.4.4 Vulnerability Scanning
    1.4.5 Penetration Testing
    1.4.6 Ad Hoc Testing
    1.4.7 Social Engineering
    1.4.8 War Dialing
  1.5 The Need for This Book
  1.6 Who Is This Book For?
  Exercises, Note, Bibliography

Chapter 2: Information Security Risk Assessment Basics
  2.1 Phase 1: Project Definition
  2.2 Phase 2: Project Preparation
  2.3 Phase 3: Data Gathering
  2.4 Phase 4: Risk Analysis
    2.4.1 Assets
    2.4.2 Threat Agents and Threat Actions
      2.4.2.1 Threat Agents
      2.4.2.2 Threat Actions
    2.4.3 Vulnerabilities
    2.4.4 Security Risk
  2.5 Phase 5: Risk Mitigation
    2.5.1 Safeguards
    2.5.2 Residual Security Risk
  2.6 Phase 6: Risk Reporting and Resolution
    2.6.1 Risk Resolution
  Exercises, Notes, Bibliography

Chapter 3: Project Definition
  3.1 Ensuring Project Success
    3.1.1 Success Definition
      3.1.1.1 Customer Satisfaction
      3.1.1.2 Identifying the Customer
      3.1.1.3 Quality of Work
        3.1.1.3.1 Quality Aspects
      3.1.1.4 Completion within Budget
    3.1.2 Setting the Budget
    3.1.3 Determining the Objective
    3.1.4 Limiting the Scope
      3.1.4.1 Under-scoping
      3.1.4.2 Over-scoping
      3.1.4.3 Security Controls
        3.1.4.3.1 Administrative Security Controls
        3.1.4.3.2 Physical Security Controls
        3.1.4.3.3 Technical Security Controls
      3.1.4.4 Assets
        3.1.4.4.1 Tangible Assets
        3.1.4.4.2 Intangible Assets
      3.1.4.5 Reasonableness in Limiting the Scope
    3.1.5 Identifying System Boundaries
      3.1.5.1 Physical Boundary
      3.1.5.2 Logical Boundaries
    3.1.6 Specifying the Rigor
    3.1.7 Sample Scope Statements
  3.2 Project Description
    3.2.1 Project Variables
    3.2.2 Statement of Work (SOW)
      3.2.2.1 Specifying the Service Description
      3.2.2.2 Scope of Security Controls
      3.2.2.3 Specifying Deliverables
      3.2.2.4 Contract Type
        3.2.2.4.1 Time and Materials Contract
        3.2.2.4.2 Firm-Fixed-Price Contract
      3.2.2.5 Contract Terms
        3.2.2.5.1 Determining Needs
        3.2.2.5.2 Determining Next-Best Alternative
        3.2.2.5.3 Negotiating Project Membership
  Exercises, Bibliography

Chapter 4: Security Risk Assessment Preparation
  4.1 Introduce the Team
    4.1.1 Introductory Letter
    4.1.2 Project Kickoff Call
    4.1.3 Pre-Assessment Briefing
    4.1.4 Obtain Proper Permission
      4.1.4.1 Policies Required
      4.1.4.2 Permission Required
      4.1.4.3 Scope of Permission
      4.1.4.4 Accounts Required
  4.2 Review Business Mission
    4.2.1 What Is a Business Mission?
    4.2.2 Obtaining Business Mission Information
  4.3 Identify Critical Systems
    4.3.1 Determining Criticality
      4.3.1.1 Determine Protection Requirements
      4.3.1.2 Determine Mission Criticality
      4.3.1.3 Define Critical Systems
  4.4 Identify Asset Classes
    4.4.1 Checklists and Judgment
    4.4.2 Asset Sensitivity/Criticality Classification
      4.4.2.1 Approach 1: Find Asset Classification Information Elsewhere
      4.4.2.2 Approach 2: Create Asset Classification Information
      4.4.2.3 Approach 3: Determine Asset Criticality
    4.4.3 Asset Valuation
      4.4.3.1 Approach 1: Binary Asset Valuation
      4.4.3.2 Approach 2: Classification-Based Asset Valuation
      4.4.3.3 Approach 3: Rank-Based Asset Valuation
      4.4.3.4 Approach 4: Consensus Asset Valuation
      4.4.3.5 Approaches 5–7: Accounting Valuation Approaches
        4.4.3.5.1 Approach 5: Cost Valuation
        4.4.3.5.2 Approach 6: Market Valuation
        4.4.3.5.3 Approach 7: Income Valuation
  4.5 Identifying Threats
    4.5.1 Threat Components
      4.5.1.1 Threat Agent
      4.5.1.2 Threat Action
      4.5.1.3 Threat Agent and Threat Action Pairing
    4.5.2 Threat Statements
    4.5.3 Validating Threat Statements
      4.5.3.1 Factors Affecting Threat Statement Validity
  4.6 Determine Expected Controls
  Exercises, Note, Bibliography

Chapter 5: Data Gathering
  5.1 Security Control Representation
    5.1.1 Data Gathering on the Population
    5.1.2 Data Gathering on a Sample
      5.1.2.1 Determining Sample Size
      5.1.2.2 Sampling Objectives
      5.1.2.3 Sampling Types
    5.1.3 Use of Sampling in Security Testing
      5.1.3.1 Approach 1: Representative Testing
      5.1.3.2 Approach 2: Selected Sampling
      5.1.3.3 Approach 3: Random Sampling
  5.2 Evidence Depth
  5.3 The RIIOT Method of Data Gathering
    5.3.1 RIIOT Method Benefits
    5.3.2 RIIOT Method Approaches
      5.3.2.1 Review Documents or Designs
        5.3.2.1.1 The Importance of Security Documents
        5.3.2.1.2 Documents to Request
        5.3.2.1.3 Policy Review within Regulated Industries
        5.3.2.1.4 RIIOT Document Review Technique
      5.3.2.2 Interview Key Personnel
        5.3.2.2.1 Selecting the Interviewer
        5.3.2.2.2 Interview Requests
        5.3.2.2.3 Preparing for the Interview
        5.3.2.2.4 Conducting the Interview
        5.3.2.2.5 Documenting the Interview
        5.3.2.2.6 Flexibility in the Process
        5.3.2.2.7 Questionnaire Preparation
      5.3.2.3 Inspect Security Controls
      5.3.2.4 Observe Personnel Behavior
        5.3.2.4.1 Observation Guidance
      5.3.2.5 Test Security Controls
        5.3.2.5.1 Security Testing Documentation
        5.3.2.5.2 Coverage of Testing
        5.3.2.5.3 Types of Security Testing
          5.3.2.5.3.1 Information Accuracy Testing
          5.3.2.5.3.2 Vulnerability Testing
          5.3.2.5.3.3 Penetration Testing
    5.3.3 Using the RIIOT Method
      5.3.3.1 Determining Appropriate RIIOT Approaches
      5.3.3.2 Assigning RIIOT Activities
      5.3.3.3 RIIOT Applied to Administrative, Physical, and Technical Controls
  Exercises, Bibliography

Chapter 6: Administrative Data Gathering
  6.1 Administrative Threats and Safeguards
    6.1.1 Human Resources
      6.1.1.1 Human Resource Threats
      6.1.1.2 Human Resource Safeguards
        6.1.1.2.1 Recruitment
        6.1.1.2.2 Employment
        6.1.1.2.3 Termination
    6.1.2 Organizational Structure
      6.1.2.1 Organizational Structure Threats
      6.1.2.2 Organizational Structure Safeguards
        6.1.2.2.1 Senior Management
        6.1.2.2.2 Security Program
        6.1.2.2.3 Security Operations
        6.1.2.2.4 Audit
    6.1.3 Information Control
      6.1.3.1 Information Control Threats
      6.1.3.2 Information Control Safeguards
        6.1.3.2.1 Sensitive Information
        6.1.3.2.2 User Accounts
        6.1.3.2.3 User Error
        6.1.3.2.4 Asset Control
    6.1.4 Business Continuity
      6.1.4.1 Business Continuity Threats
      6.1.4.2 Business Continuity Safeguards
        6.1.4.2.1 Contingency Planning
        6.1.4.2.2 Incident Response Program
    6.1.5 System Security
      6.1.5.1 System Security Threats
      6.1.5.2 Organizational Structure Safeguards
        6.1.5.2.1 System Controls
        6.1.5.2.2 Application Security
        6.1.5.2.3 Configuration Management
        6.1.5.2.4 Third-