Risk and Control Self-Assessment
by Robert Johnson,
Chuck Easttom
Security Policies and Implementation Issues, 3rd Edition
- Cover
- Title Page
- Copyright Page
- Brief Contents
- Contents
- Dedication
- Preface
- Acknowledgments
- About the Authors
- CHAPTER 1 Information Systems Security Policy Management
- What Is Information Systems Security?
- What Is Information Assurance?
- What Is Governance?
- Why Is Governance Important?
- What Are Information Systems Security Policies?
- Creating Policies
- Where Do Information Systems Security Policies Fit Within an Organization?
- Why Information Systems Security Policies Are Important
- When Do You Need Information Systems Security Policies?
- Why Enforcing and Winning Acceptance for Policies Is Challenging
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 1 ASSESSMENT
- ENDNOTES
- CHAPTER 2 Business Drivers for Information Security Policies
- CHAPTER 3 Compliance Laws and Information Security Policy Requirements
- U.S. Compliance Laws
- Whom Do the Laws Protect?
- Which Laws Require Proper Security Controls to Be Included in Policies?
- Which Laws Require Proper Security Controls for Handling Privacy Data?
- Aligning Security Policies and Controls with Regulations
- Industry Leading Practices and Self-Regulation
- Some Important Industry Standards
- International Laws
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 3 ASSESSMENT
- ENDNOTES
- CHAPTER 4 Business Challenges Within the Seven Domains of IT Responsibility
- CHAPTER 5 Information Security Policy Implementation Issues
- Human Nature in the Workplace
- Organizational Structures
- The Challenge of User Apathy
- The Importance of Executive Management Support
- The Role of Human Resources Policies
- Policy Roles, Responsibilities, and Accountability
- When Policy Fulfillment Is Not Part of Job Descriptions
- Impact on Entrepreneurial Productivity and Efficiency
- Tying Security Policy to Performance and Accountability
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 5 ASSESSMENT
- ENDNOTES
- CHAPTER 6 IT Security Policy Frameworks
- What Is an IT Policy Framework?
- What Is a Program Framework Policy or Charter?
- Business Considerations for the Framework
- Information Assurance Considerations
- Information Systems Security Considerations
- Best Practices for IT Security Policy Framework Creation
- Case Studies in Policy Framework Development
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 6 ASSESSMENT
- ENDNOTES
- CHAPTER 7 How to Design, Organize, Implement, and Maintain IT Security Policies
- Policies and Standards Design Considerations
- Document Organization Considerations
- Considerations for Implementing Policies and Standards
- Maintaining Your Policy and Standards Library
- Best Practices for Policies and Standards Maintenance
- Case Studies and Examples of Designing, Organizing, Implementing, and Maintaining IT Security Policies
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 7 ASSESSMENT
- ENDNOTES
- CHAPTER 8 IT Security Policy Framework Approaches
- IT Security Policy Framework Approaches
- Roles, Responsibilities, and Accountability for Personnel
- Separation of Duties
- Governance and Compliance
- Best Practices for IT Security Policy Framework Approaches
- Case Studies and Examples of IT Security Policy Framework Approaches
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 8 ASSESSMENT
- ENDNOTES
- CHAPTER 9 User Domain Policies
- The Weakest Link in the Information Security Chain
- Seven Types of Users
- Why Govern Users with Policies?
- Acceptable Use Policy (AUP)
- The Privileged-Level Access Agreement (PAA)
- Security Awareness Policy (SAP)
- Best Practices for User Domain Policies
- Understanding Least Access Privileges and Best Fit Access Privileges
- Case Studies and Examples of User Domain Policies
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 9 ASSESSMENT
- CHAPTER 10 IT Infrastructure Security Policies
- Anatomy of an Infrastructure Policy
- Workstation Domain Policies
- Mobile Device Domain Policies
- LAN Domain Policies
- LAN-to-WAN Domain Policies
- WAN Domain Policies
- Remote Access Domain Policies
- System/Application Domain Policies
- Telecommunications Policies
- Best Practices for IT Infrastructure Security Policies
- Cloud Security Policies
- Case Studies and Examples of IT Infrastructure Security Policies
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 10 ASSESSMENT
- CHAPTER 11 Data Classification and Handling Policies and Risk Management Policies
- Data Classification Policies
- Data Handling Policies
- Identifying Business Risks Related to Information Systems
- Risk and Control Self-Assessment
- Risk Assessment Policies
- Quality Assurance Versus Quality Control
- Best Practices for Data Classification and Risk Management Policies
- Case Studies and Examples of Data Classification and Risk Management Policies
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 11 ASSESSMENT
- CHAPTER 12 Incident Response Team (IRT) Policies
- Incident Response Policy
- Incident Classification
- The Response Team Charter
- Incident Response Team Members
- Responsibilities During an Incident
- Business Impact Analysis (BIA) Policies
- Procedures for Incident Response
- Discovering an Incident
- Reporting an Incident
- Containing and Minimizing the Damage
- Cleaning Up After the Incident
- Documenting the Incident and Actions
- Analyzing the Incident and Response
- Creating Mitigation to Prevent Future Incidents
- Handling the Media and Deciding What to Disclose
- Business Continuity Planning Policies
- Dealing with Loss of Systems, Applications, or Data Availability
- Response and Recovery Time Objectives Policies Based on the BIA
- Best Practices for Incident Response Policies
- Disaster Recovery Plan Policies
- Case Studies and Examples of Incident Response Policies
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 12 ASSESSMENT
- CHAPTER 13 IT Security Policy Implementations
- Simplified Implementation Process
- Target State
- Executive Buy-in, Cost, and Impact
- Policy Language
- Employee Awareness and Training
- Information Dissemination—How to Educate Employees
- Policy Implementation Issues
- Governance and Monitoring
- Best Practices for IT Security Policy Implementations
- Case Studies and Examples of IT Security Policy Implementations
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 13 ASSESSMENT
- ENDNOTES
- CHAPTER 14 IT Security Policy Enforcement
- Organizational Support for IT Security Policy Enforcement
- An Organization’s Right to Monitor User Actions and Traffic
- Compliance Law: Requirement or Risk Management?
- What Is Law and What Is Policy?
- What Automated Security Controls Can Be Implemented Through Policy?
- Legal Implications of IT Security Policy Enforcement
- Who Is Ultimately Accountable for Risks, Threats, and Vulnerabilities?
- Best Practices for IT Security Policy Enforcement
- Case Studies and Examples of Successful and Unsuccessful IT Security Policy Enforcement
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 14 ASSESSMENT
- CHAPTER 15 IT Policy Compliance and Compliance Technologies
- Creating a Baseline Definition for Information Systems Security
- Tracking, Monitoring, and Reporting IT Security Baseline Definition and Policy Compliance
- Automating IT Security Policy Compliance
- Compliance Technologies and Solutions
- Best Practices for IT Security Policy Compliance Monitoring
- Case Studies and Examples of Successful IT Security Policy Compliance Monitoring
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 15 ASSESSMENT
- APPENDIX A Answer Key
- APPENDIX B Standard Acronyms
- Glossary of Key Terms
- References
- Index
Risk and Control Self-Assessment
A risk and control self-assessment (RCSA) is an effective tool in the risk management arsenal. It allows the organization to understand its risks and their potential effects on the business. It’s a formal exercise many organizations conduct annually.
An RCSA can be a time-consuming exercise requiring engagement from the business’s senior leadership and technology teams; however, the benefits are enormous. By the end of the day a common view emerges on the challenges and risks that face an organization, including:
- What the major known risks are
- Which of these risks will limit the ability of the organization to complete its mission
- What plans are in place to deal with these risks
- Who “owns” the management and monitoring of these risks
The RCSA process is often not well understood or leveraged. It contains the business leaders’ view of their risks. Consequently, they are an ideal source of information to support your risk management program. If you demonstrate how managing risks to data reduces the risks identified in the RCSA, you will get the attention of management and increased opportunity to win their support.
The RCSA contains detailed risk information that shows the impact on an organization in the event that key processes and technology are not available. You use the RCSA to develop risk management plans, such as where to place quality assurance and quality control routines. The RCSA also contains multiple scenarios. Each scenario details the risks and effects on the business. The main intent of an RCSA is to ensure that these risks are identified and assigned to an individual executive to manage.
The RCSA approach is not a standard used across all industries. Although any organization can use the RCSA, and many use some form of it under a different name, it’s only one of many approaches used to manage risk. Which approach to use is less important than having a systematic approach to managing risk in the first place. That said, the RCSA can provide an organization with a new opportunity to identify and plan for unexpected or emerging risks. These may include new operational risks resulting from shifts in the regulatory or market environment. Additionally, this approach can be used to align thinking about risk and awareness of it across the enterprise.
-
No Comment