© Sai Chan/Shutterstock
Contents
PART ONE Risk Management Business Challenges
CHAPTER 1 Risk Management Fundamentals
Compromise of Business Functions
Threats, Vulnerabilities, Assets, and Impact
Risks Posed by a Lack of Process
Risk Identification Techniques
Assessing Impact and Likelihood
Profitability Versus Survivability
CHAPTER 2 Managing Risk: Threats, Vulnerabilities, and Exploits
Understanding and Protecting Assets
Understanding and Managing Threats
Uncontrollable Nature of Threats
Best Practices for Managing Risk Within an IT Infrastructure
EY Global Information Security Survey 2018–2019
Understanding and Managing Vulnerabilities
Vulnerabilities Can Be Mitigated
Best Practices for Managing Vulnerabilities Within an IT Infrastructure
Understanding and Managing Exploits
How Do Perpetrators Initiate an Exploit?
Where Do Perpetrators Find Information About Vulnerabilities and Exploits?
Best Practices for Managing Exploits Within an IT Infrastructure
U.S. Federal Government Risk Management Initiatives
National Institute of Standards and Technology
Department of Homeland Security
National Cybersecurity and Communications Integration Center
U.S. Computer Emergency Readiness Team
The MITRE Corporation and the CVE List
CHAPTER 3 Understanding and Maintaining Compliance
Federal Information Security Modernization Act
Health Insurance Portability and Accountability Act
Family Educational Rights and Privacy Act
Children’s Internet Protection Act
Children’s Online Privacy Protection Act
Regulations Related to Compliance
Securities and Exchange Commission
Federal Deposit Insurance Corporation
Department of Homeland Security
Organizational Policies for Compliance
Standards and Guidelines for Compliance
Payment Card Industry Data Security Standard
National Institute of Standards and Technology
Generally Accepted Information Security Principles
Control Objectives for Information and Related Technology
International Organization for Standardization
International Electrotechnical Commission
Information Technology Infrastructure Library
Capability Maturity Model Integration
General Data Protection Regulation
Department of Defense Information Assurance Certification and Accreditation Process
CHAPTER 4 Developing a Risk Management Plan
Objectives of a Risk Management Plan
Objectives Example: HIPAA Compliance
Scope of a Risk Management Plan
Scope Example: HIPAA Compliance
Responsibilities Example: Website
Responsibilities Example: HIPAA Compliance
Describing Procedures and Schedules for Accomplishment
Procedures Example: HIPAA Compliance
Documenting Management Response to Recommendations
Documenting and Tracking Implementation of Accepted Recommendations
Charting the Progress of a Risk Management Plan
Steps of the NIST Risk Management Framework
CHAPTER 5 Defining Risk Assessment Approaches
Understanding Risk Assessments
Importance of Risk Assessments
Critical Components of a Risk Assessment
Comparing Quantitative and Qualitative Risk Assessments
Using a Static Process to Evaluate a Moving Target
Availability of Resources and Data
Providing Results That Support Resource Allocation and Risk Acceptance
Best Practices for Risk Assessment
CHAPTER 6 Performing a Risk Assessment
Selecting a Risk Assessment Methodology
Identifying the Management Structure
Identifying Assets and Activities Within Risk Assessment Boundaries
System Access and Availability
Identifying and Evaluating Relevant Threats
Identifying and Evaluating Relevant Vulnerabilities
Identifying and Evaluating Controls
Selecting a Methodology Based on Assessment Needs
Developing Mitigating Recommendations
Estimate of Cost and Time to Implement
Estimate of Operational Impact
Presenting Risk Assessment Results
Best Practices for Performing Risk Assessments
CHAPTER 7 Identifying Assets and Activities to Be Protected
System Access and Availability
System Functions: Manual and Automated
Data Warehousing and Data Mining
Asset and Inventory Management Within the Seven Domains of a Typical IT Infrastructure
Identifying Facilities and Supplies Needed to Maintain Business Operations
Mission-Critical Systems and Applications Identification
Business Impact Analysis Planning
Business Liability Insurance Planning
Asset Replacement Insurance Planning
CHAPTER 8 Identifying and Analyzing Threats, Vulnerabilities, and Exploits
Techniques for Identifying Threats
Best Practices for Threat Assessments Within the Seven Domains of a Typical IT Infrastructure
Review of System Logs, Audit Trails, and Intrusion Detection and Prevention System Outputs
Vulnerability Scans and Other Assessment Tools
Audits and Personnel Interviews
Process Analysis and Output Analysis
Mitigating Exploits with a Gap Analysis and Remediation Plan
Implementing Configuration or Change Management
Verifying and Validating the Exploit Has Been Mitigated
Best Practices for Performing Exploit Assessments Within an IT Infrastructure
CHAPTER 9 Identifying and Analyzing Risk Mitigation Security Controls
Background and Financial Checks
Education, Training, and Awareness
Data Range and Reasonableness Checks
Locked Doors, Guards, Access Logs, and Closed-Circuit Television
Fire Detection and Suppression
Temperature and Humidity Detection
Electrical Grounding and Circuit Breakers
Best Practices for Risk Mitigation Security Controls
CHAPTER 10 Planning Risk Mitigation Throughout an Organization
Where Should an Organization Start with Risk Mitigation?
What Is the Scope of Risk Management for an Organization?
Mission-Critical Business Systems, Applications, and Data Access
Seven Domains of a Typical IT Infrastructure
Information Systems Security Gap
Understanding and Assessing the Impact of Legal and Compliance Issues on an Organization
Legal Requirements, Compliance Laws, Regulations, and Mandates
Assessing the Impact of Legal and Compliance Issues on an Organization’s Business Operations
Translating Legal and Compliance Implications for an Organization
Assessing How Security Countermeasures, Controls, and Safeguards Can Assist With Risk Mitigation
Understanding the Operational Implications of Legal and Compliance Requirements
Identifying Risk Mitigation and Risk Reduction Elements for the Entire Organization
Performing a Cost-Benefit Analysis
Best Practices for Planning Risk Mitigation Throughout an Organization
CHAPTER 11 Turning a Risk Assessment into a Risk Mitigation Plan
Reviewing the Risk Assessment for the IT Infrastructure
Risk Assessments: Understanding Threats and Vulnerabilities
Translating a Risk Assessment into a Risk Mitigation Plan
Prioritizing Risk Elements That Require Risk Mitigation
Using a Threat Likelihood/Impact Matrix
Verifying Risk Elements and How They Can Be Mitigated
Performing a Cost-Benefit Analysis on the Identified Risk Elements
Implementing a Risk Mitigation Plan
Following Up on the Risk Mitigation Plan
Ensuring Countermeasures Have Been Implemented
Ensuring Security Gaps Have Been Closed
Best Practices for Enabling a Risk Mitigation Plan from the Risk Assessment
PART THREE Risk Mitigation Plans
CHAPTER 12 Mitigating Risk with a Business Impact Analysis
What Is a Business Impact Analysis?
Varying Data Collection Methods
Defining the Scope of the Business Impact Analysis
Objectives of a Business Impact Analysis
Identifying Critical Business Functions
Identifying Critical Resources
Identifying the MAO and Impact
Identifying Recovery Requirements
Steps of a Business Impact Analysis Process
Identifying Critical Business Functions
Identifying Critical Resources
Identifying Recovery Priorities
Identifying Mission-Critical Business Functions and Processes
Mapping Business Functions and Processes to IT Systems
Best Practices for Performing a BIA for an Organization
CHAPTER 13 Mitigating Risk with a Business Continuity Plan
What Is a Business Continuity Plan?
Assumptions and Planning Principles
System Description and Architecture
Notification and Activation Phase
Reconstitution Phase (Return to Normal Operations)
Plan Training, Testing, and Exercises
How Does a BCP Mitigate an Organization’s Risk?
Best Practices for Implementing a BCP for an Organization
CHAPTER 14 Mitigating Risk with a Disaster Recovery Plan
What Is a Disaster Recovery Plan?
Disaster Recovery Financial Budget
Disaster/Emergency Declaration
Critical Operations, Customer Service, and Operations Recovery
How Does a DRP Mitigate an Organization’s Risk?
Best Practices for Implementing a DRP for an Organization
CHAPTER 15 Mitigating Risk with a Computer Incident Response Team Plan
What Is a Computer Incident Response Team Plan?
Communication Escalation Procedures
How Does a CIRT Plan Mitigate an Organization’s Risk?
Best Practices for Implementing a CIRT Plan for an Organization