Table of Contents for
Managing Risk in Information Systems, 3rd Edition
by Darril Gibson, Andy Igonor
Cover
Title Page
Copyright Page
Brief Contents
Contents
Dedication
Preface
Acknowledgments
About the Authors
CHAPTER 1 Risk Management Fundamentals
What Is Risk?
Compromise of Business Functions
Threats, Vulnerabilities, Assets, and Impact
Classify Business Risks
Risks Posed by People
Risks Posed by a Lack of Process
Risks Posed by Technology
Risk Identification Techniques
Identifying Threats
Identifying Vulnerabilities
Assessing Impact and Likelihood
Risk Management Process
Cost-Benefit Analysis
Profitability Versus Survivability
Risk-Handling Strategies
Avoiding
Sharing or Transferring
Mitigating
Accepting
Residual Risk
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 1 ASSESSMENT
CHAPTER 2 Managing Risk: Threats, Vulnerabilities, and Exploits
Understanding and Protecting Assets
Understanding and Managing Threats
Uncontrollable Nature of Threats
Unintentional Threats
Intentional Threats
Best Practices for Managing Risk Within an IT Infrastructure
EY Global Information Security Survey 2018–2019
Understanding and Managing Vulnerabilities
Threat/Vulnerability Pairs
Vulnerabilities Can Be Mitigated
Mitigation Techniques
Best Practices for Managing Vulnerabilities Within an IT Infrastructure
Understanding and Managing Exploits
What Is an Exploit?
How Do Perpetrators Initiate an Exploit?
Where Do Perpetrators Find Information About Vulnerabilities and Exploits?
Mitigation Techniques
Best Practices for Managing Exploits Within an IT Infrastructure
U.S. Federal Government Risk Management Initiatives
National Institute of Standards and Technology
Department of Homeland Security
National Cybersecurity and Communications Integration Center
U.S. Computer Emergency Readiness Team
The MITRE Corporation and the CVE List
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 2 ASSESSMENT
CHAPTER 3 Understanding and Maintaining Compliance
U.S. Compliance Laws
Federal Information Security Modernization Act
Health Insurance Portability and Accountability Act
Gramm-Leach-Bliley Act
Sarbanes-Oxley Act
Family Educational Rights and Privacy Act
Children’s Internet Protection Act
Children’s Online Privacy Protection Act
Regulations Related to Compliance
Securities and Exchange Commission
Federal Deposit Insurance Corporation
Department of Homeland Security
Federal Trade Commission
State Attorney General
U.S. Attorney General
Organizational Policies for Compliance
Standards and Guidelines for Compliance
Payment Card Industry Data Security Standard
National Institute of Standards and Technology
Generally Accepted Information Security Principles
Control Objectives for Information and Related Technology
International Organization for Standardization
International Electrotechnical Commission
Information Technology Infrastructure Library
Capability Maturity Model Integration
General Data Protection Regulation
Department of Defense Information Assurance Certification and Accreditation Process
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 3 ASSESSMENT
CHAPTER 4 Developing a Risk Management Plan
Objectives of a Risk Management Plan
Objectives Example: Website
Objectives Example: HIPAA Compliance
Scope of a Risk Management Plan
Scope Example: Website
Scope Example: HIPAA Compliance
Assigning Responsibilities
Responsibilities Example: Website
Responsibilities Example: HIPAA Compliance
Describing Procedures and Schedules for Accomplishment
Procedures Example: Website
Procedures Example: HIPAA Compliance
Reporting Requirements
Presenting Recommendations
Documenting Management Response to Recommendations
Documenting and Tracking Implementation of Accepted Recommendations
Plan of Action and Milestones
Charting the Progress of a Risk Management Plan
Milestone Plan Chart
Gantt Chart
Critical Path Chart
Steps of the NIST Risk Management Framework
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 4 ASSESSMENT
CHAPTER 5 Defining Risk Assessment Approaches
Understanding Risk Assessments
Importance of Risk Assessments
Purpose of a Risk Assessment
Critical Components of a Risk Assessment
Identifying Scope
Identifying Critical Areas
Identifying Team Members
Types of Risk Assessments
Quantitative Risk Assessments
Qualitative Risk Assessments
Comparing Quantitative and Qualitative Risk Assessments
Risk Assessment Challenges
Using a Static Process to Evaluate a Moving Target
Availability of Resources and Data
Data Consistency
Estimating Impact Effects
Providing Results That Support Resource Allocation and Risk Acceptance
Best Practices for Risk Assessment
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 5 ASSESSMENT
CHAPTER 6 Performing a Risk Assessment
Selecting a Risk Assessment Methodology
Defining the Assessment
Reviewing Previous Findings
Identifying the Management Structure
Identifying Assets and Activities Within Risk Assessment Boundaries
System Access and Availability
System Functions
Hardware and Software Assets
Personnel Assets
Data and Information Assets
Facilities and Supplies
Identifying and Evaluating Relevant Threats
Reviewing Historical Data
Performing Threat Modeling
Identifying and Evaluating Relevant Vulnerabilities
Vulnerability Assessments
Exploit Assessments
Identifying and Evaluating Controls
In-Place and Planned Controls
Control Categories
Selecting a Methodology Based on Assessment Needs
Quantitative Method
Qualitative Method
Developing Mitigating Recommendations
Threat/Vulnerability Pairs
Estimate of Cost and Time to Implement
Estimate of Operational Impact
Cost-Benefit Analysis
Presenting Risk Assessment Results
Best Practices for Performing Risk Assessments
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 6 ASSESSMENT
CHAPTER 7 Identifying Assets and Activities to Be Protected
System Access and Availability
System Functions: Manual and Automated
Manual Methods
Automated Methods
Hardware Assets
Software Assets
Personnel Assets
Data and Information Assets
Organization
Customer
Intellectual Property
Data Warehousing and Data Mining
Asset and Inventory Management Within the Seven Domains of a Typical IT Infrastructure
User Domain
Workstation Domain
LAN Domain
LAN-to-WAN Domain
WAN Domain
Remote Access Domain
System/Application Domain
Identifying Facilities and Supplies Needed to Maintain Business Operations
Mission-Critical Systems and Applications Identification
Business Impact Analysis Planning
Business Continuity Planning
Disaster Recovery Planning
Business Liability Insurance Planning
Asset Replacement Insurance Planning
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 7 ASSESSMENT
CHAPTER 8 Identifying and Analyzing Threats, Vulnerabilities, and Exploits
Threat Assessments
Techniques for Identifying Threats
Best Practices for Threat Assessments Within the Seven Domains of a Typical IT Infrastructure
Vulnerability Assessments
Review of Documentation
Review of System Logs, Audit Trails, and Intrusion Detection and Prevention System Outputs
Vulnerability Scans and Other Assessment Tools
Audits and Personnel Interviews
Process Analysis and Output Analysis
System Testing
Best Practices for Performing Vulnerability Assessments Within the Seven Domains of a Typical IT Infrastructure
Exploit Assessments
Identifying Exploits
Mitigating Exploits with a Gap Analysis and Remediation Plan
Implementing Configuration or Change Management
Verifying and Validating the Exploit Has Been Mitigated
Best Practices for Performing Exploit Assessments Within an IT Infrastructure
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 8 ASSESSMENT
CHAPTER 9 Identifying and Analyzing Risk Mitigation Security Controls
In-Place Controls
Planned Controls
Control Categories
NIST Control Families
Procedural Control Examples
Policies and Procedures
Security Plans
Insurance and Bonding
Background and Financial Checks
Data Loss Prevention Program
Education, Training, and Awareness
Rules of Behavior
Software Testing
Technical Control Examples
Logon Identifier
Session Time-Out
System Logs and Audit Trails
Data Range and Reasonableness Checks
Firewalls and Routers
Encryption
Public Key Infrastructure
Physical Control Examples
Locked Doors, Guards, Access Logs, and Closed-Circuit Television
Fire Detection and Suppression
Water Detection
Temperature and Humidity Detection
Electrical Grounding and Circuit Breakers
Best Practices for Risk Mitigation Security Controls
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 9 ASSESSMENT
CHAPTER 10 Planning Risk Mitigation Throughout an Organization
Where Should an Organization Start with Risk Mitigation?
What Is the Scope of Risk Management for an Organization?
Critical Business Operations
Customer Service Delivery
Mission-Critical Business Systems, Applications, and Data Access
Seven Domains of a Typical IT Infrastructure
Information Systems Security Gap
Understanding and Assessing the Impact of Legal and Compliance Issues on an Organization
Legal Requirements, Compliance Laws, Regulations, and Mandates
Assessing the Impact of Legal and Compliance Issues on an Organization’s Business Operations
Translating Legal and Compliance Implications for an Organization
Assessing the Impact of Legal and Compliance Implications on the Seven Domains of a Typical IT Infrastructure
Assessing How Security Countermeasures, Controls, and Safeguards Can Assist With Risk Mitigation
Understanding the Operational Implications of Legal and Compliance Requirements
Identifying Risk Mitigation and Risk Reduction Elements for the Entire Organization
Performing a Cost-Benefit Analysis
Best Practices for Planning Risk Mitigation Throughout an Organization
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 10 ASSESSMENT
CHAPTER 11 Turning a Risk Assessment into a Risk Mitigation Plan
Reviewing the Risk Assessment for the IT Infrastructure
Overlapping Countermeasures
Risk Assessments: Understanding Threats and Vulnerabilities
Identifying Countermeasures
Translating a Risk Assessment into a Risk Mitigation Plan
Cost to Implement
Time to Implement
Operational Impact
Prioritizing Risk Elements That Require Risk Mitigation
Using a Threat Likelihood/Impact Matrix
Prioritizing Countermeasures
Verifying Risk Elements and How They Can Be Mitigated
Performing a Cost-Benefit Analysis on the Identified Risk Elements
Calculating the CBA
A CBA Report
Implementing a Risk Mitigation Plan
Staying Within Budget
Staying on Schedule
Following Up on the Risk Mitigation Plan
Ensuring Countermeasures Have Been Implemented
Ensuring Security Gaps Have Been Closed
Best Practices for Enabling a Risk Mitigation Plan from the Risk Assessment
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 11 ASSESSMENT
CHAPTER 12 Mitigating Risk with a Business Impact Analysis
What Is a Business Impact Analysis?
Collecting Data
Varying Data Collection Methods
Defining the Scope of the Business Impact Analysis
Objectives of a Business Impact Analysis
Identifying Critical Business Functions
Identifying Critical Resources
Identifying the MAO and Impact
Identifying Recovery Requirements
Steps of a Business Impact Analysis Process
Identifying the Environment
Identifying Stakeholders
Identifying Critical Business Functions
Identifying Critical Resources
Identifying the MAO
Identifying Recovery Priorities
Developing the BIA Report
Identifying Mission-Critical Business Functions and Processes
Mapping Business Functions and Processes to IT Systems
Best Practices for Performing a BIA for an Organization
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 12 ASSESSMENT
CHAPTER 13 Mitigating Risk with a Business Continuity Plan
What Is a Business Continuity Plan?
Elements of a BCP
Purpose
Scope
Assumptions and Planning Principles
System Description and Architecture
Responsibilities
Notification and Activation Phase
Recovery Phase
Reconstitution Phase (Return to Normal Operations)
Plan Training, Testing, and Exercises
Plan Maintenance
How Does a BCP Mitigate an Organization’s Risk?
Best Practices for Implementing a BCP for an Organization
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 13 ASSESSMENT
CHAPTER 14 Mitigating Risk with a Disaster Recovery Plan
What Is a Disaster Recovery Plan?
Need for a DRP
Purpose of a DRP
Critical Success Factors
What Management Must Provide
What DRP Developers Need
Primary Concerns
Disaster Recovery Financial Budget
Elements of a DRP
Purpose
Scope
Disaster/Emergency Declaration
Communications
Emergency Response
Activities
Recovery Procedures
Critical Operations, Customer Service, and Operations Recovery
Restoration and Normalization
Testing
Maintenance and DRP Update
How Does a DRP Mitigate an Organization’s Risk?
Best Practices for Implementing a DRP for an Organization
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 14 ASSESSMENT
CHAPTER 15 Mitigating Risk with a Computer Incident Response Team Plan
What Is a Computer Incident Response Team Plan?
Purpose of a CIRT Plan
Elements of a CIRT Plan
CIRT Members
CIRT Policies
Incident Handling Process
Communication Escalation Procedures
Incident Handling Procedures
How Does a CIRT Plan Mitigate an Organization’s Risk?
Best Practices for Implementing a CIRT Plan for an Organization
CHAPTER SUMMARY
KEY CONCEPTS AND TERMS
CHAPTER 15 ASSESSMENT
APPENDIX A Answer Key
APPENDIX B Standard Acronyms
Glossary of Key Terms
References
Index