O'Reilly logo

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Managing Risk in Information Systems, 2nd Edition

Book Description

PART OF THE JONES & BARTLETT LEARNING INFORMATION SYSTEMS SECURITY & ASSURANCE SERIES Revised and updated with the latest data in the field, the Second Edition of Managing Risk in Information Systems provides a comprehensive overview of the SSCP® Risk, Response, and Recovery Domain in addition to providing a thorough overview of risk management and its implications on IT infrastructures and compliance. Written by industry experts, and using a wealth of examples and exercises, this book incorporates hands-on activities to walk the reader through the fundamentals of risk management, strategies and approaches for mitigating risk, and the anatomy of how to create a plan that reduces risk. Instructor's Material for Managing Risk in Information Systems include: PowerPoint Lecture Slides Instructor's Guide Course Syllabus Quiz & Exam Questions Case Scenarios/Handouts

Table of Contents

  1. Cover
  2. Title Page
  3. Copyright
  4. Contents
  5. Dedication
  6. Preface
  7. Acknowledgments
  8. About the Author
  9. Part One: Risk Management Business Challenges
    1. Chapter 1 Risk Management Fundamentals
      1. What Is Risk?
        1. Compromise of Business Functions
        2. Compromise of Business Assets
        3. Driver of Business Costs
        4. Profitability Versus Survivability
      2. What Are the Major Components of Risk to an IT Infrastructure?
        1. Seven Domains of a Typical IT Infrastructure
        2. Threats, Vulnerabilities, and Impact
      3. Risk Management and Its Importance to the Organization
        1. How Risk Affects an Organization’s Survivability
        2. Reasonableness
        3. Balancing Risk and Cost
        4. Role-Based Perceptions of Risk
      4. Risk Identification Techniques
        1. Identifying Threats
        2. Identifying Vulnerabilities
        3. Pairing Threats with Vulnerabilities
      5. Risk Management Techniques
        1. Avoidance
        2. Share or Transfer
        3. Mitigation
        4. Acceptance
        5. Cost-Benefit Analysis
        6. Residual Risk
      6. Chapter Summary
      7. Key Concepts and Terms
      8. Chapter 1 Assessment
    2. Chapter 2 Managing Risk: Threats, Vulnerabilities, and Exploits
      1. Understanding and Managing Threats
        1. The Uncontrollable Nature of Threats
        2. Unintentional Threats
        3. Intentional Threats
        4. Best Practices for Managing Threats Within Your IT Infrastructure
      2. Understanding and Managing Vulnerabilities
        1. Threat/Vulnerability Pairs
        2. Vulnerabilities Can Be Mitigated
        3. Mitigation Techniques
        4. Best Practices for Managing Vulnerabilities Within Your IT Infrastructure
      3. Understanding and Managing Exploits
        1. What Is an Exploit?
        2. How Do Perpetrators Initiate an Exploit?
        3. Where Do Perpetrators Find Information About Vulnerabilities and Exploits?
        4. Mitigation Techniques
        5. Best Practices for Managing Exploits Within Your IT Infrastructure
      4. U.S. Federal Government Risk Management Initiatives
        1. National Institute of Standards and Technology
        2. Department of Homeland Security
        3. National Cybersecurity and Communications Integration Center
        4. US Computer Emergency Readiness Team
        5. The MITRE Corporation and the CVE List
      5. Chapter Summary
      6. Key Concepts and Terms
      7. Chapter 2 Assessment
    3. Chapter 3 Maintaining Compliance
      1. U.S. Compliance Laws
        1. Federal Information Security Management Act
        2. Health Insurance Portability and Accountability Act
        3. Gramm-Leach-Bliley Act
        4. Sarbanes-Oxley Act
        5. Family Educational Rights and Privacy Act
        6. Children’s Internet Protection Act
      2. Regulations Related to Compliance
        1. Securities and Exchange Commission
        2. Federal Deposit Insurance Corporation
        3. Department of Homeland Security
        4. Federal Trade Commission
        5. State Attorney General
        6. U.S. Attorney General
      3. Organizational Policies for Compliance
      4. Standards and Guidelines for Compliance
        1. Payment Card Industry Data Security Standard
        2. National Institute of Standards and Technology
        3. Generally Accepted Information Security Principles
        4. Control Objectives for Information and Related Technology
        5. International Organization for Standardization
        6. International Electrotechnical Commission
        7. Information Technology Infrastructure Library
        8. Capability Maturity Model Integration
        9. Department of Defense Information Assurance Certification and Accreditation Process
      5. Chapter Summary
      6. Key Concepts and Terms
      7. Chapter 3 Assessment
    4. Chapter 4 Developing a Risk Management Plan
      1. Objectives of a Risk Management Plan
        1. Objectives Example: Web Site
        2. Objectives Example: HIPAA Compliance
      2. Scope of a Risk Management Plan
        1. Scope Example: Web Site
        2. Scope Example: HIPAA Compliance
      3. Assigning Responsibilities
        1. Responsibilities Example: Web Site
        2. Responsibilities Example: HIPAA Compliance
      4. Describing Procedures and Schedules for Accomplishment
        1. Procedures Example: Web Site
        2. Procedures Example: HIPAA Compliance
      5. Reporting Requirements
        1. Presenting Recommendations
        2. Documenting Management Response to Recommendations
        3. Documenting and Tracking Implementation of Accepted Recommendations
      6. Plan of Action and Milestones
      7. Charting the Progress of a Risk Management Plan
        1. Milestone Plan Chart
        2. Gantt Chart
        3. Critical Path Chart
      8. Chapter Summary
      9. Key Concepts and Terms
      10. Chapter 4 Assessment
  10. Part Two: Mitigating Risk
    1. Chapter 5 Defining Risk Assessment Approaches
      1. Understanding Risk Assessment
        1. Importance of Risk Assessments
        2. Purpose of a Risk Assessment
      2. Critical Components of a Risk Assessment
        1. Identifying Scope
        2. Identifying Critical Areas
        3. Identifying Team Members
      3. Types of Risk Assessments
        1. Quantitative Risk Assessments
        2. Qualitative Risk Assessments
        3. Comparing Quantitative and Qualitative Risk Assessments
      4. Risk Assessment Challenges
        1. Using a Static Process to Evaluate a Moving Target
        2. Availability of Resources and Data
        3. Data Consistency
        4. Estimating Impact Effects
        5. Providing Results That Support Resource Allocation and Risk Acceptance
      5. Best Practices for Risk Assessment
      6. Chapter Summary
      7. Key Concepts and Terms
      8. Chapter 5 Assessment
    2. Chapter 6 Performing a Risk Assessment
      1. Selecting a Risk Assessment Methodology
        1. Defining the Assessment
        2. Reviewing Previous Findings
      2. Identifying the Management Structure
      3. Identifying Assets and Activities Within Risk Assessment Boundaries
        1. System Access and System Availability
        2. System Functions
        3. Hardware and Software Assets
        4. Personnel Assets
        5. Data and Information Assets
        6. Facilities and Supplies
      4. Identifying and Evaluating Relevant Threats
        1. Reviewing Historical Data
        2. Performing Threat Modeling
      5. Identifying and Evaluating Relevant Vulnerabilities
        1. Vulnerability Assessments
        2. Exploit Assessments
      6. Identifying and Evaluating Countermeasures
        1. In-Place and Planned Countermeasures
        2. Control Categories
      7. Selecting a Methodology Based on Assessment Needs
        1. Quantitative
        2. Qualitative
      8. Developing Mitigating Recommendations
        1. Threat/Vulnerability Pairs
        2. Estimate of Cost and Time to Implement
        3. Estimate of Operational Impact
        4. Cost-Benefit Analysis
      9. Presenting Risk Assessment Results
      10. Best Practices for Performing Risk Assessments
      11. Chapter Summary
      12. Key Concepts and Terms
      13. Chapter 6 Assessment
    3. Chapter 7 Identifying Assets and Activities to Be Protected
      1. System Access and Availability
      2. System Functions: Manual and Automated
        1. Manual Methods
        2. Automated Methods
      3. Hardware Assets
      4. Software Assets
      5. Personnel Assets
      6. Data and Information Assets
        1. Organization
        2. Customer
        3. Intellectual Property
        4. Data Warehousing and Data Mining
      7. Asset and Inventory Management Within the Seven Domains of a Typical IT Infrastructure
        1. User Domain
        2. Workstation Domain
        3. LAN Domain
        4. LAN-to-WAN Domain
        5. WAN Domain
        6. Remote Access Domain
        7. System/Application Domain
      8. Identifying Facilities and Supplies Needed to Maintain Business Operations
        1. Identifying Mission-Critical Systems and Applications
        2. Business Impact Analysis Planning
        3. Business Continuity Planning
        4. Disaster Recovery Planning
        5. Business Liability Insurance Planning
        6. Asset Replacement Insurance Planning
      9. Chapter Summary
      10. Key Concepts and Terms
      11. Chapter 7 Assessment
    4. Chapter 8 Identifying and Analyzing Threats, Vulnerabilities, and Exploits
      1. Threat Assessments
        1. Techniques for Identifying Threats
        2. Best Practices for Threat Assessments Within the Seven Domains of a Typical IT Infrastructure
      2. Vulnerability Assessments
        1. Documentation Review
        2. Review of System Logs, Audit Trails, and Intrusion Detection System Outputs
        3. Vulnerability Scans and Other Assessment Tools
        4. Audits and Personnel Interviews
        5. Process Analysis and Output Analysis
        6. System Testing
        7. Best Practices for Performing Vulnerability Assessments Within the Seven Domains of a Typical IT Infrastructure
      3. Exploit Assessments
        1. Identifying Exploits
        2. Mitigating Exploits with a Gap Analysis and Remediation Plan
        3. Implementing Configuration or Change Management
        4. Verifying and Validating the Exploit Has Been Mitigated
        5. Best Practices for Performing Exploit Assessments Within an IT Infrastructure
      4. Chapter Summary
      5. Key Concepts and Terms
      6. Chapter 8 Assessment
    5. Chapter 9 Identifying and Analyzing Risk Mitigation Security Controls
      1. In-Place Controls
      2. Planned Controls
      3. Control Categories
        1. NIST Control Families
      4. Procedural Control Examples
        1. Policies and Procedures
        2. Security Plans
        3. Insurance and Bonding
        4. Background Checks and Financial Checks
        5. Data Loss Prevention Program
        6. Awareness and Training
        7. Rules of Behavior
        8. Software Testing
      5. Technical Control Examples
        1. Logon Identifier
        2. Session Timeout
        3. System Logs and Audit Trails
        4. Data Range and Reasonableness Checks
        5. Firewalls and Routers
        6. Encryption
        7. Public Key Infrastructure (PKI)
      6. Physical Control Examples
        1. Locked Doors, Guards, Access Logs, and Closed-Circuit Television (CCTV)
        2. Fire Detection and Suppression
        3. Water Detection
        4. Temperature and Humidity Detection
        5. Electrical Grounding and Circuit Breakers
      7. Best Practices for Risk Mitigation Security Controls
      8. Chapter Summary
      9. Key Concepts and Terms
      10. Chapter 9 Assessment
    6. Chapter 10 Planning Risk Mitigation Throughout Your Organization
      1. Where Should Your Organization Start with Risk Mitigation?
      2. What Is the Scope of Risk Management for Your Organization?
        1. Critical Business Operations
        2. Customer Service Delivery
        3. Mission-Critical Business Systems, Applications, and Data Access
        4. Seven Domains of a Typical IT Infrastructure
        5. Information Systems Security Gap
      3. Understanding and Assessing the Impact of Legal and Compliance Issues on Your Organization
        1. Legal Requirements, Compliance Laws, Regulations, and Mandates
        2. Assessing the Impact of Legal and Compliance Issues on Your Business Operations
      4. Translating Legal and Compliance Implications for Your Organization
      5. Assessing the Impact of Legal and Compliance Implications on the Seven Domains of a Typical IT Infrastructure
      6. Assessing How Security Countermeasures and Safeguards Can Assist with Risk Mitigation
      7. Understanding the Operational Implications of Legal and Compliance Requirements
      8. Identifying Risk Mitigation and Risk Reduction Elements for the Entire Organization
      9. Performing a Cost-Benefit Analysis
      10. Best Practices for Planning Risk Mitigation Throughout Your Organization
      11. Chapter Summary
      12. Key Concepts and Terms
      13. Chapter 10 Assessment
    7. Chapter 11 Turning Your Risk Assessment into a Risk Mitigation Plan
      1. Reviewing the Risk Assessment for Your IT Infrastructure
        1. Overlapping Countermeasures
        2. Matching Threats with Vulnerabilities
        3. Identifying Countermeasures
      2. Translating Your Risk Assessment into a Risk Mitigation Plan
        1. Cost to Implement
        2. Time to Implement
        3. Operational Impact
      3. Prioritizing Risk Elements That Require Risk Mitigation
        1. Using a Threat/Likelihood-Impact Matrix
        2. Prioritizing Countermeasures
      4. Verifying Risk Elements and How These Risks Can Be Mitigated
      5. Performing a Cost-Benefit Analysis on the Identified Risk Elements
        1. Calculating the CBA
        2. A CBA Report
      6. Implementing a Risk Mitigation Plan
        1. Staying Within Budget
        2. Staying on Schedule
      7. Following Up on the Risk Mitigation Plan
        1. Ensuring Countermeasures Are Implemented
        2. Ensuring Security Gaps Have Been Closed
      8. Best Practices for Enabling a Risk Mitigation Plan from Your Risk Assessment
      9. Chapter Summary
      10. Key Concepts and Terms
      11. Chapter 11 Assessment
  11. Part Three: Risk Mitigation Plans
    1. Chapter 12 Mitigating Risk with a Business Impact Analysis
      1. What Is a Business Impact Analysis?
        1. Collecting Data
        2. Varying Data Collection Methods
      2. Defining the Scope of Your Business Impact Analysis
      3. Objectives of a Business Impact Analysis
        1. Identifying Critical Business Functions
        2. Identifying Critical Resources
        3. Identifying MAO and Impact
        4. Identifying Recovery Requirements
      4. The Steps of a Business Impact Analysis Process
        1. Identifying the Environment
        2. Identifying Stakeholders
        3. Identifying Critical Business Functions
        4. Identifying Critical Resources
        5. Identifying the Maximum Downtime
        6. Identifying Recovery Priorities
        7. Developing the BIA Report
      5. Identifying Mission-Critical Business Functions and Processes
      6. Mapping Business Functions and Processes to IT Systems
      7. Best Practices for Performing a BIA for Your Organization
      8. Chapter Summary
      9. Key Concepts and Terms
      10. Chapter 12 Assessment
    2. Chapter 13 Mitigating Risk with a Business Continuity Plan
      1. What Is a Business Continuity Plan?
      2. Elements of a BCP
        1. Purpose
        2. Scope
        3. Assumptions and Planning Principles
        4. System Description and Architecture
        5. Responsibilities
        6. Notification/Activation Phase
        7. Recovery Phase
        8. Reconstitution Phase (Return to Normal Operations)
        9. Plan Training, Testing, and Exercises
        10. Plan Maintenance
      3. How Does a BCP Mitigate an Organization’s Risk?
      4. Best Practices for Implementing a BCP for Your Organization
      5. Chapter Summary
      6. Key Concepts and Terms
      7. Chapter 13 Assessment
    3. Chapter 14 Mitigating Risk with a Disaster Recovery Plan
      1. What Is a Disaster Recovery Plan?
        1. Need
        2. Purpose
      2. Critical Success Factors
        1. What Management Must Provide
        2. What DRP Developers Need
        3. Primary Concerns
        4. Disaster Recovery Financial Budget
      3. Elements of a DRP
        1. Purpose
        2. Scope
        3. Disaster/Emergency Declaration
        4. Communications
        5. Emergency Response
        6. Activities
        7. Recovery Procedures
        8. Critical Operations, Customer Service, and Operations Recovery
        9. Restoration and Normalization
        10. Testing
        11. Maintenance and DRP Update
      4. How Does a DRP Mitigate an Organization’s Risk?
      5. Best Practices for Implementing a DRP for Your Organization
      6. Chapter Summary
      7. Key Concepts and Terms
      8. Chapter 14 Assessment
    4. Chapter 15 Mitigating Risk with a Computer Incident Response Team Plan
      1. What Is a Computer Incident Response Team Plan?
      2. Purpose of a CIRT Plan
      3. Elements of a CIRT Plan
        1. CIRT Members
        2. CIRT Policies
        3. Incident Handling Process
        4. Communication Escalation Procedures
        5. Incident Handling Procedures
      4. How Does a CIRT Plan Mitigate an Organization’s Risk?
      5. Best Practices for Implementing a CIRT Plan for Your Organization
      6. Chapter Summary
      7. Key Concepts and Terms
      8. Chapter 15 Assessment
  12. Appendix A: Answer Key
  13. Appendix B: Standard Acronyms
  14. Glossary of Key Terms
  15. References
  16. Index