book

Managing Risk in Information Systems, 2nd Edition

Name: Managing Risk in Information Systems, 2nd Edition
Author: Darril Gibson
ISBN: 9781284055962

by Darril Gibson

July 2014

Intermediate to advanced

462 pages

14h 40m

English

Jones & Bartlett Learning

Read now

Unlock full access

Cover
Title Page
Copyright
Contents
Dedication
Preface
Acknowledgments
About the Author
Part One: Risk Management Business Challenges
Chapter 1 Risk Management Fundamentals
What Is Risk?Compromise of Business FunctionsCompromise of Business AssetsDriver of Business CostsProfitability Versus SurvivabilityWhat Are the Major Components of Risk to an IT Infrastructure?Seven Domains of a Typical IT InfrastructureThreats, Vulnerabilities, and ImpactRisk Management and Its Importance to the OrganizationHow Risk Affects an Organization’s SurvivabilityReasonablenessBalancing Risk and CostRole-Based Perceptions of RiskRisk Identification TechniquesIdentifying ThreatsIdentifying VulnerabilitiesPairing Threats with VulnerabilitiesRisk Management TechniquesAvoidanceShare or TransferMitigationAcceptanceCost-Benefit AnalysisResidual RiskChapter SummaryKey Concepts and TermsChapter 1 Assessment

Chapter 2 Managing Risk: Threats, Vulnerabilities, and Exploits
Understanding and Managing ThreatsThe Uncontrollable Nature of ThreatsUnintentional ThreatsIntentional ThreatsBest Practices for Managing Threats Within Your IT InfrastructureUnderstanding and Managing VulnerabilitiesThreat/Vulnerability PairsVulnerabilities Can Be MitigatedMitigation TechniquesBest Practices for Managing Vulnerabilities Within Your IT InfrastructureUnderstanding and Managing ExploitsWhat Is an Exploit?How Do Perpetrators Initiate an Exploit?Where Do Perpetrators Find Information About Vulnerabilities and Exploits?Mitigation TechniquesBest Practices for Managing Exploits Within Your IT InfrastructureU.S. Federal Government Risk Management InitiativesNational Institute of Standards and TechnologyDepartment of Homeland SecurityNational Cybersecurity and Communications Integration CenterUS Computer Emergency Readiness TeamThe MITRE Corporation and the CVE ListChapter SummaryKey Concepts and TermsChapter 2 Assessment
Chapter 3 Maintaining Compliance
U.S. Compliance LawsFederal Information Security Management ActHealth Insurance Portability and Accountability ActGramm-Leach-Bliley ActSarbanes-Oxley ActFamily Educational Rights and Privacy ActChildren’s Internet Protection ActRegulations Related to ComplianceSecurities and Exchange CommissionFederal Deposit Insurance CorporationDepartment of Homeland SecurityFederal Trade CommissionState Attorney GeneralU.S. Attorney GeneralOrganizational Policies for ComplianceStandards and Guidelines for CompliancePayment Card Industry Data Security StandardNational Institute of Standards and TechnologyGenerally Accepted Information Security PrinciplesControl Objectives for Information and Related TechnologyInternational Organization for StandardizationInternational Electrotechnical CommissionInformation Technology Infrastructure LibraryCapability Maturity Model IntegrationDepartment of Defense Information Assurance Certification and Accreditation ProcessChapter SummaryKey Concepts and TermsChapter 3 Assessment
Chapter 4 Developing a Risk Management Plan
Objectives of a Risk Management PlanObjectives Example: Web SiteObjectives Example: HIPAA ComplianceScope of a Risk Management PlanScope Example: Web SiteScope Example: HIPAA ComplianceAssigning ResponsibilitiesResponsibilities Example: Web SiteResponsibilities Example: HIPAA ComplianceDescribing Procedures and Schedules for AccomplishmentProcedures Example: Web SiteProcedures Example: HIPAA ComplianceReporting RequirementsPresenting RecommendationsDocumenting Management Response to RecommendationsDocumenting and Tracking Implementation of Accepted RecommendationsPlan of Action and MilestonesCharting the Progress of a Risk Management PlanMilestone Plan ChartGantt ChartCritical Path ChartChapter SummaryKey Concepts and TermsChapter 4 Assessment
Part Two: Mitigating Risk
Chapter 5 Defining Risk Assessment Approaches
Understanding Risk AssessmentImportance of Risk AssessmentsPurpose of a Risk AssessmentCritical Components of a Risk AssessmentIdentifying ScopeIdentifying Critical AreasIdentifying Team MembersTypes of Risk AssessmentsQuantitative Risk AssessmentsQualitative Risk AssessmentsComparing Quantitative and Qualitative Risk AssessmentsRisk Assessment ChallengesUsing a Static Process to Evaluate a Moving TargetAvailability of Resources and DataData ConsistencyEstimating Impact EffectsProviding Results That Support Resource Allocation and Risk AcceptanceBest Practices for Risk AssessmentChapter SummaryKey Concepts and TermsChapter 5 Assessment
Chapter 6 Performing a Risk Assessment
Selecting a Risk Assessment MethodologyDefining the AssessmentReviewing Previous FindingsIdentifying the Management StructureIdentifying Assets and Activities Within Risk Assessment BoundariesSystem Access and System AvailabilitySystem FunctionsHardware and Software AssetsPersonnel AssetsData and Information AssetsFacilities and SuppliesIdentifying and Evaluating Relevant ThreatsReviewing Historical DataPerforming Threat ModelingIdentifying and Evaluating Relevant VulnerabilitiesVulnerability AssessmentsExploit AssessmentsIdentifying and Evaluating CountermeasuresIn-Place and Planned CountermeasuresControl CategoriesSelecting a Methodology Based on Assessment NeedsQuantitativeQualitativeDeveloping Mitigating RecommendationsThreat/Vulnerability PairsEstimate of Cost and Time to ImplementEstimate of Operational ImpactCost-Benefit AnalysisPresenting Risk Assessment ResultsBest Practices for Performing Risk AssessmentsChapter SummaryKey Concepts and TermsChapter 6 Assessment
Chapter 7 Identifying Assets and Activities to Be Protected
System Access and AvailabilitySystem Functions: Manual and AutomatedManual MethodsAutomated MethodsHardware AssetsSoftware AssetsPersonnel AssetsData and Information AssetsOrganizationCustomerIntellectual PropertyData Warehousing and Data MiningAsset and Inventory Management Within the Seven Domains of a Typical IT InfrastructureUser DomainWorkstation DomainLAN DomainLAN-to-WAN DomainWAN DomainRemote Access DomainSystem/Application DomainIdentifying Facilities and Supplies Needed to Maintain Business OperationsIdentifying Mission-Critical Systems and ApplicationsBusiness Impact Analysis PlanningBusiness Continuity PlanningDisaster Recovery PlanningBusiness Liability Insurance PlanningAsset Replacement Insurance PlanningChapter SummaryKey Concepts and TermsChapter 7 Assessment
Chapter 8 Identifying and Analyzing Threats, Vulnerabilities, and Exploits
Threat AssessmentsTechniques for Identifying ThreatsBest Practices for Threat Assessments Within the Seven Domains of a Typical IT InfrastructureVulnerability AssessmentsDocumentation ReviewReview of System Logs, Audit Trails, and Intrusion Detection System OutputsVulnerability Scans and Other Assessment ToolsAudits and Personnel InterviewsProcess Analysis and Output AnalysisSystem TestingBest Practices for Performing Vulnerability Assessments Within the Seven Domains of a Typical IT InfrastructureExploit AssessmentsIdentifying ExploitsMitigating Exploits with a Gap Analysis and Remediation PlanImplementing Configuration or Change ManagementVerifying and Validating the Exploit Has Been MitigatedBest Practices for Performing Exploit Assessments Within an IT InfrastructureChapter SummaryKey Concepts and TermsChapter 8 Assessment
Chapter 9 Identifying and Analyzing Risk Mitigation Security Controls
In-Place ControlsPlanned ControlsControl CategoriesNIST Control FamiliesProcedural Control ExamplesPolicies and ProceduresSecurity PlansInsurance and BondingBackground Checks and Financial ChecksData Loss Prevention ProgramAwareness and TrainingRules of BehaviorSoftware TestingTechnical Control ExamplesLogon IdentifierSession TimeoutSystem Logs and Audit TrailsData Range and Reasonableness ChecksFirewalls and RoutersEncryptionPublic Key Infrastructure (PKI)Physical Control ExamplesLocked Doors, Guards, Access Logs, and Closed-Circuit Television (CCTV)Fire Detection and SuppressionWater DetectionTemperature and Humidity DetectionElectrical Grounding and Circuit BreakersBest Practices for Risk Mitigation Security ControlsChapter SummaryKey Concepts and TermsChapter 9 Assessment
Chapter 10 Planning Risk Mitigation Throughout Your Organization
Where Should Your Organization Start with Risk Mitigation?What Is the Scope of Risk Management for Your Organization?Critical Business OperationsCustomer Service DeliveryMission-Critical Business Systems, Applications, and Data AccessSeven Domains of a Typical IT InfrastructureInformation Systems Security GapUnderstanding and Assessing the Impact of Legal and Compliance Issues on Your OrganizationLegal Requirements, Compliance Laws, Regulations, and MandatesAssessing the Impact of Legal and Compliance Issues on Your Business OperationsTranslating Legal and Compliance Implications for Your OrganizationAssessing the Impact of Legal and Compliance Implications on the Seven Domains of a Typical IT InfrastructureAssessing How Security Countermeasures and Safeguards Can Assist with Risk MitigationUnderstanding the Operational Implications of Legal and Compliance RequirementsIdentifying Risk Mitigation and Risk Reduction Elements for the Entire OrganizationPerforming a Cost-Benefit AnalysisBest Practices for Planning Risk Mitigation Throughout Your OrganizationChapter SummaryKey Concepts and TermsChapter 10 Assessment
Chapter 11 Turning Your Risk Assessment into a Risk Mitigation Plan
Reviewing the Risk Assessment for Your IT InfrastructureOverlapping CountermeasuresMatching Threats with VulnerabilitiesIdentifying CountermeasuresTranslating Your Risk Assessment into a Risk Mitigation PlanCost to ImplementTime to ImplementOperational ImpactPrioritizing Risk Elements That Require Risk MitigationUsing a Threat/Likelihood-Impact MatrixPrioritizing CountermeasuresVerifying Risk Elements and How These Risks Can Be MitigatedPerforming a Cost-Benefit Analysis on the Identified Risk ElementsCalculating the CBAA CBA ReportImplementing a Risk Mitigation PlanStaying Within BudgetStaying on ScheduleFollowing Up on the Risk Mitigation PlanEnsuring Countermeasures Are ImplementedEnsuring Security Gaps Have Been ClosedBest Practices for Enabling a Risk Mitigation Plan from Your Risk AssessmentChapter SummaryKey Concepts and TermsChapter 11 Assessment
Part Three: Risk Mitigation Plans
Chapter 12 Mitigating Risk with a Business Impact Analysis
What Is a Business Impact Analysis?Collecting DataVarying Data Collection MethodsDefining the Scope of Your Business Impact AnalysisObjectives of a Business Impact AnalysisIdentifying Critical Business FunctionsIdentifying Critical ResourcesIdentifying MAO and ImpactIdentifying Recovery RequirementsThe Steps of a Business Impact Analysis ProcessIdentifying the EnvironmentIdentifying StakeholdersIdentifying Critical Business FunctionsIdentifying Critical ResourcesIdentifying the Maximum DowntimeIdentifying Recovery PrioritiesDeveloping the BIA ReportIdentifying Mission-Critical Business Functions and ProcessesMapping Business Functions and Processes to IT SystemsBest Practices for Performing a BIA for Your OrganizationChapter SummaryKey Concepts and TermsChapter 12 Assessment
Chapter 13 Mitigating Risk with a Business Continuity Plan
What Is a Business Continuity Plan?Elements of a BCPPurposeScopeAssumptions and Planning PrinciplesSystem Description and ArchitectureResponsibilitiesNotification/Activation PhaseRecovery PhaseReconstitution Phase (Return to Normal Operations)Plan Training, Testing, and ExercisesPlan MaintenanceHow Does a BCP Mitigate an Organization’s Risk?Best Practices for Implementing a BCP for Your OrganizationChapter SummaryKey Concepts and TermsChapter 13 Assessment
Chapter 14 Mitigating Risk with a Disaster Recovery Plan
What Is a Disaster Recovery Plan?NeedPurposeCritical Success FactorsWhat Management Must ProvideWhat DRP Developers NeedPrimary ConcernsDisaster Recovery Financial BudgetElements of a DRPPurposeScopeDisaster/Emergency DeclarationCommunicationsEmergency ResponseActivitiesRecovery ProceduresCritical Operations, Customer Service, and Operations RecoveryRestoration and NormalizationTestingMaintenance and DRP UpdateHow Does a DRP Mitigate an Organization’s Risk?Best Practices for Implementing a DRP for Your OrganizationChapter SummaryKey Concepts and TermsChapter 14 Assessment
Chapter 15 Mitigating Risk with a Computer Incident Response Team Plan
What Is a Computer Incident Response Team Plan?Purpose of a CIRT PlanElements of a CIRT PlanCIRT MembersCIRT PoliciesIncident Handling ProcessCommunication Escalation ProceduresIncident Handling ProceduresHow Does a CIRT Plan Mitigate an Organization’s Risk?Best Practices for Implementing a CIRT Plan for Your OrganizationChapter SummaryKey Concepts and TermsChapter 15 Assessment
Appendix A: Answer Key
Appendix B: Standard Acronyms
Glossary of Key Terms
References
Index

Content preview from Managing Risk in Information Systems, 2nd Edition

Standard Acronyms

APPENDIX

ACD	automatic call distributor
AES	Advanced Encryption Standard
ALE	annual loss expectancy
ANSI	American National Standards Institute
AO	authorizing official
AP	access point
API	application programming interface
APT	advanced persistent threat
ARO	annual rate of occurrence
ATM	asynchronous transfer mode
AUP	acceptable use policy
AV	antivirus
B2B	business to business
B2C	business to consumer
BBB	Better Business Bureau
BC	business continuity
BCP	business continuity plan
BGP4	Border Gateway Protocol 4 for IPv4
BIA	business impact analysis
BYOD	Bring Your Own Device
C2C	consumer to consumer
CA	certificate authority
CAC	Common Access Card
CAN	computer network attack
CAN-SPAM	Controlling ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Managing Risk in Information Systems, 3rd Edition

Publisher Resources

ISBN: 9781284055955

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Managing Risk in Information Systems, 2nd Edition

by Darril Gibson

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.