book

The Best Damn IT Security Management Book Period

by Susan Snedaker, Robert McCrie

April 2011

Intermediate to advanced

960 pages

27h 50m

English

Syngress

Read now

Unlock full access

Copyright
About the Authors
1. From Vulnerability to Patch
1. Windows of Vulnerability
IntroductionWhat Are Vulnerabilities?Understanding the Risks Posed by VulnerabilitiesSummary
2. Vulnerability Assessment 101
IntroductionWhat Is a Vulnerability Assessment?Step 1: Information Gathering/DiscoveryStep 2: EnumerationStep 3: DetectionSeeking Out VulnerabilitiesDetecting Vulnerabilities via Security TechnologiesDeciphering VA Data Gathered by Security TechnologiesAccessing Vulnerabilities via Remediation (Patch) TechnologiesExtracting VA Data from Remediation RepositoriesLeveraging Configuration Tools to Assess VulnerabilitiesThe Importance of Seeking Out VulnerabilitiesLooking Closer at the NumbersSummary
3. Vulnerability Assessment Tools
IntroductionFeatures of a Good Vulnerability Assessment ToolUsing a Vulnerability Assessment ToolStep 1: Identify the Hosts on Your NetworkStep 2: Classify the Hosts into Asset GroupsStep 3: Create an Audit PolicyStep 4: Launch the ScanStep 5: Analyze the ReportsStep 6: Remediate Where NecessarySummary
4. Vulnerability Assessment: Step One
IntroductionKnow Your NetworkClassifying Your AssetsI Thought This Was a Vulnerability Assessment ChapterSummary
5. Vulnerability Assessment: Step Two
IntroductionAn Effective Scanning ProgramScanning Your NetworkWhen to ScanSummary
6. Going Further
IntroductionTypes of Penetration TestsScenario: An Internal Network AttackClient NetworkStep 1: Information GatheringOperating System DetectionDiscovering Open Ports and EnumeratingStep 2: Determine VulnerabilitiesSetting Up the VAInterpreting the VA ResultsPenetration TestingStep 3: Attack and PenetrateUploading Our DataAttack and PenetrateSearching the Web Server for InformationDiscovering Web ServicesVulnerability Assessment versus a Penetration TestTips for Deciding between Conducting a VA or a Penetration TestInternal versus ExternalSummary
7. Vulnerability Management
IntroductionThe Vulnerability Management PlanThe Six Stages of Vulnerability ManagementStage One: IdentifyStage Two: AssessStage Three: RemediateStage Four: ReportStage Five: ImproveStage Six: MonitorGovernance (What the Auditors Want to Know)Measuring the Performance of a Vulnerability Management ProgramCommon Problems with Vulnerability ManagementSummary

8. Vulnerability Management Tools
IntroductionThe Perfect Tool in a Perfect WorldEvaluating Vulnerability Management ToolsCommercial Vulnerability Management ToolseEye Digital SecuritySymantec (BindView)Attachmate (NetIQ)StillSecureMcAfeeOpen Source and Free Vulnerability Management ToolsAsset Management, Workflow, and KnowledgebaseHost DiscoveryVulnerability Scanning and Configuration ScanningConfiguration and Patch ScanningVulnerability NotificationSecurity Information ManagementManaged Vulnerability ServicesSummary
9. Vulnerability and Configuration Management
IntroductionPatch ManagementSystem InventoriesSystem ClassificationSystem BaselinesCreating a BaselineBaseline ExampleThe Common Vulnerability Scoring SystemBuilding a Patch Test LabEstablish a Patch Test Lab with “Sacrificial Systems”VirtualizationEnvironmental SimulationPatch Distribution and DeploymentLogging and ReportingConfiguration ManagementChange ControlSummary
10. Regulatory Compliance
IntroductionRegulating Assessments and Pen TestsThe Payment Card Industry (PCI) StandardThe Health Insurance Portability and Accountability Act of 1996 (HIPAA)The Sarbanes-Oxley Act of 2002 (SOX)Compliance RecapDrafting an Information Security ProgramSummary
11. Tying It All Together
IntroductionA Vulnerability Management MethodologyStep One: Know Your AssetsWhat You Need to DoWhy You Need to Do ItHow to Do ItWhat Tools Exist to Help You Do ItStep Two: Categorize Your AssetsWhat You Need to DoWhy You Need to Do ItHow to Do ItWhat Tools Exist to Help You Do ItStep Three: Create a Baseline Scan of AssetsWhat You Need to DoWhy You Need to Do ItHow to Do ItWhat Tools Exist to Help You Do ItStep Four: Perform a Penetration Test on Certain AssetsWhat You Need to DoWhy You Need to Do ItHow to Do ItWhat Tools Exist to Help You Do ItStep Five: Remediate Vulnerabilities and RiskWhat You Need to DoWhy You Need to Do ItHow to Do ItWhat Tools Exist to Help You Do ItStep Six: Create a Vulnerability Assessment ScheduleWhat You Need to DoWhy You Need to Do ItHow to Do ItStep Seven: Create a Patch and Change Management ProcessWhat You Need to DoWhy You Need to Do ItHow to Do ItWhat Tools Exist to Help You Do ItStep Eight: Monitor for New Risks to AssetsWhat You Need to DoWhy You Need to Do ItHow to Do ItWhat Tools Exist to Help You Do It
2. Network Security Evaluation
12. Introducing the INFOSEC Evaluation Methodology
IntroductionWhat Is the IEM?Tying the Methodologies TogetherWhat the IEM Is NotThe IEM Is Not an Audit or InspectionThe IEM Is Not a Risk AssessmentStandards and RegulationsLack of ExpertiseCertification Does Not Give You ExpertiseSummary
13. Before the Evaluation Starts
IntroductionThe Evaluation RequestWhy Are Evaluations Requested?Compliance With Laws and RegulationsThe Sarbanes-Oxley ActFederal Information Security Management ActHealth Insurance Portability and Accountability Act of 1996The Gramm-Leach-Bliley ActThe Family Educational Rights and Privacy ActThe DoD Information Technology Security Certification and Accreditation ProcessThe National Information Assurance Certification and Accreditation ProcessDefense Information Assurance Certification and Accreditation ProcessISO 17799The North American Electric Reliability CouncilResponse to Suspicious ActivitiesRecent Successful PenetrationSuspected Possible PenetrationUnsuccessful Penetration Attempt“I Don’t Know If Our Organization Has Been Penetrated”Third-Party Independent Reviews of Security PostureCustomer-Required ReviewsInsurance-Required ReviewsSLA-Required ReviewsIt’s The Right Thing To DoHow Are Evaluations Requested?Validating the Evaluation RequestSources of Information for ValidationValidating with the CustomerThe Engagement Scoping QuestionnaireCustomer Discussions and Information ConfirmationPublicly Available InformationUnderstanding the Level of EffortThe Formal Engagement AgreementNondisclosure AgreementsEngagement Agreement CompositionMinimum Engagement Agreement ContentsUnderstanding the Pricing OptionsGovernment ContractingCommercial ContractingFixed Price vs. Hourly RateAdditional Engagement Agreement ContentsDealing with Contract Pitfalls“Scope Creep” and TimelinesUneducated SalespeopleEvaluations 101Bad AssumptionsAssumption Topic AreasPoorly Written ContractsPoor Scope DefinitionUnderbid or Overbid: The Art of Poor Cost EstimatingCustomer and Evaluation Team ApprovalThe Customer Approval ProcessThe Evaluation Team Approval ProcessSummary
14. Setting Expectations
IntroductionObjectives of the Pre-Evaluation PhaseUnderstanding Concerns and ConstraintsWhat Are the Requirements?Other Significant RegulationsBudgetary ConcernsCyber-InsuranceSystem AccreditationFISMADoD Information Technology Security Certification and Accreditation ProcessNational Information Assurance Certification and Accreditation ProcessDefense Information Assurance Certification and Accreditation ProcessResponse to Suspected Threats or IntrusionsObtaining Management Buy-InObtaining Technical Staff Buy-InEstablishing Points of ContactSummary
15. Scoping the Evaluation
IntroductionFocusing the EvaluationThe Power of ExpectationsWhat Does the Customer Expect for Delivery?Adjusting Customer ExpectationsWhen Scoping Fails“Scope Creep” and Time LinesRestricting Scope Slippage in the ContractContracting DifferencesUneducated SalespeopleEvaluations 101Bad AssumptionsAssumption Topic AreasPoorly Written ContractsPoor Scope DefinitionUnderbid or Overbid: The Art of Poor Cost EstimatingIdentifying the Rules of EngagementCustomer ConcernsStating the Evaluation PurposeCustomer ConstraintsImpact Resistance and Acceptable Levels of InvasivenessIdentifying Scanning TimesOff-Limit NodesEvaluation Tool LimitationsNotification ProceduresEvaluation AddressingReporting Level of DetailClear and Concise WritingEstablishing the Evaluation BoundariesPhysical BoundariesLogical BoundariesCritical Path and Critical ComponentsFinding the Sources of Scoping InformationCustomerThe Scoping QuestionnaireInformation Gained from the QuestionnaireValue of the QuestionnaireExample Responses on a Scoping QuestionnaireEvaluation RequestorCustomer Senior LeadershipAdministrative Customer ContactTechnical Customer ContactsEvaluation TeamEvaluation Team LeadEvaluation Team MembersValidating Scoping InformationStaffing Your ProjectJob RequirementsNetworking and Operating SystemsHardware KnowledgePicking the Right PeopleMatching Consultants to CustomersPersonality IssuesSummary
16. Legal Principles for Information Security Evaluations
IntroductionUncle Sam Wants You: How Your Company’s Information Security Can Affect U.S. National SecurityLegal Standards Relevant to Information SecuritySelected Federal LawsGramm-Leach-Bliley ActHealth Insurance Portability and Accountability ActSarbanes-OxleyFederal Information Security and Management ActFERPA and the TEACH ActElectronic Communications Privacy Act and Computer Fraud and Abuse ActState LawsUnauthorized AccessDeceptive Trade PracticesEnforcement ActionsThree Fatal FallaciesThe “Single Law” FallacyThe Private Entity FallacyThe “Pen Test Only” FallacyDo It Right or Bet the Company: Tools to Mitigate Legal LiabilityWe Did our Best; What is the Problem?The Basis for LiabilityNegligence and the “Standard of Care”What Can Be Done?Understand your Legal EnvironmentComprehensive and Ongoing Security Assessments, Evaluations, and ImplementationUse Contracts to Define Rights and Protect InformationUse Qualified Third-party ProfessionalsMaking Sure Your Standards-of-care Assessments Keep Up with Evolving LawPlan for the WorstInsuranceWhat to Cover in IEM ContractsWhat, Who, When, Where, How, and How MuchWhatDescription of the Security Evaluation and Business ModelDefinitions Used in the ContractDescription of the ProjectAssumptions, Representations, and WarrantiesBoundaries and LimitationsIdentification of DeliverablesWhoStatement of Parties to the Contractual AgreementAuthority of Signatories to the Contractual AgreementRoles and Responsibilities of Each Party to the Contractual AgreementNon-disclosure and Secrecy AgreementsAssessment PersonnelCrisis Management and Public CommunicationsIndemnification, Hold Harmless, and Duty to DefendOwnership and Control of InformationIntellectual Property ConcernsLicensesWhenActions or Events that Affect ScheduleWhereHowHow MuchFees and CostBilling MethodologyPayment Expectations and ScheduleRights and Procedures to Collect PaymentInsurance for Potential Damage During EvaluationMurphy’s Law (When Something Goes Wrong)Governing LawActs of God, Terror Attacks, and other Unforeseeable EvenWhen Agreement is Breached and RemediesLiquidated DamagesLimitation on LiabilitySurvival of ObligationsWaiver and SeverabilityAmendments to the ContractWhere the Rubber Meets the Road: The LOA as Liability ProtectionBeyond You and Your CustomerSoftware License AgreementsYour Customer’s CustomerThe First Thing We Do...? Why You Want Your Lawyers Involved From Start to FinishAttorney-client PrivilegeAdvice of Counsel DefenseEstablishment and Enforcement of Rigorous Assessment, Interview, and Report-writing StandardsCreating a Good Record for Future LitigationMaximizing Ability to Defend LitigationDealing with Regulators, Law Enforcement, Intelligence, and Homeland Security OfficialsThe Ethics of Information Security Evaluation
17. Building the Technical Evaluation Plan
IntroductionPurpose of the Technical Evaluation PlanThe IEM TEP as an AgreementThe TEP as Road MapBuilding the Technical Evaluation PlanSource of the Technical Evaluation Plan InformationTEP Section I: Points of ContactEvaluation Team ContactsCustomer ContactsTEP Section II: Methodology OverviewPurpose of the IEMDescription of the IEMEvaluation Tools to Be UsedTEP Section III: Criticality InformationOrganizational Criticality MatricesSystem Criticality InformationTEP Section IV: Detailed Network InformationTEP Section V: Customer ConcernsTEP Section VI: Customer ConstraintsTEP Section VII: Rules of EngagementEvaluation Team RequirementsExternal RequirementsInternal RequirementsCustomer RequirementsTEP Section VIII: Coordination AgreementsLevel of Detail of RecommendationsList of Agreed-On DeliverablesThe Coordination Agreements Section: A CatchallTEP Section IX: Letter of AuthorizationTEP Section X: Timeline of EventsCustomizing and Modifying the Technical Evaluation PlanModifying the Ten NSA-Defined AreasLevel of DetailFormatGetting the SignaturesCustomer ApprovalEvaluation Team ApprovalSummary
18. Starting Your Onsite Efforts
IntroductionPreparing for the Onsite Evaluation PhaseSchedulingDay One AccomplishmentsDay Two AccomplishmentsDay Three AccomplishmentsDay Four AccomplishmentsDay Five AccomplishmentsFlexibility and AdaptationAdministrative PlanningTechnical PlanningIAM vs. IEMVulnerability DefinitionsOnsite Evaluation Phase ObjectivesVerification of “Known” and “Rogue” ComponentsDiscovery of Technical VulnerabilitiesValidation = Value Add?IEM Baseline ActivitiesI. Port ScanningII. SNMP ScanningIII. Enumeration and Banner GrabbingIV. Wireless EnumerationV. Vulnerability ScanningVI. Host EvaluationVII. Network Device AnalysisVIII. Password Compliance TestingIX. Application-Specific ScanningX. Network SniffingOther ActivitiesThe Role of CVE and CANThe In-BriefPresenting the TEPCultural SensitivitySummary
19. Network Discovery Activities
IntroductionGoals and ObjectivesResults as Findings and Evaluation Task AttributesSystem MappingTool BasicsExpected Usage and RequirementsPort ScanningNmapNMAP OptionsTCP SYNUDP ScanningPing ScanningBasic Nmap OptionsSuperScanScanLineSolarWindsPort Scan System MappingSNMP ScanningSolarWindsSNMPSweepMIB WalkMIB BrowserSNScanWS_Ping Pro-PakSNMP Scan System MappingEnumeration and Banner GrabbingNmapTHC-AmapNBTScanSuperScanWS_Ping Pro-PakUNIX EnumerationTelnetDNS QueriesEnumeration and Banner-Grabbing System MappingWireless EnumerationWireless Enumeration ObstaclesKismetNetStumblerWireless Encryption EvaluationWireless Enumeration System MappingSummary
20. Collecting the Majority of Vulnerabilities
IntroductionVulnerability and Attack TrendsVulnerability Scanning’s Role in the IEMConducting Vulnerability ScansBreaking Out the Scanning ToolsVulnerability Scanners: Commercial and FreewareConducting Host EvaluationsHost Evaluation Example Tools and ScriptsBenchmark Scripts and Custom ScriptsHost Evaluations: What to Look ForAuditingFile/Directory PermissionsOS and Application ServicesUser Rights AssignmentsPatch ManagementMapping the Findings to the IEM ProcessVulnerability Scans and Host Evaluations: Correlating the DataSummarize and Validate FindingsSummary
21. Fine-Tuning the Evaluation
IntroductionNetwork Device AnalysisApproaches Used in Network Device AnalysisEvaluating the Perimeter Design and DefensesEvaluating Network Device ConfigurationsPassword-Compliance TestingPassword-Compliance Testing MethodsMethods of Obtaining the Password FilePassword-Compliance Testing ToolsApplication-Specific ScanningThe DMZTypes of Applications to Be ScannedNetwork Protocol AnalysisWhy Perform Network Protocol Analysis?Introducing Network Protocol AnalyzersSummary
22. The Onsite Closing Meeting
IntroductionOrganizing the MeetingTime and LocationEvaluation Team and Customer InvolvementThe CustomerThe Evaluation TeamPresentation NeedsThe AgendaTEP OverviewThe Evaluation ProcessHow Was Information Collected?The ToolsCustomer DocumentationCustomer ConcernsWhat Is Driving the Evaluation?Customer ConstraintsProtecting Testing DataSetting TimelinesImportant Events During TestingFinal Report DeliveryOverview of Critical FindingsHow Does the Vulnerability Impact the System?What Is the Likelihood That a Threat Will Exploit the Vulnerability?Mapping to Business Mission and ObjectivesPositive vs. Negative FindingsPoints of Immediate ResolutionShort Term vs. Long TermWhat Do You Do With the Information That You Have Collected?Summary
23. Post-Evaluation Analysis
IntroductionGetting OrganizedAnalysis NeedsReporting NeedsCategorization, Consolidation, Correlation, and ConsultationFalse Positives and False NegativesEvaluation PerspectivesExternal ExposuresInternal ExposuresSystem BoundariesConducting Additional ResearchResourcesConsulting Subject Matter ExpertsOther Team MembersExternal ResourcesAnalyzing Customer DocumentationINFOSEC Policies and ProceuresPrevious Evaluations/VA/Penetration-Testing ResultsDeveloping Practical RecommendationsLevel of DetailFindingDescriptionReferencesCriticality RatingBusiness ImpactThreat LikelihoodRecommendationsTying in Regulations, Legislation, Organizational Policies, and Industry Best PracticesSummary
24. Creating Measurements and Trending Results
IntroductionThe Purpose and Goal of the MatrixesInformation TypesCommon Vulnerabilities and ExposuresNIST ICATDeveloping System Vulnerability Criticality MatrixesDeveloping Overall Vulnerability Criticality MatrixesUsing the OVCM and SVCMSummary
25. Trending Metrics
IntroductionMetrics and Their UsefulnessReturn on InvestmentHow Do We Compare?The INFOSEC Posture ProfileDefense in DepthAdversaries or ThreatsProtectDetectRespondSustainPeopleTechnologyDefense in Multiple PlacesLayered DefensesSpecify the Security RobustnessRobust Key ManagementEvent CorrelationOperationsDeveloping the INFOSEC Posture ProfileThe INFOSEC Posture RatingValue-Added TrendingSummary
26. Final Reporting
IntroductionPulling All the Information TogetherThe Team MeetingResearchThe SVCM and OVCMReviewMaking RecommendationsFindingsRecommendationsCreating the Final ReportOrganizing the DataDiscussion of FindingsFinal Report Delivery DateThe Cover LetterThe Executive SummaryThe INFOSEC ProfileThe IntroductionINFOSEC AnalysisTechnical AreasHigh-Criticality FindingsMedium-Criticality FindingsLow-Criticality FindingsThe ConclusionPosture DescriptionPosture ProfileSecurity PracticesPresenting the Final ReportSummary
27. Summing Up the INFOSEC Evaluation Methodology
IntroductionThe Pre-Evaluation PhaseThe Onsite EvaluationThe Post-Evaluation PhaseExamples of INFOSEC Tools by Baseline ActivityPort ScanningSNMP ScanningEnumeration and Banner GrabbingWireless Enumeration*Vulnerability ScanningHost EvaluationNetwork Device AnalysisPassword-Compliance TestingApplication-Specific ScanningNetwork Protocol AnalysisTechnical Evaluation Plan Outline and SampleSample Technical Evaluation PlanI. Evaluation Points of ContactII. Methodology OverviewIII. Organizational and System Criticality InformationThe OUCH MissionOUCH Impact DefinitionsOUCH Organizational CriticalitySystem Information CriticalityIV. Detailed Network InformationV. Customer ConcernsVI. Customer ConstraintsVII. Rules of EngagementVIII. Internal and External Customer RequirementsIX. Coordination AgreementsLevel of Detail of RecommendationsDeliverablesOther AgreementsX. Letter of AuthorizationXI. Timeline of Evaluation Events
3. Business Continuity & Disaster Recovery
28. Business Continuity and Disaster Recovery Overview
IntroductionBusiness Continuity and Disaster Recovery DefinedComponents of BusinessPeople in BC/DR PlanningProcess in BC/DR PlanningTechnology in BC/DR PlanningThe Cost of Planning versus the Cost of FailurePeopleProcessTechnologyTypes of DisastersNatural HazardsCold Weather Related HazardsWarm Weather Related HazardsGeological HazardsHuman-Caused HazardsAccidents and Technological HazardsElectronic Data ThreatsPersonal PrivacyPrivacy Standards and LegislationGramm-Leach-Bliley Act (GLBA)Health Insurance Portability and Accountability Act (HIPAA)Social EngineeringFraud and TheftGeneral Business FraudManaging AccessBusiness Continuity and Disaster Recovery Planning BasicsProject InitiationRisk AssessmentBusiness Impact AnalysisMitigation Strategy DevelopmentPlan DevelopmentTraining, Testing, AuditingPlan MaintenanceSummary
29. Project Initiation
IntroductionElements of Project SuccessExecutive SupportUser InvolvementExperienced Project ManagerClearly Defined Project ObjectivesClearly Defined Project RequirementsClearly Defined ScopeShorter Schedule, Multiple MilestonesClearly Defined Project Management ProcessProject Plan ComponentsProject DefinitionProblem and Mission StatementPotential SolutionsRequirements and ConstraintsSuccess CriteriaProject ProposalEstimatesProject SponsorForming the Project TeamOrganizationalTechnicalLogisticalPoliticalProject OrganizationProject ObjectivesBusiness Continuity PlanContinuity of Operations PlanDisaster Recovery PlanCrisis Communication PlanCyber Incident Response Plan (CIRP)Occupant Emergency PlanProject StakeholdersProject RequirementsProject ParametersProject InfrastructureProject ProcessesTeam MeetingsReportingEscalationProject ProgressChange ControlQuality ControlProject Communication PlanProject PlanningWork Breakdown StructureCritical PathProject ImplementationManaging ProgressManaging ChangeProject TrackingProject Close OutKey Contributors and ResponsibilitiesInformation TechnologyExperience Working on a Cross-Departmental TeamAbility to Communicate EffectivelyAbility to Work Well with a Wide Variety of PeopleExperience with Critical Business and Technology SystemsIT Project Management LeadershipHuman ResourcesFacilities/SecurityFinance/LegalWarehouse/Inventory/Manufacturing/ResearchPurchasing/LogisticsMarketing and SalesPublic RelationsProject DefinitionBusiness RequirementsFunctional RequirementsTechnical RequirementsBusiness Continuity and Disaster Recovery Project PlanProject Definition, Risk AssessmentBusiness Impact AnalysisRisk Mitigation StrategiesPlan DevelopmentEmergency PreparationTraining, Testing, AuditingPlan MaintenanceSummary
30. Risk Assessment
IntroductionRisk Management BasicsRisk Management ProcessThreat AssessmentVulnerability AssessmentImpact AssessmentRisk Mitigation Strategy DevelopmentPeople, Process, Technology, and Infrastructure in Risk ManagementPeopleProcessTechnologyInfrastructureIT-Specific Risk ManagementIT Risk Management ObjectivesThe System Development Lifecycle ModelRisk Assessment ComponentsInformation Gathering MethodsNatural and Environmental ThreatsFireFloodsSevere Winter StormsElectrical StormsDroughtEarthquakeTornadosHurricanes/Typhoons/CyclonesTsunamisVolcanoesAvian Flu/PandemicsHuman ThreatsFireTheft, Sabotage, VandalismLabor DisputesWorkplace ViolenceTerrorismChemical or Biological HazardsWarCyber ThreatsCyber CrimeLoss of Records or Data—Theft, Sabotage, VandalismIT System Failure—Theft, Sabotage, VandalismInfrastructure ThreatsBuilding Specific FailuresPublic Transportation DisruptionLoss of UtilitiesDisruption to Oil or Petroleum SuppliesFood or Water ContaminationRegulatory or Legal ChangesLooking BackThreat ChecklistThreat Assessment MethodologyQuantitative Threat AssessmentQualitative Threat AssessmentVulnerability AssessmentPeople, Process, Technology, and InfrastructurePeopleProcessTechnologyInfrastructureVulnerability AssessmentSummary
31. Business Impact Analysis
IntroductionBusiness Impact Analysis OverviewUpstream and Downstream LossesUnderstanding the Human ImpactKey PositionsHuman NeedsUnderstanding Impact CriticalityCriticality CategoriesMission-CriticalVitalImportantMinorRecovery Time RequirementsIdentifying Business FunctionsFacilities and SecurityFinanceHuman ResourcesITLegal/ComplianceManufacturing (Assembly)Marketing and SalesOperationsResearch and DevelopmentWarehouse (Inventory, Order Fulfillment, Shipping, Receiving)Other AreasGathering Data for the Business Impact AnalysisData Collection MethodologiesQuestionnairesInterviewsWorkshopsDetermining the ImpactBusiness Impact Analysis Data PointsUnderstanding IT ImpactExample of Business Impact Analysis For Small BusinessPreparing the Business Impact Analysis ReportSummary
32. Mitigation Strategy Development
IntroductionTypes of Risk Mitigation StrategiesRisk AcceptanceRisk AvoidanceRisk LimitationRisk TransferenceThe Risk Mitigation ProcessRecovery RequirementsRecovery OptionsAs NeededPrearrangedPreestablishedRecovery Time of OptionsCost versus Capability of Recovery OptionsRecovery Service Level AgreementsReview Existing ControlsDeveloping Your Risk Mitigation StrategySample 1: Section from Mitigation Strategy for Critical DataSample 2: Section from Mitigation Strategy for Critical DataPeople, Buildings, and InfrastructureIT Risk MitigationCritical Data and RecordsCritical Systems and InfrastructureReviewing Critical System PrioritiesBackup and Recovery ConsiderationsAlternate Business ProcessesIT Recovery SystemsAlternate SitesFully Mirrored SiteHot SiteWarm SiteMobile SiteCold SiteReciprocal SiteDisk SystemsRAIDRemote JournalingReplicationElectronic VaultingStandby Operating SystemsNetwork-Attached Storage (NAS)Storage Area Network (SAN)Desktop SolutionsSoftware and LicensingWeb SitesSummary
33. Business Continuity/Disaster Recovery Plan Development
IntroductionPhases of the Business Continuity and Disaster RecoveryActivation PhaseMajor Disaster or DisruptionIntermediate Disaster or DisruptionMinor Disaster or DisruptionActivating BC/DR TeamsDeveloping TriggersTransition Trigger—Activation to RecoveryRecovery PhaseTransition Trigger—Recovery to ContinuityBusiness Continuity PhaseMaintenance/Review PhaseDefining BC/DR Teams and Key PersonnelCrisis Management TeamManagementDamage Assessment TeamOperations Assessment TeamIT TeamAdministrative Support TeamTransportation and Relocation TeamMedia Relations TeamHuman Resources TeamLegal Affairs TeamPhysical/Personnel Security TeamProcurement Team (Equipment and Supplies)General Team GuidelinesBC/DR Contact InformationDefining Tasks, Assigning ResourcesAlternate SiteSelection CriteriaContractual TermsComparison ProcessAcquisition and TestingContracts for BC/DR ServicesDevelop Clear Functional and Technical RequirementsDetermine Required Service LevelsCompare Vendor Proposal/Response to RequirementsIdentify Requirements Not Met by Vendor ProposalIdentify Vendor Options Not Specified in RequirementsCommunications PlansInternalEmployeeCustomers and VendorsShareholdersThe Community and the PublicEvent Logs, Change Control, and AppendicesEvent LogsChange ControlDistributionAppendicesAdditional ResourcesWhat’s NextSummary
34. Emergency Response and Recovery
IntroductionEmergency Management OverviewEmergency Response PlansEmergency Response TeamsCrisis Management TeamEmergency Response and Disaster RecoveryAlternate Facilities Review and ManagementCommunicationsHuman ResourcesLegalInsuranceFinanceDisaster RecoveryActivation ChecklistsRecovery ChecklistsIT Recovery TasksComputer Incident ResponseCIRT ResponsibilitiesMonitorAlert and MobilizeAssess and StabilizeResolveReviewBusiness ContinuitySummary
35. Training, Testing, and Auditing
IntroductionTraining for Disaster Recovery and Business ContinuityEmergency ResponseDisaster Recovery and Business Continuity Training OverviewTraining Scope, Objectives, Timelines, and RequirementsPerforming Training Needs AssessmentDeveloping TrainingScheduling and Delivering TrainingMonitoring and Measuring TrainingTraining and Testing for Your Business Continuity and Disaster Recovery PlanPaper Walk-throughDevelop Realistic ScenariosDevelop Evaluation CriteriaProvide Copies of the PlanDivide Participants by TeamUse ChecklistsTake NotesIdentify Training NeedsDevelop Summary and Lessons LearnedFunctional ExercisesField ExercisesFull Interruption TestTraining Plan ImplementersTesting the BC/DR PlanUnderstanding of ProcessesValidation of Task IntegrationConfirm StepsConfirm ResourcesFamiliarize with Information FlowIdentify Gaps or WeaknessesDetermines Cost and FeasibilityTest Evaluation CriteriaRecommendationsPerforming IT Systems and Security AuditsIT Systems and Security AuditsSummary
36. BC/DR Plan Maintenance
IntroductionBC/DR Plan Change ManagementTraining, Testing, and AuditingChanges in Information TechnologiesChanges in OperationsCorporate ChangesLegal, Regulatory, or Compliance ChangesStrategies for Managing ChangeMonitor ChangePeopleProcessTechnologyEvaluate and Incorporate ChangeBC/DR Plan AuditPlan Maintenance ActivitiesProject Close OutSummary
37. BC/DR Checklists
Risk AssessmentThreat and Vulnerability AssessmentBusiness Impact AnalysisMitigation StrategiesCrisis Communications ChecklistCommunication ChecklistMessage ContentBusiness Continuity and Disaster Recovery Response ChecklistEmergency and Recovery Response ChecklistActivation ChecklistsInitial ResponseDamage and Situation AssessmentDisaster Declaration and NotificationEmergency Response ChecklistsEmergency Checklist One—General Emergency ResponseEmergency Checklist Two—Evacuation or Shelter-in-Place ResponseEmergency Checklist Three—Specific Emergency ResponsesEmergency Checklist Four—Emergency Response Contact List, Maps, Floor PlansEmergency Checklist Five—Emergency Supplies and EquipmentRecovery ChecklistsRecovery Checklist One—GeneralRecovery Checklist Two—Inspection, Assessment, and SalvageBusiness Continuity ChecklistResuming WorkResuming WorkHuman ResourcesInsurance and LegalManufacturing, Warehouse, Production, and OperationsResuming Normal OperationsExisting FacilityNew FacilityTransition to Normalized ActivitiesIT Recovery ChecklistsIT Recovery Checklist One—InfrastructureRecovery Checklist Two—ApplicationsRecovery Checklist Three—Office Area and End-User RecoveryRecovery Checklist Four—Business Process RecoveryRecovery Checklist Five—Manufacturing, Production, and Operations RecoveryTraining, Testing, and Auditing ChecklistsTraining and TestingIT AuditingBC/DR Plan Maintenance ChecklistChange Management

Content preview from The Best Damn IT Security Management Book Period

Chapter 30. Risk Assessment

Introduction

In this chapter, we’re going to discuss the concept and practical application of risk management. We’ll look at the broad business perspective, the practical business continuity and disaster recovery planning perspective, and the IT-centric perspective. We’ll look at risk management to understand the overall process, then delve into the risk assessment process. This is where the first phase of project work begins.

To help you keep track of where we are in our overall planning ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781597492270

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

The Best Damn IT Security Management Book Period

by Susan Snedaker, Robert McCrie

Chapter 30. Risk Assessment

Introduction

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.