
Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments, Second Edition (2nd edition) [Hardback]

Douglas Landoll (Lantego, LLC, Austin, Texas, USA)
  • Format: Hardback, 495 pages, height x width: 234x156 mm, weight: 816 g, 95 tables, black and white; 33 illustrations, black and white
  • Publication date: 20-May-2011
  • Publisher: CRC Press Inc
  • ISBN-10: 1439821488
  • ISBN-13: 9781439821480
  • Hardback
  • Price: 185,50 €*
  • * We will send you an offer for a used copy; its price may differ from the price shown on the website.
  • This book is out of print, but we will send you an offer for a used copy.

"The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments provides detailed insight into precisely how to conduct an information security risk assessment. Designed for security professionals and their customers who want a more in-depth understanding of the risk assessment process, this volume contains real-world advice that promotes professional development. It also enables security consumers to better negotiate the scope and rigor of a security assessment, effectively interface with a security assessment team, deliver insightful comments on a draft report, and have a greater understanding of final report recommendations. This book can save time and money by eliminating guesswork as to what assessment steps to perform, and how to perform them. In addition, the book offers charts, checklists, examples, and templates that speed up data gathering, analysis, and document development. By improving the efficiency of the assessment process, security consultants can deliver a higher-quality service with a larger profit margin.

The text allows consumers to intelligently solicit and review proposals, positioning them to request affordable security risk assessments from quality vendors that meet the needs of their organizations."

Provided by publisher.

Reviews

"... this book, now in its second edition, covers a lot of ground for its 450 or so pages: information security, physical and environmental exposures, personnel risk and business continuity. Its author, a one-time senior analyst at the NSA, is clearly highly experienced in managing very large-scale risk assessment exercises. ... a valuable guide for those commissioning or planning risk assessment exercises."

Michael Barwise, BSc, CEng, CITP, MBCS, in InfoSec Reviews, July 2011

Contents (each entry gives the starting page, with the number of pages in parentheses)

Biography xix
1 Introduction 1(22)
1.1 The Role of the Information Security Manager 1(2)
1.1.1 Audit as a Driver for Security Initiatives 2(1)
1.1.2 Technology as a Driver for Security Initiatives 2(1)
1.1.3 Compliance as a Driver for Security Initiatives 2(1)
1.1.4 Security Risk as a Driver for Security Initiatives 2(1)
1.2 Ensuring a Quality Information Security Risk Assessment 3(1)
1.3 Security Risk Assessment 3(8)
1.3.1 The Role of the Security Risk Assessment 4(1)
1.3.2 Definition of a Security Risk Assessment 5(2)
1.3.3 The Need for a Security Risk Assessment 7(1)
1.3.3.1 Checks and Balances 7(1)
1.3.3.2 Periodic Review 7(1)
1.3.3.3 Risk-Based Spending 8(2)
1.3.3.4 Requirement 10(1)
1.3.4 Security Risk Assessment Secondary Benefits 10(1)
1.4 Related Activities 11(5)
1.4.1 Gap Assessment 11(2)
1.4.2 Compliance Audit 13(1)
1.4.3 Security Audit 14(1)
1.4.4 Vulnerability Scanning 14(1)
1.4.5 Penetration Testing 15(1)
1.4.6 Ad Hoc Testing 15(1)
1.4.7 Social Engineering 15(1)
1.4.8 War Dialing 15(1)
1.5 The Need for This Book 16(2)
1.6 Who Is This Book For? 18(5)
Exercises 19(1)
Notes 20(1)
References 21(1)
Bibliography 21(2)
2 Information Security Risk Assessment Basics 23(16)
2.1 Phase 1: Project Definition 23(2)
2.2 Phase 2: Project Preparation 25(1)
2.3 Phase 3: Data Gathering 25(1)
2.4 Phase 4: Risk Analysis 25(6)
2.4.1 Assets 26(1)
2.4.2 Threat Agents and Threats 27(1)
2.4.2.1 Threat Agents 27(1)
2.4.2.2 Threats 28(1)
2.4.3 Vulnerabilities 29(1)
2.4.4 Security Risk 30(1)
2.5 Phase 5: Risk Mitigation 31(2)
2.5.1 Safeguards 31(2)
2.5.2 Residual Security Risk 33(1)
2.6 Phase 6: Risk Reporting and Resolution 33(6)
2.6.1 Risk Resolution 34(1)
Exercises 35(1)
Notes 36(1)
References 37(2)
3 Project Definition 39(34)
3.1 Ensuring Project Success 39(23)
3.1.1 Success Definition 40(1)
3.1.1.1 Customer Satisfaction 40(4)
3.1.1.2 Quality of Work 44(5)
3.1.1.3 Completion within Budget 49(1)
3.1.2 Setting the Budget 50(1)
3.1.3 Determining the Objective 51(1)
3.1.4 Limiting the Scope 52(1)
3.1.4.1 Underscoping 52(1)
3.1.4.2 Overscoping 53(1)
3.1.4.3 Security Controls 54(1)
3.1.4.4 Assets 55(1)
3.1.4.5 Reasonableness in Limiting the Scope 56(1)
3.1.5 Identifying System Boundaries 56(1)
3.1.5.1 Physical Boundary 57(1)
3.1.5.2 Logical Boundaries 58(2)
3.1.6 Specifying the Rigor 60(1)
3.1.7 Sample Scope Statements 60(2)
3.2 Project Description 62(11)
3.2.1 Project Variables 62(1)
3.2.2 Statement of Work 63(1)
3.2.2.1 Specifying the Service Description 63(1)
3.2.2.2 Scope of Security Controls 63(1)
3.2.2.3 Specifying Deliverables 64(2)
3.2.2.4 Contract Type 66(1)
3.2.2.5 Contract Terms 67(3)
Exercises 70(1)
Notes 71(1)
References 72(1)
4 Security Risk Assessment Preparation 73(38)
4.1 Introduce the Team 73(5)
4.1.1 Introductory Letter 74(1)
4.1.2 Pre-Assessment Briefing 74(1)
4.1.3 Obtain Proper Permission 75(1)
4.1.3.1 Policies Required 76(1)
4.1.3.2 Permission Required 76(1)
4.1.3.3 Scope of Permission 77(1)
4.1.3.4 Accounts Required 78(1)
4.2 Review Business Mission 78(3)
4.2.1 What Is a Business Mission? 79(1)
4.2.2 Obtaining Business Mission Information 80(1)
4.3 Identify Critical Systems 81(4)
4.3.1 Determining Criticality 81(2)
4.3.1.1 Approach 1: Find the Information Elsewhere 83(1)
4.3.1.2 Approach 2: Create the Information on a High Level 83(1)
4.3.1.3 Approach 3: Classify Critical Systems 83(2)
4.4 Identify Assets 85(10)
4.4.1 Checklists and Judgment 86(1)
4.4.2 Asset Sensitivity/Criticality Classification 86(1)
4.4.2.1 Approach 1: Find Asset Classification Information Elsewhere 86(1)
4.4.2.2 Approach 2: Create Asset Classification Information 86(3)
4.4.2.3 Approach 3: Determine Asset Criticality 89(2)
4.4.3 Asset Valuation 91(1)
4.4.3.1 Approach 1: Binary Asset Valuation 91(1)
4.4.3.2 Approach 2: Classification-Based Asset Valuation 91(1)
4.4.3.3 Approach 3: Rank-Based Asset Valuation 92(1)
4.4.3.4 Approach 4: Consensus Asset Valuation 93(1)
4.4.3.5 Approaches 5-7: Accounting Valuation Approaches 93(2)
4.5 Identifying Threats 95(9)
4.5.1 Threat Components 96(1)
4.5.1.1 Threat Agent 96(1)
4.5.1.2 Undesirable Events 96(1)
4.5.2 Listing Possible Threats 96(3)
4.5.2.1 Checklists and Judgment 99(1)
4.5.2.2 Threat Agent and Undesirable Event Pairing 99(2)
4.5.3 Threat Statements 101(1)
4.5.4 Validating Threat Statements 102(1)
4.5.4.1 Factors Affecting Threat Statement Validity 102(2)
4.6 Determine Expected Controls 104(7)
Exercises 108(1)
Notes 108(2)
References 110(1)
Bibliography 110(1)
5 Data Gathering 111(34)
5.1 Sampling 112(5)
5.1.1 Sampling Objectives 114(1)
5.1.2 Sampling Types 115(1)
5.1.3 Use of Sampling in Security Testing 116(1)
5.1.3.1 Approach 1: Representative Testing 116(1)
5.1.3.2 Approach 2: Selected Sampling 116(1)
5.1.3.3 Approach 3: Random Sampling 117(1)
5.2 The RIIOT Method of Data Gathering 117(28)
5.2.1 RIIOT Method Benefits 118(1)
5.2.2 RIIOT Method Approaches 118(1)
5.2.2.1 Review Documents or Designs 119(6)
5.2.2.2 Interview Key Personnel 125(7)
5.2.2.3 Inspect Security Controls 132(2)
5.2.2.4 Observe Personnel Behavior 134(2)
5.2.2.5 Test Security Controls 136(4)
5.2.3 Using the RIIOT Method 140(1)
Exercises 141(1)
Notes 141(2)
References 143(2)
6 Administrative Data Gathering 145(70)
6.1 Threats and Safeguards 145(22)
6.1.1 Human Resources 146(1)
6.1.1.1 Recruitment 146(5)
6.1.1.2 Employment 151(3)
6.1.1.3 Termination 154(1)
6.1.2 Organizational Structure 154(1)
6.1.2.1 Senior Management 155(1)
6.1.2.2 Security Program 156(1)
6.1.2.3 Security Operations 156(1)
6.1.2.4 Audit 157(1)
6.1.3 Information Control 158(1)
6.1.3.1 User Accounts 158(1)
6.1.3.2 User Error 159(1)
6.1.3.3 Asset Control 160(1)
6.1.3.4 Sensitive Information 160(1)
6.1.4 Business Continuity 161(1)
6.1.4.1 Contingency Planning 162(1)
6.1.4.2 Incident Response Program 163(1)
6.1.5 System Security 163(1)
6.1.5.1 System Controls 163(2)
6.1.5.2 Application Security 165(1)
6.1.5.3 Configuration Management 166(1)
6.1.5.4 Third-Party Access 166(1)
6.2 The RIIOT Method: Administrative Data Gathering 167(48)
6.2.1 Review Administrative Documents 173(1)
6.2.1.1 Documents to Request 173(1)
6.2.1.2 Review Documents for Clarity, Consistency, and Completeness 173(4)
6.2.1.3 Reviewing Documents Other than Policies 177(9)
6.2.2 Interview Administrative Personnel 186(1)
6.2.2.1 Administrative Interview Topics 186(1)
6.2.2.2 Administrative Interview Subjects 187(1)
6.2.2.3 Administrative Interview Questions 188(4)
6.2.3 Inspect Administrative Security Controls 192(1)
6.2.3.1 Listing Administrative Security Controls 192(1)
6.2.3.2 Verify Information Gathered 192(2)
6.2.3.3 Determine Vulnerabilities 194(1)
6.2.3.4 Document and Review Findings 194(1)
6.2.3.5 Inspect the Security Organization 194(5)
6.2.4 Observe Administrative Behavior 199(1)
6.2.5 Test Administrative Security Controls 200(1)
6.2.5.1 Information Labeling Testing 200(1)
6.2.5.2 Media Destruction Testing 200(7)
6.2.5.3 Account and Access Control Procedures Testing 207(2)
6.2.5.4 Outsourcing and Information Exchange 209(2)
Exercises 211(1)
Notes 212(2)
References 214(1)
Bibliography 214(1)
7 Technical Data Gathering 215(72)
7.1 Technical Threats and Safeguards 215(16)
7.1.1 Information Control 215(1)
7.1.1.1 User Error 215(4)
7.1.1.2 Sensitive and Critical Information 219(1)
7.1.1.3 User Accounts 219(1)
7.1.2 Business Continuity 220(1)
7.1.2.1 Contingency Planning 221(1)
7.1.3 System Security 221(1)
7.1.3.1 System Controls 221(1)
7.1.3.2 Application Security 222(1)
7.1.3.3 Change Management 223(1)
7.1.4 Secure Architecture 223(1)
7.1.4.1 Topology 224(1)
7.1.4.2 Transmission 225(1)
7.1.4.3 Perimeter Network 226(1)
7.1.5 Components 227(1)
7.1.5.1 Access Control 227(1)
7.1.5.2 Intrusion Detection 228(1)
7.1.6 Configuration 229(1)
7.1.6.1 System Settings 229(1)
7.1.7 Data Security 230(1)
7.1.7.1 Storage 230(1)
7.1.7.2 Transit 230(1)
7.2 The RIIOT Method: Technical Data Gathering 231(56)
7.2.1 Review Technical Documents 231(1)
7.2.1.1 Technical Documents to Request 231(1)
7.2.1.2 Review Technical Documents for Information 231(5)
7.2.1.3 Review Technical Security Designs 236(12)
7.2.2 Interview Technical Personnel 248(1)
7.2.2.1 Technical Interview Topics 248(1)
7.2.2.2 Technical Interview Subjects 248(1)
7.2.2.3 Technical Interview Questions 248(1)
7.2.3 Inspect Technical Security Controls 249(2)
7.2.3.1 List Technical Security Controls 251(4)
7.2.3.2 Verify Information Gathered 255(7)
7.2.3.3 Determine Vulnerabilities 262(1)
7.2.3.4 Document and Review Findings 262(1)
7.2.4 Observe Technical Personnel Behavior 262(3)
7.2.5 Test Technical Security Controls 265(1)
7.2.5.1 Monitoring Technology 265(1)
7.2.5.2 Audit Logs 266(1)
7.2.5.3 Anti-Virus Systems 266(1)
7.2.5.4 Automated Password Policies 267(1)
7.2.5.5 Virtual Private Network 267(1)
7.2.5.6 Firewalls, IDS, and System Hardening 268(1)
7.2.5.7 Vulnerability Scanning 268(11)
7.2.5.8 Penetration Testing 279(1)
7.2.5.9 Testing Specific Technology 280(3)
Exercises 283(1)
Notes 283(2)
Reference 285(1)
Bibliography 285(2)
8 Physical Data Gathering 287(78)
8.1 Physical Threats and Safeguards 288(37)
8.1.1 Utilities and Interior Climate 288(1)
8.1.1.1 Power 288(4)
8.1.1.2 Heat 292(1)
8.1.1.3 Humidity 293(1)
8.1.2 Fire 293(2)
8.1.2.1 Fire Impact and Likelihood 295(1)
8.1.2.2 Fire Safeguards 295(1)
8.1.2.3 Fire Alarm Systems 296(5)
8.1.2.4 Fire Alarm Installation Types 301(2)
8.1.2.5 Fire Suppression 303(2)
8.1.2.6 Fire Evacuation 305(1)
8.1.3 Flood and Water Damage 306(2)
8.1.4 Lightning 308(1)
8.1.5 Earthquakes 309(1)
8.1.6 Volcanoes 310(1)
8.1.7 Landslides 310(1)
8.1.8 Hurricanes 310(2)
8.1.9 Tornadoes 312(1)
8.1.10 Natural Hazards Summary 312(1)
8.1.11 Human Threats to Physical Security 312(2)
8.1.11.1 Personnel Screening 314(1)
8.1.11.2 Barriers 315(1)
8.1.11.3 Lighting 316(1)
8.1.11.4 Intrusion Detection 317(4)
8.1.11.5 Physical Access Control 321(1)
8.1.11.6 Preventing Unauthorized Entry 321(4)
8.1.11.7 Preventing Unauthorized Removal 325(1)
8.2 The RIIOT Method: Physical Data Gathering 325(40)
8.2.1 Review Physical Documents 325(3)
8.2.1.1 Physical Documents to Request 328(1)
8.2.1.2 Review Physical Documents for Information 328(9)
8.2.2 Interview Physical Personnel 337(1)
8.2.2.1 Physical Security Interview Topics 337(1)
8.2.2.2 Physical Security Interview Subjects 337(1)
8.2.2.3 Physical Security Interview Questions 338(1)
8.2.3 Inspect Physical Security Controls 338(1)
8.2.3.1 Listing Physical Security Controls 338(3)
8.2.3.2 Verify Information Gathered 341(7)
8.2.3.3 Determine Physical Vulnerabilities 348(1)
8.2.3.4 Document and Review Physical Findings 348(1)
8.2.4 Observe Physical Personnel Behavior 348(4)
8.2.5 Test Physical Security Safeguards 352(1)
8.2.5.1 Doors and Locks 352(1)
8.2.5.2 Intrusion Detection 352(1)
Exercises 352(10)
Notes 362(1)
References 363(2)
9 Security Risk Analysis 365(16)
9.1 Determining Security Risk 365(9)
9.1.1 Uncertainty and Reducing Uncertainty 366(3)
9.1.1.1 Review Available Data 369(1)
9.1.1.2 Examine Historical Data 369(1)
9.1.1.3 Use Judgment 369(2)
9.1.1.4 Use Tools 371(1)
9.1.1.5 Use Conditional Probabilities 371(3)
9.2 Creating Security Risk Statements 374(1)
9.3 Team Review of Security Risk Statements 375(6)
9.3.1 Obtaining Consensus 375(3)
9.3.2 Deriving Overall Security Risk 378(1)
Exercises 378(1)
Notes 378(1)
References 379(2)
10 Security Risk Mitigation 381(14)
10.1 Selecting Safeguards 381(2)
10.1.1 Method 1: Missing Control Leads to Implementing Safeguard 382(1)
10.1.2 Method 2: People, Process, Technology 382(1)
10.1.3 Method 3: Administrative, Physical, Technical 382(1)
10.1.4 Method 4: Preventive, Detective, Corrective 382(1)
10.1.5 Method 5: Available Technology 383(1)
10.2 Safeguard Solution Sets 383(6)
10.2.1 Safeguard Cost Calculations 385(1)
10.2.2 Justifying Safeguard Selections 386(1)
10.2.2.1 Justification through Judgment 386(1)
10.2.2.2 Cost-Benefit Analysis 387(2)
10.3 Establishing Security Risk Parameters 389(6)
Exercises 392(1)
Notes 392(1)
Bibliography 393(2)
11 Security Risk Assessment Reporting 395(14)
11.1 Cautions in Reporting 395(2)
11.2 Pointers in Reporting 397(1)
11.3 Report Structure 397(3)
11.3.1 Executive-Level Report 398(1)
11.3.2 Base Report 398(1)
11.3.3 Appendices and Exhibits 399(1)
11.4 Document Review Methodology: Create the Report Using a Top-Down Approach 400(5)
11.4.1 Document Specification 401(3)
11.4.2 Draft 404(1)
11.4.3 Final 405(1)
11.5 Assessment Brief 405(1)
11.6 Action Plan 406(3)
Exercises 406(1)
Note 407(1)
References 407(1)
Bibliography 407(2)
12 Security Risk Assessment Project Management 409(26)
12.1 Project Planning 409(15)
12.1.1 Project Definition 409(1)
12.1.2 Project Planning Details 410(1)
12.1.2.1 Project Phases and Activities 410(1)
12.1.2.2 Phases and Activities Scheduling 411(1)
12.1.2.3 Allocating Hours to Activities 412(1)
12.1.3 Project Resources 413(1)
12.1.3.1 Objectivity vs. Independence 413(2)
12.1.3.2 Internal vs. External Team Members 415(1)
12.1.3.3 Skills Required 416(1)
12.1.3.4 Team Skills 416(1)
12.1.3.5 Team Member Skills 416(8)
12.2 Project Tracking 424(4)
12.2.1 Hours Tracking 424(1)
12.2.2 Calendar Time Tracking 424(3)
12.2.3 Project Progress Tracking 427(1)
12.3 Taking Corrective Measures 428(2)
12.3.1 Obtaining More Resources 428(1)
12.3.2 Using Management Reserve 428(2)
12.4 Project Status Reporting 430(1)
12.4.1 Report Detail 430(1)
12.4.2 Report Frequency 430(1)
12.4.3 Status Report Content 431(1)
12.5 Project Conclusion and Wrap-Up 431(4)
12.5.1 Eliminating "Scope Creep" 431(1)
12.5.2 Eliminating Project Run-On 432(1)
Exercises 432(1)
Notes 433(1)
Reference 433(2)
13 Security Risk Assessment Approaches 435(20)
13.1 Quantitative vs. Qualitative Analysis 436(10)
13.1.1 Quantitative Analysis 436(1)
13.1.1.1 Expected Loss 437(1)
13.1.1.2 Single Loss Expectancy 437(1)
13.1.1.3 Annualized Loss Expectancy 438(1)
13.1.1.4 Safeguard Value 438(1)
13.1.1.5 Quantitative Analysis Advantages 439(2)
13.1.1.6 Quantitative Analysis Disadvantages 441(2)
13.1.2 Qualitative Analysis 443(1)
13.1.2.1 Qualitative Analysis Advantages 444(2)
13.1.2.2 Qualitative Analysis Disadvantages 446(1)
13.2 Tools 446(1)
13.2.1 Lists 447(1)
13.2.2 Templates 447(1)
13.3 Security Risk Assessment Methods 447(8)
13.3.1 FAA Security Risk Management Process 448(1)
13.3.2 OCTAVE 448(1)
13.3.3 FRAP 448(3)
13.3.4 CRAMM 451(1)
13.3.5 NSA IAM 451(1)
Exercises 451(1)
Notes 452(1)
References 452(3)
Index 455
Douglas Landoll has nearly two decades of information security experience. He has led security risk assessments and established security programs for top corporations and government agencies. He is an expert in security risk assessment, security risk management, security criteria, and building corporate security programs. His background includes evaluating security at the National Security Agency (NSA), North Atlantic Treaty Organization (NATO), Central Intelligence Agency (CIA), and other government agencies; co-founding the Arca Common Criteria Testing Laboratory; co-authoring the Systems Security Engineering Capability Maturity Model (SSE-CMM); teaching at the NSA's National Cryptologic School; and running the southwest security services division for Exodus Communications.

Mr. Landoll is currently the president of Veridyn, a provider of network security solutions. He is a certified information systems security professional (CISSP) and certified information systems auditor (CISA). He holds a BS degree from James Madison University and an MBA from the University of Texas at Austin. He has published numerous information security articles, speaks regularly at conferences, and serves as an advisor for several high-tech companies.