The Binomial Bookstore
Rothstein Associates Inc.
Info & Network Security, Info Protection
THE SECURITY RISK ASSESSMENT HANDBOOK
A COMPLETE GUIDE FOR PERFORMING SECURITY RISK ASSESSMENTS
by Douglas J. Landoll

- Provides detailed insight into precisely how to conduct an information security risk assessment from a practical point of view
- Contains real examples, step-by-step descriptions, checklists, decision techniques and other tricks of the trade
- Explores administrative, technical, and physical data gathering, including the RIIOT Method
- Covers security risk analysis and mitigation, as well as security risk assessment reporting
- Describes the steps of assessment project management, including planning, tracking, correcting, reporting, and wrap-up
- Examines various risk assessment tools and methods, and compares quantitative vs. qualitative analysis

THE SECURITY RISK ASSESSMENT HANDBOOK: A COMPLETE GUIDE FOR PERFORMING SECURITY RISK ASSESSMENTS provides detailed insight into precisely how to conduct an information security risk assessment. Designed for security professionals and their customers who want a more in-depth understanding of the risk assessment process, this volume contains real-world advice that promotes professional development. It also enables security consumers to better negotiate the scope and rigor of a security assessment, effectively interface with a security assessment team, deliver insightful comments on a draft report, and have a greater understanding of final report recommendations. This book can save time and money by eliminating guesswork as to which assessment steps to perform and how to perform them. In addition, the book offers charts, checklists, examples, and templates that speed up data gathering, analysis, and document development. By improving the efficiency of the assessment process, security consultants can deliver a higher-quality service with a larger profit margin.

The text allows consumers to intelligently solicit and review proposals, positioning them to request affordable security risk assessments from quality vendors that meet the needs of their organizations.

- - - - - - - -

CONTENTS

Introduction
    The Need for an Information Security Program
    Elements of an Information Security Program
    Common Core Information Security Practices
    Security Risk Assessment Related Activities
    The Need for This Book
    Who Is This Book For?
Information Security Risk Assessment Basics
    Phase 1: Project Definition
    Phase 2: Project Preparation
    Phase 3: Data-gathering
    Phase 4: Risk Analysis
    Phase 5: Risk Mitigation
    Phase 6: Risk Reporting and Resolution
Project Definition
    Ensuring Project Success
    Project Description
Security Risk Assessment Preparation
    Introduce the Team
    Review Business Mission
    Identify Critical Systems
    Identify Assets
    Identifying Threats
    Determine Expected Controls
Data Gathering
    Sampling
    The RIIOT Method of Data Gathering
Administrative Data Gathering
    Threats and Safeguards
    The RIIOT Method: Administrative Data Gathering
Technical Data Gathering
    Technical Threats and Safeguards
    The RIIOT Method: Technical Data Gathering
Physical Data Gathering
    Physical Threats and Safeguards
    The RIIOT Method: Physical Data Gathering
Security Risk Analysis
    Determining Risk
    Creating Risk Statements
    Team Review of Security Risk Statements
Security Risk Mitigation
    Selecting Safeguards
    Safeguard Solution Sets
    Establishing Risk Parameters
Security Risk Assessment Reporting
    Cautions in Reporting
    Pointers in Reporting
    Report Structure
    Document Review Methodology: Create the Report Using a Top-Down Approach
    Assessment Brief
    Action Plan
Security Risk Assessment Project Management
    Project Planning
    Project Tracking
    Taking Corrective Measures
    Project Status Reporting
    Project Conclusion and Wrap-up
Security Risk Assessment Approaches
    Quantitative vs. Qualitative Analysis
    Tools
    Security Risk Assessment Methods
Appendix: Relevant Standards and Regulations
    GAISP
    COBIT
    ISO 17799
    NIST Handbook
    HIPAA: Security
    Gramm-Leach-Bliley Act (GLB Act)

- - - - - - - -

EXCERPT FROM THE INTRODUCTION

“Heavy financial losses, breaches of privacy, and even the downfall of corporations have recently been attributed to the inability of corporations to protect themselves from cyber-risks. Cyber-risks are generated from hackers, malicious software, disgruntled employees, competitors, and many other sources both internal and external. These external and internal cyber-attacks on corporate assets and an increasingly technology-savvy corporate management have led to a more appropriate awareness of the information security risks to corporate information than ever previously experienced in corporations and government agencies.

“Understandably, information security is now a major concern for most corporations. A recent survey reported that computer security is the critical attribute of corporate networks for 78 percent of corporate executives. Another survey reported that security outweighed other concerns by a factor of three as the driving concern for IT improvements.

“Many corporations are putting their money where their mouth is by increasing security spending. In a survey of chief security officers, corporations have increased their information security budget fivefold to 10 percent of their IT budget from 2002 to 2003. Another survey reported that information security spending has increased by 28 percent globally from 2001 to 2003. But even with all this spending, many corporate executives are unsure about the effectiveness of their information security programs or the security controls that have been put in place. A 2003 survey found that 34 percent of organizations see their own security controls as inadequate to detect a security breach.

“It should be rather clear from the discussion above that organizations need a reliable method for measuring the effectiveness of their information security program. An information security risk assessment is designed specifically for that task. An information security risk assessment, when performed correctly, can give corporate managers the information they need to understand and control the risks correctly, efficiently and effectively.”

- - - - - - - -

ABOUT THE AUTHOR

DOUGLAS LANDOLL has 17 years of information security experience. He has led security risk assessments and established security programs within top corporations and government agencies. He is an expert in security risk assessment, security risk management, security criteria, and building corporate security programs. His background includes evaluating security at the National Security Agency (NSA), North Atlantic Treaty Organization (NATO), Central Intelligence Agency (CIA), and other government agencies; co-founding the Arca Common Criteria Testing laboratory; co-authoring the Systems Security Engineering Capability Maturity Model (SSE-CMM); teaching at NSA’s National Cryptologic School; and running the southwest security services division for Exodus Communications. Presently he is the president of Veridyn, a provider of network security solutions. He is a Certified Information Systems Security Professional (CISSP) and Certified Information Systems Auditor (CISA). He holds a BS degree from James Madison University and an MBA from the University of Texas at Austin. He has published numerous information security articles, speaks regularly at conferences, and serves as an advisor for several high-tech companies.

- - - - - - - -

2006, 494 pages. Order #DR780

- - - - - - - -

Rothstein Associates Inc.
4 Arapaho Rd.
Brookfield, CT 06804-3104
Telephone: 203.740.7444; 1-888-ROTHSTEIN (888.768.4783)
Fax: 203.740.7401
E-Mail: info@rothstein.com
All bookstore enquiries should be sent to Rothstein Associates at the above address.
© Binomial International 2008