Information Technology Risk Management in Enterprise Environments: A Review of Industry Practices and a Practical Guide to Risk Management Teams / Edition 1

Hardcover (Print)
Buy Used
Buy Used from BN.com
$72.86
(Save 32%)
Item is in good condition but packaging may have signs of shelf wear/aging or torn packaging.
Condition: Used – Good details
Used and New from Other Sellers
Used and New from Other Sellers
from $23.54
Usually ships in 1-2 business days
(Save 78%)
Other sellers (Hardcover)
  • All (22) from $23.54   
  • New (8) from $43.19   
  • Used (14) from $23.54   

Overview

  • Discusses all types of corporate risks and practical means of defending against them.
  • Security is currently identified as a critical area of Information Technology management by a majority of government, commercial, and industrial organizations.
  • Offers an effective risk management program, which is the most critical function of an information security program.
Read More Show Less

Editorial Reviews

From the Publisher
"Throughout, practical examples are included from various healthcare, manufacturing, and retail industries that demonstrate key concepts, implementation guidance to get started, as well as tables of risk indicators and metrics, physical structure diagrams, and graphs". (PR-Inside.com, 29 March 2011)
Read More Show Less

Product Details

  • ISBN-13: 9780471762546
  • Publisher: Wiley
  • Publication date: 1/7/2010
  • Edition number: 1
  • Pages: 421
  • Sales rank: 621,756
  • Product dimensions: 6.40 (w) x 9.40 (h) x 1.00 (d)

Meet the Author

JAKE KOUNS is cofounder, CEO, and CFO of the Open Security Foundation. He holds an MBA in information security from James Madison University and a number of certifications, including ISC2's CISSP, ISACA's CISM, CISA, and CGEIT.

DANIEL MINOLI is an expert in the fields of IT, telecommunications, and networking, with work experience at Capital One Financial, Prudential Securities, and AT&T, among others. He is the founder and President Emeritus of the IPv6 Institute. He is the author or coauthor of several books on IT, security, and networking, including Minoli-Cordovana's Authoritative Computer and Network Security Dictionary and Network Infrastructure and Architecture: Designing High Availability Networks, both published by Wiley.

Read More Show Less

Table of Contents

Preface xiii

About the authors xv

Part I Industry Practices in Risk Management 1

1 Information Security Risk Management Imperatives and Opportunities 3

1.1 Risk Management Purpose and Scope 3

1.1.1 Purpose of Risk Management 3

1.1.2 Text Scope 17

References 24

Appendix 1A Bibliography of Related Literature 25

2 Information Security Risk Management Defined 33

2.1 Key Risk Management Definitions 33

2.1.1 Survey of Industry Definitions 33

2.1.2 Adopted Definitions 37

2.2 A Mathematical Formulation of Risk 40

2.2.1 What is Risk? A Formal Definition 44

2.2.2 Risk in IT Environments 44

2.2.3 Risk Management Procedures 49

2.3 Typical Threats/Risk Events 56

2.4 What is an Enterprise Architecture? 61

References 65

Appendix 2A The CISSPforum/ISO27k Implementers Forum Information Security Risk List for 2008 66

Appendix 2B What is Enterprise Risk Management (ERM)? 71

3 Information security risk management standards 73

3.1 ISO/IEC 13335 77

3.2 ISO/IEC 17799 (ISO/IEC 27002:2005) 78

3.3 ISO/IEC 27000 Series 78

3.3.1 ISO/IEC 27000, Information Technology-Security Techniques-Information Security Management Systems-Fundamentals and Vocabulary 79

3.3.2 ISO/IEC 27001:2005, Information Technology-Security Techniques-Specification for an information Security Management, System- 79

3.3.3 ISO/IEC 27002:2005, Information Technology-Security Techniques-Code of Practice for Information Security Management 84

3.3.4 ISO/IEC 27003 Information Technology-Security Techniques-Information Security Management System Implementation Guidance 90

3.3.5 ISO/IEC 27004 Information Technology-Security Techniques-Information Security Management-Measurement 91

3.3.6 ISO/IEC 27005:2008 Information Technology-Security Techniques-Information Security Risk Management 92

3.4 ISO/ICE 31000 92

3.5 NIST STANDARDS 94

3.5.1 NIST SP 800-16 96

3.5.2 NIST SP 800-30 99

3.5.3 NIST SP 800-39 101

3.6 AS/NZS 4360 105

References 106

Appendix 3A Organization for Economic Cooperation and Development (OECD) Guidelines for the Security of Information Systems and Networks: Toward a Culture of Security 107

4 A Survey of Available Information Security Risk Management Methods and Tools 111

4.1 Overview 111

4.2 Risk Management/Risk Analysis Methods 114

4.2.1 Austrian IT Security Handbook 114

4.2.2 CCTA Risk Assessment and Management Methodology (CRAMM) 115

4.2.3 Dutch A&K Analysis 117

4.2.4 EBIOS 117

4.2.5 ETSI Threat Vulnerability and Risk Analysis (TVRA) Method 119

4.2.6 FAIR (Factor Analysis of Information Risk) 122

4.2.7 FIRM (Fundamental Information Risk Management) 124

4.2.8 FMEA (Failure Modes and Effects Analysis) 125

4.2.9 FRAP (Facilitated Risk Assessment Process) 128

4.2.10 ISAMM (Information Security Assessment and Monitoring Method) 129

4.2.11 ISO/IEC Baselines 130

4.2.12 ISO 31000 Methodology 130

4.2.13 IT-Grundschutz (IT Baseline Protection Manual) 136

4.2.14 MAGERIT (Metodologia de Analisis y Gestion de Riesgos de los Sistemas de Informacion) (Methodology for Information Systems Risk Analysis and Management) 137

4.2.15 MEHARI (M?thode Harmonis?e d'Analyse de Risques-Harmonised Risk Analysis Method) 142

4.2.16 Microsoft's Security Risk Management Guide 146

4.2.17 MIGRA (Metodologia Integrata per la Gestione del Rischio Aziendale) 152

4.2.18 NIST 153

4.2.19 National Security Agency (NSA) IAM / IEM / IA-CMM 153

4.2.20 Open Source Approach 155

4.2.21 PTA (Practical Threat Analysis) 158

4.2.22 SOMAP (Security Officers Management and Analysis Project) 160

4.2.23 Summary 161

References 162

5 Methodologies examples: COBIT and octave 164

5.1 Overview 164

5.2 COBIT 166

5.2.1 COBIT Framework 172

5.2.2 The Need for a Control Framework for IT Governance 173

5.2.3 How COBIT Meets the Need 175

5.2.4 COBIT's Information Criteria 175

5.2.5 Business Goals and IT Goals 176

5.2.6 COBTT Framework 177

5.2.7 IT Resources 178

5.2.8 Plan and Organize (PO) 180

5.2.9 Acquire and Implement (AI) 180

5.2.10 Deliver and Support (DS) 180

5.2.11 Monitor and Evaluate (ME) 181

5.2.12 Processes Need Controls 181

5.2.13 COBIT Framework 181

5.2.14 Business and IT Controls 184

5.2.15 IT General Controls and Application Controls 185

5.2.16 Maturity Models 187

5.2.17 Performance Measurement 194

5.3 OCTAVE 205

5.3.1 The OCTAVE Approach 205

5.3.2 The OCTAVE Method 208

References 210

Part II Developing Risk Management Teams 211

6 Risk Management Issues and Organization Specifics 213

6.1 Purpose and Scope 213

6.2 Risk Management Policies 216

6.3 A Snapshot of Risk Management in the Corporate World 219

6.3.1 Motivations for Risk Management 224

6.3.2 Justifying Risk Management Financially 225

6.3.3 The Human Factors 230

6.3.4 Priority-Oriented Rational Approach 232

6.4 Overview of Pragmatic Risk Management Process 234

6.4.1 Creation of a Risk Management Team, and Adoption of Methodologies 234

6.4.2 Iterative Procedure for Ongoing Risk Management 236

6.5 Roadmap to Pragmatic Risk Management 236

References 239

Appendix 6A Example of a Security Policy 239

7 Assessing Organization and Establishing Risk Management Scope 243

7.1 Assessing the Current Enterprise Environment 244

7.2 Soliciting Support from Senior Management 248

7.3 Establishing Risk Management Scope and Boundaries 259

7.4 Defining Acceptable Risk for Enterprise 260

7.5 Risk Management Committee 263

7.6 Organization-Specific Risk Methodology 264

7.6.1 Quantitative Methods 265

7.6.2 Qualitative Methods 267

7.6.3 Other Approaches 269

7.7 Risk Waivers Programs 272

References 274

Appendix 7A Summary of Applicable Legislation 275

8 Identifying Resources and Implementing the Risk Management Team 280

8.1 Operating Costs to Support Risk Management and Staffing Requirements 281

8.2 Organizational Models 286

8.3 Staffing Requirements 287

8.3.1 Specialized Skills Required 290

8.3.2 Sourcing Options 291

8.4 Risk Management Tools 295

8.5 Risk Management Services 296

8.5.1 Alerting and Analysis Services 296

8.5.2 Assessments, Audits, and Project Consulting 296

8.6 Developing and Implementing the Risk Management/ Assessment Team 298

8.6.1 Creating Security Standards 298

8.6.2 Defining Subject Matter Experts 300

8.6.3 Determining Information Sources 300

References 301

Appendix 8A Sizing Example for Risk Management Team 302

Appendix 8B Example of Vulnerability Alerts by Vendors and CERT 331

Appendix 8C Examples of Data Losses-A One-Month Snapshot 336

9 Identifying Assets and Organization Risk Exposures 338

9.1 Importance of Asset Identification and Management 338

9.2 Enterprise Architecture 340

9.3 Identifying IT Assets 346

9.4 Assigning Value to IT Assets 353

9.5 Vulnerability Identification/Classification 354

9.5.1 Base Parameters 360

9.5.2 Temporal Parameters 362

9.5.3 Environmental Parameters 363

9.6 Threat Analysis: Type of Risk Exposures 367

9.6.1 Type of Risk Exposures 368

9.6.2 Internal Team Programs (to Uncover Risk Exposures) 371

9.7 Summary 371

References 371

Appendix 9A Common Information Systems Assets 372

10 Remediation planning and compliance reporting 377

10.1 Determining Risk Value 377

10.2 Remediation Approaches 380

10.3 Prioritizing Remediations 384

10.4 Determining Mitigating Timeframes 385

10.5 Compliance Monitoring and Security Metrics 387

10.6 Compliance Reporting 390

References 391

Basic Glossary of Terms Used in This Text 392

Index 415

Read More Show Less

Customer Reviews

Be the first to write a review
( 0 )
Rating Distribution

5 Star

(0)

4 Star

(0)

3 Star

(0)

2 Star

(0)

1 Star

(0)

Your Rating:

Your Name: Create a Pen Name or

Barnes & Noble.com Review Rules

Our reader reviews allow you to share your comments on titles you liked, or didn't, with others. By submitting an online review, you are representing to Barnes & Noble.com that all information contained in your review is original and accurate in all respects, and that the submission of such content by you and the posting of such content by Barnes & Noble.com does not and will not violate the rights of any third party. Please follow the rules below to help ensure that your review can be posted.

Reviews by Our Customers Under the Age of 13

We highly value and respect everyone's opinion concerning the titles we offer. However, we cannot allow persons under the age of 13 to have accounts at BN.com or to post customer reviews. Please see our Terms of Use for more details.

What to exclude from your review:

Please do not write about reviews, commentary, or information posted on the product page. If you see any errors in the information on the product page, please send us an email.

Reviews should not contain any of the following:

  • - HTML tags, profanity, obscenities, vulgarities, or comments that defame anyone
  • - Time-sensitive information such as tour dates, signings, lectures, etc.
  • - Single-word reviews. Other people will read your review to discover why you liked or didn't like the title. Be descriptive.
  • - Comments focusing on the author or that may ruin the ending for others
  • - Phone numbers, addresses, URLs
  • - Pricing and availability information or alternative ordering information
  • - Advertisements or commercial solicitation

Reminder:

  • - By submitting a review, you grant to Barnes & Noble.com and its sublicensees the royalty-free, perpetual, irrevocable right and license to use the review in accordance with the Barnes & Noble.com Terms of Use.
  • - Barnes & Noble.com reserves the right not to post any review -- particularly those that do not follow the terms and conditions of these Rules. Barnes & Noble.com also reserves the right to remove any review at any time without notice.
  • - See Terms of Use for other conditions and disclaimers.
Search for Products You'd Like to Recommend

Recommend other products that relate to your review. Just search for them below and share!

Create a Pen Name

Your Pen Name is your unique identity on BN.com. It will appear on the reviews you write and other website activities. Your Pen Name cannot be edited, changed or deleted once submitted.

 
Your Pen Name can be any combination of alphanumeric characters (plus - and _), and must be at least two characters long.

Continue Anonymously

    If you find inappropriate content, please report it to Barnes & Noble
    Why is this product inappropriate?
    Comments (optional)