Security Risk Management: Building an Information Security Risk Management Program from the Ground Up

Paperback (Print)
Rent
Rent from BN.com
$10.36
(Save 79%)
Est. Return Date: 10/21/2014
Buy New
Buy New from BN.com
$33.96
Used and New from Other Sellers
Used and New from Other Sellers
from $29.95
Usually ships in 1-2 business days
(Save 40%)
Other sellers (Paperback)
  • All (9) from $29.95   
  • New (6) from $29.95   
  • Used (3) from $33.95   

Overview

The goal of Security Risk Management is to teach you practical techniques that will be used on a daily basis, while also explaining the fundamentals so you understand the rationale behind these practices. Security professionals often fall into the trap of telling the business that they need to fix something, but they can’t explain why. This book will help you to break free from the so-called "best practices" argument by articulating risk exposures in business terms. You will learn techniques for how to perform risk assessments for new IT projects, how to efficiently manage daily risk activities, and how to qualify the current risk level for presentation to executive level management. While other books focus entirely on risk analysis methods, this is the first comprehensive guide for managing security risks.

Read More Show Less

Editorial Reviews

From the Publisher
"Evan Wheeler has developed a much needed new approach to the field of security risk management. Readers familiar with this field of study will find that it does what he says he wants it to do: shake the old risk paradigms out of their roots and plant something fresh and useful today."—Dennis Treece, Colonel, US Army (Retired)/Chief Security Officer, Massachusetts Port Authority-Boston

"Wheeler’s book is predominantly a practitioner’s guide to security risk management but can also be used as a teaching text to help engineers, students of security, information assurance, or information systems more broadly. The key message that Wheeler is emphasizing is that risk is at the core of security, and at the heart of every business. Despite that the book lacks key referencing from academic literature, it can still be used as the basis for setting a large-scale team assignment on devising a risk management program from the ground up for a real organisation. Security professionals in banks will particularly find the book relevant."—Computers and Security

"This book is packed with practical?tips and the information contained throughout provides a good overview of the subject matter. The author explains the fundamentals of risk identification, assessment and management, exploring the differences between a vulnerability assessment and a risk assessment, and also providing rationales behind each of the subjects covered. This is not a technical book and the author generally avoids detailed technical analysis; rather it is an aide-memoir for Security Risk Management. …his book is recommended, in particular, for those beginning a career in Risk Management. It also provides a useful reference for current risk professionals who perhaps could benefit from a book that helps refine and further improve their current skillset."—Best Governance and ISMS Books in InfoSecReviews Book Awards

"Evan Wheeler’s book, Security Risk Management, provides security and business continuity practitioners with the ability to thoroughly plan and build a solid security risk management program. The buzz words that are used throughout the corporate risk management industry today are often misused or overused. Wheeler breaks down such terms, translating them for the reader and articulating how they apply to a security risk management program. He believes risk managers should consider banning the term "best practices" from their vocabulary; he doesn’t think one size fits all when creating a security risk management program… Building an information security risk management program from the ground up is a monumental task that requires various business units to react and adopt change to move a business forward. This book provides valuable information for security, IT, and business continuity professionals on creating such a program."—Security Management

Read More Show Less

Product Details

  • ISBN-13: 9781597496155
  • Publisher: Elsevier Science
  • Publication date: 5/31/2011
  • Pages: 360
  • Sales rank: 414,879
  • Product dimensions: 7.40 (w) x 9.10 (h) x 1.00 (d)

Meet the Author

Evan Wheeler currently is a Director of Information Security for Omgeo (A DTCC | Thomson Reuters Company), an instructor at both Clark and Northeastern Universities, and the author of the Information Security Risk Management course for the SANS Institute. Previously he spent six years as a Security Consultant for the U.S. Department of Defense.
Read More Show Less

Read an Excerpt

Security Risk Management

Building an Information Security Risk Management Program from the Ground Up
By Evan Wheeler

SYNGRESS

Copyright © 2011 Elsevier Inc.
All right reserved.

ISBN: 978-1-59749-616-2


Chapter One

The Security Evolution

INFORMATION IN THIS CHAPTER

• How We Got Here

• A Risk-Focused Future

• Information Security Fundamentals

• The Death of Information Security

INTRODUCTION

Before even starting to think about the various steps required to design a program to assess and evaluate information security risks, it is important to briefly review the history of the field and take a quick look at Information Security as a discipline. Even those of you who are already familiar with some advanced risk assessment techniques can benefit from reviewing how we got here or you risk repeating the same mistakes. Information Security (or Information Assurance) needs to be viewed through the lens of business context to see the added value of basing your security program on a risk model. Risk management is by no means a ubiquitous foundation for information security programs, but many visionaries in the field recognize that the future of information security has to be focused on risk decisions if we are to have any hope of combating the ever-changing threat landscape and constantly increasing business demands. From an outsider's perspective, risk management may seem like an obvious fit for information security, but, amazingly, within the profession, there are still debates regarding its merit.

HOW WE GOT HERE

If you attend any industry conference or pick up any information security trade magazine, you will certainly see many references to risk assessments, risk analysis, and risk management. So, how is it possible that many security professionals are still arguing about the value of a risk-based approach to information security? Certainly, all the security products and service vendors have jumped on the risk bandwagon in full force. As a profession, have we fallen behind the vendors or are they contributing to the false perception of risk management? In fact, walking on the expo floor of any major information security conference, the number of vendors touting their so-called "risk management" solutions has increased significantly compared to even 1 year prior. Hopefully, as you look at each vendor's offerings, you will start to ask yourself questions like "is a vulnerability scanner really a risk management solution?" The answer is no, not really; but, the vendors are positioning it that way, and many people are more than happy to follow blindly if they can cross risk management off their compliance checklist. This example highlights a great misunderstanding within the field about what risk management really is. Let's face it—risk management is not a new concept. Several other industries (for example, insurance, economics, finance) have implemented very robust and precise risk models to handle even complex scenarios. Unfortunately, the information security field itself is rather young compared with these other industries, and when you try to apply a mature discipline like risk management to an evolving practice, there will be gaps that need to be overcome. This book is focused on addressing those gaps by providing a solid foundation upon which information security professionals can build a world-class risk management program that is aligned with the business objectives of the organization.

Banning Best Practices

In order to start the transformation into a risk mind-set, we first have to shed some of the baggage of outdated approaches to information security and dispel several misconceptions about how an information security function should operate. A growing problem in the information security field is the emphasis and reliance on checklists and so-called "best practices" as the only basis for many decisions. For the sake of simplicity and consistency, the security field has evolved into a cookbook-type approach. Everyone gets the same recipe for security and is expected to implement it in the exact same way. The fundamental flaw with this strategy is that we don't live in a one-size-fits-all world. Instead of blanketly applying best practices across the board, we should be using some risk analysis techniques to identify the critical focus areas and to select the most appropriate solutions for our organizations.

The motivation behind this cookbook mentality and the value of security checklists are clear when you look at how the information security field has evolved. There has always been a heavy technology focus in the field, and much of the security community got their start in an Information Technology (IT) role. As the discipline developed, implementations of security principles and concepts were inconsistent at best and the need to provide more standardized guidance to the practitioners who were battling it out in the trenches every day resulted in several generic security frameworks, some basic standards, and a lot of operationally focused training. Moreover, there are a wide variety of training options available at the practitioner level, but almost nothing focused on how to build and lead an information security program; most programs are aimed at teaching management activities, but there aren't many educational programs focused on true leadership.

Let's look at a quick example of this problem in practice. A typical information security standard might be that sensitive data needs to be encrypted wherever it is stored. Suppose that you found a database within your organization where sensitive data isn't encrypted. Before you confront the business owner and ask them to implement encryption, start by asking yourself why encryption is necessary. What problem are you trying to solve? What risk are you trying to mitigate? Encryption may not be necessary or appropriate every time. In some cases, it may even conflict with other security needs, such as the desire to inspect all communications in and out of the organization for malicious content or data leakage. Security controls need to provide business value and shouldn't be applied without first analyzing the problem. Your boss may attend an industry presentation, likely by a vendor, where the speaker recommends database encryption for all sensitive data. So, they run back to the office and you find yourself suddenly scoping out the effort to encrypt all your databases, but have you defined the problem you are trying to solve? This book is specifically focused on providing a risk model that will allow you to evaluate the threats and the vulnerabilities for your organization, and make educated decisions about how to address the most critical risks.

Having checklists and baselines does make it easy for security practitioners, and even people outside of security, to apply a minimal level of protection without having to understand the intricacies of information security, but at what expense? How can a single list of best practices possibly apply to every organization in the same way? There are "common practices," yes, but none of us is in the position to claim "best practices." There is too much potential to be lulled into a false sense of security if we base evaluations of security posture solely on a checklist.

To be effective, senior security professionals need to learn how to perform a true risk assessment and not just accept the established security checklists. Even the US federal government seems to be moving in this direction with the latest revision of the NIST SP800-37 guide [1] for managing the security of federal information systems (formerly focused on Certification and Accreditation), which has been overhauled to use a risk-based approach. It is hard to deny that risk management is the future of the information security field, though some still try to argue against it. A risk-based model can provide a more dynamic and flexible approach to security that bases recommendations on the particular risks of each scenario, not just a single pattern for the entire field. Just look at the Payment Card Industry (PCI), given all the breaches in the retail space, it is clear that the PCI requirements have not made retail companies any more secure, just more compliant.

Looking Inside the Perimeter

Another important development in the information security field is the shift from focusing purely on securing the perimeter. Traditional information security practices were primarily concerned with keeping the "bad guys" out. The assumption was that anything outside your network (or physical walls) was un-trusted and anything inside could be trusted. Although this perspective can be very comforting and simplifies your protection activities (in an "ignorance is bliss" kind of way), unfortunately, it is also greatly flawed. As environments have grown more complex, it has even become necessary to separate different portions of the internal environment based on the sensitivity of the resources. It is hard to deny the statistics (according to the 2010 Verizon Data Breach Investigations Report [2], 48 percent of the breaches were caused by insiders) regarding the large percentage of security breaches initiated by malicious insiders or compromises resulting from attackers leveraging exploits on mobile devices to launch attacks on more sensitive internal resources. At this point, it would be hard even to draw a meaningful perimeter line around your organization. You can't assume that the other systems on your internal networks can be trusted or that not being directly Internet-facing excludes a system from needing to worry about external threats.

Early attempts by many organizations to address these issues without a common security framework have lead to the implementation of point solutions and ad hoc levels of protection, which in many cases have not been the best solutions to address the organization's greatest risk areas. We all have seen organizations that spend a lot of money on technology or spend all their time trying to keep up with the bleeding-edge hacking techniques, but miss the big gaping holes that end up being exploited. Critical exposures are overlooked, and breaches occur despite the expensive controls in place. Technology won't fix process and procedural weaknesses, which are what typically contribute to the major disclosures. As the threat landscape continues to shift, the old paradigms for information security just aren't going to cut it anymore.

A RISK-FOCUSED FUTURE

No one can deny that keeping up with the pace of change in this field is challenging at best, and can, at worst, feel impossible. As soon as you feel like you have a good handle on the major threats to your organization, three new threats pop up. So how can you keep up? If you want to stay ahead or even just keep pace, you need not only to understand the fundamental principles of a solid information security program but also to understand how to apply them to mitigate your organization's specific risks.

A New Path Forward

There are many good security advisory services available that can provide a steady feed of intelligence about the latest threats and vulnerabilities, but you will soon discover that keeping up with the pace of information can quickly become overwhelming. Along the same lines, try running a vulnerability scan of any average-sized environment for the first time and see how many hundreds of findings you get back; even if your organization has a mature security program, a typical scan will generate volumes of raw data that need to be analyzed. Unfortunately, many new security managers will start with this approach instead of first establishing the foundation for their program on a robust risk model, so they get lost in the race to combat the latest threats or close out vulnerabilities as quickly as possible without any prioritization. The result is that resource administrators spend all of their time responding to every new vulnerability report and applying every security patch; meanwhile, the security folks spend all of their time processing and tracking every new vulnerability when they should be focusing on prioritizing risks and developing a security strategy. It's easy to get caught up in trying to address each risk finding as soon as you discover it, and in doing so, you lose sight of the big picture. If you don't identify and address the root causes and systemic issues, then you will just keep killing time and resources fixing the same symptoms over and over again.

(Continues...)



Excerpted from Security Risk Management by Evan Wheeler Copyright © 2011 by Elsevier Inc.. Excerpted by permission of SYNGRESS. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.

Read More Show Less

Table of Contents

Part I - Introduction to Risk Management Chapter 1. The Security Evolution Chapter 2. Risky Business Chapter 3. The Risk Management Lifecycle Chapter 4. Risk Profiling Part II - Risk Assessment and Analysis Techniques Chapter 5. Formulating a Risk Chapter 6. Risk Exposure Factors Chapter 7. Security Controls and Services Chapter 8. Risk Evaluation and Mitigation Strategies Chapter 9. Reports and Consulting Chapter 10. Risk Assessment Techniques Part III - Building and Running a Risk Management Program Chapter 11. Threat and Vulnerability Management Chapter 12. Security Risk Reviews Chapter 13. A Blueprint for Security Chapter 14. Building a Program from Scratch Appendix A: Security Risk Profile Appendix B: Risk Models and Scales Appendix C: Architectural Risk Analysis Reference Tables

Read More Show Less

Customer Reviews

Be the first to write a review
( 0 )
Rating Distribution

5 Star

(0)

4 Star

(0)

3 Star

(0)

2 Star

(0)

1 Star

(0)

Your Rating:

Your Name: Create a Pen Name or

Barnes & Noble.com Review Rules

Our reader reviews allow you to share your comments on titles you liked, or didn't, with others. By submitting an online review, you are representing to Barnes & Noble.com that all information contained in your review is original and accurate in all respects, and that the submission of such content by you and the posting of such content by Barnes & Noble.com does not and will not violate the rights of any third party. Please follow the rules below to help ensure that your review can be posted.

Reviews by Our Customers Under the Age of 13

We highly value and respect everyone's opinion concerning the titles we offer. However, we cannot allow persons under the age of 13 to have accounts at BN.com or to post customer reviews. Please see our Terms of Use for more details.

What to exclude from your review:

Please do not write about reviews, commentary, or information posted on the product page. If you see any errors in the information on the product page, please send us an email.

Reviews should not contain any of the following:

  • - HTML tags, profanity, obscenities, vulgarities, or comments that defame anyone
  • - Time-sensitive information such as tour dates, signings, lectures, etc.
  • - Single-word reviews. Other people will read your review to discover why you liked or didn't like the title. Be descriptive.
  • - Comments focusing on the author or that may ruin the ending for others
  • - Phone numbers, addresses, URLs
  • - Pricing and availability information or alternative ordering information
  • - Advertisements or commercial solicitation

Reminder:

  • - By submitting a review, you grant to Barnes & Noble.com and its sublicensees the royalty-free, perpetual, irrevocable right and license to use the review in accordance with the Barnes & Noble.com Terms of Use.
  • - Barnes & Noble.com reserves the right not to post any review -- particularly those that do not follow the terms and conditions of these Rules. Barnes & Noble.com also reserves the right to remove any review at any time without notice.
  • - See Terms of Use for other conditions and disclaimers.
Search for Products You'd Like to Recommend

Recommend other products that relate to your review. Just search for them below and share!

Create a Pen Name

Your Pen Name is your unique identity on BN.com. It will appear on the reviews you write and other website activities. Your Pen Name cannot be edited, changed or deleted once submitted.

 
Your Pen Name can be any combination of alphanumeric characters (plus - and _), and must be at least two characters long.

Continue Anonymously
Sort by: Showing 1 Customer Reviews
  • Posted September 7, 2011

    YOU MUST CHECK THIS BOOK OUT NOW!!

    Are you analyzing new threats or vulnerabilities, performing security assessments, providing a technology audit function, or building an information security program? If you are, then this book is for you! Author Evan Wheeler, has done an outstanding job of writing a book that will help both security professionals and business managers understand how to qualify risk to the organization and make educated decisions about how to handle risk exposures. Wheeler, begins by summarizing the struggles of checklist-oriented practitioners trying to move security initiatives forward without a clear business focus and lays out a new vision for how risk management can change the dynamic. In addition, the author lays out each step of the risk management lifecycle, which should be used to keep your team focused on the areas of greatest risk for your organizations. He then shows you how to construct a risk statement that includes all of the necessary details to convey the likely consequences to senior management. The author then, focuses on simple and proven models for both qualitative and quantitative risk analysis. He continues by showing you how to organize an effective executive summary that will highlight the most critical themes from an assessment. In addition, the author focuses on the highlights that risk managers and analysts need to understand in order to work with their architects to develop at least a basic risk assessment model. Finally, he pulls together the various risk models, assessment techniques, activities, and processes from the entire book and lays out a strategy for turning this into an actual program. The goal of this most excellent book is to present a well designed security program that can leverage risk models to reduce some level of burden on the organization from the security and compliance requirements. Perhaps more importantly, this book shows you some distinct benefits and drawbacks of both qualitative and quantitative analysis approaches that are important to understand before you choose which model to implement in your own organization.

    1 out of 1 people found this review helpful.

    Was this review helpful? Yes  No   Report this review
Sort by: Showing 1 Customer Reviews

If you find inappropriate content, please report it to Barnes & Noble
Why is this product inappropriate?
Comments (optional)