The security risk assessment handbook: a complete guide for performing security risk assessments
Saved in:
Author: | Landoll, Douglas J. |
---|---|
Format: | Book |
Language: | English |
Published: | Boca Raton, FL: Auerbach Publications, 2006 |
Subjects: | Business / Data processing / Security measures; Computer security; Data protection; Risk assessment; Datenverarbeitung; Unternehmen; Computersicherheit |
Online access: | Table of contents |
Description: | XXI, 473 p. |
ISBN: | 0849329981 |
Internal format
MARC
Tag | Ind1 | Ind2 | Content
---|---|---|---|
LEADER | | | 00000nam a2200000zc 4500
001 | | | BV021325753
003 | | | DE-604
005 | | | 20060327
007 | | | t
008 | | | 060207s2006 xxu \|\|\|\| 00\|\|\| eng d
010 | | | $a 2005050717
020 | | | $a 0849329981 $9 0-8493-2998-1
035 | | | $a (OCoLC)60644880
035 | | | $a (DE-599)BVBBV021325753
040 | | | $a DE-604 $b ger $e aacr
041 | 0 | | $a eng
044 | | | $a xxu $c US
049 | | | $a DE-91G
050 | | 0 | $a HF5548.37
082 | 0 | | $a 658.4/7 $2 22
084 | | | $a DAT 460f $2 stub
100 | 1 | | $a Landoll, Douglas J. $e Verfasser $4 aut
245 | 1 | 0 | $a The security risk assessment handbook $b a complete guide for performing security risk assessments $c Douglas J. Landoll
264 | | 1 | $a Boca Raton, FL $b Auerbach Publications $c 2006
300 | | | $a XXI, 473 S.
336 | | | $b txt $2 rdacontent
337 | | | $b n $2 rdamedia
338 | | | $b nc $2 rdacarrier
650 | | 4 | $a Gestion - Informatique - Sécurité - Mesures
650 | | 4 | $a Protection de l'information (Informatique)
650 | | 4 | $a Sécurité informatique
650 | | 4 | $a Évaluation du risque
650 | | 4 | $a Datenverarbeitung
650 | | 4 | $a Wirtschaft
650 | | 4 | $a Business $x Data processing $x Security measures
650 | | 4 | $a Computer security
650 | | 4 | $a Data protection
650 | | 4 | $a Risk assessment
650 | 0 | 7 | $a Datenverarbeitung $0 (DE-588)4011152-0 $2 gnd $9 rswk-swf
650 | 0 | 7 | $a Unternehmen $0 (DE-588)4061963-1 $2 gnd $9 rswk-swf
650 | 0 | 7 | $a Computersicherheit $0 (DE-588)4274324-2 $2 gnd $9 rswk-swf
689 | 0 | 0 | $a Datenverarbeitung $0 (DE-588)4011152-0 $D s
689 | 0 | 1 | $a Unternehmen $0 (DE-588)4061963-1 $D s
689 | 0 | 2 | $a Computersicherheit $0 (DE-588)4274324-2 $D s
689 | 0 | | $5 DE-604
856 | 4 | 2 | $m HBZ Datenaustausch $q application/pdf $u http://bvbr.bib-bvb.de:8991/F?func=service&doc_library=BVB01&local_base=BVB01&doc_number=014646097&sequence=000002&line_number=0001&func_code=DB_RECORDS&service_type=MEDIA $3 Inhaltsverzeichnis
999 | | | $a oai:aleph.bib-bvb.de:BVB01-014646097
Record in search index
_version_ | 1804135136702234624 |
---|---|
adam_text | Contents
1 Introduction 1
1.1 The Need for an Information Security Program 2
1.2 Elements of an Information Security Program 4
1.2.1 Security Control Standards and Regulations 5
1.3 Common Core Information Security Practices 5
1.3.1 Unanimous Core Security Practices 6
1.3.2 Majority Core Security Practices 7
1.3.3 Core Security Practice Conclusions 8
1.4 Security Risk Assessment 8
1.4.1 The Role of the Security Risk Assessment 8
1.4.2 Definition of a Security Risk Assessment 10
1.4.3 The Need for a Security Risk Assessment 11
1.4.3.1 Checks and Balances 12
1.4.3.2 Periodic Review 12
1.4.3.3 Risk Based Spending 13
1.4.3.4 Requirement 14
1.4.4 Security Risk Assessment Secondary Benefits 14
1.5 Related Activities 15
1.5.1 Gap Assessment 16
1.5.2 Compliance Audit 16
1.5.3 Security Audit 19
1.5.4 Vulnerability Scanning 20
1.5.5 Penetration Testing 20
1.5.6 Ad Hoc Testing 20
1.5.7 Social Engineering 20
1.5.8 Wardialing 21
1.6 The Need for This Book 21
1.7 Who Is This Book For? 23
Notes 24
References 25
2 Information Security Risk Assessment Basics 27
2.1 Phase 1: Project Definition 27
2.2 Phase 2: Project Preparation 29
2.3 Phase 3: Data Gathering 29
2.4 Phase 4: Risk Analysis 29
2.4.1 Assets 30
2.4.2 Threat Agents and Threats 30
2.4.2.1 Threat Agents 31
2.4.2.2 Threats 32
2.4.3 Vulnerabilities 34
2.4.4 Security Risk 34
2.5 Phase 5: Risk Mitigation 35
2.5.1 Safeguards 36
2.5.2 Residual Security Risk 37
2.6 Phase 6: Risk Reporting and Resolution 38
2.6.1 Risk Resolution 38
Note 39
References 40
3 Project Definition 41
3.1 Ensuring Project Success 41
3.1.1 Success Definition 42
3.1.1.1 Customer Satisfaction 42
3.1.1.2 Quality of Work 46
3.1.1.3 Completion within Budget 52
3.1.2 Setting the Budget 53
3.1.3 Determining the Objective 54
3.1.4 Limiting the Scope 55
3.1.4.1 Underscoping 56
3.1.4.2 Overscoping 56
3.1.4.3 Security Controls 57
3.1.4.4 Assets 58
3.1.4.5 Reasonableness in Limiting the Scope 59
3.1.5 Identifying System Boundaries 60
3.1.5.1 Physical Boundary 60
3.1.5.2 Logical Boundaries 60
3.1.6 Specifying the Rigor 63
3.1.7 Sample Scope Statements 64
3.2 Project Description 64
3.2.1 Project Variables 64
3.2.2 Statement of Work 64
3.2.2.1 Specifying the Service Description 66
3.2.2.2 Scope of Security Controls 66
3.2.2.3 Specifying Deliverables 67
3.2.2.4 Contract Type 69
3.2.2.5 Contract Terms 70
Notes 74
References 75
4 Security Risk Assessment Preparation 77
4.1 Introduce the Team 77
4.1.1 Introductory Letter 78
4.1.2 Pre-Assessment Briefing 79
4.1.3 Obtain Proper Permission 80
4.1.3.1 Policies Required 80
4.1.3.2 Permission Required 81
4.1.3.3 Scope of Permission 82
4.1.3.4 Accounts Required 82
4.2 Review Business Mission 83
4.2.1 What Is a Business Mission 83
4.2.2 Obtaining Business Mission Information 84
4.3 Identify Critical Systems 85
4.3.1 Determining Criticality 86
4.3.1.1 Approach 1: Find the Information Elsewhere 86
4.3.1.2 Approach 2: Create the Information on a High Level 86
4.3.1.3 Approach 3: Classifying Critical Systems 88
4.4 Identify Assets 89
4.4.1 Checklists and Judgment 91
4.4.2 Asset Sensitivity/Criticality Classification 91
4.4.2.1 Approach 1: Find Asset Classification Information Elsewhere 91
4.4.2.2 Approach 2: Create Asset Classification Information Quickly 91
4.4.2.3 Approach 3: Create Asset Classification Information Laboriously 94
4.4.3 Asset Valuation 95
4.4.3.1 Approach 1: Binary Asset Valuation 95
4.4.3.2 Approach 2: Classification Based Asset Valuation 96
4.4.3.3 Approach 3: Rank Based Asset Valuation 96
4.4.3.4 Approach 4: Consensus Asset Valuation 97
4.4.3.5 Approaches 5-7: Accounting Valuation Approaches 97
4.4.3.6 Approach 5: Cost Valuation 98
4.4.3.7 Approach 6: Market Valuation 98
4.4.3.8 Approach 7: Income Valuation 99
4.5 Identifying Threats 99
4.5.1 Threat Components 100
4.5.1.1 Threat Agent 100
4.5.1.2 Undesirable Events 100
4.5.2 Listing Possible Threats 100
4.5.2.1 Checklists and Judgment 103
4.5.2.2 Threat Agent and Undesirable Event Pairing 103
4.5.3 Threat Statements 105
4.5.4 Validating Threat Statements 105
4.5.4.1 Factors Affecting Threat Statement Validity 107
4.6 Determine Expected Controls 108
Notes 112
References 114
5 Data Gathering 115
5.1 Sampling 117
5.1.1 Sampling Objectives 119
5.1.2 Sampling Types 120
5.1.3 Use of Sampling in Security Testing 121
5.1.3.1 Approach 1: Representative Testing 121
5.1.3.2 Approach 2: Selected Sampling 122
5.1.3.3 Approach 3: Random Sampling 122
5.2 The RIIOT Method of Data Gathering 123
5.2.1 RIIOT Method Benefits 123
5.2.2 RIIOT Method Approaches 123
5.2.2.1 Review Documents or Designs 124
5.2.2.2 Interview Key Personnel 130
5.2.2.3 Inspect Security Controls 140
5.2.2.4 Observe Behavior 143
5.2.2.5 Test Security Controls 144
5.2.3 Using the RIIOT Method 148
Notes 148
References 149
6 Administrative Data Gathering 151
6.1 Threats and Safeguards 151
6.1.1 Human Resources 154
6.1.1.1 Recruitment 154
6.1.1.2 Employment 156
6.1.1.3 Termination 158
6.1.2 Organizational Structure 159
6.1.2.1 Senior Management 159
6.1.2.2 Security Program 160
6.1.2.3 Security Operations 161
6.1.2.4 Audit 162
6.1.3 Information Control 163
6.1.3.1 User Accounts 163
6.1.3.2 User Error 164
6.1.3.3 Asset Control 164
6.1.3.4 Sensitive Information 165
6.1.4 Business Continuity 166
6.1.4.1 Contingency Planning 166
6.1.4.2 Incident Response Program 167
6.1.5 System Security 168
6.1.5.1 System Controls 168
6.1.5.2 Application Security 170
6.1.5.3 Configuration Management 170
6.1.5.4 Third Party Access 171
6.2 The RIIOT Method: Administrative Data Gathering 172
6.2.1 Review Administrative Documents 174
6.2.1.1 Documents to Request 174
6.2.1.2 Review Documents for Clarity, Consistency, and Completeness 175
6.2.1.3 Reviewing Documents Other Than Policies 182
6.2.2 Interview Administrative Personnel 186
6.2.2.1 Administrative Interview Topics 186
6.2.2.2 Administrative Interview Subjects 187
6.2.2.3 Administrative Interview Questions 188
6.2.3 Inspect Administrative Security Controls 190
6.2.3.1 Listing Administrative Security Controls 192
6.2.3.2 Verify Information Gathered 192
6.2.3.3 Determine Vulnerabilities 193
6.2.3.4 Document and Review Findings 194
6.2.3.5 Inspect the Security Organization 194
6.2.4 Observe Administrative Behavior 200
6.2.5 Test Administrative Security Controls 200
6.2.5.1 Information Labeling Testing 200
6.2.5.2 Media Destruction Testing 205
6.2.5.3 Account and Access Control Procedures Testing 207
6.2.5.4 Outsourcing and Information Exchange 209
Notes 211
References 213
7 Technical Data Gathering 215
7.1 Technical Threats and Safeguards 215
7.1.1 Information Control 215
7.1.1.1 User Error 215
7.1.1.2 Sensitive and Critical Information 218
7.1.1.3 User Accounts 219
7.1.2 Business Continuity 220
7.1.2.1 Contingency Planning 220
7.1.3 System Security 221
7.1.3.1 System Controls 221
7.1.3.2 Application Security 222
7.1.3.3 Change Management 222
7.1.4 Secure Architecture 223
7.1.4.1 Topology 223
7.1.4.2 Transmission 224
7.1.4.3 Perimeter Network 225
7.1.5 Components 226
7.1.5.1 Access Control 226
7.1.5.2 Intrusion Detection 227
7.1.6 Configuration 228
7.1.6.1 System Settings 229
7.1.7 Data Security 229
7.1.7.1 Storage 229
7.1.7.2 Transit 229
7.2 The RIIOT Method: Technical Data Gathering 230
7.2.1 Review Technical Documents 230
7.2.1.1 Technical Documents to Request 230
7.2.1.2 Review Technical Documents for Information 231
7.2.1.3 Review Technical Security Designs 231
7.2.2 Interview Technical Personnel 245
7.2.2.1 Technical Interview Topics 246
7.2.2.2 Technical Interview Subjects 246
7.2.2.3 Technical Interview Questions 246
7.2.3 Inspect Technical Security Controls 247
7.2.3.1 Listing Technical Security Controls 247
7.2.3.2 Verify Information Gathered 252
7.2.3.3 Determine Vulnerabilities 259
7.2.3.4 Document and Review Findings 259
7.2.4 Observe Technical Personnel Behavior 259
7.2.5 Test Technical Security Controls 259
7.2.5.1 Monitoring Technology 262
7.2.5.2 Audit Logs 262
7.2.5.3 Anti-Virus Systems 263
7.2.5.4 Automated Password Policies 263
7.2.5.5 Virtual Private Network 264
7.2.5.6 Firewalls, IDS, and System Hardening 264
7.2.5.7 Vulnerability Scanning 265
7.2.5.8 Penetration Testing 275
7.2.5.9 Testing Specific Technology 278
Notes 280
References 282
8 Physical Data Gathering 285
8.1 Physical Threats and Safeguards 286
8.1.1 Utilities and Interior Climate 286
8.1.1.1 Power 290
8.1.1.2 Heat 291
8.1.1.3 Humidity 291
8.1.2 Fire 292
8.1.2.1 Fire Impact and Likelihood 293
8.1.2.2 Fire Safeguards 293
8.1.2.3 Fire Alarm Systems 294
8.1.2.4 Fire Alarm Installation Types 298
8.1.2.5 Fire Suppression 300
8.1.2.6 Fire Evacuation 302
8.1.3 Flood and Water Damage 302
8.1.4 Lightning 305
8.1.5 Earthquakes 306
8.1.6 Volcanoes 307
8.1.7 Landslides 307
8.1.8 Hurricanes 308
8.1.9 Tornadoes 308
8.1.10 Natural Hazards Summary 308
8.1.11 Human Threats to Physical Security 310
8.1.11.1 Personnel Screening 311
8.1.11.2 Barriers 311
8.1.11.3 Lighting 313
8.1.11.4 Intrusion Detection 314
8.1.11.5 Physical Access Control 318
8.1.11.6 Preventing Unauthorized Entry 318
8.1.11.7 Preventing Unauthorized Removal 322
8.2 The RIIOT Method: Physical Data Gathering 322
8.2.1 Review Physical Documents 324
8.2.1.1 Physical Documents to Request 324
8.2.1.2 Review Physical Documents for Information 324
8.2.2 Interview Physical Personnel 330
8.2.2.1 Physical Security Interview Topics 332
8.2.2.2 Physical Security Interview Subjects 332
8.2.2.3 Physical Security Interview Questions 332
8.2.3 Inspect Physical Security Controls 332
8.2.3.1 Listing Physical Security Controls 333
8.2.3.2 Verify Information Gathered 340
8.2.3.3 Determine Physical Vulnerabilities 341
8.2.3.4 Document and Review Physical Findings 341
8.2.4 Observe Physical Personnel Behavior 341
8.2.5 Test Physical Security Safeguards 344
8.2.5.1 Doors and Locks 344
8.2.5.2 Intrusion Detection 344
Notes 350
References 351
9 Security Risk Analysis 353
9.1 Determining Risk 353
9.1.1 Uncertainty and Reducing Uncertainty 354
9.1.1.1 Review Available Data 357
9.1.1.2 Examine Historical Data 357
9.1.1.3 Use Judgment 358
9.1.1.4 Use Tools 359
9.1.1.5 Use Conditional Probabilities 359
9.2 Creating Risk Statements 362
9.3 Team Review of Security Risk Statements 363
9.3.1 Obtaining Consensus 363
9.3.2 Deriving Overall Security Risk 365
Notes 365
References 366
10 Security Risk Mitigation 367
10.1 Selecting Safeguards 367
10.2 Safeguard Solution Sets 368
10.2.1 Safeguard Cost Calculations 369
10.2.2 Justifying Safeguard Selections 370
10.2.2.1 Justification through Judgment 370
10.2.2.2 Cost-Benefit Analysis 371
10.3 Establishing Risk Parameters 375
Notes 375
References 376
11 Security Risk Assessment Reporting 377
11.1 Cautions in Reporting 377
11.2 Pointers in Reporting 379
11.3 Report Structure 380
11.3.1 Executive Level Report 380
11.3.2 Base Report 380
11.3.3 Appendices and Exhibits 381
11.4 Document Review Methodology: Create the Report Using a Top-Down Approach 382
11.4.1 Document Specification 383
11.4.2 Draft 384
11.4.3 Final 384
11.5 Assessment Brief 387
11.6 Action Plan 387
Notes 388
References 388
12 Security Risk Assessment Project Management 389
12.1 Project Planning 389
12.1.1 Project Definition 389
12.1.2 Project Planning Details 390
12.1.2.1 Project Phases and Activities 390
12.1.2.2 Phases and Activities Scheduling 390
12.1.2.3 Allocating Hours to Activities 392
12.1.3 Project Resources 393
12.1.3.1 Objectivity vs. Independence 393
12.1.3.2 Internal vs. External Team Members 395
12.1.3.3 Skills Required 395
12.1.3.4 Team Skills 396
12.1.3.5 Team Member Skills 396
12.2 Project Tracking 405
12.2.1 Hours Tracking 405
12.2.2 Calendar Time Tracking 406
12.2.3 Project Progress Tracking 407
12.3 Taking Corrective Measures 407
12.3.1 Obtaining More Resources 407
12.3.2 Using Management Reserve 408
12.4 Project Status Reporting 411
12.4.1 Report Detail 411
12.4.2 Report Frequency 412
12.4.3 Status Report Content 412
12.5 Project Conclusion and Wrap Up 412
12.5.1 Eliminating Scope Creep 413
12.5.2 Eliminating Project Run On 413
Notes 413
Reference 414
13 Security Risk Assessment Approaches 415
13.1 Quantitative vs. Qualitative Analysis 416
13.1.1 Quantitative Analysis 417
13.1.1.1 Expected Loss 417
13.1.1.2 Single Loss Expectancy 417
13.1.1.3 Annualized Loss Expectancy 418
13.1.1.4 Safeguard Value 418
13.1.1.5 Quantitative Analysis Advantages 419
13.1.1.6 Quantitative Analysis Disadvantages 421
13.1.2 Qualitative Analysis 423
13.1.2.1 Qualitative Analysis Advantages 424
13.1.2.2 Qualitative Analysis Disadvantages 425
13.2 Tools 426
13.2.1 Lists 426
13.2.2 Templates 426
13.3 Security Risk Assessment Methods 427
13.3.1 FAA Security Risk Management Process 427
13.3.2 OCTAVE 427
13.3.3 FRAP 430
13.3.4 CRAMM 430
13.3.5 NSA IAM 430
Notes 430
References 431
Appendix Relevant Standards and Regulations 433
GAISP 433
CobiT 435
ISO 17799 436
NIST Handbook 439
Management Controls 439
Operational Controls 440
Technical Controls 441
HIPAA: Security 441
Administrative Safeguards 442
Physical Safeguards 448
Technical Safeguards 450
Gramm-Leach-Bliley Act (GLB Act) 451
Notes 453
Index 455
|
any_adam_object | 1 |
any_adam_object_boolean | 1 |
author | Landoll, Douglas J. |
author_facet | Landoll, Douglas J. |
author_role | aut |
author_sort | Landoll, Douglas J. |
author_variant | d j l dj djl |
building | Verbundindex |
bvnumber | BV021325753 |
callnumber-first | H - Social Science |
callnumber-label | HF5548 |
callnumber-raw | HF5548.37 |
callnumber-search | HF5548.37 |
callnumber-sort | HF 45548.37 |
callnumber-subject | HF - Commerce |
classification_tum | DAT 460f |
ctrlnum | (OCoLC)60644880 (DE-599)BVBBV021325753 |
dewey-full | 658.4/7 |
dewey-hundreds | 600 - Technology (Applied sciences) |
dewey-ones | 658 - General management |
dewey-raw | 658.4/7 |
dewey-search | 658.4/7 |
dewey-sort | 3658.4 17 |
dewey-tens | 650 - Management and auxiliary services |
discipline | Informatik Wirtschaftswissenschaften |
discipline_str_mv | Informatik Wirtschaftswissenschaften |
format | Book |
fullrecord | <?xml version="1.0" encoding="UTF-8"?><collection xmlns="http://www.loc.gov/MARC21/slim"><record><leader>01961nam a2200529zc 4500</leader><controlfield tag="001">BV021325753</controlfield><controlfield tag="003">DE-604</controlfield><controlfield tag="005">20060327 </controlfield><controlfield tag="007">t</controlfield><controlfield tag="008">060207s2006 xxu |||| 00||| eng d</controlfield><datafield tag="010" ind1=" " ind2=" "><subfield code="a">2005050717</subfield></datafield><datafield tag="020" ind1=" " ind2=" "><subfield code="a">0849329981</subfield><subfield code="9">0-8493-2998-1</subfield></datafield><datafield tag="035" ind1=" " ind2=" "><subfield code="a">(OCoLC)60644880</subfield></datafield><datafield tag="035" ind1=" " ind2=" "><subfield code="a">(DE-599)BVBBV021325753</subfield></datafield><datafield tag="040" ind1=" " ind2=" "><subfield code="a">DE-604</subfield><subfield code="b">ger</subfield><subfield code="e">aacr</subfield></datafield><datafield tag="041" ind1="0" ind2=" "><subfield code="a">eng</subfield></datafield><datafield tag="044" ind1=" " ind2=" "><subfield code="a">xxu</subfield><subfield code="c">US</subfield></datafield><datafield tag="049" ind1=" " ind2=" "><subfield code="a">DE-91G</subfield></datafield><datafield tag="050" ind1=" " ind2="0"><subfield code="a">HF5548.37</subfield></datafield><datafield tag="082" ind1="0" ind2=" "><subfield code="a">658.4/7</subfield><subfield code="2">22</subfield></datafield><datafield tag="084" ind1=" " ind2=" "><subfield code="a">DAT 460f</subfield><subfield code="2">stub</subfield></datafield><datafield tag="100" ind1="1" ind2=" "><subfield code="a">Landoll, Douglas J.</subfield><subfield code="e">Verfasser</subfield><subfield code="4">aut</subfield></datafield><datafield tag="245" ind1="1" ind2="0"><subfield code="a">The security risk assessment handbook</subfield><subfield code="b">a complete guide for performing security risk assessments</subfield><subfield code="c">Douglas J. Landoll</subfield></datafield><datafield tag="264" ind1=" " ind2="1"><subfield code="a">Boca Raton, FL</subfield><subfield code="b">Auerbach Publications</subfield><subfield code="c">2006</subfield></datafield><datafield tag="300" ind1=" " ind2=" "><subfield code="a">XXI, 473 S.</subfield></datafield><datafield tag="336" ind1=" " ind2=" "><subfield code="b">txt</subfield><subfield code="2">rdacontent</subfield></datafield><datafield tag="337" ind1=" " ind2=" "><subfield code="b">n</subfield><subfield code="2">rdamedia</subfield></datafield><datafield tag="338" ind1=" " ind2=" "><subfield code="b">nc</subfield><subfield code="2">rdacarrier</subfield></datafield><datafield tag="650" ind1=" " ind2="4"><subfield code="a">Gestion - Informatique - Sécurité - Mesures</subfield></datafield><datafield tag="650" ind1=" " ind2="4"><subfield code="a">Protection de l'information (Informatique)</subfield></datafield><datafield tag="650" ind1=" " ind2="4"><subfield code="a">Sécurité informatique</subfield></datafield><datafield tag="650" ind1=" " ind2="4"><subfield code="a">Évaluation du risque</subfield></datafield><datafield tag="650" ind1=" " ind2="4"><subfield code="a">Datenverarbeitung</subfield></datafield><datafield tag="650" ind1=" " ind2="4"><subfield code="a">Wirtschaft</subfield></datafield><datafield tag="650" ind1=" " ind2="4"><subfield code="a">Business</subfield><subfield code="x">Data processing</subfield><subfield code="x">Security measures</subfield></datafield><datafield tag="650" ind1=" " ind2="4"><subfield code="a">Computer security</subfield></datafield><datafield tag="650" ind1=" " ind2="4"><subfield code="a">Data protection</subfield></datafield><datafield tag="650" ind1=" " ind2="4"><subfield code="a">Risk assessment</subfield></datafield><datafield tag="650" ind1="0" ind2="7"><subfield code="a">Datenverarbeitung</subfield><subfield code="0">(DE-588)4011152-0</subfield><subfield code="2">gnd</subfield><subfield code="9">rswk-swf</subfield></datafield><datafield tag="650" ind1="0" ind2="7"><subfield code="a">Unternehmen</subfield><subfield code="0">(DE-588)4061963-1</subfield><subfield code="2">gnd</subfield><subfield code="9">rswk-swf</subfield></datafield><datafield tag="650" ind1="0" ind2="7"><subfield code="a">Computersicherheit</subfield><subfield code="0">(DE-588)4274324-2</subfield><subfield code="2">gnd</subfield><subfield code="9">rswk-swf</subfield></datafield><datafield tag="689" ind1="0" ind2="0"><subfield code="a">Datenverarbeitung</subfield><subfield code="0">(DE-588)4011152-0</subfield><subfield code="D">s</subfield></datafield><datafield tag="689" ind1="0" ind2="1"><subfield code="a">Unternehmen</subfield><subfield code="0">(DE-588)4061963-1</subfield><subfield code="D">s</subfield></datafield><datafield tag="689" ind1="0" ind2="2"><subfield code="a">Computersicherheit</subfield><subfield code="0">(DE-588)4274324-2</subfield><subfield code="D">s</subfield></datafield><datafield tag="689" ind1="0" ind2=" "><subfield code="5">DE-604</subfield></datafield><datafield tag="856" ind1="4" ind2="2"><subfield code="m">HBZ Datenaustausch</subfield><subfield code="q">application/pdf</subfield><subfield code="u">http://bvbr.bib-bvb.de:8991/F?func=service&doc_library=BVB01&local_base=BVB01&doc_number=014646097&sequence=000002&line_number=0001&func_code=DB_RECORDS&service_type=MEDIA</subfield><subfield code="3">Inhaltsverzeichnis</subfield></datafield><datafield tag="999" ind1=" " ind2=" "><subfield code="a">oai:aleph.bib-bvb.de:BVB01-014646097</subfield></datafield></record></collection> |
id | DE-604.BV021325753 |
illustrated | Not Illustrated |
index_date | 2024-07-02T14:00:17Z |
indexdate | 2024-07-09T20:35:43Z |
institution | BVB |
isbn | 0849329981 |
language | English |
lccn | 2005050717 |
oai_aleph_id | oai:aleph.bib-bvb.de:BVB01-014646097 |
oclc_num | 60644880 |
open_access_boolean | |
owner | DE-91G DE-BY-TUM |
owner_facet | DE-91G DE-BY-TUM |
physical | XXI, 473 S. |
publishDate | 2006 |
publishDateSearch | 2006 |
publishDateSort | 2006 |
publisher | Auerbach Publications |
record_format | marc |
spelling | Landoll, Douglas J. Verfasser aut The security risk assessment handbook a complete guide for performing security risk assessments Douglas J. Landoll Boca Raton, FL Auerbach Publications 2006 XXI, 473 S. txt rdacontent n rdamedia nc rdacarrier Gestion - Informatique - Sécurité - Mesures Protection de l'information (Informatique) Sécurité informatique Évaluation du risque Datenverarbeitung Wirtschaft Business Data processing Security measures Computer security Data protection Risk assessment Datenverarbeitung (DE-588)4011152-0 gnd rswk-swf Unternehmen (DE-588)4061963-1 gnd rswk-swf Computersicherheit (DE-588)4274324-2 gnd rswk-swf Datenverarbeitung (DE-588)4011152-0 s Unternehmen (DE-588)4061963-1 s Computersicherheit (DE-588)4274324-2 s DE-604 HBZ Datenaustausch application/pdf http://bvbr.bib-bvb.de:8991/F?func=service&doc_library=BVB01&local_base=BVB01&doc_number=014646097&sequence=000002&line_number=0001&func_code=DB_RECORDS&service_type=MEDIA Inhaltsverzeichnis |
spellingShingle | Landoll, Douglas J. The security risk assessment handbook a complete guide for performing security risk assessments Gestion - Informatique - Sécurité - Mesures Protection de l'information (Informatique) Sécurité informatique Évaluation du risque Datenverarbeitung Wirtschaft Business Data processing Security measures Computer security Data protection Risk assessment Datenverarbeitung (DE-588)4011152-0 gnd Unternehmen (DE-588)4061963-1 gnd Computersicherheit (DE-588)4274324-2 gnd |
subject_GND | (DE-588)4011152-0 (DE-588)4061963-1 (DE-588)4274324-2 |
title | The security risk assessment handbook a complete guide for performing security risk assessments |
title_auth | The security risk assessment handbook a complete guide for performing security risk assessments |
title_exact_search | The security risk assessment handbook a complete guide for performing security risk assessments |
title_exact_search_txtP | The security risk assessment handbook a complete guide for performing security risk assessments |
title_full | The security risk assessment handbook a complete guide for performing security risk assessments Douglas J. Landoll |
title_fullStr | The security risk assessment handbook a complete guide for performing security risk assessments Douglas J. Landoll |
title_full_unstemmed | The security risk assessment handbook a complete guide for performing security risk assessments Douglas J. Landoll |
title_short | The security risk assessment handbook |
title_sort | the security risk assessment handbook a complete guide for performing security risk assessments |
title_sub | a complete guide for performing security risk assessments |
topic | Gestion - Informatique - Sécurité - Mesures Protection de l'information (Informatique) Sécurité informatique Évaluation du risque Datenverarbeitung Wirtschaft Business Data processing Security measures Computer security Data protection Risk assessment Datenverarbeitung (DE-588)4011152-0 gnd Unternehmen (DE-588)4061963-1 gnd Computersicherheit (DE-588)4274324-2 gnd |
topic_facet | Gestion - Informatique - Sécurité - Mesures Protection de l'information (Informatique) Sécurité informatique Évaluation du risque Datenverarbeitung Wirtschaft Business Data processing Security measures Computer security Data protection Risk assessment Unternehmen Computersicherheit |
url | http://bvbr.bib-bvb.de:8991/F?func=service&doc_library=BVB01&local_base=BVB01&doc_number=014646097&sequence=000002&line_number=0001&func_code=DB_RECORDS&service_type=MEDIA |
work_keys_str_mv | AT landolldouglasj thesecurityriskassessmenthandbookacompleteguideforperformingsecurityriskassessments |