Security risk management: building an information security risk management program from the ground up
Saved in:
1. Author: | |
---|---|
Format: | Book |
Language: | English |
Published: | Amsterdam [u.a.]: Elsevier, 2011 |
Subjects: | |
Online access: | Table of contents |
Description: | XX, 340 pages |
ISBN: | 9781597496155 |
Internal format
MARC
LEADER | 00000nam a2200000 c 4500 | ||
---|---|---|---|
001 | BV039157612 | ||
003 | DE-604 | ||
005 | 20121015 | ||
007 | t | ||
008 | 110726s2011 ne |||| 00||| eng d | ||
020 | |a 9781597496155 |9 978-1-59749-615-5 | ||
035 | |a (OCoLC)748331103 | ||
035 | |a (DE-599)BVBBV039157612 | ||
040 | |a DE-604 |b ger |e rakwb | ||
041 | 1 | |h eng | |
044 | |a ne |c NL | ||
049 | |a DE-2070s |a DE-355 | ||
084 | |a QP 345 |0 (DE-625)141866: |2 rvk | ||
100 | 1 | |a Wheeler, Evan |e Verfasser |4 aut | |
245 | 1 | 0 | |a Security risk management |b building an information ; security risk management ; program from the ground up |c Evan Wheeler |
264 | 1 | |a Amsterdam [u.a.] |b Elsevier |c 2011 | |
300 | |a XX, 340 S. | ||
336 | |b txt |2 rdacontent | ||
337 | |b n |2 rdamedia | ||
338 | |b nc |2 rdacarrier | ||
650 | 0 | 7 | |a Unternehmen |0 (DE-588)4061963-1 |2 gnd |9 rswk-swf |
650 | 0 | 7 | |a Risikomanagement |0 (DE-588)4121590-4 |2 gnd |9 rswk-swf |
689 | 0 | 0 | |a Unternehmen |0 (DE-588)4061963-1 |D s |
689 | 0 | 1 | |a Risikomanagement |0 (DE-588)4121590-4 |D s |
689 | 0 | |C b |5 DE-604 | |
856 | 4 | 2 | |m Digitalisierung UB Regensburg |q application/pdf |u http://bvbr.bib-bvb.de:8991/F?func=service&doc_library=BVB01&local_base=BVB01&doc_number=024175217&sequence=000002&line_number=0001&func_code=DB_RECORDS&service_type=MEDIA |3 Inhaltsverzeichnis |
999 | |a oai:aleph.bib-bvb.de:BVB01-024175217 |
Record in search index
_version_ | 1804148004732534784 |
---|---|
adam_text | Contents
Preface ..... xiii
PART I INTRODUCTION TO RISK MANAGEMENT
CHAPTER 1 The Security Evolution ..... 3
  Introduction ..... 3
  How We Got Here ..... 3
    Banning Best Practices ..... 4
    Looking Inside the Perimeter ..... 6
  A Risk-Focused Future ..... 6
    A New Path Forward ..... 6
    The Shangri-La of Risk Management ..... 7
  Information Security Fundamentals ..... 8
    Safety before Security ..... 8
    The Lure of Security by Obscurity ..... 9
    Redefining the CIA Triad ..... 10
    Security Design Principles ..... 11
    Threats to Information ..... 16
  The Death of Information Security ..... 16
    Security Team Responsibilities ..... 16
    Modern Information Security Challenges ..... 17
    The Next Evolution ..... 18
  Summary ..... 19
  References ..... 19
CHAPTER 2 Risky Business ..... 21
  Introduction ..... 21
  Applying Risk Management to Information Security ..... 21
    Mission of Information Security ..... 22
    Goal of Risk Management ..... 22
    Architecting a Security Program ..... 24
    How Does it Help? ..... 25
  Business-Driven Security Program ..... 28
    Work Smarter, Not Harder ..... 28
    Positioning Information Security ..... 30
    Due Diligence ..... 30
    Facilitating Decision Making ..... 32
  Security as an Investment ..... 34
    Security Metrics ..... 35
  Qualitative versus Quantitative ..... 37
    Qualitative Analysis ..... 38
    Quantitative Analysis ..... 39
  Summary ..... 40
  Action Plan ..... 41
  References ..... 41
CHAPTER 3 The Risk Management Lifecycle ..... 43
  Introduction ..... 43
  Stages of the Risk Management Lifecycle ..... 43
    Risk Is a Moving Target ..... 44
    A Comprehensive Risk Management Workflow ..... 46
  Business Impact Assessment ..... 48
    Resource Profiling ..... 48
  A Vulnerability Assessment Is Not a Risk Assessment ..... 50
    Vulnerability Assessment ..... 51
    Risk Assessment ..... 51
  Making Risk Decisions ..... 53
    Risk Evaluation ..... 53
    Document ..... 55
  Mitigation Planning and Long-Term Strategy ..... 56
    Risk Mitigation ..... 56
    Validation ..... 57
    Monitoring and Audit ..... 57
  Process Ownership ..... 59
  Summary ..... 60
  Action Plan ..... 60
PART II RISK ASSESSMENT AND ANALYSIS TECHNIQUES
CHAPTER 4 Risk Profiling ..... 63
  Introduction ..... 63
  How Risk Sensitivity Is Measured ..... 63
    Making a Resource List ..... 64
    Sensitivity, Not Exposure ..... 65
    Security Risk Profile ..... 66
    Profiling in Practice ..... 68
  Asking the Right Questions ..... 71
    Risk Impact Categories and Examples ..... 71
    Profile Design ..... 73
    Calculating Sensitivity ..... 78
  Assessing Risk Appetite ..... 81
    Assessing the C-Level ..... 82
    Setting Risk Thresholds and Determining Tolerance Ranges ..... 83
  Summary ..... 84
  Action Plan ..... 84
  Reference ..... 85
CHAPTER 5 Formulating a Risk ..... 87
  Introduction ..... 87
  Breaking down a Risk ..... 87
    Finding the Risk, Part 1 ..... 88
    Terminology Is Key ..... 88
    Envision the Consequences ..... 90
    Finding the Risk, Part II ..... 92
  Who or What Is the Threat? ..... 95
    Defining Threats ..... 95
    Threat Analysis ..... 99
    Threats Are Different from Risks ..... 100
  Summary ..... 102
  Action Plan ..... 102
  References ..... 103
CHAPTER 6 Risk Exposure Factors ..... 105
  Introduction ..... 105
  Qualitative Risk Measures ..... 105
    Defining Severity ..... 106
    Defining Likelihood ..... 111
    Qualitative Risk Exposure ..... 114
    Applying Sensitivity ..... 115
  Risk Assessment ..... 117
    Qualitative Risk Analysis ..... 117
    Quantitative Risk Analysis ..... 123
  Summary ..... 124
  Action Plan ..... 125
  Reference ..... 125
CHAPTER 7 Security Controls and Services ..... 127
  Introduction ..... 127
  Fundamental Security Services ..... 127
    Security Control Principles ..... 128
    Assurance Models ..... 129
    Access Control Models ..... 130
    Security Services ..... 131
    Composite Services ..... 143
  Recommended Controls ..... 144
    Fundamental Security Control Requirements ..... 144
  Summary ..... 145
  Action Plan ..... 146
  Reference ..... 146
CHAPTER 8 Risk Evaluation and Mitigation Strategies ..... 147
  Introduction ..... 147
  Risk Evaluation ..... 147
    Security's Role in Decision Making ..... 148
    Documenting Risk Decisions ..... 151
    Calculating the Cost of Remediation ..... 153
    Residual Risk ..... 154
  Risk Mitigation Planning ..... 154
    Mitigation Approaches ..... 154
    Choosing Controls ..... 156
  Policy Exceptions and Risk Acceptance ..... 156
    Exception Workflow ..... 157
    Signature Requirements ..... 159
    Expiration and Renewal ..... 161
  Summary ..... 161
  Action Plan ..... 162
CHAPTER 9 Reports and Consulting ..... 163
  Introduction ..... 163
  Risk Management Artifacts ..... 163
  A Consultant's Perspective ..... 165
    Octave Allegro ..... 165
    Risk Assessment Engagement ..... 168
    Structure of a Risk Assessment Report ..... 175
    Executive Communication ..... 181
  Writing Audit Responses ..... 183
  Summary ..... 187
  Action Plan ..... 188
  References ..... 188
CHAPTER 10 Risk Assessment Techniques ..... 189
  Introduction ..... 189
  Operational Assessments ..... 189
    Operational Techniques ..... 190
    Assessment Approaches for Different Sized Scopes ..... 197
  Project-Based Assessments ..... 198
    Risk Assessments in the Project Lifecycle ..... 198
    The FRAAP Approach ..... 199
  Third-Party Assessments ..... 205
    Industry Standard Assessments ..... 206
    Improving the Process ..... 210
  Summary ..... 211
  Action Plan ..... 211
  References ..... 212
PART III BUILDING AND RUNNING A RISK MANAGEMENT PROGRAM
CHAPTER 11 Threat and Vulnerability Management ..... 215
  Introduction ..... 215
  Building Blocks ..... 215
    Program Essentials ..... 216
    Asset and Data Inventory ..... 218
    Resource Profiling ..... 219
  Threat Identification ..... 220
    Threat Data Sources ..... 221
  Advisories and Testing ..... 222
    Rating Vulnerabilities ..... 222
  An Efficient Workflow ..... 228
    Defining a Workflow ..... 229
    Exceptions ..... 230
  The FAIR Approach ..... 230
    Measuring Risks ..... 231
  Summary ..... 236
  Action Plan ..... 237
  References ..... 237
CHAPTER 12 Security Risk Reviews ..... 239
  Introduction ..... 239
  Assessing the State of Compliance ..... 239
    Balancing Security and Risk ..... 240
    Qualifying the Risk ..... 241
  Implementing a Process ..... 242
    Workflow Steps ..... 242
  Process Optimization: A Review of Key Points ..... 251
  The NIST Approach ..... 253
    The NIST Evolution ..... 253
    Focus of the NIST Process ..... 254
  Summary ..... 257
  Action Plan ..... 257
  References ..... 257
CHAPTER 13 A Blueprint for Security ..... 259
  Introduction ..... 259
  Risk in the Development Lifecycle ..... 259
    Analysis Workflow ..... 261
  Security Architecture ..... 263
    Goal of Security Architecture ..... 263
    Developing an Architecture ..... 264
    Security Architecture Principles ..... 267
    Separation by Risk Profile ..... 267
    Rules of Data Movement ..... 268
    Information Flow Control Model ..... 269
    Nontraversable Boundaries ..... 269
    Trust Relationships ..... 269
    Security Zones ..... 272
  Patterns and Baselines ..... 273
    Services (Payload) Traffic ..... 273
    Management Traffic ..... 273
    Infrastructure Common Services ..... 274
    External versus Internal Traffic ..... 274
    Transitive Risk Considerations ..... 274
    Traversing Risk Sensitivity Boundaries ..... 275
    Combining Security Controls ..... 275
    Aggregate and Partial Data ..... 276
    Multidevice Systems ..... 276
    Front-End versus Back-End Application Tiers ..... 277
    Public-Facing Resources ..... 277
    Internal Nonstandard Clients ..... 277
  Architectural Risk Analysis ..... 278
    Detailed Risk Analysis Workflow ..... 278
  Summary ..... 283
  Action Plan ..... 284
  Reference ..... 284
CHAPTER 14 Building a Program from Scratch ..... 285
  Introduction ..... 285
  Designing a Risk Program ..... 285
    Risk Is the Core ..... 286
    Program Goals ..... 287
    Starting from Scratch ..... 288
    Comparing the Models ..... 290
  Prerequisites for a Risk Management Program ..... 291
    Security Policies and Standards ..... 292
    Information Resources Inventory ..... 292
    Security Liaisons ..... 293
  Risk at the Enterprise Level ..... 295
    Common Risk Formula ..... 295
    Enterprise Risk Committee ..... 296
    Mapping Risk Domains to Business Objectives ..... 296
    Examples of Risk Areas ..... 298
  Linking the Program Components ..... 298
    Tying Other Security Processes to Risk ..... 298
    Risk and Exception Tracking System ..... 299
  Program Roadmap ..... 300
    Lessons from the Trenches ..... 301
  Summary ..... 302
  Reference ..... 302
Appendix A: Sample Security Risk Profile ..... 303
Appendix B: Qualitative Risk Scale Reference Tables ..... 309
Appendix C: Architectural Risk Analysis Reference Tables ..... 313
Index ..... 331
|
any_adam_object | 1 |
author | Wheeler, Evan |
author_facet | Wheeler, Evan |
author_role | aut |
author_sort | Wheeler, Evan |
author_variant | e w ew |
building | Verbundindex |
bvnumber | BV039157612 |
classification_rvk | QP 345 |
ctrlnum | (OCoLC)748331103 (DE-599)BVBBV039157612 |
discipline | Wirtschaftswissenschaften |
format | Book |
fullrecord | <?xml version="1.0" encoding="UTF-8"?><collection xmlns="http://www.loc.gov/MARC21/slim"><record><leader>01360nam a2200349 c 4500</leader><controlfield tag="001">BV039157612</controlfield><controlfield tag="003">DE-604</controlfield><controlfield tag="005">20121015 </controlfield><controlfield tag="007">t</controlfield><controlfield tag="008">110726s2011 ne |||| 00||| eng d</controlfield><datafield tag="020" ind1=" " ind2=" "><subfield code="a">9781597496155</subfield><subfield code="9">978-1-59749-615-5</subfield></datafield><datafield tag="035" ind1=" " ind2=" "><subfield code="a">(OCoLC)748331103</subfield></datafield><datafield tag="035" ind1=" " ind2=" "><subfield code="a">(DE-599)BVBBV039157612</subfield></datafield><datafield tag="040" ind1=" " ind2=" "><subfield code="a">DE-604</subfield><subfield code="b">ger</subfield><subfield code="e">rakwb</subfield></datafield><datafield tag="041" ind1="1" ind2=" "><subfield code="h">eng</subfield></datafield><datafield tag="044" ind1=" " ind2=" "><subfield code="a">ne</subfield><subfield code="c">NL</subfield></datafield><datafield tag="049" ind1=" " ind2=" "><subfield code="a">DE-2070s</subfield><subfield code="a">DE-355</subfield></datafield><datafield tag="084" ind1=" " ind2=" "><subfield code="a">QP 345</subfield><subfield code="0">(DE-625)141866:</subfield><subfield code="2">rvk</subfield></datafield><datafield tag="100" ind1="1" ind2=" "><subfield code="a">Wheeler, Evan</subfield><subfield code="e">Verfasser</subfield><subfield code="4">aut</subfield></datafield><datafield tag="245" ind1="1" ind2="0"><subfield code="a">Security risk management</subfield><subfield code="b">building an information ; security risk management ; program from the ground up</subfield><subfield code="c">Evan Wheeler</subfield></datafield><datafield tag="264" ind1=" " ind2="1"><subfield code="a">Amsterdam [u.a.]</subfield><subfield code="b">Elsevier</subfield><subfield code="c">2011</subfield></datafield><datafield tag="300" ind1=" " ind2=" "><subfield code="a">XX, 340 S.</subfield></datafield><datafield tag="336" ind1=" " ind2=" "><subfield code="b">txt</subfield><subfield code="2">rdacontent</subfield></datafield><datafield tag="337" ind1=" " ind2=" "><subfield code="b">n</subfield><subfield code="2">rdamedia</subfield></datafield><datafield tag="338" ind1=" " ind2=" "><subfield code="b">nc</subfield><subfield code="2">rdacarrier</subfield></datafield><datafield tag="650" ind1="0" ind2="7"><subfield code="a">Unternehmen</subfield><subfield code="0">(DE-588)4061963-1</subfield><subfield code="2">gnd</subfield><subfield code="9">rswk-swf</subfield></datafield><datafield tag="650" ind1="0" ind2="7"><subfield code="a">Risikomanagement</subfield><subfield code="0">(DE-588)4121590-4</subfield><subfield code="2">gnd</subfield><subfield code="9">rswk-swf</subfield></datafield><datafield tag="689" ind1="0" ind2="0"><subfield code="a">Unternehmen</subfield><subfield code="0">(DE-588)4061963-1</subfield><subfield code="D">s</subfield></datafield><datafield tag="689" ind1="0" ind2="1"><subfield code="a">Risikomanagement</subfield><subfield code="0">(DE-588)4121590-4</subfield><subfield code="D">s</subfield></datafield><datafield tag="689" ind1="0" ind2=" "><subfield code="C">b</subfield><subfield code="5">DE-604</subfield></datafield><datafield tag="856" ind1="4" ind2="2"><subfield code="m">Digitalisierung UB Regensburg</subfield><subfield code="q">application/pdf</subfield><subfield code="u">http://bvbr.bib-bvb.de:8991/F?func=service&doc_library=BVB01&local_base=BVB01&doc_number=024175217&sequence=000002&line_number=0001&func_code=DB_RECORDS&service_type=MEDIA</subfield><subfield code="3">Inhaltsverzeichnis</subfield></datafield><datafield tag="999" ind1=" " ind2=" "><subfield code="a">oai:aleph.bib-bvb.de:BVB01-024175217</subfield></datafield></record></collection> |
id | DE-604.BV039157612 |
illustrated | Not Illustrated |
indexdate | 2024-07-10T00:00:15Z |
institution | BVB |
isbn | 9781597496155 |
language | English |
oai_aleph_id | oai:aleph.bib-bvb.de:BVB01-024175217 |
oclc_num | 748331103 |
open_access_boolean | |
owner | DE-2070s DE-355 DE-BY-UBR |
owner_facet | DE-2070s DE-355 DE-BY-UBR |
physical | XX, 340 S. |
publishDate | 2011 |
publishDateSearch | 2011 |
publishDateSort | 2011 |
publisher | Elsevier |
record_format | marc |
spelling | Wheeler, Evan Verfasser aut Security risk management building an information ; security risk management ; program from the ground up Evan Wheeler Amsterdam [u.a.] Elsevier 2011 XX, 340 S. txt rdacontent n rdamedia nc rdacarrier Unternehmen (DE-588)4061963-1 gnd rswk-swf Risikomanagement (DE-588)4121590-4 gnd rswk-swf Unternehmen (DE-588)4061963-1 s Risikomanagement (DE-588)4121590-4 s b DE-604 Digitalisierung UB Regensburg application/pdf http://bvbr.bib-bvb.de:8991/F?func=service&doc_library=BVB01&local_base=BVB01&doc_number=024175217&sequence=000002&line_number=0001&func_code=DB_RECORDS&service_type=MEDIA Inhaltsverzeichnis |
spellingShingle | Wheeler, Evan Security risk management building an information ; security risk management ; program from the ground up Unternehmen (DE-588)4061963-1 gnd Risikomanagement (DE-588)4121590-4 gnd |
subject_GND | (DE-588)4061963-1 (DE-588)4121590-4 |
title | Security risk management building an information ; security risk management ; program from the ground up |
title_auth | Security risk management building an information ; security risk management ; program from the ground up |
title_exact_search | Security risk management building an information ; security risk management ; program from the ground up |
title_full | Security risk management building an information ; security risk management ; program from the ground up Evan Wheeler |
title_fullStr | Security risk management building an information ; security risk management ; program from the ground up Evan Wheeler |
title_full_unstemmed | Security risk management building an information ; security risk management ; program from the ground up Evan Wheeler |
title_short | Security risk management |
title_sort | security risk management building an information security risk management program from the ground up |
title_sub | building an information ; security risk management ; program from the ground up |
topic | Unternehmen (DE-588)4061963-1 gnd Risikomanagement (DE-588)4121590-4 gnd |
topic_facet | Unternehmen Risikomanagement |
url | http://bvbr.bib-bvb.de:8991/F?func=service&doc_library=BVB01&local_base=BVB01&doc_number=024175217&sequence=000002&line_number=0001&func_code=DB_RECORDS&service_type=MEDIA |
work_keys_str_mv | AT wheelerevan securityriskmanagementbuildinganinformationsecurityriskmanagementprogramfromthegroundup |