| Section | Page | Pages |
|---|---|---|
| Preface | xix | |
| Acknowledgments | xxiii | |
| About the Authors | xxv | |
| PART ONE Risk Management Business Challenges | 1 | 108 |
| Chapter 1 Risk Management Fundamentals | 3 | 24 |
| | 4 | 1 |
| Compromise of Business Functions | 5 | 1 |
| Threats, Vulnerabilities, Assets, and Impact | 6 | 3 |
| | 9 | 1 |
| | 10 | 1 |
| Risks Posed by a Lack of Process | 11 | 1 |
| Risks Posed by Technology | 12 | 2 |
| Risk Identification Techniques | 14 | 1 |
| | 14 | 2 |
| Identifying Vulnerabilities | 16 | 1 |
| Assessing Impact and Likelihood | 17 | 2 |
| | 19 | 1 |
| | 20 | 1 |
| Profitability Versus Survivability | 21 | 2 |
| | 23 | 1 |
| | 23 | 1 |
| | 23 | 1 |
| | 23 | 1 |
| | 24 | 1 |
| | 24 | 1 |
| | 25 | 1 |
| | 25 | 1 |
| | 26 | 1 |
| Chapter 2 Managing Risk: Threats, Vulnerabilities, and Exploits | 27 | 28 |
| Understanding and Protecting Assets | 28 | 1 |
| Understanding and Managing Threats | 28 | 1 |
| Uncontrollable Nature of Threats | 29 | 1 |
| | 29 | 1 |
| | 30 | 2 |
| Best Practices for Managing Risk Within an IT Infrastructure | 32 | 1 |
| EY Global Information Security Survey 2018-2019 | 33 | 1 |
| Understanding and Managing Vulnerabilities | 34 | 1 |
| Threat/Vulnerability Pairs | 34 | 1 |
| Vulnerabilities Can Be Mitigated | 35 | 1 |
| | 35 | 4 |
| Best Practices for Managing Vulnerabilities Within an IT Infrastructure | 39 | 1 |
| Understanding and Managing Exploits | 39 | 1 |
| | 39 | 3 |
| How Do Perpetrators Initiate an Exploit? | 42 | 2 |
| Where Do Perpetrators Find Information About Vulnerabilities and Exploits? | 44 | 1 |
| | 45 | 1 |
| Best Practices for Managing Exploits Within an IT Infrastructure | 46 | 1 |
| U.S. Federal Government Risk Management Initiatives | 46 | 1 |
| National Institute of Standards and Technology | 47 | 2 |
| Department of Homeland Security | 49 | 1 |
| National Cybersecurity and Communications Integration Center | 49 | 1 |
| U.S. Computer Emergency Readiness Team | 49 | 1 |
| The MITRE Corporation and the CVE List | 50 | 2 |
| | 52 | 1 |
| | 53 | 1 |
| | 53 | 2 |
| Chapter 3 Understanding and Maintaining Compliance | 55 | 28 |
| | 56 | 1 |
| Federal Information Security Modernization Act | 57 | 1 |
| Health Insurance Portability and Accountability Act | 57 | 3 |
| | 60 | 1 |
| | 60 | 1 |
| Family Educational Rights and Privacy Act | 60 | 1 |
| Children's Internet Protection Act | 61 | 1 |
| Children's Online Privacy Protection Act | 61 | 1 |
| Regulations Related to Compliance | 62 | 1 |
| Securities and Exchange Commission | 63 | 1 |
| Federal Deposit Insurance Corporation | 63 | 1 |
| Department of Homeland Security | 63 | 1 |
| | 64 | 1 |
| | 65 | 1 |
| | 65 | 1 |
| Organizational Policies for Compliance | 66 | 1 |
| Standards and Guidelines for Compliance | 67 | 1 |
| Payment Card Industry Data Security Standard | 67 | 2 |
| National Institute of Standards and Technology | 69 | 1 |
| Generally Accepted Information Security Principles | 70 | 1 |
| Control Objectives for Information and Related Technology | 70 | 2 |
| International Organization for Standardization | 72 | 1 |
| International Electrotechnical Commission | 73 | 1 |
| Information Technology Infrastructure Library | 74 | 2 |
| Capability Maturity Model Integration | 76 | 1 |
| General Data Protection Regulation | 77 | 1 |
| Department of Defense Information Assurance Certification and Accreditation Process | 78 | 1 |
| | 79 | 1 |
| | 79 | 1 |
| | 80 | 3 |
| Chapter 4 Developing a Risk Management Plan | 83 | 26 |
| Objectives of a Risk Management Plan | 84 | 1 |
| Objectives Example: Website | 85 | 1 |
| Objectives Example: HIPAA Compliance | 86 | 1 |
| Scope of a Risk Management Plan | 87 | 1 |
| | 88 | 1 |
| Scope Example: HIPAA Compliance | 89 | 1 |
| Assigning Responsibilities | 89 | 1 |
| Responsibilities Example: Website | 90 | 1 |
| Responsibilities Example: HIPAA Compliance | 90 | 2 |
| Describing Procedures and Schedules for Accomplishment | 92 | 1 |
| Procedures Example: Website | 93 | 1 |
| Procedures Example: HIPAA Compliance | 93 | 1 |
| | 94 | 1 |
| Presenting Recommendations | 94 | 5 |
| Documenting Management Response to Recommendations | 99 | 1 |
| Documenting and Tracking Implementation of Accepted Recommendations | 99 | 1 |
| Plan of Action and Milestones | 100 | 2 |
| Charting the Progress of a Risk Management Plan | 102 | 1 |
| | 102 | 1 |
| | 103 | 1 |
| | 104 | 1 |
| Steps of the NIST Risk Management Framework | 104 | 1 |
| | 105 | 1 |
| | 105 | 1 |
| | 106 | 3 |
| | 109 | 188 |
| Chapter 5 Defining Risk Assessment Approaches | 111 | 24 |
| Understanding Risk Assessments | 112 | 1 |
| Importance of Risk Assessments | 113 | 1 |
| Purpose of a Risk Assessment | 113 | 1 |
| Critical Components of a Risk Assessment | 114 | 1 |
| | 114 | 1 |
| Identifying Critical Areas | 115 | 1 |
| | 116 | 1 |
| Types of Risk Assessments | 116 | 1 |
| Quantitative Risk Assessments | 116 | 3 |
| Qualitative Risk Assessments | 119 | 7 |
| Comparing Quantitative and Qualitative Risk Assessments | 126 | 1 |
| Risk Assessment Challenges | 127 | 1 |
| Using a Static Process to Evaluate a Moving Target | 127 | 1 |
| Availability of Resources and Data | 128 | 1 |
| | 129 | 1 |
| Estimating Impact Effects | 130 | 1 |
| Providing Results That Support Resource Allocation and Risk Acceptance | 131 | 1 |
| Best Practices for Risk Assessment | 132 | 1 |
| | 133 | 1 |
| | 133 | 1 |
| | 133 | 2 |
| Chapter 6 Performing a Risk Assessment | 135 | 26 |
| Selecting a Risk Assessment Methodology | 136 | 1 |
| | 137 | 2 |
| Reviewing Previous Findings | 139 | 1 |
| Identifying the Management Structure | 140 | 1 |
| Identifying Assets and Activities Within Risk Assessment Boundaries | 141 | 1 |
| System Access and Availability | 142 | 1 |
| | 142 | 2 |
| Hardware and Software Assets | 144 | 1 |
| | 144 | 1 |
| Data and Information Assets | 144 | 1 |
| | 145 | 1 |
| Identifying and Evaluating Relevant Threats | 145 | 1 |
| Reviewing Historical Data | 146 | 1 |
| Performing Threat Modeling | 146 | 1 |
| Identifying and Evaluating Relevant Vulnerabilities | 147 | 1 |
| Vulnerability Assessments | 147 | 1 |
| | 148 | 1 |
| Identifying and Evaluating Controls | 149 | 1 |
| In-Place and Planned Controls | 149 | 1 |
| | 149 | 3 |
| Selecting a Methodology Based on Assessment Needs | 152 | 1 |
| | 153 | 1 |
| | 154 | 1 |
| Developing Mitigating Recommendations | 155 | 1 |
| Threat/Vulnerability Pairs | 155 | 1 |
| Estimate of Cost and Time to Implement | 155 | 1 |
| Estimate of Operational Impact | 156 | 1 |
| | 157 | 1 |
| Presenting Risk Assessment Results | 157 | 1 |
| Best Practices for Performing Risk Assessments | 157 | 1 |
| | 158 | 1 |
| | 159 | 1 |
| | 159 | 2 |
| Chapter 7 Identifying Assets and Activities to Be Protected | 161 | 26 |
| System Access and Availability | 162 | 2 |
| System Functions: Manual and Automated | 164 | 1 |
| | 164 | 1 |
| | 165 | 1 |
| | 166 | 1 |
| | 167 | 2 |
| | 169 | 1 |
| Data and Information Assets | 169 | 2 |
| | 171 | 1 |
| | 172 | 1 |
| | 172 | 1 |
| Data Warehousing and Data Mining | 173 | 2 |
| Asset and Inventory Management Within the Seven Domains of a Typical IT Infrastructure | 175 | 1 |
| | 176 | 1 |
| | 176 | 1 |
| | 177 | 1 |
| | 177 | 1 |
| | 178 | 1 |
| | 178 | 1 |
| System/Application Domain | 178 | 1 |
| Identifying Facilities and Supplies Needed to Maintain Business Operations | 179 | 1 |
| Mission-Critical Systems and Applications Identification | 179 | 1 |
| Business Impact Analysis Planning | 180 | 1 |
| Business Continuity Planning | 181 | 1 |
| Disaster Recovery Planning | 182 | 1 |
| Business Liability Insurance Planning | 183 | 1 |
| Asset Replacement Insurance Planning | 183 | 1 |
| | 184 | 1 |
| | 184 | 1 |
| | 184 | 3 |
| Chapter 8 Identifying and Analyzing Threats, Vulnerabilities, and Exploits | 187 | 28 |
| | 188 | 3 |
| Techniques for Identifying Threats | 191 | 3 |
| Best Practices for Threat Assessments Within the Seven Domains of a Typical IT Infrastructure | 194 | 1 |
| Vulnerability Assessments | 195 | 2 |
| | 197 | 1 |
| Review of System Logs, Audit Trails, and Intrusion Detection and Prevention System Outputs | 198 | 1 |
| Vulnerability Scans and Other Assessment Tools | 199 | 1 |
| Audits and Personnel Interviews | 200 | 1 |
| Process Analysis and Output Analysis | 201 | 1 |
| | 202 | 3 |
| Best Practices for Performing Vulnerability Assessments Within the Seven Domains of a Typical IT Infrastructure | 205 | 1 |
| | 206 | 1 |
| | 207 | 3 |
| Mitigating Exploits with a Gap Analysis and Remediation Plan | 210 | 1 |
| Implementing Configuration or Change Management | 210 | 1 |
| Verifying and Validating the Exploit Has Been Mitigated | 211 | 1 |
| Best Practices for Performing Exploit Assessments Within an IT Infrastructure | 211 | 1 |
| | 212 | 1 |
| | 212 | 1 |
| | 212 | 3 |
| Chapter 9 Identifying and Analyzing Risk Mitigation Security Controls | 215 | 26 |
| | 216 | 1 |
| | 216 | 1 |
| | 217 | 1 |
| | 217 | 3 |
| Procedural Control Examples | 220 | 1 |
| | 220 | 2 |
| | 222 | 1 |
| | 223 | 1 |
| Background and Financial Checks | 224 | 1 |
| Data Loss Prevention Program | 225 | 1 |
| Education, Training, and Awareness | 225 | 1 |
| | 226 | 1 |
| | 227 | 1 |
| Technical Control Examples | 227 | 1 |
| | 228 | 1 |
| | 228 | 1 |
| System Logs and Audit Trails | 229 | 1 |
| Data Range and Reasonableness Checks | 229 | 1 |
| | 230 | 2 |
| | 232 | 1 |
| Public Key Infrastructure | 233 | 2 |
| Physical Control Examples | 235 | 1 |
| Locked Doors, Guards, Access Logs, and Closed-Circuit Television | 235 | 1 |
| Fire Detection and Suppression | 236 | 1 |
| | 237 | 1 |
| Temperature and Humidity Detection | 237 | 1 |
| Electrical Grounding and Circuit Breakers | 238 | 1 |
| Best Practices for Risk Mitigation Security Controls | 239 | 1 |
| | 239 | 1 |
| | 239 | 1 |
| | 240 | 1 |
| Chapter 10 Planning Risk Mitigation Throughout an Organization | 241 | 28 |
| Where Should an Organization Start with Risk Mitigation? | 242 | 1 |
| What Is the Scope of Risk Management for an Organization? | 243 | 1 |
| Critical Business Operations | 244 | 1 |
| Customer Service Delivery | 245 | 1 |
| Mission-Critical Business Systems, Applications, and Data Access | 246 | 3 |
| Seven Domains of a Typical IT Infrastructure | 249 | 3 |
| Information Systems Security Gap | 252 | 1 |
| Understanding and Assessing the Impact of Legal and Compliance Issues on an Organization | 253 | 2 |
| Legal Requirements, Compliance Laws, Regulations, and Mandates | 255 | 2 |
| Assessing the Impact of Legal and Compliance Issues on an Organization's Business Operations | 257 | 4 |
| Translating Legal and Compliance Implications for an Organization | 261 | 1 |
| Assessing the Impact of Legal and Compliance Implications on the Seven Domains of a Typical IT Infrastructure | 261 | 1 |
| Assessing How Security Countermeasures, Controls, and Safeguards Can Assist With Risk Mitigation | 262 | 1 |
| Understanding the Operational Implications of Legal and Compliance Requirements | 263 | 1 |
| Identifying Risk Mitigation and Risk Reduction Elements for the Entire Organization | 263 | 1 |
| Performing a Cost-Benefit Analysis | 264 | 1 |
| Best Practices for Planning Risk Mitigation Throughout an Organization | 265 | 1 |
| | 266 | 1 |
| | 266 | 1 |
| | 267 | 2 |
| Chapter 11 Turning a Risk Assessment into a Risk Mitigation Plan | 269 | 28 |
| Reviewing the Risk Assessment for the IT Infrastructure | 270 | 1 |
| Overlapping Countermeasures | 271 | 1 |
| Risk Assessments: Understanding Threats and Vulnerabilities | 272 | 1 |
| Identifying Countermeasures | 273 | 3 |
| Translating a Risk Assessment into a Risk Mitigation Plan | 276 | 1 |
| | 276 | 4 |
| | 280 | 3 |
| | 283 | 1 |
| Prioritizing Risk Elements That Require Risk Mitigation | 283 | 1 |
| Using a Threat Likelihood/Impact Matrix | 284 | 1 |
| Prioritizing Countermeasures | 284 | 2 |
| Verifying Risk Elements and How They Can Be Mitigated | 286 | 1 |
| Performing a Cost-Benefit Analysis on the Identified Risk Elements | 287 | 1 |
| | 287 | 1 |
| | 288 | 1 |
| Implementing a Risk Mitigation Plan | 289 | 1 |
| | 289 | 1 |
| | 290 | 2 |
| Following Up on the Risk Mitigation Plan | 292 | 1 |
| Ensuring Countermeasures Have Been Implemented | 293 | 1 |
| Ensuring Security Gaps Have Been Closed | 293 | 1 |
| Best Practices for Enabling a Risk Mitigation Plan from the Risk Assessment | 294 | 1 |
| | 295 | 1 |
| | 295 | 1 |
| | 296 | 1 |
| PART THREE Risk Mitigation Plans | 297 | 108 |
| Chapter 12 Mitigating Risk with a Business Impact Analysis | 299 | 24 |
| What Is a Business Impact Analysis? | 300 | 1 |
| | 301 | 1 |
| Varying Data Collection Methods | 302 | 1 |
| Defining the Scope of the Business Impact Analysis | 302 | 2 |
| Objectives of a Business Impact Analysis | 304 | 1 |
| Identifying Critical Business Functions | 305 | 1 |
| Identifying Critical Resources | 306 | 2 |
| Identifying the MAO and Impact | 308 | 2 |
| Identifying Recovery Requirements | 310 | 2 |
| Steps of a Business Impact Analysis Process | 312 | 1 |
| Identifying the Environment | 313 | 1 |
| | 313 | 1 |
| Identifying Critical Business Functions | 314 | 1 |
| Identifying Critical Resources | 314 | 1 |
| | 315 | 1 |
| Identifying Recovery Priorities | 315 | 1 |
| Developing the BIA Report | 316 | 1 |
| Identifying Mission-Critical Business Functions and Processes | 317 | 1 |
| Mapping Business Functions and Processes to IT Systems | 318 | 1 |
| Best Practices for Performing a BIA for an Organization | 319 | 1 |
| | 320 | 1 |
| | 320 | 1 |
| | 320 | 3 |
| Chapter 13 Mitigating Risk with a Business Continuity Plan | 323 | 26 |
| What Is a Business Continuity Plan? | 324 | 1 |
| | 325 | 1 |
| | 326 | 1 |
| | 326 | 1 |
| Assumptions and Planning Principles | 327 | 2 |
| System Description and Architecture | 329 | 4 |
| | 333 | 3 |
| Notification and Activation Phase | 336 | 3 |
| | 339 | 1 |
| Reconstitute Phase (Return to Normal Operations) | 340 | 2 |
| Plan Training, Testing, and Exercises | 342 | 2 |
| | 344 | 2 |
| How Does a BCP Mitigate an Organization's Risk? | 346 | 1 |
| Best Practices for Implementing a BCP for an Organization | 346 | 1 |
| | 347 | 1 |
| | 347 | 1 |
| | 347 | 2 |
| Chapter 14 Mitigating Risk with a Disaster Recovery Plan | 349 | 28 |
| What Is a Disaster Recovery Plan? | 350 | 2 |
| | 352 | 1 |
| | 352 | 1 |
| | 352 | 1 |
| What Management Must Provide | 353 | 1 |
| | 353 | 2 |
| | 355 | 7 |
| Disaster Recovery Financial Budget | 362 | 1 |
| | 362 | 1 |
| | 363 | 1 |
| | 364 | 1 |
| Disaster/Emergency Declaration | 365 | 1 |
| | 365 | 1 |
| | 366 | 1 |
| | 366 | 1 |
| | 367 | 2 |
| Critical Operations, Customer Service, and Operations Recovery | 369 | 1 |
| Restoration and Normalization | 370 | 1 |
| | 370 | 1 |
| Maintenance and DRP Update | 371 | 1 |
| How Does a DRP Mitigate an Organization's Risk? | 372 | 1 |
| Best Practices for Implementing a DRP for an Organization | 372 | 2 |
| | 374 | 1 |
| | 374 | 1 |
| | 374 | 3 |
| Chapter 15 Mitigating Risk with a Computer Incident Response Team Plan | 377 | 28 |
| What Is a Computer Incident Response Team Plan? | 378 | 1 |
| | 379 | 2 |
| | 381 | 1 |
| | 381 | 4 |
| | 385 | 1 |
| Incident Handling Process | 386 | 8 |
| Communication Escalation Procedures | 394 | 1 |
| Incident Handling Procedures | 395 | 5 |
| How Does a CIRT Plan Mitigate an Organization's Risk? | 400 | 1 |
| Best Practices for Implementing a CIRT Plan for an Organization | 400 | 1 |
| | 401 | 1 |
| | 401 | 1 |
| | 402 | 3 |
| Appendix A Answer Key | 405 | 2 |
| Appendix B Standard Acronyms | 407 | 4 |
| Glossary of Key Terms | 411 | 12 |
| References | 423 | 4 |
| Index | 427 | |