Title | Page | Pages
Preface | xv |
Acknowledgments | xvii |
Part One Risk Management Business Challenges | |
Chapter 1 Risk Management Fundamentals | 2 | 27
 | 3 | 4
Compromise of Business Functions | 4 | 1
Compromise of Business Assets | 5 | 1
 | 6 | 1
Profitability Versus Survivability | 6 | 1
What Are the Major Components of Risk to an IT Infrastructure? | 7 | 6
Seven Domains of a Typical IT Infrastructure | 7 | 4
Threats, Vulnerabilities, and Impact | 11 | 2
Risk Management and Its Importance to the Organization | 13 | 5
How Risk Affects an Organization's Survivability | 14 | 1
 | 15 | 1
 | 15 | 1
Role-Based Perceptions of Risk | 16 | 2
Risk Identification Techniques | 18 | 4
 | 18 | 1
Identifying Vulnerabilities | 19 | 2
Pairing Threats with Vulnerabilities | 21 | 1
Risk Management Techniques | 22 | 5
 | 23 | 1
 | 23 | 1
 | 23 | 1
 | 24 | 1
 | 25 | 1
 | 26 | 1
 | 27 | 1
 | 27 | 1
 | 28 | 1
Chapter 2 Managing Risk: Threats, Vulnerabilities, and Exploits | 29 | 28
Understanding and Managing Threats | 30 | 5
The Uncontrollable Nature of Threats | 30 | 1
 | 31 | 1
 | 32 | 2
Best Practices for Managing Threats Within Your IT Infrastructure | 34 | 1
Understanding and Managing Vulnerabilities | 35 | 6
Threat/Vulnerability Pairs | 36 | 1
Vulnerabilities Can Be Mitigated | 37 | 1
 | 38 | 2
Best Practices for Managing Vulnerabilities Within Your IT Infrastructure | 40 | 1
Understanding and Managing Exploits | 41 | 7
 | 41 | 3
How Do Perpetrators Initiate an Exploit? | 44 | 2
Where Do Perpetrators Find Information About Vulnerabilities and Exploits? | 46 | 1
 | 47 | 1
Best Practices for Managing Exploits Within Your IT Infrastructure | 48 | 1
U.S. Federal Government Risk Management Initiatives | 48 | 6
National Institute of Standards and Technology | 49 | 1
Department of Homeland Security | 50 | 1
National Cybersecurity and Communications Integration Center | 51 | 1
US Computer Emergency Readiness Team | 51 | 1
The MITRE Corporation and the CVE List | 52 | 2
 | 54 | 1
 | 54 | 1
 | 55 | 2
Chapter 3 Maintaining Compliance | 57 | 28
 | 58 | 6
Federal Information Security Management Act | 59 | 1
Health Insurance Portability and Accountability Act | 59 | 2
 | 61 | 1
 | 62 | 1
Family Educational Rights and Privacy Act | 62 | 1
Children's Internet Protection Act | 63 | 1
Regulations Related to Compliance | 64 | 4
Securities and Exchange Commission | 65 | 1
Federal Deposit Insurance Corporation | 65 | 1
Department of Homeland Security | 65 | 1
 | 66 | 1
 | 67 | 1
 | 67 | 1
Organizational Policies for Compliance | 68 | 1
Standards and Guidelines for Compliance | 69 | 13
Payment Card Industry Data Security Standard | 70 | 2
National Institute of Standards and Technology | 72 | 1
Generally Accepted Information Security Principles | 73 | 1
Control Objectives for Information and Related Technology | 73 | 2
International Organization for Standardization | 75 | 1
International Electrotechnical Commission | 76 | 1
Information Technology Infrastructure Library | 77 | 3
Capability Maturity Model Integration | 80 | 1
Department of Defense Information Assurance Certification and Accreditation Process | 81 | 1
 | 82 | 1
 | 83 | 1
 | 83 | 2
Chapter 4 Developing a Risk Management Plan | 85 | 26
Objectives of a Risk Management Plan | 86 | 3
Objectives Example: Web Site | 87 | 1
Objectives Example: HIPAA Compliance | 88 | 1
Scope of a Risk Management Plan | 89 | 3
 | 91 | 1
Scope Example: HIPAA Compliance | 91 | 1
Assigning Responsibilities | 92 | 2
Responsibilities Example: Web Site | 93 | 1
Responsibilities Example: HIPAA Compliance | 93 | 1
Describing Procedures and Schedules for Accomplishment | 94 | 3
Procedures Example: Web Site | 96 | 1
Procedures Example: HIPAA Compliance | 97 | 1
 | 97 | 6
Presenting Recommendations | 97 | 5
Documenting Management Response to Recommendations | 102 | 1
Documenting and Tracking Implementation of Accepted Recommendations | 103 | 1
Plan of Action and Milestones | 103 | 3
Charting the Progress of a Risk Management Plan | 106 | 3
 | 106 | 1
 | 107 | 1
 | 107 | 2
 | 109 | 1
 | 109 | 1
 | 109 | 2
Part Two Mitigating Risk | 111 | 202
Chapter 5 Defining Risk Assessment Approaches | 112 | 26
Understanding Risk Assessment | 113 | 2
Importance of Risk Assessments | 114 | 1
Purpose of a Risk Assessment | 114 | 1
Critical Components of a Risk Assessment | 115 | 2
 | 115 | 1
Identifying Critical Areas | 116 | 1
 | 117 | 1
Types of Risk Assessments | 117 | 12
Quantitative Risk Assessments | 118 | 2
Qualitative Risk Assessments | 120 | 8
Comparing Quantitative and Qualitative Risk Assessments | 128 | 1
Risk Assessment Challenges | 129 | 6
Using a Static Process to Evaluate a Moving Target | 130 | 1
Availability of Resources and Data | 131 | 1
 | 131 | 2
Estimating Impact Effects | 133 | 1
Providing Results That Support Resource Allocation and Risk Acceptance | 134 | 1
Best Practices for Risk Assessment | 135 | 1
 | 136 | 1
 | 136 | 1
 | 137 | 1
Chapter 6 Performing a Risk Assessment | 138 | 28
Selecting a Risk Assessment Methodology | 139 | 4
 | 140 | 2
Reviewing Previous Findings | 142 | 1
Identifying the Management Structure | 143 | 1
Identifying Assets and Activities Within Risk Assessment Boundaries | 144 | 5
System Access and System Availability | 145 | 1
 | 146 | 1
Hardware and Software Assets | 147 | 1
 | 148 | 1
Data and Information Assets | 148 | 1
 | 148 | 1
Identifying and Evaluating Relevant Threats | 149 | 2
Reviewing Historical Data | 150 | 1
Performing Threat Modeling | 150 | 1
Identifying and Evaluating Relevant Vulnerabilities | 151 | 2
Vulnerability Assessments | 151 | 1
 | 152 | 1
Identifying and Evaluating Countermeasures | 153 | 4
In-Place and Planned Countermeasures | 153 | 1
 | 153 | 4
Selecting a Methodology Based on Assessment Needs | 157 | 2
 | 157 | 1
 | 158 | 1
Developing Mitigating Recommendations | 159 | 3
Threat/Vulnerability Pairs | 159 | 1
Estimate of Cost and Time to Implement | 160 | 1
Estimate of Operational Impact | 160 | 1
 | 161 | 1
Presenting Risk Assessment Results | 162 | 1
Best Practices for Performing Risk Assessments | 162 | 1
 | 163 | 1
 | 164 | 1
 | 164 | 2
Chapter 7 Identifying Assets and Activities to Be Protected | 166 | 28
System Access and Availability | 167 | 3
System Functions: Manual and Automated | 170 | 1
 | 170 | 1
 | 170 | 1
 | 171 | 2
 | 173 | 1
 | 174 | 1
Data and Information Assets | 175 | 6
 | 177 | 1
 | 178 | 1
 | 178 | 1
Data Warehousing and Data Mining | 179 | 2
Asset and Inventory Management Within the Seven Domains of a Typical IT Infrastructure | 181 | 5
 | 182 | 1
 | 183 | 1
 | 183 | 1
 | 184 | 1
 | 184 | 1
 | 185 | 1
System/Application Domain | 185 | 1
Identifying Facilities and Supplies Needed to Maintain Business Operations | 186 | 5
Identifying Mission-Critical Systems and Applications | 186 | 1
Business Impact Analysis Planning | 187 | 1
Business Continuity Planning | 188 | 1
Disaster Recovery Planning | 189 | 1
Business Liability Insurance Planning | 190 | 1
Asset Replacement Insurance Planning | 190 | 1
 | 191 | 1
 | 192 | 1
 | 192 | 2
Chapter 8 Identifying and Analyzing Threats, Vulnerabilities, and Exploits | 194 | 30
 | 195 | 8
Techniques for Identifying Threats | 198 | 4
Best Practices for Threat Assessments Within the Seven Domains of a Typical IT Infrastructure | 202 | 1
Vulnerability Assessments | 203 | 12
 | 205 | 1
Review of System Logs, Audit Trails, and Intrusion Detection System Outputs | 205 | 3
Vulnerability Scans and Other Assessment Tools | 208 | 1
Audits and Personnel Interviews | 209 | 1
Process Analysis and Output Analysis | 209 | 1
 | 210 | 4
Best Practices for Performing Vulnerability Assessments Within the Seven Domains of a Typical IT Infrastructure | 214 | 1
 | 215 | 6
 | 215 | 4
Mitigating Exploits with a Gap Analysis and Remediation Plan | 219 | 1
Implementing Configuration or Change Management | 220 | 1
Verifying and Validating the Exploit Has Been Mitigated | 220 | 1
Best Practices for Performing Exploit Assessments Within an IT Infrastructure | 220 | 1
 | 221 | 1
 | 221 | 1
 | 222 | 2
Chapter 9 Identifying and Analyzing Risk Mitigation Security Controls | 224 | 28
 | 225 | 1
 | 225 | 1
 | 226 | 4
 | 226 | 4
Procedural Control Examples | 230 | 7
 | 230 | 2
 | 232 | 1
 | 233 | 1
Background Checks and Financial Checks | 234 | 1
Data Loss Prevention Program | 235 | 1
 | 235 | 1
 | 236 | 1
 | 237 | 1
Technical Control Examples | 237 | 8
 | 238 | 1
 | 238 | 1
System Logs and Audit Trails | 239 | 1
Data Range and Reasonableness Checks | 240 | 1
 | 241 | 1
 | 242 | 1
Public Key Infrastructure (PKI) | 243 | 2
Physical Control Examples | 245 | 4
Locked Doors, Guards, Access Logs, and Closed-Circuit Television (CCTV) | 245 | 2
Fire Detection and Suppression | 247 | 1
 | 248 | 1
Temperature and Humidity Detection | 248 | 1
Electrical Grounding and Circuit Breakers | 249 | 1
Best Practices for Risk Mitigation Security Controls | 249 | 1
 | 250 | 1
 | 250 | 1
 | 250 | 2
Chapter 10 Planning Risk Mitigation Throughout Your Organization | 252 | 30
Where Should Your Organization Start with Risk Mitigation? | 253 | 1
What Is the Scope of Risk Management for Your Organization? | 254 | 11
Critical Business Operations | 255 | 1
Customer Service Delivery | 256 | 1
Mission-Critical Business Systems, Applications, and Data Access | 257 | 3
Seven Domains of a Typical IT Infrastructure | 260 | 4
Information Systems Security Gap | 264 | 1
Understanding and Assessing the Impact of Legal and Compliance Issues on Your Organization | 265 | 8
Legal Requirements, Compliance Laws, Regulations, and Mandates | 266 | 3
Assessing the Impact of Legal and Compliance Issues on Your Business Operations | 269 | 4
Translating Legal and Compliance Implications for Your Organization | 273 | 1
Assessing the Impact of Legal and Compliance Implications on the Seven Domains of a Typical IT Infrastructure | 274 | 1
Assessing How Security Countermeasures and Safeguards Can Assist with Risk Mitigation | 275 | 1
Understanding the Operational Implications of Legal and Compliance Requirements | 275 | 1
Identifying Risk Mitigation and Risk Reduction Elements for the Entire Organization | 276 | 1
Performing a Cost-Benefit Analysis | 277 | 1
Best Practices for Planning Risk Mitigation Throughout Your Organization | 278 | 1
 | 279 | 1
 | 279 | 1
 | 280 | 2
Chapter 11 Turning Your Risk Assessment into a Risk Mitigation Plan | 282 | 31
Reviewing the Risk Assessment for Your IT Infrastructure | 283 | 6
Overlapping Countermeasures | 284 | 1
Matching Threats with Vulnerabilities | 285 | 1
Identifying Countermeasures | 286 | 3
Translating Your Risk Assessment into a Risk Mitigation Plan | 289 | 8
 | 289 | 4
 | 293 | 3
 | 296 | 1
Prioritizing Risk Elements That Require Risk Mitigation | 297 | 3
Using a Threat/Likelihood-Impact Matrix | 297 | 1
Prioritizing Countermeasures | 298 | 2
Verifying Risk Elements and How These Risks Can Be Mitigated | 300 | 1
Performing a Cost-Benefit Analysis on the Identified Risk Elements | 301 | 2
 | 301 | 1
 | 302 | 1
Implementing a Risk Mitigation Plan | 303 | 4
 | 304 | 1
 | 304 | 3
Following Up on the Risk Mitigation Plan | 307 | 2
Ensuring Countermeasures Are Implemented | 307 | 1
Ensuring Security Gaps Have Been Closed | 308 | 1
Best Practices for Enabling a Risk Mitigation Plan from Your Risk Assessment | 309 | 1
 | 310 | 1
 | 310 | 1
 | 311 | 2
Part Three Risk Mitigation Plans | 313 | 118
Chapter 12 Mitigating Risk with a Business Impact Analysis | 314 | 27
What Is a Business Impact Analysis? | 315 | 3
 | 316 | 1
Varying Data Collection Methods | 317 | 1
Defining the Scope of Your Business Impact Analysis | 318 | 1
Objectives of a Business Impact Analysis | 319 | 10
Identifying Critical Business Functions | 321 | 1
Identifying Critical Resources | 322 | 2
Identifying MAO and Impact | 324 | 3
Identifying Recovery Requirements | 327 | 2
The Steps of a Business Impact Analysis Process | 329 | 6
Identifying the Environment | 330 | 1
 | 331 | 1
Identifying Critical Business Functions | 331 | 1
Identifying Critical Resources | 331 | 1
Identifying the Maximum Downtime | 332 | 1
Identifying Recovery Priorities | 332 | 2
Developing the BIA Report | 334 | 1
Identifying Mission-Critical Business Functions and Processes | 335 | 1
Mapping Business Functions and Processes to IT Systems | 336 | 1
Best Practices for Performing a BIA for Your Organization | 337 | 2
 | 339 | 1
 | 339 | 1
 | 339 | 2
Chapter 13 Mitigating Risk with a Business Continuity Plan | 341 | 29
What Is a Business Continuity Plan? | 342 | 1
 | 343 | 23
 | 345 | 1
 | 345 | 1
Assumptions and Planning Principles | 345 | 3
System Description and Architecture | 348 | 4
 | 352 | 3
Notification/Activation Phase | 355 | 4
 | 359 | 1
Reconstitution Phase (Return to Normal Operations) | 360 | 2
Plan Training, Testing, and Exercises | 362 | 3
 | 365 | 1
How Does a BCP Mitigate an Organization's Risk? | 366 | 1
Best Practices for Implementing a BCP for Your Organization | 367 | 1
 | 368 | 1
 | 368 | 1
 | 368 | 2
Chapter 14 Mitigating Risk with a Disaster Recovery Plan | 370 | 30
What Is a Disaster Recovery Plan? | 371 | 3
 | 373 | 1
 | 373 | 1
 | 374 | 10
What Management Must Provide | 374 | 1
 | 375 | 1
 | 376 | 7
Disaster Recovery Financial Budget | 383 | 1
 | 384 | 11
 | 385 | 1
 | 386 | 1
Disaster/Emergency Declaration | 387 | 1
 | 387 | 1
 | 388 | 1
 | 388 | 1
 | 389 | 3
Critical Operations, Customer Service, and Operations Recovery | 392 | 1
Restoration and Normalization | 392 | 1
 | 393 | 1
Maintenance and DRP Update | 393 | 2
How Does a DRP Mitigate an Organization's Risk? | 395 | 1
Best Practices for Implementing a DRP for Your Organization | 395 | 2
 | 397 | 1
 | 397 | 1
 | 398 | 2
Chapter 15 Mitigating Risk with a Computer Incident Response Team Plan | 400 | 31
What Is a Computer Incident Response Team Plan? | 401 | 2
 | 403 | 2
 | 405 | 21
 | 405 | 4
 | 409 | 1
Incident Handling Process | 410 | 9
Communication Escalation Procedures | 419 | 1
Incident Handling Procedures | 420 | 6
How Does a CIRT Plan Mitigate an Organization's Risk? | 426 | 1
Best Practices for Implementing a CIRT Plan for Your Organization | 426 | 1
 | 427 | 1
 | 428 | 1
 | 428 | 3
Appendix A Answer Key | 431 | 2
Appendix B Standard Acronyms | 433 | 4
Glossary of Key Terms | 437 | 12
References | 449 | 4
Index | 453 |