Information Risk Management: A practitioner’s guide

Book Description

Increasingly, organisations rely on information for their day-to-day operations, and the loss or unavailability of information can mean the difference between success and ruin. Information risk management (IRM) is about identifying, assessing and prioritising risks to keep information secure and available. This accessible book is a practical guide to understanding the principles of IRM and developing a strategic approach to an IRM programme. It also includes a chapter on applying IRM in the public sector. It is the only textbook for the BCS Practitioner Certificate in Information Risk Management.

Table of Contents

  1. FRONT COVER
  2. BCS, THE CHARTERED INSTITUTE FOR IT
  3. TITLE PAGE
  4. COPYRIGHT PAGE
  5. DEDICATION
  6. CONTENTS
  7. LIST OF FIGURES AND TABLES
  8. AUTHOR
  9. ACKNOWLEDGEMENTS
  10. ABBREVIATIONS
  11. DEFINITIONS, STANDARDS AND GLOSSARY OF TERMS
  12. PREFACE
  13. 1. THE NEED FOR INFORMATION RISK MANAGEMENT
    1. Introduction
    2. What is information?
    3. The information life cycle
    4. Who should use information risk management?
    5. The legal framework
    6. The context of risk in the organisation
    7. The benefits of taking account of information risk
    8. Overview of the information risk management process
  14. 2. REVIEW OF INFORMATION SECURITY FUNDAMENTALS
    1. Information Classification
    2. Plan, Do, Check, Act
  15. 3. THE INFORMATION RISK MANAGEMENT PROGRAMME
    1. Goals, scope and objectives
    2. Roles and responsibilities
    3. Governance of the risk management programme
    4. Information risk management criteria
  16. 4. RISK IDENTIFICATION
    1. The approach to risk identification
    2. Impact assessment
    3. Types of impact
    4. Qualitative and quantitative assessments
  17. 5. THREAT AND VULNERABILITY ASSESSMENT
    1. Conducting threat assessments
    2. Conducting vulnerability assessments
    3. Identification of existing controls
  18. 6. RISK ANALYSIS AND RISK EVALUATION
    1. Assessment of likelihood
    2. Risk analysis
    3. Risk evaluation
  19. 7. RISK TREATMENT
    1. Strategic risk options
    2. Tactical risk management controls
    3. Operational risk management controls
    4. Examples of critical controls and control categories
  20. 8. RISK REPORTING AND PRESENTATION
    1. Business cases
    2. Risk treatment decision-making
    3. Risk treatment planning and implementation
    4. Business continuity and disaster recovery
  21. 9. COMMUNICATION, CONSULTATION, MONITORING AND REVIEW
    1. Communication
    2. Consultation
    3. Risk reviews and monitoring
  22. 10. THE CESG IA CERTIFICATION SCHEME
    1. The CESG IA Certification Scheme
    2. Skills Framework for the Information Age (SFIA)
    3. The IISP Information Security Skills Framework
  23. 11. HMG SECURITY-RELATED DOCUMENTS
    1. HMG Security Policy Framework
    2. UK Government Security Classifications
  24. APPENDIX A TAXONOMIES AND DESCRIPTIONS
    1. Information risk
    2. Typical impacts or consequences
  25. APPENDIX B TYPICAL THREATS AND HAZARDS
    1. Malicious intrusion (hacking)
    2. Environmental threats
    3. Errors and failures
    4. Social engineering
    5. Misuse and abuse
    6. Physical threats
    7. Malware
  26. APPENDIX C TYPICAL VULNERABILITIES
    1. Access control
    2. Poor procedures
    3. Physical and environmental security
    4. Communications and operations management
    5. People-related security failures
  27. APPENDIX D INFORMATION RISK CONTROLS
    1. Strategic controls
    2. Tactical controls
    3. Operational controls
    4. Critical Security Controls Version 5.0
    5. ISO/IEC 27001 controls
    6. NIST Special Publication 800-53 Revision 4
  28. APPENDIX E METHODOLOGIES, GUIDELINES AND TOOLS
    1. Methodologies
    2. Other guidelines and tools
  29. APPENDIX F TEMPLATES
  30. APPENDIX G HMG CYBER SECURITY GUIDELINES
    1. HMG Cyber Essentials Scheme
    2. 10 Steps to Cyber Security
  31. APPENDIX H REFERENCES AND FURTHER READING
    1. Primary UK legislation
    2. Good Practice Guidelines
    3. Other reference material
    4. CESG Certified Professional Scheme
    5. Other UK Government publications
    6. Risk management methodologies
    7. News articles etc.
    8. UK and international standards
  32. INDEX
  33. BACK COVER