You are previewing Information Security Risk Assessment Toolkit.
Information Security Risk Assessment Toolkit

Book Description

In order to protect a company's information assets, such as sensitive customer records or health care records, the security practitioner first needs to find out what needs to be protected, what risks those assets are exposed to, what controls are in place to offset those risks, and where to focus attention for risk treatment. This is the true value and purpose of information security risk assessments. Effective risk assessments are meant to provide a defendable analysis of the residual risk associated with your key assets so that risk treatment options can be explored. Information Security Risk Assessments gives you the tools and skills to produce a quick, reliable, and thorough risk assessment for key stakeholders.

    • Based on the authors' experiences of real-world assessments, reports, and presentations
    • Focuses on implementing a process, rather than theory, that allows you to derive a quick and valuable assessment
    • Includes a companion web site with spreadsheets you can use to create and maintain the risk assessment

Table of Contents

  1. Cover image
  2. Title page
  3. Table of Contents
  4. Copyright
  5. Dedication
  6. Acknowledgements
  7. About the Technical Editor
  8. About the Authors
  9. Introduction
  10. Chapter 1. Information Security Risk Assessments
    1. Introduction
    2. What is Risk?
    3. What is an Information Security Risk Assessment?
    4. Drivers, Laws, and Regulations
    5. Summary
    6. References
  11. Chapter 2. Information Security Risk Assessment: A Practical Approach
    1. Introduction
    2. A Primer on Information Security Risk Assessment Frameworks
    3. Summary
  12. Chapter 3. Information Security Risk Assessment: Data Collection
    1. Introduction
    2. The Sponsor
    3. The Project Team
    4. Data Collection Mechanisms
    5. Executive Interviews
    6. Document Requests
    7. IT Asset Inventories
    8. Asset Scoping
    9. The Asset Profile Survey
    10. The Control Survey
    11. Survey Support Activities and Wrap-Up
    12. Consolidation
  13. Chapter 4. Information Security Risk Assessment: Data Analysis
    1. Introduction
    2. Compiling Observations from Organizational Risk Documents
    3. Preparation of Threat and Vulnerability Catalogs
    4. Overview of the System Risk Computation
    5. Designing the Impact Analysis Scheme
    6. Designing the Control Analysis Scheme
    7. Designing the Likelihood Analysis Scheme
    8. Putting it Together and the Final Risk Score
  14. Chapter 5. Information Security Risk Assessment: Risk Assessment
    1. Introduction
    2. System Risk Analysis
  15. Chapter 6. Information Security Risk Assessment: Risk Prioritization and Treatment
    1. Introduction
    2. Organizational Risk Prioritization and Treatment
    3. System Specific Risk Prioritization and Treatment
    4. Issues Register
  16. Chapter 7. Information Security Risk Assessment: Reporting
    1. Introduction
    2. Outline
    3. Risk Analysis Executive Summary
    4. Methodology
    5. Results
    6. Risk Register
    7. Conclusion
    8. Appendices
  17. Chapter 8. Information Security Risk Assessment: Maintenance and Wrap Up
    1. Introduction
    2. Process Summary
    3. Key Deliverables
    4. Post Mortem
  18. Index