Managing Information Risk: A Director's Guide

Book Description

Information Security is the board's responsibility – read this book before you get into trouble!

Information risk is endemic in any modern organisation. From the potential for losing sensitive information to a full-system crash that incapacitates the company, the consequences can be disastrous. Information risk management is a method of assessing information threats and taking actions to minimise the chances of risks becoming a reality. With properly implemented security controls based on risk assessment, you could stop your company from having to suffer huge financial or reputational fallout.

This pocket guide addresses the scope of risks involved in a modern IT system, and outlines strategies for working through the process of putting risk management at the heart of your corporate culture. The guide draws on the work of the US National Institute of Standards and Technology, together with UK government white papers and interviews with board-level risk management practitioners.

Benefits to business include:

  • Learn how to conduct a risk assessment. A risk assessment is essential to forming a clearer picture of how internal and external threats could affect your organisation.
  • Understand the requirements of a risk governance framework. Under UK government guidance, directors need to put in place arrangements within their company for managing information risk and to assign responsibilities to their staff. This pocket guide sets out the most important elements of any information risk governance framework.
  • Make better informed risk management decisions. The pocket guide suggests a plan for choosing and implementing security controls, based on the principle that the greatest risks should be addressed first.
  • Find out how to handle third-party security. Third-party security is almost as important as your own, and more difficult to control. This pocket guide contains advice on how to minimise the risk of third-party data loss, and suggests ways to prevent your information security from being compromised through the supply chain.

Help your organisation to manage information risk effectively... buy this pocket guide today!

Table of Contents

  1. PREFACE
  2. ABOUT THE AUTHOR
  3. CONTENTS
  4. INTRODUCTION
  5. CHAPTER 1: MANAGING RISK
    1. Reduce/Mitigate/Control
    2. Transferring risk
    3. Avoid
    4. Accept
  6. CHAPTER 2: INFORMATION RISK POLICY
  7. CHAPTER 3: THE RISKS
    1. Accidental disclosure
    2. Theft of hardware or data
    3. Acts of nature
    4. Alteration of software
    5. Redundant media
    6. System configuration error
    7. Suppliers and partners
    8. Critical information is wrongly destroyed
    9. Poor data input
    10. Critical information is lost
    11. Wasted assets
    12. Failure to make information available
  8. CHAPTER 4: RISK MANAGEMENT FRAMEWORK
  9. CHAPTER 5: RISK ASSESSMENT
    1. System characterisation
    2. Identify threats
    3. Identify vulnerabilities
    4. Control analysis
    5. Likelihood determination
    6. Impact analysis
    7. Risk determination
    8. Control recommendations
    9. Documentation
  10. CHAPTER 6: RISK MITIGATION STRATEGY
    1. Seven-stage plan
      1. Prioritise actions
      2. Evaluate recommended control options
      3. Conduct cost-benefit analysis
        1. Cost-benefits and residual risks
      4. Select controls
      5. Assign responsibility
      6. Draw up a safeguard implementation plan
      7. Implement selected controls
  11. CHAPTER 7: CONTROLS
  12. CHAPTER 8: INTERACTING WITH PARTNERS AND SUPPLIERS
  13. CHAPTER 9: STANDARDS
  14. APPENDIX 1: CHECKLIST FOR DIRECTORS
    1. Have we assessed the importance of information to our business?
    2. Have we assessed our information risks?
    3. Do we have a plan for managing these risks?
    4. Do all staff understand their roles and responsibilities in managing these risks?
    5. Does my organisation have the right skills and technical capabilities to manage these risks?
    6. Is management of information embedded in my business processes?
  15. APPENDIX 2: ESTABLISHING AN INFORMATION RISK TSAR
  16. FURTHER READING
  17. ITG RESOURCES
    1. Other Websites
    2. Pocket Guides
    3. Toolkits
    4. Best Practice Reports
    5. Training and Consultancy
    6. Newsletter