Managing Risk in Information Systems

Book Description

PART OF THE NEW JONES & BARTLETT LEARNING INFORMATION SYSTEMS SECURITY & ASSURANCE SERIES! Managing Risk in Information Systems provides a unique, in-depth look at how to manage and reduce IT-associated risks. Written by an industry expert, this book provides a comprehensive explanation of the SSCP® Risk, Response, and Recovery Domain, in addition to a thorough overview of risk management and its implications for IT infrastructures and compliance. Using examples and exercises, this book incorporates hands-on activities that walk the reader through the fundamentals of risk management, strategies and approaches for mitigating risk, and the anatomy of a plan that reduces risk.

Table of Contents

  1. Copyright
  2. Preface
    1. Purpose of This Book
    2. Learning Features
    3. Audience
  3. Acknowledgments
  4. About the Author
  5. ONE. Risk Management Business Challenges
    1. 1. Risk Management Fundamentals
      1. What Is Risk?
        1. Compromise of Business Functions
        2. Compromise of Business Assets
        3. Driver of Business Costs
        4. Profitability Versus Survivability
      2. What Are the Major Components of Risk to an IT Infrastructure?
        1. Seven Domains of a Typical IT Infrastructure
          1. User Domain
          2. Workstation Domain
          3. LAN Domain
          4. LAN-to-WAN Domain
          5. Remote Access Domain
          6. WAN Domain
          7. System/Application Domain
          8. Threats, Vulnerabilities, and Impact
      3. Risk Management and Its Importance to the Organization
        1. How Risk Affects an Organization's Survivability
        2. Reasonableness
        3. Balancing Risk and Cost
        4. Role-Based Perceptions of Risk
      4. Risk Identification Techniques
        1. Identifying Threats
        2. Identifying Vulnerabilities
          1. Using the Seven Domains of a Typical IT Infrastructure to Identify Weaknesses
          2. Using Reason When Identifying Vulnerabilities
        3. Pairing Threats with Vulnerabilities
      5. Risk Management Techniques
        1. Avoidance
        2. Transfer
        3. Mitigation
        4. Acceptance
        5. Cost-Benefit Analysis
        6. Residual Risk
      6. CHAPTER SUMMARY
      7. KEY CONCEPTS AND TERMS
      8. CHAPTER 1 ASSESSMENT
    2. 2. Managing Risk: Threats, Vulnerabilities, and Exploits
      1. Understanding and Managing Threats
        1. The Uncontrollable Nature of Threats
        2. Unintentional Threats
        3. Intentional Threats
        4. Best Practices for Managing Threats Within Your IT Infrastructure
      2. Understanding and Managing Vulnerabilities
        1. Threat/Vulnerability Pairs
        2. Vulnerabilities Can Be Mitigated
        3. Mitigation Techniques
        4. Best Practices for Managing Vulnerabilities Within Your IT Infrastructure
      3. Understanding and Managing Exploits
        1. What Is an Exploit?
        2. How Do Perpetrators Initiate an Exploit?
        3. Where Do Perpetrators Find Information About Vulnerabilities and Exploits?
        4. Mitigation Techniques
        5. Best Practices for Managing Exploits Within Your IT Infrastructure
      4. U.S. Federal Government Risk Management Initiatives
        1. National Institute of Standards and Technology
        2. Department of Homeland Security
        3. National Cyber Security Division
        4. US Computer Emergency Readiness Team
        5. The MITRE Corporation and the CVE List
        6. Common Vulnerabilities and Exposures (CVE) List
          1. Standard for Information Security Vulnerability Names
      5. CHAPTER SUMMARY
      6. KEY CONCEPTS AND TERMS
      7. CHAPTER 2 ASSESSMENT
    3. 3. Maintaining Compliance
      1. Compliance
        1. Federal Information Security Management Act
        2. Health Insurance Portability and Accountability Act
        3. Gramm-Leach-Bliley Act
        4. Sarbanes-Oxley Act
        5. Family Educational Rights and Privacy Act
        6. Children's Internet Protection Act
      2. Regulations Related to Compliance
        1. Securities and Exchange Commission
        2. Federal Deposit Insurance Corporation
        3. Department of Homeland Security
        4. Federal Trade Commission
        5. State Attorney General
        6. U.S. Attorney General
      3. Organizational Policies for Compliance
      4. Standards and Guidelines for Compliance
        1. Payment Card Industry Data Security Standard
        2. National Institute of Standards and Technology
        3. Generally Accepted Information Security Principles
        4. Control Objectives for Information and Related Technology
        5. International Organization for Standardization
          1. ISO 27002 Information Technology Security Techniques
          2. ISO 31000 Risk Management Principles and Guidelines
          3. ISO 73 Risk Management—Vocabulary
        6. International Electrotechnical Commission
        7. Information Technology Infrastructure Library
        8. Capability Maturity Model Integration
        9. Department of Defense Information Assurance Certification and Accreditation Process
      5. CHAPTER SUMMARY
      6. KEY CONCEPTS AND TERMS
      7. CHAPTER 3 ASSESSMENT
    4. 4. Developing a Risk Management Plan
      1. Objectives of a Risk Management Plan
        1. Objectives Example: Web Site
        2. Objectives Example: HIPAA Compliance
      2. Scope of a Risk Management Plan
        1. Scope Example: Web Site
        2. Scope Example: HIPAA Compliance
      3. Assigning Responsibilities
        1. Responsibilities Example: Web Site
        2. Responsibilities Example: HIPAA Compliance
      4. Describing Procedures and Schedules for Accomplishment
        1. Procedures Example: Web Site
        2. Procedures Example: HIPAA Compliance
      5. Reporting Requirements
        1. Present Recommendations
          1. Findings
          2. Recommendation Cost and Time Frame
          3. Cost-Benefit Analysis
          4. Risk Statements
        2. Document Management Response to Recommendations
        3. Document and Track Implementation of Accepted Recommendations
      6. Plan of Action and Milestones
      7. Charting the Progress of a Risk Management Plan
        1. Milestone Plan Chart
        2. Gantt Chart
        3. Critical Path Chart
      8. CHAPTER SUMMARY
      9. KEY CONCEPTS AND TERMS
      10. CHAPTER 4 ASSESSMENT
  6. TWO. Mitigating Risk
    1. 5. Defining Risk Assessment Approaches
      1. Understanding Risk Assessment
        1. Importance of Risk Assessments
        2. Purpose of a Risk Assessment
      2. Critical Components of a Risk Assessment
        1. Identify Scope
        2. Identify Critical Areas
        3. Identify Team
      3. Types of Risk Assessments
        1. Quantitative Risk Assessments
          1. Benefits
          2. Limitations
        2. Qualitative Risk Assessments
          1. Prioritizing the Risk
          2. Evaluating the Effectiveness of Controls
          3. Benefits
          4. Limitations
        3. Comparing Quantitative and Qualitative Risk Assessments
      4. Risk Assessment Challenges
        1. Using a Static Process to Evaluate a Moving Target
        2. Availability
        3. Data Consistency
          1. Differences in Data Format
          2. Changes in Data Collection
          3. Changes in the Business
        4. Estimating Impact Effects
        5. Providing Results That Support Resource Allocation and Risk Acceptance
          1. Resource Allocation
          2. Risk Acceptance
      5. Best Practices for Risk Assessment
      6. CHAPTER SUMMARY
      7. KEY CONCEPTS AND TERMS
      8. CHAPTER 5 ASSESSMENT
    2. 6. Performing a Risk Assessment
      1. Selecting a Risk Assessment Methodology
        1. Defining the Assessment
          1. Operational Characteristics
          2. Mission of the System
        2. Review Previous Findings
      2. Identifying the Management Structure
      3. Identifying Assets and Activities Within Risk Assessment Boundaries
        1. System Access and System Availability
        2. System Functions
        3. Hardware and Software Assets
        4. Personnel Assets
        5. Data and Information Assets
        6. Facilities and Supplies
      4. Identifying and Evaluating Relevant Threats
        1. Reviewing Historical Data
        2. Modeling
      5. Identifying and Evaluating Relevant Vulnerabilities
        1. Vulnerability Assessments
        2. Exploit Assessments
      6. Identifying and Evaluating Countermeasures
        1. In-Place and Planned Countermeasures
        2. Control Categories
          1. Administrative Security Controls
          2. Technical Security Controls
          3. Physical Security Controls
      7. Selecting a Methodology Based on Assessment Needs
        1. Quantitative
        2. Qualitative
      8. Develop Mitigating Recommendations
        1. Threat/Vulnerability Pairs
        2. Estimate of Cost and Time to Implement
        3. Estimate of Operational Impact
        4. Prepare Cost-Benefit Analysis
      9. Present Risk Assessment Results
      10. Best Practices for Performing Risk Assessments
      11. CHAPTER SUMMARY
      12. KEY CONCEPTS AND TERMS
      13. CHAPTER 6 ASSESSMENT
    3. 7. Identifying Assets and Activities to Be Protected
      1. System Access and Availability
      2. System Functions: Manual and Automated
        1. Manual Methods
        2. Automated Methods
      3. Hardware Assets
      4. Software Assets
      5. Personnel Assets
      6. Data and Information Assets
        1. Organization
        2. Customer
        3. Intellectual Property
        4. Data Warehousing and Data Mining
      7. Asset and Inventory Management Within the Seven Domains of a Typical IT Infrastructure
        1. User Domain
        2. Workstation Domain
        3. LAN Domain
        4. LAN-to-WAN Domain
        5. WAN Domain
        6. Remote Access Domain
        7. System/Application Domain
      8. Identifying Facilities and Supplies Needed to Maintain Business Operations
        1. Mission-Critical Systems and Applications Identification
        2. Business Impact Analysis Planning
        3. Business Continuity Planning
        4. Disaster Recovery Planning
        5. Business Liability Insurance Planning
        6. Asset Replacement Insurance Planning
      9. CHAPTER SUMMARY
      10. KEY CONCEPTS AND TERMS
      11. CHAPTER 7 ASSESSMENT
    4. 8. Identifying and Analyzing Threats, Vulnerabilities, and Exploits
      1. Threat Assessments
        1. Techniques for Identifying Threats
          1. Review Historical Data
            1. Organization Historical Data.
            2. Similar Organization's Historical Data.
            3. Local Area Data.
          2. Threat Modeling
          3. Analogy and Comparison with Similar Situations and Activities
        2. Best Practices for Threat Assessments Within the Seven Domains of a Typical IT Infrastructure
      2. Vulnerability Assessments
        1. Documentation Review
        2. Review of System Logs, Audit Trails, and Intrusion Detection System Outputs
          1. System Logs
          2. Audit Trails
          3. Intrusion Detection System Outputs
        3. Vulnerability Scans and Other Assessment Tools
        4. Audits and Personnel Interviews
        5. Process Analysis and Output Analysis
        6. System Testing
          1. Functionality Testing
          2. Access Controls Testing
          3. Penetration Testing
          4. Transaction and Applications Testing
        7. Best Practices for Performing Vulnerability Assessments Within the Seven Domains of a Typical IT Infrastructure
      3. Exploit Assessments
        1. Identify Exploits
          1. Social Engineering
          2. MAC Flood Attack
          3. TCP SYN Flood Attack
        2. Mitigate Exploits with a Gap Analysis and Remediation Plan
        3. Implement Configuration or Change Management
        4. Verify and Validate the Exploit Has Been Mitigated
        5. Best Practices for Performing Exploit Assessments Within an IT Infrastructure
      4. CHAPTER SUMMARY
      5. KEY CONCEPTS AND TERMS
      6. CHAPTER 8 ASSESSMENT
    5. 9. Identifying and Analyzing Risk Mitigation Security Controls
      1. In-Place Controls
      2. Planned Controls
      3. Control Categories
        1. NIST Control Classes
      4. Administrative Control Examples
        1. Policies and Procedures
        2. Security Plans
            1. Business Continuity Plan.
            2. Disaster Recovery Plan.
            3. Backup Plan.
            4. Incident Response Plan.
        3. Insurance and Bonding
        4. Background Checks and Financial Checks
        5. Data Loss Prevention Program
        6. Awareness and Training
        7. Rules of Behavior
        8. Software Testing
      5. Technical Control Examples
        1. Logon Identifier
        2. Session Timeout
        3. System Logs and Audit Trails
        4. Data Range and Reasonableness Checks
        5. Firewalls and Routers
        6. Encryption
        7. Public Key Infrastructure (PKI)
      6. Physical Control Examples
        1. Locked Doors, Guards, Access Logs, and Closed-Circuit Television (CCTV)
        2. Fire Detection and Suppression
        3. Water Detection
        4. Temperature and Humidity Detection
        5. Electrical Grounding and Circuit Breakers
      7. Best Practices for Risk Mitigation Security Controls
      8. CHAPTER SUMMARY
      9. KEY CONCEPTS AND TERMS
      10. CHAPTER 9 ASSESSMENT
    6. 10. Planning Risk Mitigation Throughout Your Organization
      1. Where Should Your Organization Start with Risk Mitigation?
      2. What Is the Scope of Risk Management for Your Organization?
        1. Critical Business Operations
        2. Customer Service Delivery
        3. Mission-Critical Business Systems, Applications, and Data Access
        4. Seven Domains of a Typical IT Infrastructure
          1. User Domain
          2. Workstation Domain
          3. LAN Domain
          4. LAN-to-WAN Domain
          5. Remote Access Domain
          6. WAN Domain
          7. System/Application Domain
        5. Information Systems Security Gap
      3. Understanding and Assessing the Impact of Legal and Compliance Issues on Your Organization
        1. Legal Requirements, Compliance Laws, Regulations, and Mandates
          1. Health Insurance Portability and Accountability Act (HIPAA)
          2. Sarbanes-Oxley Act (SOX)
          3. Federal Information Security Management Act (FISMA)
          4. Family Educational Rights and Privacy Act (FERPA)
          5. Children's Internet Protection Act (CIPA)
          6. Payment Card Industry Data Security Standard (PCI DSS)
        2. Assessing the Impact of Legal and Compliance Issues on Your Business Operations
          1. Health Insurance Portability and Accountability Act (HIPAA)
          2. Sarbanes-Oxley Act (SOX)
          3. Federal Information Security Management Act (FISMA)
          4. Family Educational Rights and Privacy Act (FERPA)
          5. Children's Internet Protection Act (CIPA)
          6. Payment Card Industry Data Security Standard (PCI DSS)
      4. Translating Legal and Compliance Implications for Your Organization
      5. Assessing the Impact of Legal and Compliance Implications on the Seven Domains of a Typical IT Infrastructure
      6. Assessing How Security Countermeasures and Safeguards Can Assist with Risk Mitigation
      7. Understanding the Operational Implications of Legal and Compliance Requirements
      8. Identifying Risk Mitigation and Risk Reduction Elements for the Entire Organization
      9. Performing a Cost-Benefit Analysis
      10. Best Practices for Planning Risk Mitigation Throughout Your Organization
      11. CHAPTER SUMMARY
      12. KEY CONCEPTS AND TERMS
      13. CHAPTER 10 ASSESSMENT
    7. 11. Turning Your Risk Assessment into a Risk Mitigation Plan
      1. Review the Risk Assessment for Your IT Infrastructure
        1. Overlapping Countermeasures
        2. Matching Threats with Vulnerabilities
        3. Identifying Countermeasures
      2. Translating Your Risk Assessment into a Risk Mitigation Plan
        1. Cost to Implement
          1. Initial Purchase Cost
          2. Facility Costs
          3. Installation Costs
          4. Training Costs
        2. Time to Implement
        3. Operational Impact
      3. Prioritizing Risk Elements That Require Risk Mitigation
        1. Using a Threat/Vulnerability Matrix
        2. Prioritizing Countermeasures
      4. Verifying Risk Elements and How These Risks Can Be Mitigated
      5. Performing a Cost-Benefit Analysis on the Identified Risk Elements
        1. Calculate the CBA
        2. A CBA Report
      6. Implementing a Risk Mitigation Plan
        1. Stay Within Budget
        2. Stay on Schedule
      7. Following Up on the Risk Mitigation Plan
        1. Ensuring Countermeasures Are Implemented
        2. Ensuring Security Gaps Have Been Closed
      8. Best Practices for Enabling a Risk Mitigation Plan from Your Risk Assessment
      9. CHAPTER SUMMARY
      10. KEY CONCEPTS AND TERMS
      11. CHAPTER 11 ASSESSMENT
  7. THREE. Risk Mitigation Plans
    1. 12. Mitigating Risk with a Business Impact Analysis
      1. What Is a Business Impact Analysis?
        1. Collecting Data
        2. Varying Data Collection Methods
      2. Defining the Scope of Your Business Impact Analysis
      3. Objectives of a Business Impact Analysis
        1. Identify Critical Business Functions
        2. Identify Critical Resources
        3. Identify MAO and Impact
        4. Direct Costs
        5. Indirect Costs
        6. Identify Recovery Requirements
      4. The Steps of a Business Impact Analysis Process
        1. Identify the Environment
        2. Identify Stakeholders
        3. Identify Critical Business Functions
        4. Identify Critical Resources
        5. Identify Maximum Downtime
        6. Identify Recovery Priorities
        7. Develop BIA Report
      5. Identifying Mission-Critical Business Functions and Processes
      6. Mapping Business Functions and Processes to IT Systems
      7. Best Practices for Performing a BIA for Your Organization
      8. CHAPTER SUMMARY
      9. KEY CONCEPTS AND TERMS
      10. CHAPTER 12 ASSESSMENT
      11. ENDNOTE
    2. 13. Mitigating Risk with a Business Continuity Plan
      1. What Is a Business Continuity Plan (BCP)?
      2. Elements of a BCP
        1. Purpose
        2. Scope
        3. Assumptions and Planning Principles
          1. Incidents to Be Included and Excluded
          2. Strategy
          3. Priorities
          4. Required Support
        4. System Description and Architecture
          1. Overview
          2. Functional Description
          3. Sensitivity of Data and Criticality of Operations
          4. Identifying Critical Equipment, Software, Data, Documents, and Supplies
          5. Telecommunications
        5. Responsibilities
          1. BCP Program Manager
          2. BCP Coordinator
          3. BCP Teams
          4. Key Personnel
          5. Order of Succession and Delegation of Authority
        6. Notification/Activation Phase
          1. Notification Procedures
          2. Damage Assessment Procedures
          3. Plan Activation
          4. Alternate Assessment Procedures
          5. Personal Location Control Form
        7. Recovery Phase
          1. Recovery Planning
          2. Recovery Goal
          3. Technical Recovery Team Lead
          4. Technical Recovery Team
        8. Reconstitution Phase (Return to Normal Operations)
          1. Original or New Site Restoration
          2. Concurrent Processing
          3. Plan Deactivation
        9. Plan Training, Testing, and Exercises
          1. BCP Training
          2. BCP Testing
          3. BCP Test Exercises
          4. Tabletop Exercises
          5. Functional Exercises
          6. Full-Scale Exercises
        10. Plan Maintenance
          1. BCP Plan Revisions Tracking
          2. BCP Updates Based on Changes Within the IT Infrastructure
          3. BCP Annual Updates and Content Refreshment
          4. BCP Testing
      3. How Does a BCP Mitigate an Organization's Risk?
      4. Best Practices for Implementing a BCP for Your Organization
      5. CHAPTER SUMMARY
      6. KEY CONCEPTS AND TERMS
      7. CHAPTER 13 ASSESSMENT
    3. 14. Mitigating Risk with a Disaster Recovery Plan
      1. What Is a Disaster Recovery Plan (DRP)?
        1. Need
        2. Purpose
      2. Critical Success Factors
        1. What Management Must Provide
          1. Resources
          2. Leadership
        2. What DRP Developers Need
          1. Knowledge of Disaster Recovery
          2. Knowledge of How the Organization Functions
          3. Authority
        3. Primary Concerns
          1. Recovery Time Objectives (RTOs)
          2. Off-Site Data Storage, Backup, and Recovery
          3. Alternate Locations
            1. Cold Site.
            2. Hot Site.
            3. Warm Site.
            4. Redundant Backup Site.
            5. User Access.
            6. Management Access.
            7. Customer Access.
        4. Disaster Recovery Financial Budget
      3. Elements of a DRP
        1. Purpose
        2. Scope
        3. Disaster/Emergency Declaration
        4. Communications
        5. Emergency Response
        6. Activities
        7. Recovery Steps and Procedures
          1. Recovery Plans
          2. Backup Plans
        8. Critical Business Operations
        9. Recovery Procedures
        10. Critical Operations, Customer Service, and Operations Recovery
        11. Testing
        12. Maintenance and DRP Update
      4. How Does a DRP Mitigate an Organization's Risk?
      5. Best Practices for Implementing a DRP for Your Organization
      6. CHAPTER SUMMARY
      7. KEY CONCEPTS AND TERMS
      8. CHAPTER 14 ASSESSMENT
    4. 15. Mitigating Risk with a Computer Incident Response Team Plan
      1. What Is a Computer Incident Response Team (CIRT) Plan?
      2. Purpose of a CIRT Plan
      3. Elements of a CIRT Plan
        1. CIRT Members
            1. Roles.
            2. Responsibilities.
            3. Accountabilities.
        2. CIRT Policies
        3. Incident Handling Process
            1. Handling DoS Attack Incidents.
            2. Handling Malware Incidents.
            3. Handling Unauthorized Access Incidents.
            4. Handling Inappropriate Usage Incidents.
            5. Handling Multiple Component Incidents.
        4. Communication Escalation Procedures
        5. Incident Handling Procedures
            1. Calculating the Impact and Priority.
            2. Using a Generic Checklist.
            3. Handling DoS Attack Incidents.
            4. Handling Malware Incidents.
            5. Handling Unauthorized Access Incidents.
            6. Handling Inappropriate Usage Incidents.
      4. How Does a CIRT Plan Mitigate an Organization's Risk?
      5. Best Practices for Implementing a CIRT Plan for Your Organization
      6. CHAPTER SUMMARY
      7. KEY CONCEPTS AND TERMS
      8. CHAPTER 15 ASSESSMENT
  8. A. Answer Key
  9. B. Standard Acronyms
  10. Glossary of Key Terms
  11. References