Security Risk Management

Book Description

The goal of Security Risk Management is to teach you practical techniques that you will use on a daily basis, while also explaining the fundamentals so that you understand the rationale behind these practices. Security professionals often fall into the trap of telling the business that it needs to fix something, but they can't explain why. This book will help you break free from the so-called "best practices" argument by articulating risk exposures in business terms. You will learn how to perform risk assessments for new IT projects, how to efficiently manage daily risk activities, and how to qualify the current risk level for presentation to executive-level management. While other books focus entirely on risk analysis methods, this is the first comprehensive guide to managing security risks.
  • Named a 2011 Best Governance and ISMS Book by InfoSec Reviews
  • Includes case studies to provide hands-on experience using risk assessment tools to calculate the costs and benefits of any security investment
  • Explores each phase of the risk management lifecycle, focusing on policies and assessment processes that should be used to properly assess and mitigate risk
  • Presents a roadmap for designing and implementing a security risk management program

Table of Contents

  1. Cover Image
  2. Content
  3. Title
  4. Front Matter
  5. Copyright
  6. Preface
  7. Acknowledgments
  8. About the Author
  9. About the Technical Editor
  10. PART I. Introduction to Risk Management
    1. Chapter 1. The Security Evolution
      1. Information in this Chapter
      2. Introduction
      3. How We Got Here
      4. A Risk-Focused Future
      5. Information Security Fundamentals
      6. The Death of Information Security
      7. Summary
    2. Chapter 2. Risky Business
      1. Information in this Chapter
      2. Introduction
      3. Applying Risk Management to Information Security
      4. Business-Driven Security Program
      5. Security as an Investment
      6. Qualitative versus Quantitative
      7. Summary
    3. Chapter 3. The Risk Management Lifecycle
      1. Information in this Chapter
      2. Introduction
      3. Stages of the Risk Management Lifecycle
      4. Business Impact Assessment
      5. A Vulnerability Assessment Is Not a Risk Assessment
      6. Making Risk Decisions
      7. Mitigation Planning and Long-Term Strategy
      8. Process Ownership
      9. Summary
  11. PART II. Risk Assessment and Analysis Techniques
    1. Chapter 4. Risk Profiling
      1. Information in this Chapter
      2. Introduction
      3. How Risk Sensitivity Is Measured
      4. Asking the Right Questions
      5. Assessing Risk Appetite
      6. Summary
    2. Chapter 5. Formulating a Risk
      1. Information in this Chapter
      2. Introduction
      3. Breaking Down a Risk
      4. Who or What Is the Threat?
      5. Summary
    3. Chapter 6. Risk Exposure Factors
      1. Information in this Chapter
      2. Introduction
      3. Qualitative Risk Measures
      4. Risk Assessment
      5. Summary
    4. Chapter 7. Security Controls and Services
      1. Information in this Chapter
      2. Introduction
      3. Fundamental Security Services
      4. Recommended Controls
      5. Summary
    5. Chapter 8. Risk Evaluation and Mitigation Strategies
      1. Information in this Chapter
      2. Introduction
      3. Risk Evaluation
      4. Risk Mitigation Planning
      5. Policy Exceptions and Risk Acceptance
      6. Summary
    6. Chapter 9. Reports and Consulting
      1. Information in this Chapter
      2. Introduction
      3. Risk Management Artifacts
      4. A Consultant’s Perspective
      5. Writing Audit Responses
      6. Summary
    7. Chapter 10. Risk Assessment Techniques
      1. Information in this Chapter
      2. Introduction
      3. Operational Assessments
      4. Project-Based Assessments
      5. Third-Party Assessments
      6. Summary
  12. PART III. Building and Running a Risk Management Program
    1. Chapter 11. Threat and Vulnerability Management
      1. Information in this Chapter
      2. Introduction
      3. Building Blocks
      4. Threat Identification
      5. Advisories and Testing
      6. An Efficient Workflow
      7. The FAIR Approach
      8. Summary
    2. Chapter 12. Security Risk Reviews
      1. Information in this Chapter
      2. Introduction
      3. Assessing the State of Compliance
      4. Implementing a Process
      5. Process Optimization: A Review of Key Points
      6. The NIST Approach
      7. Summary
    3. Chapter 13. A Blueprint for Security
      1. Information in this Chapter
      2. Introduction
      3. Risk in the Development Lifecycle
      4. Security Architecture
      5. Patterns and Baselines
      6. Architectural Risk Analysis
      7. Summary
    4. Chapter 14. Building a Program from Scratch
      1. Information in this Chapter
      2. Introduction
      3. Designing a Risk Program
      4. Prerequisites for a Risk Management Program
      5. Risk at the Enterprise Level
      6. Linking the Program Components
      7. Program Roadmap
      8. Summary
  13. APPENDIX A. Sample Security Risk Profile
    1. A. General Information
    2. B. Information Sensitivity
    3. C. Regulatory Requirements
    4. D. Business Requirements
    5. E. Definitions
  14. APPENDIX B. Qualitative Risk Scale Reference Tables
  15. APPENDIX C. Architectural Risk Analysis Reference Tables
    1. Baseline Security Levels and Sample Controls
    2. Security Enhancement Levels and Sample Controls
    3. Mapping Security Levels
  16. Index