Information Technology Risk Management in Enterprise Environments
A Review of Industry Practices and a Practical Guide to Risk Management Teams
Hardcover, English, 2010
By Jake Kouns and Daniel Minoli (Stevens Institute of Technology, AT&T, Red Bank, New Jersey)
1 709 kr
Product information
- Publication date: 2010-01-26
- Dimensions: 161 x 243 x 29 mm
- Weight: 753 g
- Language: English
- Pages: 448
- Edition: 1
- Publisher: John Wiley & Sons Inc
- EAN: 9780471762546
JAKE KOUNS is cofounder, CEO, and CFO of the Open Security Foundation. He holds an MBA in information security from James Madison University and a number of certifications, including ISC2's CISSP, ISACA's CISM, CISA, and CGEIT. DANIEL MINOLI is an expert in the fields of IT, telecommunications, and networking, with work experience at Capital One Financial, Prudential Securities, and AT&T, among others. He is the founder and President Emeritus of the IPv6 Institute. He is the author or coauthor of several books on IT, security, and networking, including Minoli-Cordovana's Authoritative Computer and Network Security Dictionary and Network Infrastructure and Architecture: Designing High Availability Networks, both published by Wiley.
Table of contents
- Preface xiii
- About the Authors xv
- Part I Industry Practices in Risk Management 1
- 1. Information Security Risk Management Imperatives and Opportunities 3
- 1.1 Risk Management Purpose and Scope 3
- 1.1.1 Purpose of Risk Management 3
- 1.1.2 Text Scope 17
- References 24
- Appendix 1A: Bibliography of Related Literature 25
- 2. Information Security Risk Management Defined 33
- 2.1 Key Risk Management Definitions 33
- 2.1.1 Survey of Industry Definitions 33
- 2.1.2 Adopted Definitions 37
- 2.2 A Mathematical Formulation of Risk 40
- 2.2.1 What is Risk? A Formal Definition 44
- 2.2.2 Risk in IT Environments 44
- 2.2.3 Risk Management Procedures 49
- 2.3 Typical Threats/Risk Events 56
- 2.4 What is an Enterprise Architecture? 61
- References 65
- Appendix 2A: The CISSPforum/ISO27k Implementers Forum Information Security Risk List for 2008 66
- Appendix 2B: What is Enterprise Risk Management (ERM)? 71
- 3. Information Security Risk Management Standards 73
- 3.1 ISO/IEC 13335 77
- 3.2 ISO/IEC 17799 (ISO/IEC 27002:2005) 78
- 3.3 ISO/IEC 27000 Series 78
- 3.3.1 ISO/IEC 27000, Information Technology—Security Techniques—Information Security Management Systems—Fundamentals and Vocabulary 79
- 3.3.2 ISO/IEC 27001:2005, Information Technology—Security Techniques—Specification for an Information Security Management System 79
- 3.3.3 ISO/IEC 27002:2005, Information Technology—Security Techniques—Code of Practice for Information Security Management 84
- 3.3.4 ISO/IEC 27003, Information Technology—Security Techniques—Information Security Management System Implementation Guidance 90
- 3.3.5 ISO/IEC 27004, Information Technology—Security Techniques—Information Security Management—Measurement 91
- 3.3.6 ISO/IEC 27005:2008, Information Technology—Security Techniques—Information Security Risk Management 92
- 3.4 ISO/IEC 31000 92
- 3.5 NIST Standards 94
- 3.5.1 NIST SP 800-16 96
- 3.5.2 NIST SP 800-30 99
- 3.5.3 NIST SP 800-39 101
- 3.6 AS/NZS 4360 105
- References 106
- Appendix 3A: Organization for Economic Co-Operation and Development (OECD) Guidelines for the Security of Information Systems and Networks: Toward a Culture of Security 107
- 4. A Survey of Available Information Security Risk Management Methods and Tools 111
- 4.1 Overview 111
- 4.2 Risk Management/Risk Analysis Methods 114
- 4.2.1 Austrian IT Security Handbook 114
- 4.2.2 CCTA Risk Assessment and Management Methodology (CRAMM) 115
- 4.2.3 Dutch A&K Analysis 117
- 4.2.4 EBIOS 117
- 4.2.5 ETSI Threat Vulnerability and Risk Analysis (TVRA) Method 119
- 4.2.6 FAIR (Factor Analysis of Information Risk) 122
- 4.2.7 FIRM (Fundamental Information Risk Management) 124
- 4.2.8 FMEA (Failure Modes and Effects Analysis) 125
- 4.2.9 FRAP (Facilitated Risk Assessment Process) 128
- 4.2.10 ISAMM (Information Security Assessment and Monitoring Method) 129
- 4.2.11 ISO/IEC Baselines 130
- 4.2.12 ISO 31000 Methodology 130
- 4.2.13 IT-Grundschutz (IT Baseline Protection Manual) 136
- 4.2.14 MAGERIT (Metodologia de Analisis y Gestion de Riesgos de los Sistemas de Informacion) (Methodology for Information Systems Risk Analysis and Management) 137
- 4.2.15 MEHARI (Méthode Harmonisée d’Analyse de Risques—Harmonised Risk Analysis Method) 142
- 4.2.16 Microsoft’s Security Risk Management Guide 146
- 4.2.17 MIGRA (Metodologia Integrata per la Gestione del Rischio Aziendale) 152
- 4.2.18 NIST 153
- 4.2.19 National Security Agency (NSA) IAM / IEM / IA-CMM 153
- 4.2.20 Open Source Approach 155
- 4.2.21 PTA (Practical Threat Analysis) 158
- 4.2.22 SOMAP (Security Officers Management and Analysis Project) 160
- 4.2.23 Summary 161
- References 162
- 5. Methodologies Examples: COBIT and OCTAVE 164
- 5.1 Overview 164
- 5.2 COBIT 166
- 5.2.1 COBIT Framework 172
- 5.2.2 The Need for a Control Framework for IT Governance 173
- 5.2.3 How COBIT Meets the Need 175
- 5.2.4 COBIT’s Information Criteria 175
- 5.2.5 Business Goals and IT Goals 176
- 5.2.6 COBIT Framework 177
- 5.2.7 IT Resources 178
- 5.2.8 Plan and Organize (PO) 180
- 5.2.9 Acquire and Implement (AI) 180
- 5.2.10 Deliver and Support (DS) 180
- 5.2.11 Monitor and Evaluate (ME) 181
- 5.2.12 Processes Need Controls 181
- 5.2.13 COBIT Framework 181
- 5.2.14 Business and IT Controls 184
- 5.2.15 IT General Controls and Application Controls 185
- 5.2.16 Maturity Models 187
- 5.2.17 Performance Measurement 194
- 5.3 OCTAVE 205
- 5.3.1 The OCTAVE Approach 205
- 5.3.2 The OCTAVE Method 208
- References 210
- Part II Developing Risk Management Teams 211
- 6. Risk Management Issues and Organization Specifics 213
- 6.1 Purpose and Scope 213
- 6.2 Risk Management Policies 216
- 6.3 A Snapshot of Risk Management in the Corporate World 219
- 6.3.1 Motivations for Risk Management 224
- 6.3.2 Justifying Risk Management Financially 225
- 6.3.3 The Human Factors 230
- 6.3.4 Priority-Oriented Rational Approach 232
- 6.4 Overview of Pragmatic Risk Management Process 234
- 6.4.1 Creation of a Risk Management Team, and Adoption of Methodologies 234
- 6.4.2 Iterative Procedure for Ongoing Risk Management 236
- 6.5 Roadmap to Pragmatic Risk Management 236
- References 239
- Appendix 6A: Example of a Security Policy 239
- 7. Assessing Organization and Establishing Risk Management Scope 243
- 7.1 Assessing the Current Enterprise Environment 244
- 7.2 Soliciting Support From Senior Management 248
- 7.3 Establishing Risk Management Scope and Boundaries 259
- 7.4 Defining Acceptable Risk for Enterprise 260
- 7.5 Risk Management Committee 263
- 7.6 Organization-Specific Risk Methodology 264
- 7.6.1 Quantitative Methods 265
- 7.6.2 Qualitative Methods 267
- 7.6.3 Other Approaches 269
- 7.7 Risk Waivers Programs 272
- References 274
- Appendix 7A: Summary of Applicable Legislation 275
- 8. Identifying Resources and Implementing the Risk Management Team 280
- 8.1 Operating Costs to Support Risk Management and Staffing Requirements 281
- 8.2 Organizational Models 286
- 8.3 Staffing Requirements 287
- 8.3.1 Specialized Skills Required 290
- 8.3.2 Sourcing Options 291
- 8.4 Risk Management Tools 295
- 8.5 Risk Management Services 296
- 8.5.1 Alerting and Analysis Services 296
- 8.5.2 Assessments, Audits, and Project Consulting 296
- 8.6 Developing and Implementing the Risk Management/Assessment Team 298
- 8.6.1 Creating Security Standards 298
- 8.6.2 Defining Subject Matter Experts 300
- 8.6.3 Determining Information Sources 300
- References 301
- Appendix 8A: Sizing Example for Risk Management Team 302
- Appendix 8B: Example of Vulnerability Alerts by Vendors and CERT 331
- Appendix 8C: Examples of Data Losses—A One-Month Snapshot 336
- 9. Identifying Assets and Organization Risk Exposures 338
- 9.1 Importance of Asset Identification and Management 338
- 9.2 Enterprise Architecture 340
- 9.3 Identifying IT Assets 346
- 9.4 Assigning Value to IT Assets 353
- 9.5 Vulnerability Identification/Classification 354
- 9.5.1 Base Parameters 360
- 9.5.2 Temporal Parameters 362
- 9.5.3 Environmental Parameters 363
- 9.6 Threat Analysis: Type of Risk Exposures 367
- 9.6.1 Type of Risk Exposures 368
- 9.6.2 Internal Team Programs (to Uncover Risk Exposures) 371
- 9.7 Summary 371
- References 371
- Appendix 9A: Common Information Systems Assets 372
- 10. Remediation Planning and Compliance Reporting 377
- 10.1 Determining Risk Value 377
- 10.2 Remediation Approaches 380
- 10.3 Prioritizing Remediations 384
- 10.4 Determining Mitigating Timeframes 385
- 10.5 Compliance Monitoring and Security Metrics 387
- 10.6 Compliance Reporting 390
- References 391
- Basic Glossary of Terms Used in This Text 392
- Index 415
"Throughout, practical examples are included from various healthcare, manufacturing, and retail industries that demonstrate key concepts, implementation guidance to get started, as well as tables of risk indicators and metrics, physical structure diagrams, and graphs." (PR-Inside.com, 29 March 2011)