Introduction

Heavy financial losses, breaches of privacy, and even the downfall of corporations have recently been attributed to the inability of corporations to protect themselves from cyber-risks. Cyber-risks are generated by hackers, malicious software, disgruntled employees, competitors, and many other sources, both internal and external. These external and internal cyber-attacks on corporate assets, together with an increasingly technology-savvy corporate management, have led to a greater awareness of the information security risks to corporate information than corporations and government agencies have ever previously experienced. Understandably, information security is now a major concern for most corporations. A recent survey reported that computer security is the critical attribute of corporate networks for 78 percent of corporate executives. Another survey reported that security outweighed other concerns by a factor of three as the driving concern for IT improvements.

Many corporations are putting their money where their mouth is by increasing security spending. In a survey of chief security officers, corporations had increased their information security budget fivefold, to 10 percent of their IT budget, from 2002 to 2003. Another survey reported that information security spending increased by 28 percent globally from 2001 to 2003. But even with all this spending, many corporate executives are unsure about the effectiveness of their information security programs or of the security controls that have been put in place. A 2003 survey found that 34 percent of organizations see their own security controls as inadequate to detect a security breach.

It should be clear from the discussion above that organizations need a reliable method for measuring the effectiveness of their information security program. An information security risk assessment is designed specifically for that task. An information security risk assessment, when performed correctly, can give corporate managers the information they need to understand and control the risks to their assets. The subject of this book is how to perform a security risk assessment correctly, efficiently, and effectively.

Overview

The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments provides detailed insight into precisely how to conduct an information security risk assessment. Designed for security professionals and their customers who want a more in-depth understanding of the risk assessment process, this volume contains real-world advice that promotes professional development. It also enables security consumers to better negotiate the scope and rigor of a security assessment, effectively interface with a security assessment team, deliver insightful comments on a draft report, and have a greater understanding of final report recommendations.

This book can save time and money by eliminating guesswork as to which assessment steps to perform and how to perform them. In addition, the book offers charts, checklists, examples, and templates that speed up data gathering, analysis, and document development. By improving the efficiency of the assessment process, security consultants can deliver a higher-quality service with a larger profit margin.

The text allows consumers to intelligently solicit and review proposals, positioning them to request affordable security risk assessments from quality vendors that meet the needs of their organizations.

About the Author

Douglas Landoll has 17 years of information security experience. He has led security risk assessments establishing security programs within top corporations and government agencies. He is an expert in security risk assessment, security risk management, security criteria, and building corporate security programs.

His background includes evaluating security at the National Security Agency (NSA), North Atlantic Treaty Organization (NATO), Central Intelligence Agency (CIA), and other government agencies; co-founding the Arca Common Criteria Testing laboratory; co-authoring the Systems Security Engineering Capability Maturity Model (SSE-CMM); teaching at NSA's National Cryptologic School; and running the southwest security services division for Exodus Communications.

Presently he is the president of Veridyn, a provider of network security solutions. He is a Certified Information Systems Security Professional (CISSP) and Certified Information Systems Auditor (CISA). He holds a BS degree from James Madison University and an MBA from the University of Texas at Austin. He has published numerous information security articles, speaks regularly at conferences, and serves as an advisor for several high-tech companies.

Table of Contents

1 - Introduction
* 1.1 The Need for an Information Security Program
* 1.2 Elements of an Information Security Program
  * 1.2.1 Security Control Standards and Regulations
* 1.3 Common Core Information Security Practices
  * 1.3.1 Unanimous Core Security Practices
  * 1.3.2 Majority Core Security Practices
  * 1.3.3 Core Security Practice Conclusions
* 1.4 Security Risk Assessment
  * 1.4.1 The Role of the Security Risk Assessment
  * 1.4.2 Definition of a Security Risk Assessment
  * 1.4.3 The Need for a Security Risk Assessment
    * Checks and Balances
    * Periodic Review
    * Risk-Based Spending
    * Requirement
  * 1.4.4 Security Risk Assessment Secondary Benefits
* 1.5 Related Activities
  * 1.5.1 Gap Assessment
  * 1.5.2 Compliance Audit
  * 1.5.3 Security Audit
  * 1.5.4 Vulnerability Scanning
  * 1.5.5 Penetration Testing
  * 1.5.6 Ad Hoc Testing
  * 1.5.7 Social Engineering
  * 1.5.8 Wardialing
* 1.6 The Need for This Book
* 1.7 Who Is This Book For?
* Notes
* References

2 - Information Security Risk Assessment Basics
* 2.1 Phase 1: Project Definition
* 2.2 Phase 2: Project Preparation
* 2.3 Phase 3: Data Gathering
* 2.4 Phase 4: Risk Analysis
  * 2.4.1 Assets
  * 2.4.2 Threat Agents and Threats
    * Threat Agents
    * Threats
  * 2.4.3 Vulnerabilities
  * 2.4.4 Security Risk
* 2.5 Phase 5: Risk Mitigation
  * 2.5.1 Safeguards
  * 2.5.2 Residual Security Risk
* 2.6 Phase 6: Risk Reporting and Resolution
  * 2.6.1 Risk Resolution
* Note
* References

3 - Project Definition
* 3.1 Ensuring Project Success
  * 3.1.1 Success Definition
    * Customer Satisfaction
    * Quality of Work
    * Completion within Budget
  * 3.1.2 Setting the Budget
  * 3.1.3 Determining the Objective
  * 3.1.4 Limiting the Scope
    * Underscoping
    * Overscoping
    * Security Controls
    * Assets
    * Reasonableness in Limiting the Scope
  * 3.1.5 Identifying System Boundaries
    * Physical Boundary
    * Logical Boundaries
  * 3.1.6 Specifying the Rigor
  * 3.1.7 Sample Scope Statements
* 3.2 Project Description
  * 3.2.1 Project Variables
  * 3.2.2 Statement of Work
    * Specifying the Service Description
    * Scope of Security Controls
    * Specifying Deliverables
    * Contract Type
    * Contract Terms
* Notes
* References

4 - Security Risk Assessment Preparation
* 4.1 Introduce the Team
  * 4.1.1 Introductory Letter
  * 4.1.2 Pre-Assessment Briefing
  * 4.1.3 Obtain Proper Permission
    * Policies Required
    * Permission Required
    * Scope of Permission
    * Accounts Required
* 4.2 Review Business Mission
  * 4.2.1 What Is a Business Mission
  * 4.2.2 Obtaining Business Mission Information
* 4.3 Identify Critical Systems
  * 4.3.1 Determining Criticality
    * Approach 1: Find the Information Elsewhere
    * Approach 2: Create the Information on a High Level
    * Approach 3: Classifying Critical Systems
* 4.4 Identify Assets
  * 4.4.1 Checklists and Judgment
  * 4.4.2 Asset Sensitivity/Criticality Classification
    * Approach 1: Find Asset Classification Information Elsewhere
    * Approach 2: Create Asset Classification Information Quickly
    * Approach 3: Create Asset Classification Information Laboriously
  * 4.4.3 Asset Valuation
    * Approach 1: Binary Asset Valuation
    * Approach 2: Classification-Based Asset Valuation
    * Approach 3: Rank-Based Asset Valuation
    * Approach 4: Consensus Asset Valuation
    * Approaches 5–7: Accounting Valuation Approaches
    * Approach 5: Cost Valuation
    * Approach 6: Market Valuation
    * Approach 7: Income Valuation
* 4.5 Identifying Threats
  * 4.5.1 Threat Components
    * Threat Agent
    * Undesirable Events
  * 4.5.2 Listing Possible Threats
    * Checklists and Judgment
    * Threat Agent and Undesirable Event Pairing
  * 4.5.3 Threat Statements
  * 4.5.4 Validating Threat Statements
    * Factors Affecting Threat Statement Validity
* 4.6 Determine Expected Controls
* Notes
* References

5 - Data Gathering
* 5.1 Sampling
  * 5.1.1 Sampling Objectives
  * 5.1.2 Sampling Types
  * 5.1.3 Use of Sampling in Security Testing
    * Approach 1: Representative Testing
    * Approach 2: Selected Sampling
    * Approach 3: Random Sampling
* 5.2 The RIIOT Method of Data Gathering
  * 5.2.1 RIIOT Method Benefits
  * 5.2.2 RIIOT Method Approaches
    * Review Documents or Designs
    * Interview Key Personnel
    * Inspect Security Controls
    * Observe Behavior
    * Test Security Controls
  * 5.2.3 Using the RIIOT Method
* Notes
* References

6 - Administrative Data Gathering
* 6.1 Threats and Safeguards
  * 6.1.1 Human Resources
    * Recruitment
    * Employment
    * Termination
  * 6.1.2 Organizational Structure
    * Senior Management
    * Security Program
    * Security Operations
    * Audit
  * 6.1.3 Information Control
    * User Accounts
    * User Error
    * Asset Control
    * Sensitive Information
  * 6.1.4 Business Continuity
    * Contingency Planning
    * Incident Response Program
  * 6.1.5 System Security
    * System Controls
    * Application Security
    * Configuration Management
    * Third-Party Access
* 6.2 The RIIOT Method: Administrative Data Gathering
  * 6.2.1 Review Administrative Documents
    * Documents to Request
    * Review Documents for Clarity, Consistency, and Completeness
    * Reviewing Documents Other Than Policies
  * 6.2.2 Interview Administrative Personnel
    * Administrative Interview Topics
    * Administrative Interview Subjects
    * Administrative Interview Questions
  * 6.2.3 Inspect Administrative Security Controls
    * Listing Administrative Security Controls
    * Verify Information Gathered
    * Determine Vulnerabilities
    * Document and Review Findings
    * Inspect the Security Organization
  * 6.2.4 Observe Administrative Behavior
  * 6.2.5 Test Administrative Security Controls
    * Information Labeling Testing
    * Media Destruction Testing
    * Account and Access Control Procedures Testing
    * Outsourcing and Information Exchange
* Notes
* References

7 - Technical Data Gathering
* 7.1 Technical Threats and Safeguards
  * 7.1.1 Information Control
    * User Error
    * Sensitive and Critical Information
    * User Accounts
  * 7.1.2 Business Continuity
    * Contingency Planning
  * 7.1.3 System Security
    * System Controls
    * Application Security
    * Change Management
  * 7.1.4 Secure Architecture
    * Topology
    * Transmission
    * Perimeter Network
  * 7.1.5 Components
    * Access Control
    * Intrusion Detection
  * 7.1.6 Configuration
    * System Settings
  * 7.1.7 Data Security
    * Storage
    * Transit
* 7.2 The RIIOT Method: Technical Data Gathering
  * 7.2.1 Review Technical Documents
    * Technical Documents to Request
    * Review Technical Documents for Information
    * Review Technical Security Designs
  * 7.2.2 Interview Technical Personnel
    * Technical Interview Topics
    * Technical Interview Subjects
    * Technical Interview Questions
  * 7.2.3 Inspect Technical Security Controls
    * Listing Technical Security Controls
    * Verify Information Gathered
    * Determine Vulnerabilities
    * Document and Review Findings
  * 7.2.4 Observe Technical Personnel Behavior
  * 7.2.5 Test Technical Security Controls
    * Monitoring Technology
    * Audit Logs
    * Anti-Virus Systems
    * Automated Password Policies
    * Virtual Private Network
    * Firewalls, IDS, and System Hardening
    * Vulnerability Scanning
    * Penetration Testing
    * Testing Specific Technology

8 - Physical Data Gathering
* 8.1 Physical Threats and Safeguards
  * 8.1.1 Utilities and Interior Climate
    * Power
    * Heat
    * Humidity
  * 8.1.2 Fire
    * Fire Impact and Likelihood
    * Fire Safeguards
    * Fire Alarm Systems
    * Fire Alarm Installation Types
    * Fire Suppression
    * Fire Evacuation
  * 8.1.3 Flood and Water Damage
  * 8.1.4 Lightning
  * 8.1.5 Earthquakes
  * 8.1.6 Volcanoes
  * 8.1.7 Landslides
  * 8.1.8 Hurricanes
  * 8.1.9 Tornadoes
  * 8.1.10 Natural Hazards Summary
  * 8.1.11 Human Threats to Physical Security
    * Personnel Screening
    * Barriers
    * Lighting
    * Intrusion Detection
    * Physical Access Control
    * Preventing Unauthorized Entry
    * Preventing Unauthorized Removal
* 8.2 The RIIOT Method: Physical Data Gathering
  * 8.2.1 Review Physical Documents
    * Physical Documents to Request
    * Review Physical Documents for Information
  * 8.2.2 Interview Physical Personnel
    * Physical Security Interview Topics
    * Physical Security Interview Subjects
    * Physical Security Interview Questions
  * 8.2.3 Inspect Physical Security Controls
    * Listing Physical Security Controls
    * Verify Information Gathered
    * Determine Physical Vulnerabilities
    * Document and Review Physical Findings
  * 8.2.4 Observe Physical Personnel Behavior
  * 8.2.5 Test Physical Security Safeguards
    * Doors and Locks
    * Intrusion Detection
* Notes
* References

9 - Security Risk Analysis
* 9.1 Determining Risk
  * 9.1.1 Uncertainty and Reducing Uncertainty
    * Review Available Data
    * Examine Historical Data
    * Use Judgment
    * Use Tools
    * Use Conditional Probabilities
* 9.2 Creating Risk Statements
* 9.3 Team Review of Security Risk Statements
  * 9.3.1 Obtaining Consensus
  * 9.3.2 Deriving Overall Security Risk
* Notes
* References

10 - Security Risk Mitigation
* 10.1 Selecting Safeguards
* 10.2 Safeguard Solution Sets
  * 10.2.1 Safeguard Cost Calculations
  * 10.2.2 Justifying Safeguard Selections
    * 10.2.2.1 Justification through Judgment
    * 10.2.2.2 Cost–Benefit Analysis
* 10.3 Establishing Risk Parameters
* Notes
* References

11 - Security Risk Assessment Reporting
* 11.1 Cautions in Reporting
* 11.2 Pointers in Reporting
* 11.3 Report Structure
  * 11.3.1 Executive-Level Report
  * 11.3.2 Base Report
  * 11.3.3 Appendices and Exhibits
* 11.4 Document Review Methodology: Create the Report Using a Top-Down Approach
  * 11.4.1 Document Specification
  * 11.4.2 Draft
  * 11.4.3 Final
* 11.5 Assessment Brief
* 11.6 Action Plan
* Notes
* References

12 - Security Risk Assessment Project Management
* 12.1 Project Planning
  * 12.1.1 Project Definition
  * 12.1.2 Project Planning Details
    * Project Phases and Activities
    * Phases and Activities Scheduling
    * Allocating Hours to Activities
  * 12.1.3 Project Resources
    * Objectivity vs. Independence
    * Internal vs. External Team Members
    * Skills Required
    * Team Skills
    * Team Member Skills
* 12.2 Project Tracking
  * 12.2.1 Hours Tracking
  * 12.2.2 Calendar Time Tracking
  * 12.2.3 Project Progress Tracking
* 12.3 Taking Corrective Measures
  * 12.3.1 Obtaining More Resources
  * 12.3.2 Using Management Reserve
* 12.4 Project Status Reporting
  * 12.4.1 Report Detail
  * 12.4.2 Report Frequency
  * 12.4.3 Status Report Content
* 12.5 Project Conclusion and Wrap-Up
  * 12.5.1 Eliminating "Scope Creep"
  * 12.5.2 Eliminating Project Run-On
* Notes
* Reference

13 - Security Risk Assessment Approaches
* 13.1 Quantitative vs. Qualitative Analysis
  * 13.1.1 Quantitative Analysis
    * Expected Loss
    * Single Loss Expectancy
    * Annualized Loss Expectancy
    * Safeguard Value
    * Quantitative Analysis Advantages
    * Quantitative Analysis Disadvantages
  * 13.1.2 Qualitative Analysis
    * Qualitative Analysis Advantages
    * Qualitative Analysis Disadvantages
* 13.2 Tools
  * 13.2.1 Lists
  * 13.2.2 Templates
* 13.3 Security Risk Assessment Methods
  * 13.3.1 FAA Security Risk Management Process
  * 13.3.2 OCTAVE
  * 13.3.3 FRAP
  * 13.3.4 CRAMM
  * 13.3.5 NSA IAM
* Notes
* References

Appendix - Relevant Standards and Regulations
* GAISP
* CobiT
* ISO 17799
* NIST Handbook
* Management Controls
* Operational Controls
* Technical Controls
* HIPAA: Security
* Administrative Safeguards
* Physical Safeguards
* Technical Safeguards
* Gramm-Leach-Bliley Act (GLB Act)
* Notes

Please note: The book is in .PDF file format and you will need the Adobe Acrobat Reader.