
Information Technology Risk Management in Enterprise Environments – A Review of Industry Practices and a Practical Guide to Risk Management Teams

Hardcover, English, 2010, ISBN 9780471762546

Summary

Discusses all types of corporate risks and practical means of defending against them.
Security is currently identified as a critical area of Information Technology management by a majority of government, commercial, and industrial organizations.
Offers an effective risk management program, which is the most critical function of an information security program.

Specifications

ISBN13: 9780471762546
Language: English
Binding: hardcover
Number of pages: 448


Table of Contents

PREFACE.
ABOUT THE AUTHORS.
PART I INDUSTRY PRACTICES IN RISK MANAGEMENT.
1. INFORMATION SECURITY RISK MANAGEMENT IMPERATIVES AND OPPORTUNITIES.
1.1 Risk Management Purpose and Scope.
1.1.1 Purpose of Risk Management.
1.1.2 Text Scope.
References.
Appendix 1A: Bibliography of Related Literature.
2. INFORMATION SECURITY RISK MANAGEMENT DEFINED.
2.1 Key Risk Management Definitions.
2.2 A Mathematical Formulation of Risk.
2.3 Typical Threats/Risk Events.
2.4 What is an Enterprise Architecture?
References.
Appendix 2A: The CISSPforum/ISO27k Implementers Forum Information Security Risk List for 2008.
Appendix 2B: What is Enterprise Risk Management (ERM)?
3. INFORMATION SECURITY RISK MANAGEMENT STANDARDS.
3.1 ISO/IEC 13335.
3.2 ISO/IEC 17799 (ISO/IEC 27002:2005).
3.3 ISO/IEC 27000 SERIES.
3.3.1 ISO/IEC 27000, Information Technology - Security Techniques - Information Security Management Systems - Fundamentals and Vocabulary.
3.3.2 ISO/IEC 27001:2005, Information Technology - Security Techniques - Specification for an Information Security Management System.
3.3.3 ISO/IEC 27002:2005, Information Technology - Security Techniques - Code of Practice for Information Security Management.
3.3.4 ISO/IEC 27003, Information Technology - Security Techniques - Information Security Management System Implementation Guidance.
3.3.5 ISO/IEC 27004, Information Technology - Security Techniques - Information Security Management Measurement.
3.3.6 ISO/IEC 27005:2008, Information Technology - Security Techniques - Information Security Risk Management.
3.4 ISO/IEC 31000.
3.5 NIST STANDARDS.
3.5.1 NIST SP 800-16.
3.5.2 NIST SP 800-30.
3.5.3 NIST SP 800-39.
3.6 AS/NZS 4360.
References.
Appendix 3A: Organisation for Economic Co-operation and Development (OECD) Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security.
4. A SURVEY OF AVAILABLE INFORMATION SECURITY RISK MANAGEMENT METHODS AND TOOLS.
4.1 Overview.
4.2 Risk Management/Risk Analysis Methods.
4.2.1 Austrian IT Security Handbook.
4.2.2 CCTA Risk Assessment and Management Methodology (CRAMM).
4.2.3 Dutch A&K Analysis.
4.2.4 EBIOS.
4.2.5 ETSI Threat Vulnerability and Risk Analysis (TVRA) Method.
4.2.6 FAIR (Factor Analysis of Information Risk).
4.2.7 FIRM (Fundamental Information Risk Management).
4.2.8 FMEA (Failure Modes and Effects Analysis).
4.2.9 FRAP (Facilitated Risk Assessment Process).
4.2.10 ISAMM (Information Security Assessment and Monitoring Method).
4.2.11 ISO/IEC Baselines.
4.2.12 ISO 31000 Methodology.
4.2.13 IT-Grundschutz (IT Baseline Protection Manual).
4.2.14 MAGERIT (Metodología de Análisis y Gestión de Riesgos de los Sistemas de Información; Methodology for Information Systems Risk Analysis and Management).
4.2.15 MEHARI (Méthode Harmonisée d'Analyse de Risques; Harmonised Risk Analysis Method).
4.2.16 Microsoft's Security Risk Management Guide.
4.2.17 MIGRA (Metodologia Integrata per la Gestione del Rischio Aziendale).
4.2.18 NIST.
4.2.19 National Security Agency (NSA) IAM / IEM / IA-CMM.
4.2.20 Open Source Approach.
4.2.21 PTA (Practical Threat Analysis).
4.2.22 SOMAP (Security Officers Management and Analysis Project).
4.2.23 Summary.
References.
5. METHODOLOGY EXAMPLES: COBIT AND OCTAVE.
5.1 Overview.
5.2 COBIT.
5.2.1 COBIT Framework.
5.2.2 The Need for a Control Framework for IT Governance.
5.2.3 How COBIT Meets the Need.
5.2.4 COBIT's Information Criteria.
5.2.5 Business Goals and IT Goals.
5.2.6 COBIT Framework.
5.2.7 IT Resources.
5.2.8 Plan and Organize (PO).
5.2.9 Acquire and Implement (AI).
5.2.10 Deliver and Support (DS).
5.2.11 Monitor and Evaluate (ME).
5.2.12 Processes Need Controls.
5.2.13 COBIT Framework.
5.2.14 Business and IT Controls.
5.2.15 IT General Controls and Application Controls.
5.2.16 Maturity Models.
5.2.17 Performance Measurement.
5.3 OCTAVE.
5.3.1 The OCTAVE Approach.
5.3.2 The OCTAVE Method.
References.
PART II DEVELOPING RISK MANAGEMENT TEAMS.
6. RISK MANAGEMENT ISSUES AND ORGANIZATION SPECIFICS.
6.1 Purpose and Scope.
6.2 Risk Management Policies.
6.3 A Snapshot of Risk Management in the Corporate World.
6.3.1 Motivations for Risk Management.
6.3.2 Justifying Risk Management Financially.
6.3.3 The Human Factors.
6.3.4 Priority-Oriented Rational Approach.
6.4 Overview of Pragmatic Risk Management Process.
6.4.1 Creation of a Risk Management Team, and Adoption of Methodologies.
6.4.2 Iterative Procedure for Ongoing Risk Management.
6.5 Roadmap to Pragmatic Risk Management.
References.
Appendix 6A: Example of a Security Policy.
7. ASSESSING ORGANIZATION AND ESTABLISHING RISK MANAGEMENT SCOPE.
7.1 Assessing the Current Enterprise Environment.
7.2 Soliciting Support From Senior Management.
7.3 Establishing Risk Management Scope and Boundaries.
7.4 Defining Acceptable Risk for Enterprise.
7.5 Risk Management Committee.
7.6 Organization-Specific Risk Methodology.
7.6.1 Quantitative Methods.
7.6.2 Qualitative Methods.
7.6.3 Other Approaches.
7.7 Risk Waivers Programs.
References.
Appendix 7A: Summary of Applicable Legislation.
8. IDENTIFYING RESOURCES AND IMPLEMENTING THE RISK MANAGEMENT TEAM.
8.1 Operating Costs to Support Risk Management and Staffing Requirements.
8.2 Organizational Models.
8.3 Staffing Requirements.
8.3.1 Specialized Skills Required.
8.3.2 Sourcing Options.
8.4 Risk Management Tools.
8.5 Risk Management Services.
8.5.1 Alerting and Analysis Services.
8.5.2 Assessments, Audits, and Project Consulting.
8.6 Developing and Implementing the Risk Management/Assessment Team.
8.6.1 Creating Security Standards.
8.6.2 Defining Subject Matter Experts.
8.6.3 Determining Information Sources.
References.
Appendix 8A: Sizing Example for Risk Management Team.
Appendix 8B: Example of Vulnerability Alerts by Vendors and CERT.
Appendix 8C: Examples of Data Losses: A One-Month Snapshot.
9. IDENTIFYING ASSETS AND ORGANIZATION RISK EXPOSURES.
9.1 Importance of Asset Identification and Management.
9.2 Enterprise Architecture.
9.3 Identifying IT Assets.
9.4 Assigning Value to IT Assets.
9.5 Vulnerability Identification/Classification.
9.5.1 Base Parameters.
9.5.2 Temporal Parameters.
9.5.3 Environmental Parameters.
9.6 Threat Analysis: Type of Risk Exposures.
9.6.1 Type of Risk Exposures.
9.6.2 Internal Team Programs (to Uncover Risk Exposures).
9.7 Summary.
References.
Appendix 9A: Common Information Systems Assets.
10. REMEDIATION PLANNING AND COMPLIANCE REPORTING.
10.1 Determining Risk Value.
10.2 Remediation Approaches.
10.3 Prioritizing Remediations.
10.4 Determining Mitigation Timeframes.
10.5 Compliance Monitoring and Security Metrics.
10.6 Compliance Reporting.
References.
BASIC GLOSSARY OF TERMS USED IN THIS TEXT.
INDEX.
