
Information Technology Risk Management in Enterprise Environments A Review of Industry Practices and a Practical Guide to Risk Management Teams

by Jake Kouns and Daniel Minoli
  • ISBN13: 9780471762546
  • ISBN10: 0471762547
  • Edition: 1st
  • Format: Hardcover
  • Copyright: 2010-01-07
  • Publisher: Wiley-Interscience
Summary

Discusses all types of corporate risks and practical means of defending against them. Security is currently identified as a critical area of Information Technology management by a majority of government, commercial, and industrial organizations. Offers an effective risk management program, which is the most critical function of an information security program.

Author Biography

Jake Kouns is cofounder, CEO, and CFO of the Open Security Foundation. He holds an MBA in information security from James Madison University and a number of certifications, including ISC2's CISSP and ISACA's CISM, CISA, and CGEIT. Daniel Minoli is an expert in the fields of IT, telecommunications, and networking, with work experience at Capital One Financial, Prudential Securities, and AT&T, among others. He is the founder and President Emeritus of the IPv6 Institute. He is the author or coauthor of several books on IT, security, and networking, including Minoli-Cordovana's Authoritative Computer and Network Security Dictionary and Network Infrastructure and Architecture: Designing High Availability Networks, both published by Wiley.

Table of Contents

Preface, p. xiii
About the Authors, p. xv
Industry Practices in Risk Management, p. 1
Information Security Risk Management Imperatives and Opportunities, p. 3
Risk Management Purpose and Scope, p. 3
Purpose of Risk Management, p. 3
Text Scope, p. 17
References, p. 24
Bibliography of Related Literature, p. 25
Information Security Risk Management Defined, p. 33
Key Risk Management Definitions, p. 33
Survey of Industry Definitions, p. 33
Adopted Definitions, p. 37
A Mathematical Formulation of Risk, p. 40
What is Risk? A Formal Definition, p. 44
Risk in IT Environments, p. 44
Risk Management Procedures, p. 49
Typical Threats/Risk Events, p. 56
What is an Enterprise Architecture?, p. 61
References, p. 65
The CISSPforum/ISO27k Implementers Forum Information Security Risk List for 2008, p. 66
What is Enterprise Risk Management (ERM)?, p. 71
Information Security Risk Management Standards, p. 73
ISO/IEC 13335, p. 77
ISO/IEC 17799 (ISO/IEC 27002:2005), p. 78
ISO/IEC 27000 Series, p. 78
ISO/IEC 27000, Information Technology - Security Techniques - Information Security Management Systems - Fundamentals and Vocabulary, p. 79
ISO/IEC 27001:2005, Information Technology - Security Techniques - Specification for an Information Security Management System, p. 79
ISO/IEC 27002:2005, Information Technology - Security Techniques - Code of Practice for Information Security Management, p. 84
ISO/IEC 27003, Information Technology - Security Techniques - Information Security Management System Implementation Guidance, p. 90
ISO/IEC 27004, Information Technology - Security Techniques - Information Security Management - Measurement, p. 91
ISO/IEC 27005:2008, Information Technology - Security Techniques - Information Security Risk Management, p. 92
ISO/IEC 31000, p. 92
NIST Standards, p. 94
NIST SP 800-16, p. 96
NIST SP 800-30, p. 99
NIST SP 800-39, p. 101
AS/NZS 4360, p. 105
References, p. 106
Organization for Economic Cooperation and Development (OECD) Guidelines for the Security of Information Systems and Networks: Toward a Culture of Security, p. 107
A Survey of Available Information Security Risk Management Methods and Tools, p. 111
Overview, p. 111
Risk Management/Risk Analysis Methods, p. 114
Austrian IT Security Handbook, p. 114
CCTA Risk Assessment and Management Methodology (CRAMM), p. 115
Dutch A&K Analysis, p. 117
EBIOS, p. 117
ETSI Threat Vulnerability and Risk Analysis (TVRA) Method, p. 119
FAIR (Factor Analysis of Information Risk), p. 122
FIRM (Fundamental Information Risk Management), p. 124
FMEA (Failure Modes and Effects Analysis), p. 125
FRAP (Facilitated Risk Assessment Process), p. 128
ISAMM (Information Security Assessment and Monitoring Method), p. 129
ISO/IEC Baselines, p. 130
ISO 31000 Methodology, p. 130
IT-Grundschutz (IT Baseline Protection Manual), p. 136
MAGERIT (Metodología de Análisis y Gestión de Riesgos de los Sistemas de Información - Methodology for Information Systems Risk Analysis and Management), p. 137
MEHARI (Méthode Harmonisée d'Analyse de Risques - Harmonised Risk Analysis Method), p. 142
Microsoft's Security Risk Management Guide, p. 146
MIGRA (Metodologia Integrata per la Gestione del Rischio Aziendale), p. 152
NIST, p. 153
National Security Agency (NSA) IAM / IEM / IA-CMM, p. 153
Open Source Approach, p. 155
PTA (Practical Threat Analysis), p. 158
SOMAP (Security Officers Management and Analysis Project), p. 160
Summary, p. 161
References, p. 162
Methodology Examples: COBIT and OCTAVE, p. 164
Overview, p. 164
COBIT, p. 166
COBIT Framework, p. 172
The Need for a Control Framework for IT Governance, p. 173
How COBIT Meets the Need, p. 175
COBIT's Information Criteria, p. 175
Business Goals and IT Goals, p. 176
COBIT Framework, p. 177
IT Resources, p. 178
Plan and Organize (PO), p. 180
Acquire and Implement (AI), p. 180
Deliver and Support (DS), p. 180
Monitor and Evaluate (ME), p. 181
Processes Need Controls, p. 181
COBIT Framework, p. 181
Business and IT Controls, p. 184
IT General Controls and Application Controls, p. 185
Maturity Models, p. 187
Performance Measurement, p. 194
OCTAVE, p. 205
The OCTAVE Approach, p. 205
The OCTAVE Method, p. 208
References, p. 210
Developing Risk Management Teams, p. 211
Risk Management Issues and Organization Specifics, p. 213
Purpose and Scope, p. 213
Risk Management Policies, p. 216
A Snapshot of Risk Management in the Corporate World, p. 219
Motivations for Risk Management, p. 224
Justifying Risk Management Financially, p. 225
The Human Factors, p. 230
Priority-Oriented Rational Approach, p. 232
Overview of Pragmatic Risk Management Process, p. 234
Creation of a Risk Management Team, and Adoption of Methodologies, p. 234
Iterative Procedure for Ongoing Risk Management, p. 236
Roadmap to Pragmatic Risk Management, p. 236
References, p. 239
Example of a Security Policy, p. 239
Assessing Organization and Establishing Risk Management Scope, p. 243
Assessing the Current Enterprise Environment, p. 244
Soliciting Support from Senior Management, p. 248
Establishing Risk Management Scope and Boundaries, p. 259
Defining Acceptable Risk for Enterprise, p. 260
Risk Management Committee, p. 263
Organization-Specific Risk Methodology, p. 264
Quantitative Methods, p. 265
Qualitative Methods, p. 267
Other Approaches, p. 269
Risk Waivers Programs, p. 272
References, p. 274
Summary of Applicable Legislation, p. 275
Identifying Resources and Implementing the Risk Management Team, p. 280
Operating Costs to Support Risk Management and Staffing Requirements, p. 281
Organizational Models, p. 286
Staffing Requirements, p. 287
Specialized Skills Required, p. 290
Sourcing Options, p. 291
Risk Management Tools, p. 295
Risk Management Services, p. 296
Alerting and Analysis Services, p. 296
Assessments, Audits, and Project Consulting, p. 296
Developing and Implementing the Risk Management/Assessment Team, p. 298
Creating Security Standards, p. 298
Defining Subject Matter Experts, p. 300
Determining Information Sources, p. 300
References, p. 301
Sizing Example for Risk Management Team, p. 302
Example of Vulnerability Alerts by Vendors and CERT, p. 331
Examples of Data Losses - A One-Month Snapshot, p. 336
Identifying Assets and Organization Risk Exposures, p. 338
Importance of Asset Identification and Management, p. 338
Enterprise Architecture, p. 340
Identifying IT Assets, p. 346
Assigning Value to IT Assets, p. 353
Vulnerability Identification/Classification, p. 354
Base Parameters, p. 360
Temporal Parameters, p. 362
Environmental Parameters, p. 363
Threat Analysis: Type of Risk Exposures, p. 367
Type of Risk Exposures, p. 368
Internal Team Programs (to Uncover Risk Exposures), p. 371
Summary, p. 371
References, p. 371
Common Information Systems Assets, p. 372
Remediation Planning and Compliance Reporting, p. 377
Determining Risk Value, p. 377
Remediation Approaches, p. 380
Prioritizing Remediations, p. 384
Determining Mitigating Timeframes, p. 385
Compliance Monitoring and Security Metrics, p. 387
Compliance Reporting, p. 390
References, p. 391
Basic Glossary of Terms Used in This Text, p. 392
Index, p. 415
Table of Contents provided by Ingram. All Rights Reserved.

Supplemental Materials

What is included with this book?

The New copy of this book will include any supplemental materials advertised. Please check the title of the book to determine if it should include any access cards, study guides, lab manuals, CDs, etc.

The Used, Rental and eBook copies of this book are not guaranteed to include any supplemental materials. Typically, only the book itself is included. This is true even if the title states it includes any access cards, study guides, lab manuals, CDs, etc.