Information Security Risk Assessment Toolkit: Practical Assessments through Data Collection and Data Analysis
October 2012

Publisher: Syngress Publishing
ISBN: 978-1-59749-735-0
Published: 17 October 2012
Pages: 278
Abstract

In order to protect a company's information assets, such as sensitive customer records, health care records, etc., the security practitioner first needs to find out what needs to be protected, what risks those assets are exposed to, what controls are in place to offset those risks, and where to focus attention for risk treatment. This is the true value and purpose of information security risk assessments. Effective risk assessments are meant to provide a defendable analysis of residual risk associated with your key assets so that risk treatment options can be explored. Information Security Risk Assessments gives you the tools and skills to get a quick, reliable, and thorough risk assessment for key stakeholders.

  • Based on the authors' experiences of real-world assessments, reports, and presentations
  • Focuses on implementing a process, rather than theory, that allows you to derive a quick and valuable assessment
  • Includes a companion web site with spreadsheets you can utilize to create and maintain the risk assessment

Table of Contents
  • Chapter 1: Information Security Risk Assessments
  • Chapter 2: A Practical Approach
  • Chapter 3: Data Collection
  • Chapter 4: Data Analysis
  • Chapter 5: Risk Assessment
  • Chapter 6: Risk Prioritization and Treatment
  • Chapter 7: Reporting
  • Chapter 8: Maintenance and Wrap Up

Reviews

Diego Merani

The distinction between information security risk and business risk is blurrier today than in the past: risk management nowadays plays an important role in business decision making, and helps to align information technology (IT) with business strategies. Nevertheless, the term "risk" is often inconsistently associated with technology-centric aspects, and stakeholders fail to recognize the difference between IT operational risks addressed at an IT operational level and business risks related to IT. In this context, the toolkit presented in this book can be seen as a guide to help information security practitioners choose the most appropriate approach. The authors provide a methodology that starts with the most commonly used frameworks and proposes a step-by-step structured risk assessment through data collection and analysis. The book initially defines the term "risk," gives examples of risk assessment activities, and compares different US assessment laws, regulations, policies, and frameworks related to information security risk assessment, such as the Federal Information Security Management Act (FISMA), or the Gramm-Leach-Bliley Act (GLBA). The central chapters are dedicated to data collection and data analysis. The authors develop and explain the importance of following a structured and streamlined collection process to consolidate all the information gathered into a form that allows the analyst to extrapolate relevant findings and conclusions. Different analysis schemes are proposed and compared, and the practical computation of risk is demonstrated by leveraging guidance from a specific National Institute of Standards and Technology (NIST) framework. The risk assessment process is described in chapter 5, in which the authors interpret the data organized and analyzed with the methodologies described so far to ultimately form the conclusions that will be the result of the risk assessment activities. Finally, a full chapter is dedicated to reporting. 
According to the authors, "The compilation of all [the] results into the final information security risk assessment report is ... essential to the credibility of [the] entire process[, ... and allows] the assessor to communicate the findings clearly to the stakeholders," enabling them to support action plans and remediation activities. The book is an introduction to risk management activities. The approach is extremely practical and may not be immediately applicable to all situations. I recommend it to readers who are looking for a quick and simple guide to starting a structured risk assessment activity.
