Information Risk Management

David Sutton

BOOK

Information Risk Management

David Sutton

(2014)

Additional Information

Book Details

ISBN: 978-1-78017-266-8
Edition: 1
Language: English
Pages: 245
Subjects: Library, archive & information management
SAP (Systems, applications & products in databases)
Computer security

Abstract

Information risk management (IRM) is about identifying, assessing and prioritising risks to keep information secure and available. This accessible book is a practical guide to understanding the principles of IRM and developing a strategic approach to an IRM programme. It also includes a chapter on applying IRM in the public sector. It is the only textbook for the BCS Practitioner Certificate in Information Risk Management.
Information is the 21st century’s new gold and protecting such a volatile asset is a tremendous challenge. This book provides many keys to understanding important concepts and possible approaches for mitigating the associated risks.
Lionel Dupré
This book is a well written and illustrated throughout, covering the subject area to a sufficient level of detail for both novices and experienced practitioners requiring a refresher. A very practical and complete guide to managing risks within an organisation.
Mehmet Hurer
Increasingly, organisations rely on information for their day-to-day operations, and the loss or unavailability of information can mean the difference between success and ruin. Information risk management (IRM) is about identifying, assessing and prioritising risks to keep information secure and available. This accessible book is a practical guide to understanding the principles of IRM and developing a strategic approach to an IRM programme. It also includes a chapter on applying IRM in the public sector. It is the only textbook for the BCS Practitioner Certificate in Information Risk Management.
Anyone wishing to become an InfoSec risk management practitioner MUST purchase this book. David has produced an extremely useful and readable book for those entering this discipline and indeed those practitioners wishing to have an invaluable reference resource sitting on their bookshelf. I highly recommended it.
John Hughes
David Sutton's career in IT spans nearly 50 years and includes voice and data networking, information security and critical information infrastructure protection. He delivers an annual lecture on business continuity at Royal Holloway University of London from where he holds an MSc in Information Security. He is also a co-author of Information Security Management Principles (2nd edition).

Section Title	Page	Action	Price
Cover	Cover
Copyright	iv
CONTENTS	vi
LIST OF FIGURES AND TABLES	ix
AUTHOR	xi
ACKNOWLEDGMENTS	xii
ABBREVIATIONS	xiii
DEFINITIONS, STANDARDS AND GLOSSARY OF TERMS	xvi
PREFACE	xxx
1 THE NEED FOR INFORMATION RISK MANAGEMENT	1
INTRODUCTION	1
WHAT IS INFORMATION?	4
THE INFORMATION LIFE CYCLE	6
WHO SHOULD USE INFORMATION RISK MANAGEMENT?	7
THE LEGAL FRAMEWORK	8
THE CONTEXT OF RISK IN THE ORGANISATION	9
THE BENEFITS OF TAKING ACCOUNT OF INFORMATION RISK	11
OVERVIEW OF THE INFORMATION RISK MANAGEMENT PROCESS	13
2 REVIEW OF INFORMATION SECURITY FUNDAMENTALS	18
INFORMATION CLASSIFICATION	20
PLAN, DO, CHECK, ACT	24
3 THE INFORMATION RISK MANAGEMENT PROGRAMME	26
GOALS, SCOPE AND OBJECTIVES	26
ROLES AND RESPONSIBILITIES	27
GOVERNANCE OF THE RISK MANAGEMENT PROGRAMME	28
INFORMATION RISK MANAGEMENT CRITERIA	29
4 RISK IDENTIFICATION	35
THE APPROACH TO RISK IDENTIFICATION	37
IMPACT ASSESSMENT	39
TYPES OF IMPACT	41
QUALITATIVE AND QUANTITATIVE ASSESSMENTS	45
5 THREAT AND VULNERABILITY ASSESSMENT	51
CONDUCTING THREAT ASSESSMENTS	51
CONDUCTING VULNERABILITY ASSESSMENTS	57
IDENTIFICATION OF EXISTING CONTROLS	64
6 RISK ANALYSIS AND RISK EVALUATION	68
ASSESSMENT OF LIKELIHOOD	68
RISK ANALYSIS	71
RISK EVALUATION	73
7 RISK TREATMENT	77
STRATEGIC RISK OPTIONS	78
TACTICAL RISK MANAGEMENT CONTROLS	82
OPERATIONAL RISK MANAGEMENT CONTROLS	83
EXAMPLES OF CRITICAL CONTROLS AND CONTROL CATEGORIES	83
8 RISK REPORTING AND PRESENTATION	87
BUSINESS CASES	87
RISK TREATMENT DECISION-MAKING	89
RISK TREATMENT PLANNING AND IMPLEMENTATION	90
BUSINESS CONTINUITY AND DISASTER RECOVERY	90
9 COMMUNICATION, CONSULTATION, MONITORING AND REVIEW	100
COMMUNICATION	101
CONSULTATION	103
RISK REVIEWS AND MONITORING	104
10 THE CESG IA CERTIFICATION SCHEME	107
THE CESG IA CERTIFICATION SCHEME	107
SKILLS FRAMEWORK FOR THE INFORMATION AGE (SFIA)	110
THE IISP INFORMATION SECURITY SKILLS FRAMEWORK	112
11 HMG SECURITY-RELATED DOCUMENTS	115
HMG SECURITY POLICY FRAMEWORK	115
UK GOVERNMENT SECURITY CLASSIFICATIONS	120
APPENDIX A TAXONOMIES AND DESCRIPTIONS	122
INFORMATION RISK	122
TYPICAL IMPACTS OR CONSEQUENCES	124
APPENDIX B TYPICAL THREATS AND HAZARDS	128
MALICIOUS INTRUSION (HACKING)	128
ENVIRONMENTAL THREATS	131
ERRORS AND FAILURES	133
SOCIAL ENGINEERING	134
MISUSE AND ABUSE	136
PHYSICAL THREATS	137
MALWARE	137
APPENDIX C TYPICAL VULNERABILITIES	140
ACCESS CONTROL	140
POOR PROCEDURES	143
PHYSICAL AND ENVIRONMENTAL SECURITY	144
COMMUNICATIONS AND OPERATIONS MANAGEMENT	145
PEOPLE-RELATED SECURITY FAILURES	148
APPENDIX D INFORMATION RISK CONTROLS	150
STRATEGIC CONTROLS	150
TACTICAL CONTROLS	150
OPERATIONAL CONTROLS	152
CRITICAL SECURITY CONTROLS VERSION 5.0	152
ISO/IEC 27001 CONTROLS	156
NIST SPECIAL PUBLICATION 800-53 REVISION 4	161
APPENDIX E METHODOLOGIES, GUIDELINES AND TOOLS	168
METHODOLOGIES	168
OTHER GUIDELINES AND TOOLS	175
APPENDIX F TEMPLATES	180
APPENDIX G HMG CYBER SECURITY GUIDELINES	186
HMG CYBER ESSENTIALS SCHEME	186
10 STEPS TO CYBER SECURITY	190
APPENDIX H REFERENCES AND FURTHER READING	192
PRIMARY UK LEGISLATION	192
GOOD PRACTICE GUIDELINES	193
OTHER REFERENCE MATERIAL	193
CESG CERTIFIED PROFESSIONAL SCHEME	194
OTHER UK GOVERNMENT PUBLICATIONS	195
RISK MANAGEMENT METHODOLOGIES	196
NEWS ARTICLES ETC.	197
UK AND INTERNATIONAL STANDARDS	197
INDEX	204
Back Cover	211

Information Risk Management

Additional Information

Book Details

Abstract

Table of Contents

Contact Us

Quick Navigation