Information Risk Management

David Sutton

(2014)

Book Details

Abstract

Increasingly, organisations rely on information for their day-to-day operations, and the loss or unavailability of information can mean the difference between success and ruin. Information risk management (IRM) is about identifying, assessing and prioritising risks to keep information secure and available. This accessible book is a practical guide to understanding the principles of IRM and developing a strategic approach to an IRM programme. It also includes a chapter on applying IRM in the public sector. It is the only textbook for the BCS Practitioner Certificate in Information Risk Management.

Information is the 21st century’s new gold and protecting such a volatile asset is a tremendous challenge. This book provides many keys to understanding important concepts and possible approaches for mitigating the associated risks.
Lionel Dupré

This book is well written and illustrated throughout, covering the subject area to a sufficient level of detail for both novices and experienced practitioners requiring a refresher. A very practical and complete guide to managing risks within an organisation.
Mehmet Hurer

Anyone wishing to become an InfoSec risk management practitioner MUST purchase this book. David has produced an extremely useful and readable book for those entering this discipline and indeed those practitioners wishing to have an invaluable reference resource sitting on their bookshelf. I highly recommend it.
John Hughes
David Sutton's career in IT spans nearly 50 years and includes voice and data networking, information security and critical information infrastructure protection. He delivers an annual lecture on business continuity at Royal Holloway University of London from where he holds an MSc in Information Security. He is also a co-author of Information Security Management Principles (2nd edition).

Table of Contents

Section title  Page
Cover
Copyright  iv
CONTENTS  vi
LIST OF FIGURES AND TABLES  ix
AUTHOR  xi
ACKNOWLEDGMENTS  xii
ABBREVIATIONS  xiii
DEFINITIONS, STANDARDS AND GLOSSARY OF TERMS  xvi
PREFACE  xxx
1 THE NEED FOR INFORMATION RISK MANAGEMENT  1
  INTRODUCTION  1
  WHAT IS INFORMATION?  4
  THE INFORMATION LIFE CYCLE  6
  WHO SHOULD USE INFORMATION RISK MANAGEMENT?  7
  THE LEGAL FRAMEWORK  8
  THE CONTEXT OF RISK IN THE ORGANISATION  9
  THE BENEFITS OF TAKING ACCOUNT OF INFORMATION RISK  11
  OVERVIEW OF THE INFORMATION RISK MANAGEMENT PROCESS  13
2 REVIEW OF INFORMATION SECURITY FUNDAMENTALS  18
  INFORMATION CLASSIFICATION  20
  PLAN, DO, CHECK, ACT  24
3 THE INFORMATION RISK MANAGEMENT PROGRAMME  26
  GOALS, SCOPE AND OBJECTIVES  26
  ROLES AND RESPONSIBILITIES  27
  GOVERNANCE OF THE RISK MANAGEMENT PROGRAMME  28
  INFORMATION RISK MANAGEMENT CRITERIA  29
4 RISK IDENTIFICATION  35
  THE APPROACH TO RISK IDENTIFICATION  37
  IMPACT ASSESSMENT  39
  TYPES OF IMPACT  41
  QUALITATIVE AND QUANTITATIVE ASSESSMENTS  45
5 THREAT AND VULNERABILITY ASSESSMENT  51
  CONDUCTING THREAT ASSESSMENTS  51
  CONDUCTING VULNERABILITY ASSESSMENTS  57
  IDENTIFICATION OF EXISTING CONTROLS  64
6 RISK ANALYSIS AND RISK EVALUATION  68
  ASSESSMENT OF LIKELIHOOD  68
  RISK ANALYSIS  71
  RISK EVALUATION  73
7 RISK TREATMENT  77
  STRATEGIC RISK OPTIONS  78
  TACTICAL RISK MANAGEMENT CONTROLS  82
  OPERATIONAL RISK MANAGEMENT CONTROLS  83
  EXAMPLES OF CRITICAL CONTROLS AND CONTROL CATEGORIES  83
8 RISK REPORTING AND PRESENTATION  87
  BUSINESS CASES  87
  RISK TREATMENT DECISION-MAKING  89
  RISK TREATMENT PLANNING AND IMPLEMENTATION  90
  BUSINESS CONTINUITY AND DISASTER RECOVERY  90
9 COMMUNICATION, CONSULTATION, MONITORING AND REVIEW  100
  COMMUNICATION  101
  CONSULTATION  103
  RISK REVIEWS AND MONITORING  104
10 THE CESG IA CERTIFICATION SCHEME  107
  THE CESG IA CERTIFICATION SCHEME  107
  SKILLS FRAMEWORK FOR THE INFORMATION AGE (SFIA)  110
  THE IISP INFORMATION SECURITY SKILLS FRAMEWORK  112
11 HMG SECURITY-RELATED DOCUMENTS  115
  HMG SECURITY POLICY FRAMEWORK  115
  UK GOVERNMENT SECURITY CLASSIFICATIONS  120
APPENDIX A TAXONOMIES AND DESCRIPTIONS  122
  INFORMATION RISK  122
  TYPICAL IMPACTS OR CONSEQUENCES  124
APPENDIX B TYPICAL THREATS AND HAZARDS  128
  MALICIOUS INTRUSION (HACKING)  128
  ENVIRONMENTAL THREATS  131
  ERRORS AND FAILURES  133
  SOCIAL ENGINEERING  134
  MISUSE AND ABUSE  136
  PHYSICAL THREATS  137
  MALWARE  137
APPENDIX C TYPICAL VULNERABILITIES  140
  ACCESS CONTROL  140
  POOR PROCEDURES  143
  PHYSICAL AND ENVIRONMENTAL SECURITY  144
  COMMUNICATIONS AND OPERATIONS MANAGEMENT  145
  PEOPLE-RELATED SECURITY FAILURES  148
APPENDIX D INFORMATION RISK CONTROLS  150
  STRATEGIC CONTROLS  150
  TACTICAL CONTROLS  150
  OPERATIONAL CONTROLS  152
  CRITICAL SECURITY CONTROLS VERSION 5.0  152
  ISO/IEC 27001 CONTROLS  156
  NIST SPECIAL PUBLICATION 800-53 REVISION 4  161
APPENDIX E METHODOLOGIES, GUIDELINES AND TOOLS  168
  METHODOLOGIES  168
  OTHER GUIDELINES AND TOOLS  175
APPENDIX F TEMPLATES  180
APPENDIX G HMG CYBER SECURITY GUIDELINES  186
  HMG CYBER ESSENTIALS SCHEME  186
  10 STEPS TO CYBER SECURITY  190
APPENDIX H REFERENCES AND FURTHER READING  192
  PRIMARY UK LEGISLATION  192
  GOOD PRACTICE GUIDELINES  193
  OTHER REFERENCE MATERIAL  193
  CESG CERTIFIED PROFESSIONAL SCHEME  194
  OTHER UK GOVERNMENT PUBLICATIONS  195
  RISK MANAGEMENT METHODOLOGIES  196
  NEWS ARTICLES ETC.  197
  UK AND INTERNATIONAL STANDARDS  197
INDEX  204
Back Cover  211