Risk Management: The Open Group Guide (eBook)
138 pages
van Haren Publishing (publisher)
978-90-8753-900-9 (ISBN)
This book brings together The Open Group's set of publications addressing risk management, which have been developed and approved by The Open Group. It is presented in three parts:

Part 1: Technical Standard for Risk Taxonomy
Part 2: Technical Guide: Requirements for Risk Assessment Methodologies
Part 3: Technical Guide: FAIR – ISO/IEC 27005 Cookbook

Part 1: Technical Standard for Risk Taxonomy
This Part provides a standard definition and taxonomy for information security risk, together with guidance on how to use the taxonomy. The intended audience is anyone who needs to understand and/or analyze a risk condition, including, but not limited to, information security and risk management professionals, auditors and regulators, technology professionals, and management. The taxonomy is not limited to the information security space; it can be applied to any risk scenario, which means it can be used as a foundation for normalizing the results of risk analyses across varied risk domains.

Part 2: Technical Guide: Requirements for Risk Assessment Methodologies
This Part identifies and describes the key characteristics that make up any effective risk assessment methodology, providing a common set of essential requirements against which any given methodology can be evaluated. It explains which features to look for when assessing the capabilities of a methodology, and the value those features represent.

Part 3: Technical Guide: FAIR – ISO/IEC 27005 Cookbook
This Part describes in detail how to apply the FAIR (Factor Analysis of Information Risk) methodology within a selected risk management framework, using ISO/IEC 27005 as the example risk assessment framework. FAIR is complementary to other risk assessment models and frameworks, including COSO, ITIL, ISO/IEC 27002, COBIT and OCTAVE: it provides an engine that can be used inside those models to improve the quality of the risk assessment results. The Cookbook enables risk technology practitioners to follow by example how to apply FAIR to the risk assessment model or framework of their choice.
Preface 6
Acknowledgements 7
References 8
Introduction 16
Part 1 The Open Group Technical Standard 18
Risk Taxonomy 18
Chapter 1 Introduction to risk taxonomy 19
1.1 Scope 19
1.2 Purpose/objective 20
1.3 Context 20
1.4 The risk language gap 20
1.5 Using FAIR with other risk assessment frameworks 22
1.5.1 The ability of a FAIR-based approach to complement other standards 22
1.5.2 An example: using FAIR with OCTAVE 22
1.5.3 Conclusion 23
Chapter 2 Business case for a risk taxonomy 24
2.1 What makes this the standard of choice? 26
2.2 Who should use this Technical Standard? 27
2.3 Related dependencies 28
Chapter 3 Risk management model 29
3.1 Risk assessment approach 29
3.2 Why is a tightly-defined taxonomy critical? 29
Chapter 4 Functional aspects 30
4.1 What is defined? 30
4.2 What is in/out of scope and why? 30
4.3 How should it be used? 30
Chapter 5 Technical aspects 31
5.1 Risk taxonomy overview 31
5.2 Component definitions 32
5.2.1 Risk 32
5.2.2 Loss Event Frequency (LEF) 32
5.2.3 Threat Event Frequency (TEF) 33
5.2.4 Contact 33
5.2.5 Action 34
5.2.6 Vulnerability 34
5.2.7 Threat Capability 36
5.2.8 Control Strength (CS) 36
5.2.9 Probable Loss Magnitude (PLM) 37
5.2.10 Forms of loss 38
5.2.11 Loss factors 39
5.2.12 Primary loss factors 40
5.2.13 Secondary loss factors 43
Chapter 6 Example application 48
6.1 The scenario 48
6.2 The analysis: FAIR basic risk assessment methodology 48
6.2.1 Stage 1: Identify scenario components 49
6.2.2 Stage 2: Evaluate Loss Event Frequency (LEF) 50
6.2.3 Stage 3: Evaluate Probable Loss Magnitude (PLM) 53
6.2.4 Stage 4: Derive and articulate risk 58
6.3 Further information 59
Appendix A Risk taxonomy considerations 60
A.1 Complexity of the model 60
A.2 Availability of data 61
A.3 Iterative risk analyses 61
A.4 Perspective 62
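A worked illustration of the taxonomy outlined in Chapter 5 and the four-stage analysis of Chapter 6, added here as an example; it is not code from the book or from The Open Group. The component relationships (risk derived from Loss Event Frequency and Probable Loss Magnitude; LEF from Threat Event Frequency and Vulnerability; Vulnerability from Threat Capability measured against Control Strength) follow the taxonomy. The triangular distribution standing in for calibrated ranges, the scenario names and every numeric input are constructed assumptions for illustration only.

```python
"""FAIR decomposition (sections 5.2.1-5.2.9) run as a small Monte Carlo.

Added illustration, not the book's code. Relationships follow the Open Group
taxonomy; all numeric inputs below are constructed, hypothetical estimates.
"""
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated range: minimum, most likely, maximum."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode). A triangular draw is an
        # assumed stand-in for the PERT-style distributions FAIR tooling uses.
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    """Stage 1 output: the scenario components the taxonomy asks for."""
    tef: Estimate   # Threat Event Frequency, events per year (5.2.3)
    tcap: Estimate  # Threat Capability, percentile 0-100 (5.2.7)
    cs: Estimate    # Control Strength, percentile 0-100 (5.2.8)
    plm: Estimate   # Probable Loss Magnitude per loss event, currency (5.2.9)


def simulate_year(s: Scenario, rng: random.Random) -> tuple[int, int, float]:
    """One simulated year: threat events -> loss events -> total loss."""
    threat_events = round(s.tef.sample(rng))
    loss_events = 0
    total_loss = 0.0
    for _ in range(threat_events):
        # Vulnerability (5.2.6): a threat event becomes a loss event only when
        # the threat's capability exceeds the strength of the controls it meets.
        if s.tcap.sample(rng) > s.cs.sample(rng):
            loss_events += 1
            total_loss += s.plm.sample(rng)
    return threat_events, loss_events, total_loss


def analyze(s: Scenario, trials: int = 10_000, seed: int = 7) -> dict[str, float]:
    """Stages 2-4: derive LEF, PLM and risk as an annualized loss distribution."""
    rng = random.Random(seed)
    years = [simulate_year(s, rng) for _ in range(trials)]
    tef_mean = statistics.mean(y[0] for y in years)
    lef_mean = statistics.mean(y[1] for y in years)
    losses = sorted(y[2] for y in years)
    return {
        "tef_mean": tef_mean,
        "vulnerability": lef_mean / tef_mean if tef_mean else 0.0,  # LEF = TEF x Vuln
        "lef_mean": lef_mean,
        "ale_mean": statistics.mean(losses),  # expected annual loss exposure
        "ale_p90": losses[int(0.9 * trials)],  # a bad (90th percentile) year
    }


# Constructed, hypothetical inputs: a credential-phishing scenario against an
# internal application, before and after strengthening the controls.
BASELINE = Scenario(
    tef=Estimate(2, 6, 20),
    tcap=Estimate(30, 55, 90),
    cs=Estimate(40, 60, 85),
    plm=Estimate(20_000, 150_000, 1_200_000),
)
HARDENED = Scenario(
    tef=BASELINE.tef,
    tcap=BASELINE.tcap,
    cs=Estimate(70, 85, 98),  # stronger controls; everything else unchanged
    plm=BASELINE.plm,
)


def treatment_benefit(before: Scenario, after: Scenario) -> float:
    """Expected annual loss avoided by a treatment option (Part 3, 4.4)."""
    return analyze(before)["ale_mean"] - analyze(after)["ale_mean"]


if __name__ == "__main__":
    for name, s in (("baseline", BASELINE), ("hardened", HARDENED)):
        r = analyze(s)
        print(f"{name:9s} TEF={r['tef_mean']:.1f}/yr  Vuln={r['vulnerability']:.2f}  "
              f"LEF={r['lef_mean']:.2f}/yr  ALE mean={r['ale_mean']:,.0f}  "
              f"p90={r['ale_p90']:,.0f}")
    print(f"annual loss avoided by hardening: {treatment_benefit(BASELINE, HARDENED):,.0f}")
```

The point of the decomposition is visible in the output: changing only Control Strength moves Vulnerability, which moves LEF, which moves the loss distribution, so a treatment option can be costed against the loss it avoids rather than argued about in "high/medium/low" terms (compare Part 2, section 3.1).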
Part 2 The Open Group Technical Guide 64
Requirements for risk assessment methodologies 64
Chapter 1 Introduction to requirements for risk assessment methodologies 65
1.1 Business case for risk assessment methodologies 65
1.2 Scope 66
1.3 Using this Technical Guide 66
1.4 Definition of terms 66
1.5 Key operating assumptions 67
Chapter 2 What makes a good risk assessment methodology? 68
2.1 Key component: taxonomy 68
2.2 Key risk assessment traits 68
2.2.1 Probabilistic 68
2.2.2 Accurate 69
2.2.3 Consistent (repeatable) 70
2.2.4 Defensible 70
2.2.5 Logical 70
2.2.6 Risk-focused 71
2.2.7 Concise and meaningful 71
2.2.8 Feasible 71
2.2.9 Actionable 72
2.2.10 Prioritized 72
2.2.11 Important note 72
Chapter 3 Risk assessment methodology considerations 73
3.1 Use of qualitative versus quantitative scales 73
3.1.1 When is using numbers not quantitative? 74
3.2 Measurement scales 74
3.2.1 Nominal scale 74
3.2.2 Ordinal scale 74
3.2.3 Interval scale 74
3.2.4 Ratio scale 75
3.2.5 Important note 75
3.3 How frequent is ‘likely’? 75
3.4 Risk and the data owners 76
Chapter 4 Assessment elements 77
4.1 Identifying risk issues 77
4.1.1 Interviews and questionnaires 77
4.1.2 Testing 78
4.1.3 Sampling 79
4.1.4 Types of sampling 79
4.2 Evaluating the severity/significance of risk issues 79
4.3 Identifying the root cause of risk issues 80
4.4 Identifying cost-effective solution options 80
4.5 Communicating the results to management 81
4.5.1 What to communicate 81
4.5.2 How to communicate 81
Part 3 The Open Group Technical Guide 84
FAIR–ISO/IEC 27005 Cookbook 84
Chapter 1 Introduction to the FAIR–ISO/IEC 27005 Cookbook 85
1.1 Purpose 85
1.2 Scope 85
1.3 Intended audience 85
1.4 Operating assumptions 86
1.5 Using this Cookbook 86
Chapter 2 How to manage risk 87
2.1 Information Security Management System (ISMS) overview 87
2.2 How FAIR plugs into the ISMS 89
2.3 Major differences in approach 93
2.4 Recommended approach 95
2.5 Points to consider 95
2.5.1 Concerns about the complexity of the model 95
2.5.2 Availability of data to support statistical analysis 96
2.5.3 The iterative nature of risk analyses 96
Chapter 3 What information is necessary for risk analysis? 97
3.1 Introduction to the landscape of risk 97
3.2 Asset landscape 97
3.2.1 ISO definition and goal 98
3.2.2 Major differences in asset landscape treatment 99
3.3 Threat landscape 99
3.3.1 ISO definition and goal 99
3.3.2 Major differences in threat landscape treatment 99
3.3.3 Structure of classification 99
3.3.4 Consideration of threat actions 100
3.3.5 The development of metrics for the threat landscape 100
3.4 Controls landscape 101
3.4.1 ISO definition and goal 101
3.4.2 Major differences in controls landscape treatment 101
3.4.3 Development of metrics for the controls landscape 101
3.5 Loss (impact) landscape 102
3.5.1 ISO definition and goal 102
3.5.2 Major differences in loss (impact) landscape treatment 102
3.5.3 Structure of classification 102
3.5.4 Development of metrics for the loss (impact) landscape 103
3.5.5 Probability of indirect operational impacts 103
3.6 Vulnerability landscape 104
3.6.1 ISO definition and goal 104
3.6.2 Major differences in vulnerability landscape treatment 104
3.6.3 Consideration for the vulnerability landscape 104
3.6.4 Development of metrics for the vulnerability landscape 105
Chapter 4 How to use FAIR in your ISMS 106
4.1 Recipe for ISO/IEC 27005 risk management with FAIR 107
4.2 Define the context for information security risk management 110
4.2.1 General considerations 110
4.2.2 Risk acceptance criteria 111
4.3 Calculate risk 112
4.3.1 Stage 1 112
4.3.2 Stage 2 113
4.3.3 Stage 3 116
4.3.4 Stage 4 117
4.4 Determine the appropriate information risk treatment plan 118
4.5 Develop an information security risk communication plan 119
4.6 Describe the information security risk monitoring and review plan 120
Appendix A Risk Management Program Worksheet 121
A.1 Define the context for information security risk management: general considerations 121
A.2 Calculate risk 122
A.3 Determine the appropriate information risk treatment plan 125
A.4 Develop an Information Security Risk Communication Plan 126
A.5 Describe the Information Security Risk Monitoring and Review Plan 127
Glossary 128
Index 132
Publication date (per publisher) | 11.11.2011
---|---
Series | Security Series
Place of publication | Hertogenbosch
Language | English
Subject areas | Textbooks / dictionaries ► Textbooks / general education
 | Mathematics / computer science ► Computer science ► Programming languages / tools
 | Mathematics / computer science ► Computer science ► Software development
 | Social sciences ► Education
 | Engineering ► Architecture
 | Economics ► Business administration / management ► Finance
 | Economics ► Business administration / management ► Marketing / sales
 | Economics ► Business administration / management ► Human resources
 | Economics ► Business administration / management ► Planning / organisation
 | Economics ► Business administration / management ► Project management
 | Economics ► Business administration / management ► Corporate management
Keywords | Enterprise Architecture
ISBN-10 | 90-8753-900-2 / 9087539002
ISBN-13 | 978-90-8753-900-9 / 9789087539009
Size: 1.6 MB
Copy protection: Adobe DRM
Adobe DRM is a copy-protection scheme intended to protect the eBook against misuse. The eBook is authorised to your personal Adobe ID at download time; you can then read it only on devices that are also registered to that Adobe ID.
File format: PDF (Portable Document Format)
With its fixed page layout, PDF is well suited to technical books with columns, tables and figures. A PDF can be displayed on almost any device but is only partly suitable for small displays (smartphone, eReader).
System requirements:
PC/Mac: You can read this eBook on a PC or Mac.
eReader: This eBook can be read on (almost) all eBook readers. It is not compatible with the Amazon Kindle.
Smartphone/Tablet: Whether Apple or Android, you can read this eBook.
Additional feature: online reading
In addition to downloading it, you can read this eBook online in a web browser.
Buying eBooks from abroad
For tax law reasons we can sell eBooks just within Germany and Switzerland. Regrettably we cannot fulfill eBook-orders from other countries.