|
|
Apr 21 2017
vsRiskā¢ risk assessment
Jun 29 2016
5 Must Read Books to Jumpstart Your Career in Risk Management
FAIR Institute blog by Isaiah McGowan
Read Books to Jumpstart Your Career in Risk Management
What are the mustĀ have resources for people new to operational and cyber risk?Ā This list outlines what books I would recommend to new analyst or manager.
Theyāre not ranked by which book is best. Instead, I list themĀ in the recommended reading order. Letās take a look at the list.
#1 – The Failure of Risk Management: Why Itās Broken and How to Fix It (Douglas Hubbard)
InĀ The Failure of Risk Management, Hubbard highlights flaws in the common approaches to risk management. His solutions are as simple as they are elegant. (Spoiler alert: the answer is quantitative risk analysis). The Failure of Risk Management shows up as #1 because it sets the tone for the others in the list. First, understand the problems. With the common problems in mind you can identify them on a regular basis. The next book provides approaches to modeling the problem.
#2 – Measuring and Managing Information Risk: A FAIR Approach (Jack Jones & Jack Freund)InĀ Measuring andĀ Managing Information Risk, the authors communicate a high volume of foundational knowledge. The authors outline the FAIR-based approach to measuring and managing risk. They tackle critical concepts often overlooked or taken for granted by risk practitioners.
With that foundation in place, they move on to theĀ FAIR approachĀ to risk analysis. Finally, they lay out foundational concepts for risk management.
This book is not an advanced perspective on analyzing or managing risk. Instead, it provides a systemic solution to our problems.
Books #1 and #2 lay the foundation to understand the common risk management and analysis problems. They also provide approaches for solving those problems. The next two books are critical to improving the execution of these approaches.
#3 – Superforecasting: The Art and Science ofĀ PredictionĀ (Phillip TetlockĀ & Dan Gardner)
We requireĀ Superforecasting. Risk analysis is always about forecasting future loss (frequency and magnitude). As practitioners, it is critical to learn the problems with forecasting. Knowing is half the battle. Superforecasting takes the audience through the battlefield by offering a process for improvement.
If there is one book you could read out of order, it is Superforecasting. Yet, it shows up at #3 because it will hammer home forecasting as a skill once the other books open your eyes.
#4 – Expert Political Judgment: How Good Is It? How Can WeĀ Know? (Phillip Tetlock)
Yes, another book by Tetlock appears in our list. Published first, tackled second.Ā His work in understanding forecasting is tremendously valuable. Superforecasting builds on the research that resulted in publishingĀ Expert Political Judgment.
Tetlock seeks to improve the reader’s ability to identify and understand errors of judgment. If we improve this skill, we will improve our ability to evaluate expert inputs in risk management.
#5 – Thinking, Fast and Slow (Daniel Kahneman)
Rounding out the list isĀ Thinking, Fast and Slow. Improving your understanding of thinking in general is the next best step. Take the time to read this book. Peel out nuggets of wisdomĀ beforeĀ tackling more advanced risk management and analysis concepts.
There it is…
This is myĀ go-to list of 5. I recite it to anyone who has made or will make the leap into risk management and analysis. These books will set the foundation for thinking about risk. They will also push you down a path towards improving your skills beyond your peers.
What books would you have in your top 5? How does your mileage vary?
Apr 21 2016
Fundamentals of Information Risk Management Auditing
An introductory guide to information risk management auditing, giving an interesting and useful insight into the risks and controls/mitigations that you may encounter when performing or managing an audit of information risk. Case studies and chapter summaries impart expert guidance to provide the best grounding in information risk available for risk managers and non-specialists alike.
For any modern business to thrive, it must assess, control, and audit the risks it faces in a manner appropriate to its risk appetite. As information-based risks and threats continue to proliferate, it is essential that they are addressed as an integral component of your enterpriseās risk management strategy, not in isolation. They must be identified, documented, assessed, and managed, and assigned to risk owners so that they can be mitigated and audited.
Fundamentals of Information Risk Management Auditing provides insight and guidance on this practice for those considering a career in information risk management, and an introduction for non-specialists, such as those managing technical specialists.
Ā Book overview
Fundamentals of Information Risk Management Auditing ā An Introduction for Managers and Auditors has four main parts:
- What is risk and why is it important?Ā An introduction to general risk management and information risk.
- Introduction to general IS and management risksĀ An overview of general information security controls, and controls over the operation and management of information security, plus risks and controls for the confidentiality, integrity, and availability of information.
- Introduction to application controlsĀ An introduction to application controls, the controls built into systems to ensure that they process data accurately and completely.
- Life as an information risk management specialist/auditorĀ A guide for those considering, or undergoing, a career in information risk management.
Each chapter contains an overview of the risks and controls that you may encounter when performing an audit of information risk, together with suggested mitigation approaches based on those risks and controls.
Chapter summaries provide an overview of the salient points for easy reference, and case studies illustrate how those points are relevant to businesses.
The book concludes with an examination of the skills and qualifications necessary for an information risk management auditor, an overview of typical job responsibilities, and an examination of the professional and ethical standards that an information risk auditor should adhere to.
Topics covered
Fundamentals of Information Risk Management Auditing covers, among other subjects, the three lines of defense; change management; service management; disaster planning; frameworks and approaches, including Agile, COBITĀ®5, CRAMM, PRINCE2Ā®, ITILĀ®, and PMBOK; international standards, including ISO 31000, ISO 27001, ISO 22301, and ISO 38500; the UK Government’s Cyber Essentials scheme; IT security controls; and application controls.
Download your copy ofĀ Fundamentals of Information Risk Management Auditing
Dec 21 2015
Assessing Information Security
Assessing Information Security – Strategies, Tactics, Logic and Framework draws on the work of Clausewitz and Sun Tzu, and applies it to the understanding of information security that the authors have built up through their extensive experience in the field. The result is expert guidance on information security, underpinned by a profound understanding of human conflict.
| Assessing Information Security ā Strategies, Tactics, Logic and Framework, Second edition |
- Shows how to use principles of military strategy to defend against cyber attacks, enabling organizations to have a more structured response to malicious intrusions.
- Explains the priorities for robust cybersecurity , helping readers to decide which security measures will be the most effective.
- Buy today and discover how to integrate cybersecurity into your organizationās normal operations.
Building on the success of the first edition, this new edition covers the most recent developments in the threat landscape and the best-practice advice available in the latest version of ISO 27001.
āGives you new practical perspective and new way how to think about infosec, many views nicely packed in one book.ā Ivan Kopacik
Building on the success of the first edition, this new edition covers the most recent developments in the threat landscape and the best-practice advice available in the latest version of ISO 27001:2103.
Product overview:
-
Information Security Auditing and Strategy
-
Security Auditing, Governance, Policies and Compliance
-
Security Assessments Classification
-
Advanced Pre-Assessment Planning
-
Security Audit Strategies and Tactics
-
Synthetic Evaluation of Risks
-
Presenting the Outcome and Follow-Up Acts
-
Reviewing Security Assessment Failures and Auditor Management Strategies
Available in: Softcover, Adobe eBook, ePub, Kindle Ā Ā Ā Ā Ā Ā Ā ===>>> Ā Buy now Ā
Related articles
Feb 18 2014
Comprehensive Cyber Security Risk Management Toolkit
Govern and manage Cyber Security risk with this unique comprehensive toolkit suite
Comprehensive Cyber Security Risk Management Toolkit Suite – Use the Cyber Security Governance & Risk Management Toolkit for a new, fresh implementation of a comprehensive management system that will also be capable of ISO27001 certification, or take advantage of this toolkitās modular
There are a number of standalone, best practice approaches to managing cyber risk, none of which is on its own completely satisfactory. This toolkit helps you make an enormous leap forward by consolidating five separate approaches into a single, comprehensive, robust framework.
ā¢ PAS 555:2013 is the new standard for cyber security risk governance and management; it was created to work with a range of other standards;
ā¢ ISO/IEC 27032 is the international guidance standard for managing cyber security risk;
ā¢ The Cloud Controls Matrix was developed by the Cloud Security Alliance for cloud service providers;
ā¢ Ten Steps to Cyber Security is the methodology developed by the UKās Business Department to help organizations of all sizes secure their cyber defenses;
ā¢ ISO/IEC 27001: 2013 is the internationally recognized standard against which an information security management system can achieve accredited certification.
Use the Cyber Security Governance & Risk Management Toolkit for a new, fresh implementation of a comprehensive management system that will also be capable of ISO27001 certification, or take advantage of this toolkitās modular construction and control mapping matrix to add its additional controls to an existing ISO27001 management system.
This Cyber Security Governance & Risk Management Toolkit recognizes that mobile device management is a critical component of effective cyber risk control and therefore includes the ITGP BYOD Policy Toolkit as a value-added extra.
Included in this comprehensive toolkit suite is:
- Cyber Security Governance & Risk Management Toolkit.
- PAS 555
- ISO 27032 Guidelines for Cybersecurity
- vsRisk (Standalone or Network Enabled user )
Related articles
Aug 07 2013
vsRisk – The Cyber Security Risk Assessment Tool
vsRisk – The Cyber Security Risk Assessment Tool
httpv://www.youtube.com/watch?v=M8acvay4FmU
It is extremely difficult to carry out a risk assessment that will meet the requirements of ISO27001 without using a specialist information security risk assessment tool. While there are a wide range of products on the market that claim to meet these requirements, the reality is that there are very few.
Thereās just one risk assessment tool that IT Governance recommends; the vsRiskā¢ v1.7 ā the Cybersecurity Risk Assessment Tool.
Itās so straightforward, and so quick to use, it can save you a significant amount of the budget you might otherwise spend on consultancy advice at this stage of the project.
5 reasons why vsRisk is the definitive risk assessment tool:
- This tool automates and delivers an ISO/IEC 27001-compliant risk assessment
- Can uniquely assess confidentiality, integrity & availability (CIA) for each of business, legal and contractual aspects of information assets ā as required by ISO27001
- Gives comprehensive best-practice alignment
- Itās easy and straight-forward to use
- Cost-effective route to assessing risks within your business
Download the definite risk assessment tool >>
Related articles
Apr 23 2013
Cyber Security and Risk Assessment
Cyber security is the protection of systems, networks and data in cyber space.
If your system is connected on the internet, you should know and uderstand the risks of cyber space to take appropriate countermeasures.
To understand the risks of cyber security,The first place is to begin with is a risk assessment. By completing a risk assessment you can understand what the risks, threats and vulnerabilities of your networks, systems and data really are and begin to comprehend how to reduce and handle them. The authors of The Information Security Risk Assessment Toolkit provides handy step-by-step guidance on how to undertake a risk assessment. As we said Security Risk Assessment is an important first to assess risks but the second step of mitigating those risks in timely manner is crucial to protect your information assets.
Once you understand what the risks of your business are, you can then decide on how to mitigate those risks based on your organization risk acceptance.
Tools and techniquesĀ which work in mitigating cyber risks
The UK’s Cyber-security Framework for Business (published by the Department for Business, Innovation and Skills) is a 10-step framework to stop around 80% of todayās cyber-attacks
1. Board-led Information Risk Management Regime
2. Secure Home and Mobile Working
3. User Education and Awareness
4. User privilege management
5. Removable media controls
6. Activity monitoring
7. Secure Configurations
8. Malware protection
9. Network security
10. Incident Management
Build the resilience in your information security management system (ISMS) to cope with the other 20% of the risk.
The authors of Hacking 7 Exposed cover the latest methods used by third-parties to (logical/physical) access to information assets. They then detail how you can protect your systems, networks and data from unauthorised access.
Cybersecurity standards are an important element in building a strong, resilient information and communications infrastructure. ISO/IEC 27001 is the most significant international best practice standard available to any organisation that wants an intelligently organised and structured framework for tackling its cyber risks
Related articles
Jan 29 2013
Impact of an Effective Risk Assessment to ISO 27001
First to start with a definition of risk – Risk is a function of the probability that an identified threat will occur and then impact the mission or business objectives of an organization.
The kind of risks we deal with information assets are mostly those risks from which only loss can occur, which may be one of the reason why itās hard for the security professionals to justify ROI for security controls. Comparatively business risks are attributed with either a profit or a loss. As we know, business folks make decision on risks on daily basis; itās easier to make a decision for profit sake rather than on a loss. So increase risk to information asset will decrease the value of an asset or will harm the organization bottom line in some way.
To minimize the loss to an information asset, organization may decide to treat the higher risk assets which are above accepted risk threshold with following four ways:
1. Eliminate the risks
2. Reduce the risk to acceptable level
3. Accept the risk and live with it
4. Transfer by means of insurance
Risk Assessment Basic Steps for ISO 27001:
o Determine risk methodology and level of acceptable (residual) risk
o Identify assets and who owns them
o Identify the value of each asset
o Identify threats to each assets
o Identify vulnerabilities that each threat may exploit
o Estimate Likelihood of the threat exploiting vulnerability
o Finally determine risk the security of individual assets by combining impacts and likelihoods
Risk Assessment Titles from eBay | Risk Assessment Titles from DISC InfoSec Store
Related articles
Related articles
Jan 11 2013
Why SoD should be reviewed in every assessment
Similar to other controls SoD (Segragation of Duties) plays an important role in reducing certain potential risk of an organization.
SoD minimize certail risks, by deviding a task so it will take more than one individual to complete a task or a critical process. SoD control has been traditionally used in accounting to minimize risk of collusion. For separation of duties we donāt want to give any individual so much control that they become a security risk without proper check and balance inplace. SoD is utilized to avoid unauthorized modification of data and to make sure critical data is available when needed by authorized personals, which includes but not limited to the availability of the services.
Separation of Duties (SoD) is not only an important principle of security but SoD control A10.1.3 of ISO 27001 wants organizations to implement this control.
Possible Controls to Implement SoD:
- * Separate the IT Dept from user function, meaning user should not be able to perform its own IT duties.
- * Separate the InfoSec and IT Dept. The individual responsible for the InfoSec has unique knowledge of organization security infrastructure, basically a knowledgeable InfoSec individual will have keys to the knigdom and should be segregated from the rest of the IT department. Also InfoSec individual should not be reporting to the IT director which is not only independence issue but conflict of interest. IT Dept is responsible for the avaiability of service whereas security professional is responsible for security (adding controls) to the same service.
- * The development and testing of application should be segregated. There should be a complete segregation of App development and App testing function. Also the person who put the App into production/operation and maintain should be a different individual.
- * Operation of IT should be seprate from maintenance of IT function in different teirs, meaning avaiability of the information should be separated from support & maintenance.
- * The database admin should be segregated from other IT function. DBA individuals are very knowledgeable super user and should not have any other IT duties.
- * Last but not the least about the main Uber user the Sys Admin (router, FW, Server, DT) should have a separate account when performing regular user function. These super users should be logged and audited on regular basis.
Related reference topics on DISC InfoSec
Related reference topics on eBay
Nov 19 2012
PCI view of Risk Assessment
Ā
OrganizationsĀ that need to comply with PCI-DSS need to createĀ their ownĀ risk assessment methodology that works for their specific business needs, according to a new report by the Payment Card Industry Security Standards Council (PCI SSC).
PCI Risk Assessment Special Interest GroupĀ says When developing their own risk assessment methodology, organizations may consider adapting an industry-standard methodology that is most appropriate for their particular culture and business climate.
Ā
Key recommendations include:
Ā
ā¢ A continuous risk assessment process enables ongoing discovery of emerging threats and vulnerabilities, allowing an organization to mitigate such threats and vulnerabilities in a proactive and timely manner
Ā
ā¢ Risk assessments must not be used as a means of avoiding or bypassing applicable PCI DSS requirements (or related compensating controls)
Ā
ā¢Ā Organizations should implement a formalized risk assessment methodology that best suits the culture and requirements of the organization
PCI view of things:Ā
The announcement
https://www.pcisecuritystandards.org/pdfs/pr_121116_risk_sig.pdf
And the V1 document (also attached)
https://www.pcisecuritystandards.org/documents/PCI_DSS_Risk_Assmt_Guidelines_v1.pdf
Below is my post on Risk management from prespective of ISO 27001 which has an Expert guidance on planning and implementing a risk assessment and protecting your business information
Information Security Risk Management for ISO 27001
Aug 22 2012
5 reasons why vsRisk v1.6 is the definitive risk assessment tool
by Melanie Watson
It is extremely difficult to carry out a risk assessment that will meet the requirements of ISO27001 without using a specialist information security risk assessment tool. While there are a wide range of products on the market that claim to meet these requirements, the reality is that there are very few.
Thereās just one risk assessment tool that IT Governance recommends; the vsRiskā¢ v1.6 ā the Cybersecurity Risk Assessment Tool.
Itās so straightforward, and so quick to use, it can save you a significant amount of the budget you might otherwise spend on consultancy advice at this stage of the project.
5 reasons why vsRisk is the definitive risk assessment tool:
- This tool automates and delivers an ISO/IEC 27001-compliant risk assessment
- Can uniquely assess confidentiality, integrity & availability (CIA) for each of business, legal and contractual aspects of information assets ā as required by ISO27001
- Gives comprehensive best-practice alignment
- Itās easy and straight-forward to use
- Cost-effective route to assessing risks within your business
Download the definite risk assessment tool >>
Related articles
- Staff awareness training – an essential component of ISO27001 (deurainfosec.com)
- ISO 27001 Information Security Incident Management (deurainfosec.com)
- Download the full version of the ITIL and/or ISO27001 toolkit today! (deurainfosec.com)
May 13 2012
The Cybersecurity Risk Assessment Tool
With over 10 years in the market and 2,500 global downloads, vsRiskTM has been helping organizations all over the world carry out successful risk assessments.
Risks assessment is the core competence of cyber security management. Every decision you make must be proportionate to the actual risk your organization faces. You must therefore assess risks on a structured asset-by-asset basis ā and experience proves you need to save time and money with a risk assessment tool that automates and simplifies this process.
vsRisk is the definitive ISO27001:2005-compliant risk assessment tool which will help you become cybersecure
vsRisk – The Definitive Cyber Security Risk Assessment Tool
The vsRisk Assessment Tool has been designed with the user in mind to effectively identify, analyze and control their actual information risks in line with their business objectives. Key features of vsRisk include:
ā¢ Assessing key areas such as Groups, Assets and Owners
ā¢ Capturing your IS policy, objectives and ISMS scope
ā¢ In-built audit trail and comparative history
ā¢ Assessesing attributes on Confidentiality, Integrity, and Availability, in relation to Business, Legal, Contractual
ā¢ Comprehensive reporting and gap analysis
Alan Calder, CEO of Vigilant Software, talks you through the risk assessment process using vsRisk
Watch the video now >>>
This unique risk assessment tool helps you get on top of the critical risk assessment phase of your ISMS project and, most importantly, sets you up for future risk assessments as well.
Join the professionals and orders your today >>>
vsRisk and Security Risk Assessment
Apr 18 2012
Risk Assessment control selection and cost savings
In risk management, risk treatment process begins after completion of a comprehensive risk assessment.
Once risks have been assessed, risk manager utilize the following techniques to manage the risks
ā¢ Avoidance (eliminate)
ā¢ Reduction (mitigate)
ā¢ Transfer (outsource or insure)
ā¢ Retention (accept and budget)
Now the question is how to select an appropriate control to avoid or reduce risk. While selecting appropriate control to mitigate and avoid risk we need to consider compensating control to cut cost and supplemental control to increase protection for sensitive or classified assets.
Compensating control is a safeguard or countermeasure is employed by an organization in lieu of recommended security control from standards such as ISO 27002 or NIST 800-53. Compensating control provides an equivalent or comparable protection for information system to the original control requirement form standard. For example, even though most standards recommend separation of duties, but for a small operation it might be an unacceptable cost to separate the duties of system administration and system auditing. In that case system owner can utilize compensating control such as strengthening the audit and personnel security.
On the other hand with supplemental control, the system owner may decide to supplement the control to achieve more protection for sensitive and classified assets. If there is high likelihood or magnitude of impact is high should a threat exploit a given vulnerability you might want to consider a supplemental control because overall risk is high. For example you might want to utilize defense in depth method to safeguard your crown jewel.
Implementing and monitoring security control can be expensive, system owner are pressured by management to look for cost savings without any reduction in the security posture of an organization. The system owner can either inherit the common controls or segment the system exposure to reduce cost and risks.
Common controls are the security controls which have been implemented by another information system that your system can utilize. Basically working with another system owner who has utilized some of the security controls need to be implemented in your system. For example utilize the corporate office base line hardening configuration for Windows and Unix system instead of developing your own. This will significantly reduce the cost of developing, testing and maintaining a secure baseline configuration.
Best and cheapest method of cost reduction is to segment the information system into multiple systems which will add different layers and levels of security into each system. Basically you put your crown jewel in multiple layers of security if one control breaks there is another control in place to monitor and protect your assets. This will allow the system owner to focus implementing higher security controls to the segment with most sensitive or classified information instead of entire system
Mar 20 2012
Risk Management and Business Life Cycle
Risk Assessment should include the followings primary steps:
* Critical Asset Sensitivity (impact analysis) level affecting business, contractual and legal imapct
* Threats identified
* Vulnerabilities related to the threats
* Probablity of occurance that the specific threat will exploit the given vulnerability
* Impact of the loss if the specific threat will exploit the given vulnerability
* Risk level identified
* Control recommendations based on risk acceptance
* Results documentation
How to Complete a Risk Assessment in 5 Days or Less
Dec 06 2011
vsRisk The Ultimate Cyber Security Risk Assessment Tool
With over 10 years in the market and 2,500 global downloads, vsRiskTM has been helping organizations all over the world carry out successful risk assessments.
Risks assessment is the core competence of cyber security management. Every decision you make must be proportionate to the actual risk your organization faces. You must therefore assess risks on a structured asset-by-asset basis ā and experience proves you need to save time and money with a risk assessment tool that automates and simplifies this process.
vsRisk is the definitive ISO27001:2005-compliant risk assessment tool which will help you become cybersecure
vsRisk – The Definitive Cyber Security Risk Assessment Tool
The vsRisk Assessment Tool has been designed with the user in mind to effectively identify, analyze and control their actual information risks in line with their business objectives. Key features of vsRisk include:
ā¢ Assessing key areas such as Groups, Assets and Owners
ā¢ Capturing your IS policy, objectives and ISMS scope
ā¢ In-built audit trail and comparative history
ā¢ Assessesing attributes on Confidentiality, Integrity, and Availability, in relation to Business, Legal, Contractual
ā¢ Comprehensive reporting and gap analysis
Alan Calder, CEO of Vigilant Software, talks you through the risk assessment process using vsRisk
Watch the video now >>>
This unique risk assessment tool helps you get on top of the critical risk assessment phase of your ISMS project and, most importantly, sets you up for future risk assessments as well.
Join the professionals and orders your today >>>
vsRisk and Security Risk Assessment
Jul 05 2011
Newly released ISO/IEC 27005:2011 helps improve risk management
/EINPresswire.com/ ISO 27005:2011, the newly released international information security risk management standard, is now available to the international community of business continuity and information security practitioners.
Information security risk management is one of the core competencies of information security. This Standard is an essential companion to ISO/IEC 27001 and ISO/IEC 27002 and replaces ISO/IEC 27005:2008.
ISO 27005:2011 supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach. The Standard is applicable to all organisations of all types and sizes, which intend to manage risks that could compromise the organisations information security.
IT Governance Ltd, an international distribution partner for IEC and a global leader in ISO27001 information, products and services, is making ISO/IEC 27005:2011 available from all its main websites. ISO 27005:2011 ISRM, can be downloaded today from www.itgovernance.co.uk/products/1852 .
“The new ISO/IEC 27005:2011 is a much better standard than was the 2008 version”, comments Alan Calder, CEO of IT Governance, “First, it is a better written, more coherent standard. Second, it is aligned with the risk management standard ISO31000, which makes it easier to integrate Enterprise Risk Management approaches with information security risk management. Third, it provides good, practical guidance on carrying out the risk assessment required by ISO27001, together with clear guidance on risk scales. Fourth, it has good guidance on threats, vulnerabilities, likelihoods and impacts. ISO27005 should become standard additional guidance on risk assessment – the ISMS core competence – for all organisations tackling ISO27001.”
Organisations that would like to save time and money whilst implementing the new Standard should consider applying vsRisk – an ISO27001:2005 compliant information security risk assessment tool produced by Vigilant Software, the specialist software subsidiary of IT Governance.
vsRisk (www.itgovernance.co.uk/products/744) simplifies each step of an ISO27001 risk assessment, allowing compliance project managers to capture their information security policy and objectives, plus the scope of their information security management system, and undertake a rapid appraisal of all key areas, including groups, assets and owners. The tool makes ISO27001 compliance achievable for a far wider range of organisations and professionals by minimising the need for specialist knowledge and significantly undercutting the cost of generalist risk management tools.
As well as supporting ISO/IEC 27001:2005 and ISO/IEC27002, vsRisk complies with BS7799-3:2006, ISO/IEC27005, NIST SP 800-30 and the UK’s Risk Assessment Standard.
A copy of the ISO27005:2011 standard can be downloaded immediately from www.itgovernance.co.uk/products/1852 and the vsRisk CD-ROM can be ordered from www.itgovernance.co.uk/products/744 .
May 13 2011
Enterprise Risk Management: From Incentives to Controls
Enterprise Risk Management: From Incentives to Controls
Enterprise risk management is a complex yet critical issue that all companies must deal with as they head into the twenty-first century. It empowers you to balance risks with rewards as well as people with processes.
But to master the numerous aspects of enterprise risk management- you must first realize that this approach is not only driven by sound theory but also by sound practice. No one knows this better than risk management expert James Lam.
In Enterprise Risk Management: From Incentives to Controls- Lam distills twenty years’ worth of experience in this field to give you a clear understanding of both the art and science of enterprise risk management.
Organized into four comprehensive sections- Enterprise Risk Management offers in-depth insights- practical advice- and real world case studies that explore every aspect of this important field.
Section I: Risk Management in Context lays a solid foundation for understanding the role of enterprise risk management in todays business environment.
Section II: The Enterprise Risk Management Framework offers an executive education on the business rationale for integrating risk management processes.
Section III: Risk Management Applications discusses the applications of risk management in two dimensions – functions and industries.
Section IV: A Look to the Future rounds out this comprehensive discussion of enterprise risk management by examining emerging topics in risk management with respect to people and technology.
Failure to properly manage risk continues to plague corporate America from Enron to Long Term Capital Management. Donāt let it hurt your organization. Pick up Enterprise Risk Management and learn how to meet the enterprise-wide risk management challenge head on and succeed.
Here are the contents of the book.
Authors: James Lam
Publisher: John Wiley
ISBN 10: 0471430005
ISBN 13: 9780471430001
Pages: 336
Format: Hard Cover
Published Date: 24/06/03
“I would highly recommend this book to anyone with a serious interest in understanding risk management from a holistic perspective.”
Dec 26 2010
Information Security Risk Management for ISO27001/ISO27002
Expert guidance on planning and implementing a risk assessment and protecting your business information. In the knowledge economy, organisations have to be able to protect their information assets. Information security management has, therefore, become a critical corporate discipline. The international code of practice for an information security management system (ISMS) is ISO27002. As the code of practice explains, information security management enables organisations to āensure business continuity, minimise business risk, and maximise return on investments and business opportunitiesā.
ISMS requirements
The requirements for an ISMS are specified in ISO27001. Under ISO27001, a risk assessment has to be carried out before any controls can be selected and implemented, making risk assessment the core competence of information security management. This book provides information security and risk management teams with detailed, practical guidance on how to develop and implement a risk assessment in line with the requirements of ISO27001.
International best practice
Drawing on international best practice, including ISO/IEC 27005, NIST SP800-30 and BS7799-3, the book explains in practical detail how to carry out an information security risk assessment. It covers key topics, such as risk scales, threats and vulnerabilities, selection of controls, and roles and responsibilities, and includes advice on choosing risk assessment software.
Benefits to business include:
Stop the hacker. With a proper risk assessment, you can select appropriate controls to protect your organisation from hackers, worms and viruses, and other threats that could potentially cripple your business.
Achieve optimum ROI. Failure to invest sufficiently in information security controls is āpenny wise, pound foolishā, since, for a relatively low outlay, it is possible to minimise your organisationās exposure to potentially devastating losses. However, having too many safeguards in place will make information security system expensive and bureaucratic; so without accurate planning your investment in information security controls can become unproductive. With the aid of a methodical risk assessment, you can select and implement your information security controls to ensure that your resources will be allocated to countering the major risks to your organisation. In this way, you will optimise your return on investment.
Build customer confidence. Protecting your information security is essential if you want to preserve the trust of your clients and to keep your business running smoothly from day to day. If you set up an ISMS in line with ISO27001, then, after an assessment, you can obtain certification. Buyers now tend to look for the assurance that can be derived from an accredited certification to ISO27001 and, increasingly, certification to ISO27001 is becoming a prerequisite in service specification procurement documents.
Comply with corporate governance codes. Information security is a vital aspect of enterprise risk management (ERM). An ERM framework is required by various corporate governance codes, such as the Turnbull Guidance contained within the UKās Combined Code on Corporate Governance, and the American Sarbanes-Oxley Act (SOX) of 2002, and standards such as ISO310000.
Order this book for advice on information security management that can really benefit your bottom line! Information Security Risk Management for ISO27001 / ISO27002
About the authors
Alan Calder is the founder director of IT Governance Ltd. He has many years of senior management and board-level experience in the private and public sectors.
Steve G Watkins leads the consultancy and training services of IT Governance Ltd. In his various roles in both the public and private sectors he has been responsible for most support disciplines. He has over 20 yearsā experience of managing integrated management systems, and is a lead auditor for ISO27001 and ISO9000. He is now an ISMS Technical Expert for UKAS, and provides them with advice for their assessments of certification bodies offering certification to ISO27001.
Jun 08 2010
U.S cybersecurity policies update
- Image via Wikipedia
By Greg Masters
The U.S. House of Representatives has passed a defense bill that contains an amendment aimed at regulating the information security responsibilities and practices of federal agencies.
The amendment, sponsored by Rep. Jim Langevin, D-R.I., and Rep. Diane Watson, D-Calif., updates the Federal Information Security Management Act (FISMA) and establishes a National Office for Cyberspace in the Executive Office of the President.
The amendment was attached to the National Defense Authorization Act for Fiscal Year 2011, which passed the House Friday by a 229-186 vote.
āThe passage of this amendment comes after a great deal of work to raise awareness about the cybervulnerabilities that exist throughout our federal government,ā Langevin, co-chair of the House Cybersecurity Caucus, said in a news release. āThese provisions will establish strong, centralized oversight to protect our nation’s critical information infrastructure and update our comprehensive policy for operating in cyberspace.ā
The measure integrates a number of policy recommendations made by the Obama administration’s 60-day Cyberspace Policy Review, the CSIS Commission on Cybersecurity for the 44th Presidency and the U.S. Government Accountability Office (GAO), which has offered suggestions for remedying security vulnerabilities across federal agencies.
The amendment establishes the National Office for Cyberspace (NOC) within the Executive Office of the President.
A director, appointed by the president and confirmed by the Senate, would be charged with coordinating and overseeing the security of agency information systems and infrastructure. In addition, a CTO would be hired.
Also, a Federal Cybersecurity Practice Board within the NOC would be charged with overseeing the implementation of NIST-approved standards and guidelines, in addition to defining policies that agencies must adhere to in order to comply with FISMA requirements.
Further, agencies would be required to undertake automated and continuous monitoring of their systems to ensure compliance and to identify potential risks to assets. An annual independent audit of information security programs to determine their overall effectiveness and compliance with FISMA requirements would also be required.
The amendment also calls for developing policies to be used in the purchasing of technology products and services.
A version of the bill currently making its way through the Senate does not contain the Watson-Langevin amendment, but it could be altered before it is voted on by the upper chamber. Adjustments between the two versions of the bill could be made in conference before it is presented for President Obama’s signature. The Senate version passed the Armed Services Committee
The amendment combines two previous bills: Watson’s Federal Information Security Amendments Act and Langevin’s Executive Cyberspace Authorities Act.
Related articles by Zemanta
- FISMA Reform Inches Forward (blogs.splunk.com)
- Slippery Slope Alert: “National Office for Cyberspace” Proposed (pff.org)
- Telos Provides Cybersecurity Expertise For Administration Web Initiative (eon.businesswire.com)
- Panel Backs Measure To Boost Federal Cybersecurity (techdailydose.nationaljournal.com)
- Federal Cybersecurity Monitoring Goes Real Time (techdailydose.nationaljournal.com)
- Telos Awarded Blanket Purchase Agreement with Office of Governmentwide Policy (eon.businesswire.com)
May 11 2010
OCR draft guidelines for security risk analysis
- Image by veeliam via Flickr
The Health & Human Services Department published draft guidance to help healthcare providers and payers figure out what is expected of them in doing a risk analysis of their protected patient health information.
The security rule of the Health Insurance Portability and Accountability Act (HIPAA) requires that providers, payment plans and their business associates perform a risk assessment, but does not prescribe a method for doing so, according to draft guidance from HHSā Office of Civil Rights (OCR). The HITECH Act directed that OCR oversee health information privacy.
Risk analysis is a technique used to identify and assess threats and vulnerabilities that may hamper the success of achieving bsuiness goals. In risk analysis determines if the security controls are appropriate compare to the risk presented by the impact of threats and vulnerabilities.
The guidance is not intended to provide a one-size-fits-all blueprint for compliance with the risk analysis requirement. Rather, it clarifies the expectations of the Department for organizations working to meet these requirements. An organization should determine the most appropriate way to achieve compliance, taking into account the characteristics of the organization and its environment.
Some of the content contained in this guidance is based on recommendations of the National Institute of Standards and Technology (NIST), OCR said
OCR guidance document explains several elements a risk analysis must incorporate, regardless of the method employed. So basically the auditor will be looking for all the elements required by the guidelines during an audit.
Information Security Risk Analysis, Tom Peltier
« Previous Page — Next Page »
