

Managing Risk in Information Systems
Darril Gibson


World Headquarters Jones & Bartlett Learning 40 Tall Pine Drive Sudbury, MA 01776 978-443-5000

Jones & Bartlett Learning Canada 6339 Ormindale Way Mississauga, Ontario L5V 1J2 Canada

Jones & Bartlett Learning International Barb House, Barb Mews London W6 7PA United Kingdom

Jones & Bartlett Learning books and products are available through most bookstores and online booksellers. To contact Jones & Bartlett Learning directly, call 800-832-0034, fax 978-443-8000, or visit our website,

Substantial discounts on bulk quantities of Jones & Bartlett Learning publications are available to corporations, professional associations, and other qualified organizations. For details and specific discount information, contact the special sales department at Jones & Bartlett Learning via the above contact information or send an email to

Copyright © 2011 by Jones & Bartlett Learning, LLC

All rights reserved. No part of the material protected by this copyright may be reproduced or utilized in any form, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the copyright owner.

This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional service. If legal advice or other expert assistance is required, the service of a competent professional person should be sought.

Production Credits
Chief Executive Officer: Ty Field
President: James Homer
SVP, Chief Operating Officer: Don Jones, Jr.
SVP, Chief Technology Officer: Dean Fossella
SVP, Chief Marketing Officer: Alison M. Pendergast
SVP, Chief Financial Officer: Ruth Siporin
SVP, Business Development: Christopher Will
VP, Design and Production: Anne Spencer
VP, Manufacturing and Inventory Control: Therese Connell
Editorial Management: High Stakes Writing, LLC, Editor and Publisher: Lawrence J. Goodrich
Reprints and Special Projects Manager: Susan Schultz
Associate Production Editor: Tina Chen
Director of Marketing: Alisha Weisman
Associate Marketing Manager: Meagan Norlund
Cover Design: Anne Spencer
Composition: Mia Saunders Design
Cover Image: © ErickN/ShutterStock, Inc.
Chapter Opener Image: © Rodolfo Clix/
Printing and Binding: Malloy, Inc.
Cover Printing: Malloy, Inc.

ISBN: 978-0-7637-9187-2

Library of Congress Cataloging-in-Publication Data Unavailable at time of printing

6048 Printed in the United States of America 14 13 12 11 10 10 9 8 7 6 5 4 3 2 1




Contents

Preface xv
Acknowledgments xvii

Part One Risk Management Business Challenges 1

Chapter 1 Risk Management Fundamentals 2
  What Is Risk? 4
    Compromise of Business Functions 4
    Compromise of Business Assets 5
    Driver of Business Costs 6
    Profitability Versus Survivability 6
  What Are the Major Components of Risk to an IT Infrastructure? 7
    Seven Domains of a Typical IT Infrastructure 7
    Threats, Vulnerabilities, and Impact 12
  Risk Management and Its Importance to the Organization 13
    How Risk Affects an Organization’s Survivability 14
    Reasonableness 15
    Balancing Risk and Cost 15
    Role-Based Perceptions of Risk 16
  Risk Identification Techniques 18
    Identifying Threats 18
    Identifying Vulnerabilities 19
    Pairing Threats with Vulnerabilities 22
  Risk Management Techniques 23
    Avoidance 23
    Transfer 23
    Mitigation 24
    Acceptance 24
    Cost-Benefit Analysis 25
    Residual Risk 26
  Chapter Summary 27
  Key Concepts and Terms 27
  Chapter 1 Assessment 28

Chapter 2 Managing Risk: Threats, Vulnerabilities, and Exploits 29
  Understanding and Managing Threats 30
    The Uncontrollable Nature of Threats 30
    Unintentional Threats 31
    Intentional Threats 32
    Best Practices for Managing Threats Within Your IT Infrastructure 34
  Understanding and Managing Vulnerabilities 35
    Threat/Vulnerability Pairs 36
    Vulnerabilities Can Be Mitigated 37
    Mitigation Techniques 38
    Best Practices for Managing Vulnerabilities Within Your IT Infrastructure 40
  Understanding and Managing Exploits 41
    What Is an Exploit? 41
    How Do Perpetrators Initiate an Exploit? 44
    Where Do Perpetrators Find Information About Vulnerabilities and Exploits? 46
    Mitigation Techniques 47
    Best Practices for Managing Exploits Within Your IT Infrastructure 48
  U.S. Federal Government Risk Management Initiatives 48
    National Institute of Standards and Technology 49
    Department of Homeland Security 50
    National Cyber Security Division 51
    US Computer Emergency Readiness Team 51
    The MITRE Corporation and the CVE List 52
  Chapter Summary 54
  Key Concepts and Terms 54
  Chapter 2 Assessment 55

Chapter 3 Maintaining Compliance 57
  Compliance 58
    Federal Information Security Management Act 59
    Health Insurance Portability and Accountability Act 59
    Gramm-Leach-Bliley Act 62
    Sarbanes-Oxley Act 62
    Family Educational Rights and Privacy Act 62
    Children’s Internet Protection Act 63
  Regulations Related to Compliance 64
    Securities and Exchange Commission 65
    Federal Deposit Insurance Corporation 65
    Department of Homeland Security 65
    Federal Trade Commission 65
    State Attorney General 67
    U.S. Attorney General 67
  Organizational Policies for Compliance 68
  Standards and Guidelines for Compliance 69
    Payment Card Industry Data Security Standard 70
    National Institute of Standards and Technology 72
    Generally Accepted Information Security Principles 73
    Control Objectives for Information and Related Technology 73
    International Organization for Standardization 74
    International Electrotechnical Commission 76
    Information Technology Infrastructure Library 77
    Capability Maturity Model Integration 79
    Department of Defense Information Assurance Certification and Accreditation Process 81
  Chapter Summary 82
  Key Concepts and Terms 82
  Chapter 3 Assessment 83

Chapter 4 Developing a Risk Management Plan 85
  Objectives of a Risk Management Plan 86
    Objectives Example: Web Site 87
    Objectives Example: HIPAA Compliance 88
  Scope of a Risk Management Plan 89
    Scope Example: Web Site 91
    Scope Example: HIPAA Compliance 91
  Assigning Responsibilities 92
    Responsibilities Example: Web Site 93
    Responsibilities Example: HIPAA Compliance 93
  Describing Procedures and Schedules for Accomplishment 94
    Procedures Example: Web Site 96
    Procedures Example: HIPAA Compliance 97
  Reporting Requirements 97
    Present Recommendations 97
    Document Management Response to Recommendations 102
    Document and Track Implementation of Accepted Recommendations 103
  Plan of Action and Milestones 103
  Charting the Progress of a Risk Management Plan 106
    Milestone Plan Chart 106
    Gantt Chart 106
    Critical Path Chart 107
  Chapter Summary 109
  Key Concepts and Terms 109
  Chapter 4 Assessment 109

Part Two Mitigating Risk 111

Chapter 5 Defining Risk Assessment Approaches 112
  Understanding Risk Assessment 113
    Importance of Risk Assessments 114
    Purpose of a Risk Assessment 114
  Critical Components of a Risk Assessment 115
    Identify Scope 115
    Identify Critical Areas 116
    Identify Team 117
  Types of Risk Assessments 117
    Quantitative Risk Assessments 118
    Qualitative Risk Assessments 120
    Comparing Quantitative and Qualitative Risk Assessments 128
  Risk Assessment Challenges 129
    Using a Static Process to Evaluate a Moving Target 130
    Availability 131
    Data Consistency 131
    Estimating Impact Effects 133
    Providing Results That Support Resource Allocation and Risk Acceptance 134
  Best Practices for Risk Assessment 135
  Chapter Summary 136
  Key Concepts and Terms 136
  Chapter 5 Assessment 137

Chapter 6 Performing a Risk Assessment 138
  Selecting a Risk Assessment Methodology 139
    Defining the Assessment 140
    Review Previous Findings 142
  Identifying the Management Structure 143
  Identifying Assets and Activities Within Risk Assessment Boundaries 144
    System Access and System Availability 145
    System Functions 146
    Hardware and Software Assets 147
    Personnel Assets 148
    Data and Information Assets 148
    Facilities and Supplies 148
  Identifying and Evaluating Relevant Threats 149
    Reviewing Historical Data 150
    Modeling 150
  Identifying and Evaluating Relevant Vulnerabilities 151
    Vulnerability Assessments 151
    Exploit Assessments 152
  Identifying and Evaluating Countermeasures 153
    In-Place and Planned Countermeasures 153
    Control Categories 154
  Selecting a Methodology Based on Assessment Needs 157
    Quantitative 157
    Qualitative 158
  Develop Mitigating Recommendations 159
    Threat/Vulnerability Pairs 159
    Estimate of Cost and Time to Implement 160
    Estimate of Operational Impact 160
    Prepare Cost-Benefit Analysis 161
  Present Risk Assessment Results 162
  Best Practices for Performing Risk Assessments 162
  Chapter Summary 163
  Key Concepts and Terms 164
  Chapter 6 Assessment 164

Chapter 7 Identifying Assets and Activities to Be Protected 166
  System Access and Availability 167
  System Functions: Manual and Automated 170
    Manual Methods 170
    Automated Methods 170
  Hardware Assets 171
  Software Assets 173
  Personnel Assets 174
  Data and Information Assets 175
    Organization 177
    Customer 178
    Intellectual Property 178
    Data Warehousing and Data Mining 179
  Asset and Inventory Management Within the Seven Domains of a Typical IT Infrastructure 181
    User Domain 182
    Workstation Domain 183
    LAN Domain 183
    LAN-to-WAN Domain 183
    WAN Domain 184
    Remote Access Domain 185
    System/Application Domain 185
  Identifying Facilities and Supplies Needed to Maintain Business Operations 186
    Mission-Critical Systems and Applications Identification 186
    Business Impact Analysis Planning 187
    Business Continuity Planning 188
    Disaster Recovery Planning 189
    Business Liability Insurance Planning 190
    Asset Replacement Insurance Planning 190
  Chapter Summary 191
  Key Concepts and Terms 192
  Chapter 7 Assessment 192

Chapter 8 Identifying and Analyzing Threats, Vulnerabilities, and Exploits 194
  Threat Assessments 195
    Techniques for Identifying Threats 198
    Best Practices for Threat Assessments Within the Seven Domains of a Typical IT Infrastructure 202
  Vulnerability Assessments 203
    Documentation Review 204
    Review of System Logs, Audit Trails, and Intrusion Detection System Outputs 205
    Vulnerability Scans and Other Assessment Tools 206
    Audits and Personnel Interviews 207
    Process Analysis and Output Analysis 208
    System Testing 209
    Best Practices for Performing Vulnerability Assessments Within the Seven Domains of a Typical IT Infrastructure 213
  Exploit Assessments 214
    Identify Exploits 214
    Mitigate Exploits with a Gap Analysis and Remediation Plan 218
    Implement Configuration or Change Management 218
    Verify and Validate the Exploit Has Been Mitigated 219
    Best Practices for Performing Exploit Assessments Within an IT Infrastructure 219
  Chapter Summary 220
  Key Concepts and Terms 220
  Chapter 8 Assessment 220

Chapter 9 Identifying and Analyzing Risk Mitigation Security Controls 222
  In-Place Controls 223
  Planned Controls 223
  Control Categories 224
  NIST Control Classes 224
  Administrative Control Examples 228
    Policies and Procedures 229
    Security Plans 230
    Insurance and Bonding 231
    Background Checks and Financial Checks 232
    Data Loss Prevention Program 233
    Awareness and Training 234
    Rules of Behavior 234
    Software Testing 235
  Technical Control Examples 235
    Logon Identifier 236
    Session Timeout 236
    System Logs and Audit Trails 237
    Data Range and Reasonableness Checks 238
    Firewalls and Routers 239
    Encryption 240
    Public Key Infrastructure (PKI) 241
  Physical Control Examples 243
    Locked Doors, Guards, Access Logs, and Closed-Circuit Television (CCTV) 243
    Fire Detection and Suppression 244
    Water Detection 245
    Temperature and Humidity Detection 245
    Electrical Grounding and Circuit Breakers 246
  Best Practices for Risk Mitigation Security Controls 247
  Chapter Summary 248
  Key Concepts and Terms 248
  Chapter 9 Assessment 249

Chapter 10 Planning Risk Mitigation Throughout Your Organization 250
  Where Should Your Organization Start with Risk Mitigation? 251
  What Is the Scope of Risk Management for Your Organization? 252
    Critical Business Operations 253
    Customer Service Delivery 254
    Mission-Critical Business Systems, Applications, and Data Access 255
    Seven Domains of a Typical IT Infrastructure 258
    Information Systems Security Gap 262
  Understanding and Assessing the Impact of Legal and Compliance Issues on Your Organization 263
    Legal Requirements, Compliance Laws, Regulations, and Mandates 264
    Assessing the Impact of Legal and Compliance Issues on Your Business Operations 266
  Translating Legal and Compliance Implications for Your Organization 270
  Assessing the Impact of Legal and Compliance Implications on the Seven Domains of a Typical IT Infrastructure 270
  Assessing How Security Countermeasures and Safeguards Can Assist with Risk Mitigation 271
  Understanding the Operational Implications of Legal and Compliance Requirements 272
  Identifying Risk Mitigation and Risk Reduction Elements for the Entire Organization 272
  Performing a Cost-Benefit Analysis 273
  Best Practices for Planning Risk Mitigation Throughout Your Organization 275
  Chapter Summary 276
  Key Concepts and Terms 276
  Chapter 10 Assessment 276

Chapter 11 Turning Your Risk Assessment Into a Risk Mitigation Plan 278
  Review the Risk Assessment for Your IT Infrastructure 279
    Overlapping Countermeasures 280
    Matching Threats with Vulnerabilities 281
    Identifying Countermeasures 282
  Translating Your Risk Assessment into a Risk Mitigation Plan 285
    Cost to Implement 285
    Time to Implement 289
    Operational Impact 292
  Prioritizing Risk Elements That Require Risk Mitigation 293
    Using a Threat/Vulnerability Matrix 293
    Prioritizing Countermeasures 294
  Verifying Risk Elements and How These Risks Can Be Mitigated 296
  Performing a Cost-Benefit Analysis on the Identified Risk Elements 297
    Calculate the CBA 298
    A CBA Report 298
  Implementing a Risk Mitigation Plan 299
    Stay Within Budget 300
    Stay on Schedule 300
  Following Up on the Risk Mitigation Plan 303
    Ensuring Countermeasures Are Implemented 303
    Ensuring Security Gaps Have Been Closed 304
  Best Practices for Enabling a Risk Mitigation Plan from Your Risk Assessment 305
  Chapter Summary 306
  Key Concepts and Terms 306
  Chapter 11 Assessment 307

Part Three Risk Mitigation Plans 309

Chapter 12 Mitigating Risk with a Business Impact Analysis 310
  What Is a Business Impact Analysis? 311
    Collecting Data 312
    Varying Data Collection Methods 313
  Defining the Scope of Your Business Impact Analysis 314
  Objectives of a Business Impact Analysis 315
    Identify Critical Business Functions 317
    Identify Critical Resources 318
    Identify MAO and Impact 319
    Direct Costs 320
    Indirect Costs 321
    Identify Recovery Requirements 322
  The Steps of a Business Impact Analysis Process 324
    Identify the Environment 325
    Identify Stakeholders 325
    Identify Critical Business Functions 326
    Identify Critical Resources 326
    Identify Maximum Downtime 327
    Identify Recovery Priorities 328
    Develop BIA Report 328
  Identifying Mission-Critical Business Functions and Processes 329
  Mapping Business Functions and Processes to IT Systems 331
  Best Practices for Performing a BIA for Your Organization 331
  Chapter Summary 333
  Key Concepts and Terms 333
  Chapter 12 Assessment 333
  Endnote 334

Chapter 13 Mitigating Risk with a Business Continuity Plan 335
  What Is a Business Continuity Plan (BCP)? 336
  Elements of a BCP 337
    Purpose 339
    Scope 339
    Assumptions and Planning Principles 339
    System Description and Architecture 342
    Responsibilities 346
    Notification/Activation Phase 349
    Recovery Phase 353
    Reconstitution Phase (Return to Normal Operations) 354
    Plan Training, Testing, and Exercises 356
    Plan Maintenance 359
  How Does a BCP Mitigate an Organization’s Risk? 360
  Best Practices for Implementing a BCP for Your Organization 361
  Chapter Summary 362
  Key Concepts and Terms 362
  Chapter 13 Assessment 362

Chapter 14 Mitigating Risk with a Disaster Recovery Plan 364
  What Is a Disaster Recovery Plan (DRP)? 365
    Need 367
    Purpose 367
  Critical Success Factors 368
    What Management Must Provide 368
    What DRP Developers Need 369
    Primary Concerns 370
    Disaster Recovery Financial Budget 377
  Elements of a DRP 378
