Dobson / Group | Risk Management: The Open Group Guide | E-book | sack.de

E-book, English, 137 pages, web PDF



1st edition, 2011
ISBN: 978-90-8753-900-9
Publisher: Van Haren Publishing
Format: PDF
Copy protection: Adobe DRM (see system requirements)




This book brings together The Open Group's set of publications addressing risk management, which have been developed and approved by The Open Group. It is presented in three parts:
The Technical Standard for Risk Taxonomy
Technical Guide to the Requirements for Risk Assessment Methodologies
Technical Guide: FAIR ISO/IEC 27005 Cookbook

Part 1: Technical Standard for Risk Taxonomy

This Part provides a standard definition and taxonomy for information security risk, together with guidance on how to use the taxonomy. The intended audience for this Part is anyone who needs to understand and/or analyze a risk condition. This includes, but is not limited to:
Information security and risk management professionals
Auditors and regulators
Technology professionals
Management
This taxonomy is not limited to application in the information security space; it can be applied to any risk scenario. This means the taxonomy can be used as a foundation for normalizing the results of risk analyses across varied risk domains.

Part 2: Technical Guide: Requirements for Risk Assessment Methodologies
This Part identifies and describes the key characteristics of an effective risk assessment methodology, providing a clearly defined set of essential requirements against which any given methodology can be evaluated. In this way it explains which features to look for when evaluating the capabilities of a methodology, and the value those features represent.

Part 3: Technical Guide: FAIR ISO/IEC 27005 Cookbook
This Part describes in detail how to apply the FAIR (Factor Analysis of Information Risk) methodology within a chosen risk management framework, using ISO/IEC 27005 as the example risk assessment framework. FAIR is complementary to other risk assessment models and frameworks, including COSO, ITIL, ISO/IEC 27002, COBIT and OCTAVE: it supplies a risk analysis engine that can be used inside those models to improve the quality of their risk assessment results. The Cookbook lets risk practitioners follow, by example, how to apply FAIR to the risk assessment model or framework of their choice.
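The "engine" referred to above is the factor tree the Part 1 taxonomy defines and whose components are listed in the table of contents further down: risk is derived from Loss Event Frequency (LEF) and Probable Loss Magnitude (PLM); LEF from Threat Event Frequency (TEF) and Vulnerability; Vulnerability from Threat Capability measured against Control Strength; PLM from primary and secondary loss. The Python block below is an added illustration written by the editor, not code from the book or from The Open Group. It estimates those factors by Monte Carlo simulation over calibrated minimum / most-likely / maximum ranges, which is a common practitioner approach rather than the Technical Standard's own rating tables, and the scenario figures are constructed sample inputs, not numbers from the book.

```python
import random
from dataclasses import dataclass
from statistics import mean, quantiles


@dataclass(frozen=True)
class Estimate:
    """Calibrated range for one FAIR factor: minimum, most likely, maximum."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular distribution over the range; a constant (low == high)
        # is returned unchanged by random.triangular.
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    """One asset / threat-community pairing expressed in the taxonomy's factors."""
    tef: Estimate             # Threat Event Frequency, threat events per year
    tcap: Estimate            # Threat Capability, percentile 0..100
    cs: Estimate              # Control Strength, percentile 0..100
    primary_loss: Estimate    # primary loss per loss event, currency units
    secondary_prob: float     # probability a loss event also causes secondary loss
    secondary_loss: Estimate  # secondary loss per such event, currency units


def vulnerability(s: Scenario, rng: random.Random, draws: int = 4000) -> float:
    """Vulnerability = probability that a threat event's capability exceeds the
    control strength it meets (Threat Capability versus Control Strength)."""
    hits = sum(1 for _ in range(draws) if s.tcap.sample(rng) > s.cs.sample(rng))
    return hits / draws


def simulate(s: Scenario, years: int = 5000, seed: int = 7) -> dict:
    """Monte Carlo over simulated years.
    LEF = TEF x Vulnerability; Risk = LEF x PLM (primary + secondary loss)."""
    rng = random.Random(seed)
    vuln = vulnerability(s, rng)
    loss_events_per_year = []
    annual_loss = []
    for _ in range(years):
        threat_events = int(round(s.tef.sample(rng)))
        # Each threat event independently becomes a loss event with probability vuln.
        loss_events = sum(1 for _ in range(threat_events) if rng.random() < vuln)
        loss = 0.0
        for _ in range(loss_events):
            loss += s.primary_loss.sample(rng)
            if rng.random() < s.secondary_prob:
                loss += s.secondary_loss.sample(rng)
        loss_events_per_year.append(loss_events)
        annual_loss.append(loss)
    return {
        "vulnerability": vuln,
        "mean_lef": mean(loss_events_per_year),
        "mean_annual_loss": mean(annual_loss),
        "p90_annual_loss": quantiles(annual_loss, n=10)[-1],
    }


def exceeds_tolerance(result: dict, tolerance: float) -> bool:
    """Risk acceptance check: compare the 90th-percentile annual loss against a
    loss tolerance stated in the same currency units (hypothetical criterion)."""
    return result["p90_annual_loss"] > tolerance


def example_scenario() -> Scenario:
    """Constructed sample inputs (hypothetical): a privileged insider misusing
    access to a customer database. These are not figures from the book."""
    return Scenario(
        tef=Estimate(0.5, 2.0, 6.0),
        tcap=Estimate(40, 70, 95),
        cs=Estimate(50, 65, 80),
        primary_loss=Estimate(20_000, 80_000, 400_000),
        secondary_prob=0.3,
        secondary_loss=Estimate(100_000, 500_000, 3_000_000),
    )


if __name__ == "__main__":
    result = simulate(example_scenario())
    for name, value in result.items():
        print(f"{name:>18}: {value:,.2f}")
    print("exceeds 1,000,000 tolerance:", exceeds_tolerance(result, 1_000_000))
```

Keeping each factor as a separate, independently estimated range is what makes the analysis defensible in the sense Part 2 describes: a reviewer can challenge the Control Strength estimate or the secondary-loss range on its own, and re-running the simulation shows exactly how much the conclusion depends on it.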


Further information & material


Preface (p. 6)
Acknowledgements (p. 7)
References (p. 8)
Introduction (p. 16)

Part 1: The Open Group Technical Standard: Risk Taxonomy (p. 18)
  Chapter 1 Introduction to risk taxonomy (p. 19)
    1.1 Scope (p. 19)
    1.2 Purpose/objective (p. 20)
    1.3 Context (p. 20)
    1.4 The risk language gap (p. 20)
    1.5 Using FAIR with other risk assessment frameworks (p. 22)
      1.5.1 The ability of a FAIR-based approach to complement other standards (p. 22)
      1.5.2 An example: using FAIR with OCTAVE (p. 22)
      1.5.3 Conclusion (p. 23)
  Chapter 2 Business case for a risk taxonomy (p. 24)
    2.1 What makes this the standard of choice? (p. 26)
    2.2 Who should use this Technical Standard? (p. 27)
    2.3 Related dependencies (p. 28)
  Chapter 3 Risk management model (p. 29)
    3.1 Risk assessment approach (p. 29)
    3.2 Why is a tightly-defined taxonomy critical? (p. 29)
  Chapter 4 Functional aspects (p. 30)
    4.1 What is defined? (p. 30)
    4.2 What is in/out of scope and why? (p. 30)
    4.3 How should it be used? (p. 30)
  Chapter 5 Technical aspects (p. 31)
    5.1 Risk taxonomy overview (p. 31)
    5.2 Component definitions (p. 32)
      5.2.1 Risk (p. 32)
      5.2.2 Loss Event Frequency (LEF) (p. 32)
      5.2.3 Threat Event Frequency (TEF) (p. 33)
      5.2.4 Contact (p. 33)
      5.2.5 Action (p. 34)
      5.2.6 Vulnerability (p. 34)
      5.2.7 Threat Capability (p. 36)
      5.2.8 Control Strength (CS) (p. 36)
      5.2.9 Probable Loss Magnitude (PLM) (p. 37)
      5.2.10 Forms of loss (p. 38)
      5.2.11 Loss factors (p. 39)
      5.2.12 Primary loss factors (p. 40)
      5.2.13 Secondary loss factors (p. 43)
  Chapter 6 Example application (p. 48)
    6.1 The scenario (p. 48)
    6.2 The analysis: FAIR basic risk assessment methodology (p. 48)
      6.2.1 Stage 1: Identify scenario components (p. 49)
      6.2.2 Stage 2: Evaluate Loss Event Frequency (LEF) (p. 50)
      6.2.3 Stage 3: Evaluate Probable Loss Magnitude (PLM) (p. 53)
      6.2.4 Stage 4: Derive and articulate risk (p. 58)
    6.3 Further information (p. 59)
  Appendix A Risk taxonomy considerations (p. 60)
    A.1 Complexity of the model (p. 60)
    A.2 Availability of data (p. 61)
    A.3 Iterative risk analyses (p. 61)
    A.4 Perspective (p. 62)

Part 2: The Open Group Technical Guide: Requirements for risk assessment methodologies (p. 64)
  Chapter 1 Introduction to requirements for risk assessment methodologies (p. 65)
    1.1 Business case for risk assessment methodologies (p. 65)
    1.2 Scope (p. 66)
    1.3 Using this Technical Guide (p. 66)
    1.4 Definition of terms (p. 66)
    1.5 Key operating assumptions (p. 67)
  Chapter 2 What makes a good risk assessment methodology? (p. 68)
    2.1 Key component: taxonomy (p. 68)
    2.2 Key risk assessment traits (p. 68)
      2.2.1 Probabilistic (p. 68)
      2.2.2 Accurate (p. 69)
      2.2.3 Consistent (repeatable) (p. 70)
      2.2.4 Defensible (p. 70)
      2.2.5 Logical (p. 70)
      2.2.6 Risk-focused (p. 71)
      2.2.7 Concise and meaningful (p. 71)
      2.2.8 Feasible (p. 71)
      2.2.9 Actionable (p. 72)
      2.2.10 Prioritized (p. 72)
      2.2.11 Important note (p. 72)
  Chapter 3 Risk assessment methodology considerations (p. 73)
    3.1 Use of qualitative versus quantitative scales (p. 73)
      3.1.1 When is using numbers not quantitative? (p. 74)
    3.2 Measurement scales (p. 74)
      3.2.1 Nominal scale (p. 74)
      3.2.2 Ordinal scale (p. 74)
      3.2.3 Interval scale (p. 74)
      3.2.4 Ratio scale (p. 75)
      3.2.5 Important note (p. 75)
    3.3 How frequent is 'likely'? (p. 75)
    3.4 Risk and the data owners (p. 76)
  Chapter 4 Assessment elements (p. 77)
    4.1 Identifying risk issues (p. 77)
      4.1.1 Interviews and questionnaires (p. 77)
      4.1.2 Testing (p. 78)
      4.1.3 Sampling (p. 79)
      4.1.4 Types of sampling (p. 79)
    4.2 Evaluating the severity/significance of risk issues (p. 79)
    4.3 Identifying the root cause of risk issues (p. 80)
    4.4 Identifying cost-effective solution options (p. 80)
    4.5 Communicating the results to management (p. 81)
      4.5.1 What to communicate (p. 81)
      4.5.2 How to communicate (p. 81)

Part 3: The Open Group Technical Guide: FAIR ISO/IEC 27005 Cookbook (p. 84)
  Chapter 1 Introduction to the FAIR ISO/IEC 27005 Cookbook (p. 85)
    1.1 Purpose (p. 85)
    1.2 Scope (p. 85)
    1.3 Intended audience (p. 85)
    1.4 Operating assumptions (p. 86)
    1.5 Using this Cookbook (p. 86)
  Chapter 2 How to manage risk (p. 87)
    2.1 Information Security Management System (ISMS) overview (p. 87)
    2.2 How FAIR plugs into the ISMS (p. 89)
    2.3 Major differences in approach (p. 93)
    2.4 Recommended approach (p. 95)
    2.5 Points to consider (p. 95)
      2.5.1 Concerns about the complexity of the model (p. 95)
      2.5.2 Availability of data to support statistical analysis (p. 96)
      2.5.3 The iterative nature of risk analyses (p. 96)
  Chapter 3 What information is necessary for risk analysis? (p. 97)
    3.1 Introduction to the landscape of risk (p. 97)
    3.2 Asset landscape (p. 97)
      3.2.1 ISO definition and goal (p. 98)
      3.2.2 Major differences in asset landscape treatment (p. 99)
    3.3 Threat landscape (p. 99)
      3.3.1 ISO definition and goal (p. 99)
      3.3.2 Major differences in threat landscape treatment (p. 99)
      3.3.3 Structure of classification (p. 99)
      3.3.4 Consideration of threat actions (p. 100)
      3.3.5 The development of metrics for the threat landscape (p. 100)
    3.4 Controls landscape (p. 101)
      3.4.1 ISO definition and goal (p. 101)
      3.4.2 Major differences in controls landscape treatment (p. 101)
      3.4.3 Development of metrics for the controls landscape (p. 101)
    3.5 Loss (impact) landscape (p. 102)
      3.5.1 ISO definition and goal (p. 102)
      3.5.2 Major differences in loss (impact) landscape treatment (p. 102)
      3.5.3 Structure of classification (p. 102)
      3.5.4 Development of metrics for the loss (impact) landscape (p. 103)
      3.5.5 Probability of indirect operational impacts (p. 103)
    3.6 Vulnerability landscape (p. 104)
      3.6.1 ISO definition and goal (p. 104)
      3.6.2 Major differences in vulnerability landscape treatment (p. 104)
      3.6.3 Consideration for the vulnerability landscape (p. 104)
      3.6.4 Development of metrics for the vulnerability landscape (p. 105)
  Chapter 4 How to use FAIR in your ISMS (p. 106)
    4.1 Recipe for ISO/IEC 27005 risk management with FAIR (p. 107)
    4.2 Define the context for information security risk management (p. 110)
      4.2.1 General considerations (p. 110)
      4.2.2 Risk acceptance criteria (p. 111)
    4.3 Calculate risk (p. 112)
      4.3.1 Stage 1 (p. 112)
      4.3.2 Stage 2 (p. 113)
      4.3.3 Stage 3 (p. 116)
      4.3.4 Stage 4 (p. 117)
    4.4 Determine the appropriate information risk treatment plan (p. 118)
    4.5 Develop an information security risk communication plan (p. 119)
    4.6 Describe the information security risk monitoring and review plan (p. 120)
  Appendix A Risk Management Program Worksheet (p. 121)
    A.1 Define the context for information security risk management (general considerations) (p. 121)
    A.2 Calculate risk (p. 122)
    A.3 Determine the appropriate information risk treatment plan (p. 125)
    A.4 Develop an information security risk communication plan (p. 126)
    A.5 Describe the information security risk monitoring and review plan (p. 127)

Glossary (p. 128)
Index (p. 132)


