Scherling | Practical Risk Management for the CIO | E-Book | www2.sack.de

E-book, English, 399 pages

Scherling Practical Risk Management for the CIO

Year of publication: 2011
ISBN: 978-1-4398-5654-3
Publisher: Taylor & Francis
Format: PDF
Copy protection: Adobe DRM




The growing complexity of today’s interconnected systems has not only increased the need for improved information security, but also helped to move information from the IT backroom to the executive boardroom as a strategic asset. And, just like the tip of an iceberg is all you see until you run into it, the risks to your information are mostly invisible until disaster strikes.

Detailing procedures to help your team perform better risk assessments and aggregate results into more meaningful metrics, Practical Risk Management for the CIO approaches information risk management through improvements to information management and information security. It provides easy-to-follow guidance on how to effectively manage the flow of information and incorporate both service delivery and reliability.

- Explains why every CIO should be managing his or her information differently

- Provides time-tested risk ranking strategies

- Considers information security strategy standards such as NIST, FISMA, PCI, SP 800, & ISO 17799

- Supplies steps for managing: information flow, classification, controlled vocabularies, life cycle, and data leakage

- Describes how to put it all together into a complete information risk management framework

Information is one of your most valuable assets. If you aren’t on the constant lookout for better ways to manage it, your organization will inevitably suffer. Clarifying common misunderstandings about the risks in cyberspace, this book provides the foundation required to make more informed decisions and effectively manage, protect, and deliver information to your organization and its constituents.


Target audience


CIOs, CISOs, information security specialists, auditors, CFOs, risk managers, information managers, information security architects, information architects, consultants, and project managers.


Authors/Editors


Further information & material


Introduction: Why Risk Management?
Liability
Personal Data Disclosed or Stolen
Intellectual Property Lost or Stolen
Wrong Decisions Made
Liability Risks
Service Delivery
Transaction Centric
Information Centric
Risks to Service Delivery
Risks to the CIO

PRINCIPLES AND CONCEPTS
Overview
Market Risks
Budget Risks
People Risks
Technology Risks
Operational Risks
Information Risks
Control Risks
Detection Risks
Risk Treatment
Basic Concepts, Principles, and Practices
Concepts
Risk IT Framework Principles
ISO 31000 Risk Management Principles
Other Risk Management Principles
Summary: Risk Management and Risk IT Principles
Information Security Principles
Accountability Principle
Awareness Principle
Ethics Principle
Multidisciplinary Principle
Proportionality Principle
Integration Principle
Timeliness Principle
Assessment Principle
Equity Principle
Information Management Principles
Value
Life Cycle
Reuse
Proliferates Quickly
Dependencies
Principles
Risk Assessment, Analysis, and Procedures
Making Decisions: Fact or Fiction? How Do You Decide?
Confidence Ranking Process
Facts
Calculations
Estimations
Guesses
Risk Management Starts with the Individual
Managing Risky People
Risk Management Profiling and Risk Culture
Measuring Risks or Uncertainty
How to Measure Risks
Identify the Risk
Consensus of the Risk
Analysis of Risk
Mitigate the Risk
Monitor the Risk
Reassess the Risk
Performing a Risk Assessment
Team or Committee Selection
Step 1: Define Parameters
Taxonomy of Risk Types
Scope, Time Frame, Complexity, and Stakeholders
Step 2: Identify Risks and Impacts
Step 3: Consensus of Risks and Impacts
Step 4: Risks and Impacts Analysis
Step 5: Prioritize Risks and Impacts
Step 6: Review Existing Controls
Step 7: Risks and Impacts Mitigation Analysis
Step 8: Costing, Prioritization, and Decisions
Step 9: Implementation
Step 10: Review
Metrics
User Experienced Metrics
Best Practices
Principles and Concepts: Section Summary

Part II: SERVICE DELIVERY
Product Management
Products You Deliver as a CIO
Information Delivery: How Information Flows in Your Organization
Organizing IT for Information Delivery, Management, and Protection
Process Management
Project Management
Projects
Risk Ranking
Vulnerability Scanning
Reporting
IT Service Management
Opportunity Capacity
Reporting on Service Delivery
Service Delivery: Section Summary

LIABILITIES MANAGEMENT
Information Management
The Value of Information
Classify Your Information: Value and Categories
Value/Sensitivity of Information
Categories of Information
Controlled Vocabulary, Taxonomies, Keywords, and Search
Controlled Vocabularies
Summary
Identify Information Assets
Information Has a Life Cycle
Database Information Life Cycle
Information Flows
Information Flow Analysis
Information Management Strategy
Designing Information Management across Large Organizations
Steps to Better Information Management
Information Protection
Security Controls
Essential Controls
Personnel (Includes Management and Operations)
Technology
Information
Ingress
Egress
Database Security and Monitoring
Defense in Depth
Audit and Compliance
Documentation
Information Security Architecture
Reporting on Information Security
FISMA, NIST, and FIPS
Why
What
Specifications for Minimum Security Requirements
How
Payment Card Industry Data Security Standard
Analysis of Good Information Security Practices
Employee, Hacker, Insider, or Outsider
Insiders
Employees
Partners
Contractors
Outsourced
Insider Threats
Insider Controls
Outsiders
General Public
Hackers
Customers, Clients, Others
Outsider Threats
Outsider Controls
Data Loss Prevention/Information Knowledge Leakage
Database Solutions
Network and End-Point Solutions
Portable Device Control
Defining the Risk
Deploying DLP Solutions
Paper: Print, Keep, Shred
E-Discovery
Rules and Obligations
Standard of Proof
E-Discovery Process
Information Management
Collection and Preservation
Production
Presentation
Summary of E-Discovery
Privacy
Policies and Procedures
Writing Good Policies
Communicating Policy
Enforcing Policy
Writing Good Procedures
Following Procedures
Next-Generation Policies and Procedures
Planning for Big Failures or Business Continuity
Business Resilience and Redundancy
Business Continuity Management
Liabilities Management: Section Summary

PUTTING IT ALL TOGETHER
Designing a Risk Management Strategy
External Factors
Organization Structure
Identify Assets
Compliance Requirements
Risk Management Profiles
Risk Culture
Governance
Risk Management Strategy for Service Delivery
Risk Management Strategy for Liabilities
Consolidated Risk Management Strategy
Risk Management Framework: Outline
Maintain Risk Management Program
Resourcing a Risk Management Program
Forward-Looking Risk Management
Preparing for a "Black Swan"
Conclusion

Appendices:
OECD Privacy Principles
Project Profiling Risk Assessment
Risk Impact Scales
Classification Schema
Bibliography
Index


Mark Scherling, CISSP, CRM, has been working in IT for over 30 years. For the past four years, he has been managing information security and privacy for the Justice Sector in the Government of British Columbia (Canada). Prior to the Justice Sector, he managed the Information Security Investigations Unit for the entire BC government.

He has designed and implemented public key infrastructure (PKI) and security solutions for numerous clients. He is considered a Subject Matter Expert in Risk Management and Information Security by the Information Systems Audit and Control Association (ISACA). He contributed to the Risk IT Framework and Certification in Risk and Information Systems (CRISC), a new ISACA Certification. He is viewed as a Security and Risk Management Expert by many people within and associated with the Government of British Columbia.

His background includes sales, marketing, and information management. In the mid-1990s, he was instrumental in developing and implementing the Canadian Department of National Defence Intranet (the DIN). He has significant experience in information and knowledge management, and he combines this expertise with information protection to create an information risk management strategy for Chief Information Officers (CIOs).

He has been part of the evolution of information technology (IT) from Digital Equipment’s VAXes and PDP-11s to mobile computing, the Internet, and cloud computing. The interconnected world we now live in holds exciting promise to link people, computers, applications, and information, but there are risks when we link everything together and share information. Organizations are always trying to reduce costs and improve customer relations. Mark has been involved in information security for over 13 years and has shifted his approach from simple information security to risk management strategies. As the Internet continues to evolve, so do information security and risk management.

The reality is that we need better ways of managing risks to our information and services. His approach is more holistic, considering not just liabilities but also service delivery, because information is one of our most important assets.


