Description
The goal of Information Security Risk Analysis is to give you the tools and skill set needed to do exactly that. Over the course of this book we will examine many different ways to improve the risk assessment process to work best for you and your organization.
The book is designed in such a manner that the initial discussions will relate to the actual risk assessment process. We will examine each of the steps necessary to complete a successful risk assessment. We will discuss the basic concepts and then we will entertain variations of the theme.
The process that we will use is called the Facilitated Risk Analysis and Assessment Process (FRAAP). This is a qualitative risk assessment process that has been used throughout the world for the past fifteen years. The guiding factor in the development of the FRAAP was that we had neither a budget to purchase a risk assessment product nor the time to implement one. My team and I began to discuss the outer limit of time we could reasonably expect infrastructure and business people to spend completing a single risk assessment. It was this time factor that drove the development of the FRAAP and, over the years, its refinements. Throughout the book you will be given examples of checklists, forms, questionnaires, and other tools needed to complete a risk assessment.
Once we have covered the basics on how to complete a risk assessment, we will then examine other important concepts and how to implement them. We will examine the concept of risk analysis and how it relates to the risk assessment process.
We will discuss where risk analysis fits into the system development life cycle (SDLC) and how it is used in project management processes. We will discuss the SDLC and how risk analysis, risk assessment, risk mitigation, and vulnerability assessment fit into this structure. We will also review the gap analysis process and see how this can be used to support the quality control objectives of the risk assessment process. We will examine the difference between a gap analysis and a security or controls assessment.
It will be necessary to discuss the cost–benefit analysis process because it is found in a number of other concepts we will discuss.
We will also discuss how to use the concepts developed throughout the book to implement a business impact analysis (BIA) process and an information classification methodology.
The final concept we will explore is the pre-screening methodology. Over the years we have come to the conclusion that not every application, system, or business process needs to have a full-blown risk assessment or BIA run against it. To reach that conclusion, it will be important to create a methodology that will enable the organization to determine what needs analysis and what can benefit best by implementation of a baseline set of controls. Through understanding gap analysis, controls assessment, and information classification requirements, we will be able to generate a baseline set of controls and a methodology to determine whether a risk assessment or BIA is required.
The book is meant to be a reference guide to help you create the components you will need to implement a successful risk assessment process. I have included sample documents that include a management summary and a completed risk assessment action plan. Copies of the following worksheets, checklists, and other documents are available at http://www.infosectoday.com/Risk_Assessment.
Chapter 1 The Facilitated Risk Analysis and Assessment Process
Table 1.8 Pre-FRAAP Meeting Checklist
Table 1.32–34 Post-FRAAP Worksheet
Chapter 2 Risk Analysis (Project Impact Analysis)
Table 2.2 Project Impact Analysis Questionnaire
Chapter 4 Business Impact Analysis
Figure 4.2 BIA Sample Worksheet
Table 4.3 BIA Financial Impact Worksheet
Table 4.4 BIA Worksheet Example
Table 4.14 BIA Sample Summary Report
Chapter 5 Gap Analysis
Table 5.3 Gap Analysis Example 1
Table 5.6 Gap Analysis Example 2
Table 5.7 Gap Analysis Example 3
Appendix G Sample Threat Checklist
Sample Threat Checklist
Appendix H Sample BIA Questionnaire
Sample BIA Summary Report
Business Impact Analysis Checklist
Sample Threat Checklist
BIA Consolidated Report