Security Risk Management - The Driving Force for Operational Resilience: The Firefighting Paradox

Operational resilience is becoming increasingly important to businesses, and a driving force behind whether an organization can ensure that its valuable business operations ‘bounce back’ from, or avoid, impactful events is its security risk management capability.

In this book, we change the perspective on an organization’s operational resilience capabilities, shifting it from a reactive (tick-box) approach to a proactive one. Every chapter focuses on risk profiles and on how your business can reduce them through effective mitigation measures.

The book is divided into two sections:

1. Security Risk Management (SRM).

All the components of security risk management contribute to your organization’s operational resilience capabilities, helping to reduce your risks.

• Reduce the probability/likelihood.

2. Survive to Operate.

If your SRM capabilities fail your organization, these are the components needed to allow you to quickly ‘bounce back.’

• Reduce the severity/impact.

Rather than approaching this as an operational resilience compliance exercise, we have written these chapters to be agnostic of any specific operational resilience framework (e.g., CERT RMM, ISO 22316, SP 800-160 Vol. 2 Rev. 1, etc.), looking at operational resilience through a risk management lens instead.

This book is not intended to replace these numerous operational resilience standards/frameworks but, rather, has been designed to complement them by helping you appreciate their value in identifying and mitigating your operational resilience risks.

Unlike the cybersecurity or information security domains, operational resilience looks at risks from a business-oriented view, so that anything that might disrupt your essential business operations is risk-assessed and appropriate countermeasures are identified and applied. Consequently, this book is not limited to cyberattacks or the loss of sensitive data but, instead, looks at things from a holistic, business-based perspective.

Author(s): Jim Seaman, Michael Gioia
Series: Internal Audit and IT Audit
Publisher: CRC Press
Year: 2023

Language: English
Pages: 288
City: Boca Raton

Cover
Half Title
Series Information
Title Page
Copyright Page
Table of Contents
About the Authors
Introduction
Notes
Section One Security Risk Management: Reducing the Likelihood/Probability
Chapter 1 Finagling Your Business
1.1 The Finagle Analogy
1.2 Introduction
1.3 The Importance of Effective Security Risk Management
1.4 To Finagle Or Not to Finagle? That Is the Question
1.5 The Firefighting Paradox
1.6 The Psychology of Finagling
1.7 Effective Risk Communication
1.8 When Security Risk Management Bites Back
1.9 The Security Risk Management Enabler
1.10 Decoding Security Risk Management
Notes
Chapter 2 Business Impact Analysis
2.1 A Vehicle Wheel and Tire Analogy
2.2 Introduction to Business Impact Analysis/Assessment
2.2.1 Risk Appetite
2.2.2 Risk Tolerance
2.2.3 Risk Threshold
2.3 Understanding Recovery Point Objectives
2.4 Understanding Recovery Time Objectives
2.5 Identifying Potential Loss/Impact
2.6 Prioritizing Business Assets/Processes/Operations
2.7 When Business Impact Analysis Bites Back
2.8 Lessons Learned From Health and Safety
2.9 Decoding Business Impact Analysis
Notes
Chapter 3 Asset Management
3.1 The U.S. Air Force Mission Statement Analogy
3.2 Introduction
3.3 What Is an Asset?
3.4 The Components of Effective Asset Management
3.4.1 ADM:SG1 Establish Organizational Assets
3.4.2 ADM:SG2 Establish the Relationship Between Assets and Services
3.4.3 ADM:SG3 Manage Assets
3.5 When Security Risk Management Bites Back
3.5.1 The Asset Management Enabler
3.5.2 Decoding Asset Management
Notes
Chapter 4 Risk-Based Vulnerability Management
4.1 The First Aid Analogy
4.2 Introduction to Vulnerability Management
4.3 What Is Vulnerability Management?
4.4 Difference Between Risk-Based Patch Management and Risk-Based Vulnerability Management
4.5 Applying Project Management Techniques
4.5.1 Planning and Preparation
4.5.2 Identify
4.5.3 Evaluate, Engage, and Explain
4.5.4 Fix
4.5.5 Assess
4.5.6 Report
4.5.7 Maintain
4.6 When Risk-Based Vulnerability Management Bites Back
4.7 Decoding Risk-Based Vulnerability Management
Notes
Chapter 5 Threat Management
5.1 A Farming Analogy
5.2 Introduction to Threat Management
5.2.1 Term Origins
5.2.2 Term Definitions
5.2.3 Knife Crime
5.3 Threat Modeling
5.4 Attack Tree Threat Analysis
5.5 MITRE ATT&CK® Threat Framework
5.5.1 Navigating the MITRE ATT&CK® Threat Matrix
5.6 Mitre’s CAPEC™
5.7 Open-Source Intelligence
5.8 Internal Sources/Knowledge
5.9 When Threat Management Bites Back
5.10 Decoding Threat Management
Notes
Chapter 6 Risk Scenarios
6.1 The ‘Big Bad Wolf’ Analogy
6.2 Introduction to Risk Scenarios
6.3 The Value of Risk Scenarios
6.4 Prior Planning With Risk Scenarios
6.5 Creating Risk Scenario Playbooks
6.5.1 Components of a Playbook
6.6 When Risk Scenarios Bite Back
6.7 Decoding Risk Scenarios
Notes
Chapter 7 Quality Versus Quantity
7.1 The Aging Brain Analogy
7.2 Introduction to Risk Assessments
7.3 Conducting Qualitative Risk Assessments
7.4 Conducting Quantitative Risk Assessments
7.5 Quality Or Quantity?
7.6 Choosing Your Risk Assessment Types
7.7 The Value of Risk Assessments
7.8 When Risk Assessments Bite Back
7.9 Decoding Risk Assessments
Notes
Chapter 8 Developing a Risk Culture
8.1 The British Military Deployments Analogy
8.2 An Introduction to Risk Culture
8.3 Risk Culture Versus ‘Security’ Culture
8.4 Developing an Effective Risk Culture
8.5 Risk Culture Hierarchy
8.5.1 Three Lines of Defense Model
8.6 When Developing a Risk Culture Bites Back
8.7 Decoding Developing a Risk Culture
Notes
Chapter 9 Risk-Enabling the Human Firewall
9.1 Learning How to Drive Analogy
9.2 An Introduction to Risk-Enabling the Human Firewall
9.3 Service Provider Versus Service Enablement
9.4 Achieving Risk-Based Service Enablement
9.5 When a Lack of Risk-Enabling the Human Firewall Bites Back
9.6 Decoding Risk-Enabling the Human Firewall
Notes
Chapter 10 Risk-Based Security Operations
10.1 The Human Security Operations Center – The Immune System
10.2 An Introduction to Risk-Based Security Operations
10.3 The Great Divide of Security
10.4 Establishing a Risk-Based Security Operations Framework
10.4.1 Business Objectives
10.4.2 Threat Profile
10.4.3 Monitoring and Alerting
10.4.4 Incident Response Playbooks
10.4.5 Event Investigation/Incident Response
10.4.6 Hardening
10.4.7 Monitoring and Alerting Revisited
10.4.8 Residual Risk
10.4.9 Auditing and Testing
10.5 When Risk-Based Security Operations Bite Back
10.6 Decoding Risk-Based Security Operations
Notes
Chapter 11 Creating Visibility and Insights Through Effective Security Risk Metrics
11.1 A Vehicle Warning Light Analogy
11.2 Introduction to Security Risk Metrics
11.3 Creating Visibility and Showing a Return On Investments
11.4 Converting Information Into Actionable Intelligence
11.5 Delivering the ‘Elevator (Lift) Pitch’
11.6 When Security Risk Metrics Bite Back
11.7 Decoding Security Risk Metrics
Notes
Section Two Survive to Operate: Reducing the Impacts/Consequences
Chapter 12 Security Incident Management
12.1 An Emergency and Military Services Analogy
12.2 Introduction to Security Incident Management
12.3 What Is a Security Incident?
12.4 The Importance of an Effective Security Incident Management Practice
12.5 Components of an Effective Security Incident Management Program (SIMP)
12.6 It Is All in the Play
12.7 When Incident Management Bites Back
12.8 Decoding Incident Management
Notes
Chapter 13 Business Continuity Management
13.1 Roadside Assistance Analogy
13.2 Introduction to Business Continuity Management
13.3 Understanding Business Continuity
13.3.1 Risk Assessments
13.3.2 Business Impact Analysis
13.3.3 Business Continuity Plan Development
13.4 Constructs of a Business Continuity Plan
13.5 When Business Continuity Management Bites Back
13.6 Decoding Business Continuity Management
Notes
Chapter 14 Disaster Recovery Management
14.1 A Disaster Recovery Analogy
14.2 Introduction to Disaster Recovery
14.3 Constructing Your Disaster Recovery Plan/Program
14.4 Creating a Disaster Recovery Plan
14.4.1 Components of an Effective Disaster Recovery Plan
14.5 Validating the Effectiveness of Your Disaster Recovery Plan/Program
14.6 When Disaster Recovery Bites Back
14.7 Decoding Disaster Recovery
Notes
Index