Information Security / Security & Auditing
LANDOLL SECOND EDITION
THE SECURITY RISK ASSESSMENT HANDBOOK
A Complete Guide for Performing Security Risk Assessments
DOUGLAS J. LANDOLL
Conducted properly, information security risk assessments provide managers
with the feedback needed to understand threats to corporate assets, determine
vulnerabilities of current controls, and select appropriate safeguards. Performed
incorrectly, they can provide the false sense of security that allows potential
threats to develop into disastrous losses of proprietary information, capital, and
corporate value.
Picking up where its bestselling predecessor left off, The Security Risk
Assessment Handbook: A Complete Guide for Performing Security Risk
Assessments, Second Edition gives you detailed instruction on how to conduct
a risk assessment effectively and efficiently. Supplying wide-ranging coverage
that includes security risk analysis, mitigation, and risk assessment reporting,
this updated edition provides the tools needed to solicit and review the scope
and rigor of risk assessment proposals with competence and confidence.
Trusted to assess security for leading organizations and government agencies,
including the CIA, NSA, and NATO, Douglas Landoll unveils the little-known tips,
tricks, and techniques used by savvy security professionals in the field. He details
time-tested methods to help you
• Better negotiate the scope and rigor of security assessments
• Effectively interface with security assessment teams
• Gain an improved understanding of final report recommendations
• Deliver insightful comments on draft reports
The book includes charts, checklists, and sample reports to help you speed up
the data gathering, analysis, and document development process. Walking you
through the process of conducting an effective security assessment, it provides
the tools and up-to-date understanding you need to select the security measures
best suited to your organization.
ISBN: 978-1-4398-2148-0
An Auerbach Book
Boca Raton London New York
CRC Press is an imprint of the
Taylor & Francis Group, an informa business
CRC Press
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742
© 2011 by Taylor and Francis Group, LLC
No claim to original U.S. Government works
Printed in the United States of America on acid-free paper
10 9 8 7 6 5 4 3 2 1
International Standard Book Number-13: 978-1-4398-2149-7 (Ebook-PDF)
This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made
to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all
materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all
material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not
been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any
future reprint.
Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in
any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying,
microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.
For permission to photocopy or use material electronically from this work, please access www.copyright.com
(http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923,
978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that
have been granted a photocopy license by the CCC, a separate system of payment has been arranged.
Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for
identification and explanation without intent to infringe.
Visit the Taylor & Francis Web site at
http://www.taylorandfrancis.com
and the CRC Press Web site at
http://www.crcpress.com
To my family: Without their support, this and many other
accomplishments would not have been possible and would mean little.
Contents
Biography..................................................................................................... xix
1 Introduction............................................................................................1
1.1 The Role of the Information Security Manager .................................1
1.1.1 Audit as a Driver for Security Initiatives ...............................2
1.1.2 Technology as a Driver for Security Initiatives ......................2
1.1.3 Compliance as a Driver for Security Initiatives .....................2
1.1.4 Security Risk as a Driver for Security Initiatives ...................2
1.2 Ensuring a Quality Information Security Risk Assessment ................3
1.3 Security Risk Assessment ...................................................................3
1.3.1 The Role of the Security Risk Assessment .............................4
1.3.2 Definition of a Security Risk Assessment ..............................5
1.3.3 The Need for a Security Risk Assessment ..............................7
1.3.3.1 Checks and Balances ............................................7
1.3.3.2 Periodic Review ....................................................7
1.3.3.3 Risk-Based Spending ............................................8
1.3.3.4 Requirement .......................................................10
1.3.4 Security Risk Assessment Secondary Benefits .....................10
1.4 Related Activities .............................................................................11
1.4.1 Gap Assessment ..................................................................11
1.4.2 Compliance Audit ..............................................................13
1.4.3 Security Audit ....................................................................14
1.4.4 Vulnerability Scanning .......................................................14
1.4.5 Penetration Testing .............................................................15
1.4.6 Ad Hoc Testing ..................................................................15
1.4.7 Social Engineering ..............................................................15
1.4.8 War Dialing ........................................................................15
1.5 The Need for This Book ...................................................................16
1.6 Who Is This Book For? ....................................................................18
Exercises ....................................................................................................19
Notes .........................................................................................................20
References ..................................................................................................21
Bibliography ..............................................................................................21
2 Information Security Risk Assessment Basics......................................23
2.1 Phase 1: Project Definition ..............................................................23
2.2 Phase 2: Project Preparation ............................................................25
2.3 Phase 3: Data Gathering ..................................................................25
2.4 Phase 4: Risk Analysis .....................................................................25
2.4.1 Assets ..................................................................................26
2.4.2 Threat Agents and Threats ..................................................27
2.4.2.1 Threat Agents .....................................................27
2.4.2.2 Threats ................................................................28
2.4.3 Vulnerabilities.....................................................................29
2.4.4 Security Risk ......................................................................30
2.5 Phase 5: Risk Mitigation .................................................................31
2.5.1 Safeguards ..........................................................................31
2.5.2 Residual Security Risk ........................................................33
2.6 Phase 6: Risk Reporting and Resolution ..........................................33
2.6.1 Risk Resolution ................................................................. 34
Exercises .....................................................................................................35
Notes .........................................................................................................36
References ..................................................................................................37
3 Project Definition.................................................................................39
3.1 Ensuring Project Success .................................................................39
3.1.1 Success Definition ............................................................. 40
3.1.1.1 Customer Satisfaction ........................................ 40
3.1.1.2 Quality of Work ................................................ 44
3.1.1.3 Completion within Budget .................................49
3.1.2 Setting the Budget ..............................................................50
3.1.3 Determining the Objective .................................................51
3.1.4 Limiting the Scope .............................................................52
3.1.4.1 Underscoping .....................................................52
3.1.4.2 Overscoping .......................................................53
3.1.4.3 Security Controls ................................................54
3.1.4.4 Assets ..................................................................55
3.1.4.5 Reasonableness in Limiting the Scope ................56
3.1.5 Identifying System Boundaries ...........................................56
3.1.5.1 Physical Boundary ..............................................57
3.1.5.2 Logical Boundaries .............................................58
3.1.6 Specifying the Rigor ...........................................................60
3.1.7 Sample Scope Statements ....................................................60
3.2 Project Description ..........................................................................62
3.2.1 Project Variables .................................................................62
3.2.2 Statement of Work ..............................................................63
3.2.2.1 Specifying the Service Description .....................63
3.2.2.2 Scope of Security Controls .................................63
3.2.2.3 Specifying Deliverables ...................................... 64
3.2.2.4 Contract Type ................................................... 66
3.2.2.5 Contract Terms ..................................................67
Exercises .....................................................................................................70
Notes .........................................................................................................71
References ..................................................................................................72
4 Security Risk Assessment Preparation..................................................73
4.1 Introduce the Team .........................................................................73
4.1.1 Introductory Letter .............................................................74
4.1.2 Pre-Assessment Briefing ......................................................74
4.1.3 Obtain Proper Permission ...................................................75
4.1.3.1 Policies Required ................................................76
4.1.3.2 Permission Required ...........................................76
4.1.3.3 Scope of Permission ........................................... 77
4.1.3.4 Accounts Required .............................................78
4.2 Review Business Mission .................................................................78
4.2.1 What Is a Business Mission? ...............................................79
4.2.2 Obtaining Business Mission Information ...........................80
4.3 Identify Critical Systems ..................................................................81
4.3.1 Determining Criticality ......................................................81
4.3.1.1 Approach 1: Find the Information Elsewhere .....83
4.3.1.2 Approach 2: Create the Information on a
High Level ..........................................................83
4.3.1.3 Approach 3: Classify Critical Systems .................83
4.4 Identify Assets .................................................................................85
4.4.1 Checklists and Judgment ....................................................86
4.4.2 Asset Sensitivity/Criticality Classification ...........................86
4.4.2.1 Approach 1: Find Asset Classification
Information Elsewhere........................................86
4.4.2.2 Approach 2: Create Asset Classification
Information ........................................................86
4.4.2.3 Approach 3: Determine Asset Criticality ............89
4.4.3 Asset Valuation ...................................................................91
4.4.3.1 Approach 1: Binary Asset Valuation ...................91
4.4.3.2 Approach 2: Classification-Based Asset
Valuation ............................................................91