The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments
Tentative Chinese title: 安全風險評估手冊:執行安全風險評估的完整指南
Landoll, Douglas
Product description
Conducted properly, information security risk assessments give managers the feedback they need to manage risk: an understanding of the threats to corporate assets, a determination of the vulnerabilities in current controls, and a basis for selecting appropriate safeguards. Performed incorrectly, they can create a false sense of security that allows potential threats to develop into disastrous losses of proprietary information, capital, and corporate value. Picking up where its bestselling predecessors left off, The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments, Third Edition gives you detailed instruction on how to conduct a security risk assessment effectively and efficiently, with wide-ranging coverage that includes security risk analysis, mitigation, and risk assessment reporting.
The third edition has expanded coverage of essential topics, such as threat analysis, data gathering, risk analysis, and risk assessment methods, and added coverage of new topics essential for current assessment projects (e.g., cloud security, supply chain management, and security risk assessment methods). This handbook walks you through the process of conducting an effective security assessment, and it provides the tools, methods, and up-to-date understanding you need to select the security measures best suited to your organization.
Trusted to assess security for small companies, leading organizations, and government agencies, including the CIA, NSA, and NATO, Douglas Landoll unveils the little-known tips, tricks, and techniques used by savvy security professionals in the field. It includes guidance on how to:
- Better negotiate the scope and rigor of security assessments
- Effectively interface with security assessment teams
- Gain an improved understanding of final report recommendations
- Deliver insightful comments on draft reports
This edition includes detailed guidance on gathering data and on analyzing over 200 administrative, technical, and physical controls using the RIIOT data gathering method; introduces the RIIOT FRAME risk assessment method, with hundreds of tables, over 70 new diagrams and figures, and over 80 exercises; and provides a detailed analysis of many of the popular security risk assessment methods in use today. The companion website (infosecurityrisk.com) provides downloads for checklists, spreadsheets, figures, and tools.
About the author
Douglas Landoll has over two decades of information security experience. He has led security risk assessments and established security programs for top corporations and government agencies. He is an expert in security risk assessment, security risk management, security criteria, and building corporate security programs. His background includes evaluating security at the National Security Agency (NSA), the North Atlantic Treaty Organization (NATO), the Central Intelligence Agency (CIA), and other government agencies; co-founding the Arca Common Criteria Testing Laboratory; co-authoring the Systems Security Engineering Capability Maturity Model (SSE-CMM); teaching at NSA's National Cryptologic School; and running the southwest security services division for Exodus Communications.
Doug is currently the CEO of Lantego, specializing in risk assessment, policy, and training. He is a Certified Information Systems Security Professional (CISSP) and a Certified Information Systems Auditor (CISA). He holds a BS degree from James Madison University and an MBA from the University of Texas at Austin. He has published numerous information security articles, speaks regularly at conferences, and serves as an advisor for several high-tech companies.