The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments

The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments

Volumn , Issue , 2005, Pages 1-475

  Landoll, Douglas J ^a,b,c,d  

^a NATIONAL SECURITY AGENCY   (United States)

^b Arca Common Criteria Testing Laboratory   (United States)

^c NSA s National Cryptologic School   (United States)

^d NONE   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

EID: 85179250879     PISSN: None     EISSN: None     Source Type: Book    
DOI: 10.1201/9781003090441     Document Type: Book

References (106)

1. AT&T Corp. PR Newswire, ‘‘Security Is Top Concern for Corporate Networks, According to Global Survey of Senior Executives,’’ July 14, 2004.
2. The Free Dictionary, www.thefreedictionary.com
3. Gold Wire Technology, ‘‘Gold Wire: Survey Shows Security Still Top Concern,’’ April 13, 2004.
4. CobiT Steering Committee, IT Governance Institute, COBIT Control Objectives, 3rd ed., July 2000.
5. CobiT Steering Committee, IT Governance Institute, COBIT Executive Summary, 3rd ed., July 2000.
6. CobiT Steering Committee, IT Governance Institute, COBIT Framework, 3rd ed., July 2000.
7. CobiT Steering Committee, IT Governance Institute, COBIT Management Guidelines, 3rd ed., July 2000.
8. Cosgrove, Lorraine, ‘‘CSOs Prioritize Security Spending for 2003,’’ CSO Online, CSO Research Reports, January 7, 2003.
9. Martin, James A., ‘‘Security Spending on the Rise,’’ iQMagazine, September/ October 2003.
10. Ernst & Young, ‘‘Global Information Security Survey 2003,’’ No. FF0224.
11. United States General Accounting Office, Accounting and Information Management Division, Information Security Risk Assessment: Practices of Leading Organizations, A Supplement to GAO’s May 1998 Executive Guide on Information Security Management, GAO/IAM-00-33, November 1999.
12. Federal Trade Commission, Standards for Safeguarding Customer Information; Final Rule, 16 CFR Part 314, Federal Register, Vol. 67, No. 100, May 23, 2002. www.ftc.gov/os/2002/05/67fr36585.pdf
13. Federal Trade Commission, Standards for Privacy of Individually Identifiable Health Information; Final Rule, 45 CFR Parts 160 and 164, Federal Register, Vol. 67, No. 157, August 14, 2002. http://www.hhs.gov/ocr/hipaa/privrulepd.pdf
14. International Organization for Standardization, International Electrotechnical Commission, Information Technology — Code of Practice for Information Security Management, ISO/IEC: 17799. First Edition 2000-12-01.
15. An Introduction to Computer Security: A NIST Handbook, NIST Special Publication 800–12, October 1995. http://csrc.nist.gov/publications/nistpubs/800-12/800-12-html
16. American Institute of Certified Public Accountants, Service Organizations: Applying SAS No. 70, as Amended: AICPA Guide, 2004.
17. ASIS International, The General Security Risk Assessment Guideline, November 13, 2002. http://www.asisonline.org/guidelines/guidelinesgsra.pdf
18. Risk Management Guide: Recommendations of the National Institute of Standards and Technology, NIST Special Publication 800-30, July 2002. http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
19. Common Criteria for Information Technology Security Evaluation, Version 2.1, CCIMB-99-031, August 1999.
20. Krause, Micki, and Tipton, Harold F., Handbook of Information Security Management, 1997.
21. Guide for Developing Security Plans for Information Technology Systems, NIST Special Publication 800-18, December 1998. http://csrc.nist.gov/publications/nistpubs/800-18/Planguide.PDF
22. Security Self-Assessment Guide for Information Technology Systems, NIST Special Publication 800-26, November 2001. http://csrc.nist.gov/publications/nistpubs/800-26/sp800-26.pdf
23. Guide for the Security Certification and Accreditation of Federal Information Systems, NIST Special Publication 800-37, May 2004. http://csrc.nist.gov/publications/nistpubs/800-37/SP800-37-final.pdf
24. Management of Federal Information Resource, The Office of Management and the Budget, Circular A-130, July 2, 1993.
25. The NIST Security Configuration Checklists Program, NIST Special Publication 800-70, August 12, 2004. http://csrc.nist.gov/checklists/index.html
26. Guide for Developing Security Plans for Information Technology Systems, NIST Special Publication 800-18, December 1998. http://csrc.nist.gov/publications/nistpubs/800-18/Planguide.PDF
27. ASIS International, Protection of Assets, 2004.
28. Guide for Selecting Automated Risk Analysis Tools, NIST Special Publication 500-174, October 1989. http://csrc.nist.gov/publications/nistpubs/500-174/sp174.txt
29. Dalkey, N. C., ‘‘The Delphi Method: An Experimental Study of Group Opinion,’’ Rand Corporation, RM-5888-PR, 1969.
30. General Support Systems and Major Applications Inventory Guide, NIST Publications, July 2002. http://csrc.nist.gov/fasp/FASPDocs/risk-mgmt/GSSMAInventory-Guide.doc
31. Guide for Mapping Types of Information and Information Systems to security categories, NIST special Publications 800-60, June 2004.
32. Energy Infrastructure Risk Management Checklists for Small and Medium Sized Energy Facilities, Department of Energy, August 19, 2002.
33. Milton, Thomas J., Rabe, James G., and Wilhoite, Charles, Economic Analysis of Intangible Assets and Intellectual Properties, 1999.
34. Marshall, Alfred, Principles of Economics, 1920.
35. Guideline for Information Valuation (GIV), Information System Security Association (ISSA), 1993.
36. Recommended Security Controls for Federal Information Systems, NIST special Publication 800-53, February 2005.
37. Albright, S. Christian, Winston, Wayne L., and Zappe, Christopher, Data Analysis and Decision Making, Duxbury Press, 1999.
38. IS Auditing Guideline: Audit Sampling, Information Systems Audit and Control Association, November, 1999.
39. Kennedy, Mary, ‘‘A Guide to Interview Guides,’’ Teacher Education Doctoral Students, Digital Advisor for Research Projects. http://ed-web3/educ.msu.edu/digiatladvisor/ResearchFiles/InterviewGuide.htm
40. McNamara, Carter, ‘‘General Guidelines for Conducting Interviews.’’ www.mapnp.org/library/evaluatn/interview.htm
41. Hass, Anne, Configuration Management Principles and Practice, December 30, 2003.
42. NCSA Secure Programming Guidelines, National Center for Supercomputing Applications, 1997. www.ncsa.uiuc.edu/General/Grid/ACES/security/ programming
43. Graff, Mark. Secure Coding: The State of the Practice, 2001
44. Pfenning, Art, IT Needs to do better at planning for the worst, InternetWeek, October 8, 2001.
45. Williams, Jeff, Security Code Review — The Best Way to Find and Eliminate the Vulnerabilities in Your Web Applications, August 2002, unpublished White Paper.
46. Aleph One, Smashing the Stack for Fun and Profit, Phrack Magazine, issue 49, article 14, November 8, 1996.
47. National Industrial Security Program Operating Manual (NISPOM), DoD 5220.22-M, January 1995. http://www.dss.mil/isec/nispom_0195.htm
48. Plain English Guide to Hiring, U.S. Small Business Administration. www.business.gov
49. National Institute of Standards and Technology, Recommended Security Controls for Federal Information Systems, NIST Special Publication 800-53, Final Draft, January 2005. http://csrc.nist.gov/publications/drafts/SP-800-53-FinalDraft.pdf
50. Audit IT Examination Handbook, Federal Financial Institutions Examination Council, August 2003. www.ffiec.gov/ffiecinfobase/booklets/ausit/audit.pdf
51. Financial Institutions and Customer Data: Complying with the Safeguards Rule, Federal Trade Commission. http://www.ftc.gov/bcp/conline/pubs/buspubs/safeguards.htm
52. Tools to Manage Technology Providers’ Performance Risk: Service Level Agreements, Federal Deposit Insurance Corporation. http://www.fdic.gov/regulations/information/btbulletins/brochure2.html
53. Hills, Roy, VPN Security Flaws White Paper, January 31, 2005. www.nta-monitor.com/news/vpn-flaws
54. Hills, Roy, ‘‘If you fail to prepare, be prepared to fail’’, SC Magazine, November 2004, p. 48.
55. Generally Accepted Information Security Principles, GAISP v3.0, Information Systems Security Association. http://www.issa.org/gaisp/_pdfs/v30.pdf
56. Common Criteria Evaluation Methodology, Version 1.0, CEM-99/045, August 1999.
57. PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does, NIST Special Publication 800-24, August 2000. http://csrc.nist.gov/publications/nistpubs/800-24/sp800-24pbx.pdf
58. Engineering Principles for Information Technology Security (A Baseline for Achieving Security), NIST Special Publication 800-27, June 2001. http://csrc.nist.gov/publications/nistpubs/800-27A/SP800-27-RevA.pdf
59. The NIST Security Configuration Checklists Program, NIST Special Publication 800-70, August 12, 2004. http://csrc.nist.gov/checklists/index.html
60. Mateti, Prabhaker, Port Scanning Lecture. Wright State University, College of Engineering and Computer Science, Dayton, OH. www.cs.wright.edu/_pmateti/InternetSecurity/Lectures/Probing
61. Fydor, ‘‘The Art of Port Scanning,’’ 1997. www.nmap.org
62. [RFC 1700] Reynolds, J., Postel, J., Request for Comments: 1700, Assigned Numbers, October 1994.
63. [VISA CISP] Visa International, Cardholder Information Security Program.
64. [ISSAF] Rathore, Balwant, Information System Security Assessment Framework (ISSAF), Draft 0.1, Open Information Systems Security Group, December 25, 2004.
65. [SANS] Naidu, Krishni, Firewall Checklist, SANS SCORE. www.sans.org/score/firewallchecklist.php
66. [backup] Beaver, Kevin, Checklist: Performing data backups, November 28, 2004. SearchWinSystems.com
67. Perimeter Security Sensor Technologies Handbook, Defense Advanced Research Projects Agency (DARPA), 1996. www.justnet.org/perimetr/full3.htm
68. Glossary of Security Terms, ASIS International. www.asisonline.org/library/glossary/index.xml
69. Physical Security Inspectors Guide, U.S. Department of Energy, September 2000.
70. Mathewson, Stuart B., U.S. Earthquake frequency estimation — ratemaking for unusual events, 1999 Casualty Actuarial Society Forum Conference Proceedings.
71. Shore Facilities Ozone-Depleting Substances (ODS) Conversion Guide for Heating, Ventilation, Air-Conditioning and Refrigeration (HVAC&R) and Fire Protection Systems, January 2002. http://enviro.nfesc.navy.mil/ps/FacilityODSCOnv/halon.htm
72. National Fire Alarm Code, NFPA 72(02), National Fire Protection Association, 2002.
73. McEwen, R.H.L., Fire alarm and detection systems, Canadian Building Digest, CBD-233, August 1984.
74. Early Detection, Data Center Journal, June 14, 2004.
75. U.S. Fire Administration/National Fire Data Center, Non-residential structure fires in 2000, Topical Fire Research Series, Vol. 3, issue 10, June 2004. www.usfa.fema.gov
76. Fire Protection Design Criteria, DOE Standard, DoE-STD-1066-99, U.S. Department of Energy, Washington, DC 20585, July 1999.
77. National Industrial Security Program Operating Manual (NISPOM), DoD 5220.22-M, January 1995. http://www.dss.mil/isec/nispom_0195.htm
78. Physical Security Standards For Sensitive Compartmented Information Facilities, Director of Central Intelligence Directive (DCID) 6/9-Manual, 18 November 2002.
79. CMS Information Security Risk Assessment Methodology, Department of Health and Human Services, Centers for Medicare and Medicaid Services, Version 1.1, September 2002.
80. Krause, Micki, and Tipton, Harold F., Handbook of Information Security Management, ISBN: 0849399475.
81. Approach to Risk: Position Paper on the Approach to Risk, Methodologies Dealing with This and the Technical and Community Information Required for Implementation, Environmental Risk Management Authority, New Zealand, December 2002, ER-OP-03-02 12/02.
82. Preparing Information on Risks, Costs and Benefits for Applications Under the Hazardous Substances and New Organisms Act 1996, Environmental Risk Management Authority, New Zealand, July 2000, ISBN 0-478-21507-1, ERTG-03-01 07/00.
83. Common Criteria for Information Technology Security Evaluation, Version 2.1, CCIMB-99-031, August 1999.
84. Guidelines for Automatic Data Processing Physical Security and Risk Management, Federal Information Processing Standards Publication 31 (FIPS Pub. 31), National Bureau of Standards, June 1974.
85. Krause, Micki, and Tipton, Harold F., Handbook of Information Security Management, ISBN: 0849399475
86. ‘‘Cost-Benefit Analysis Guide for NIH IT Projects,’’ May 1999. www.wwwoirm.nih.gov/itmra/cbaguide.html
87. Information Security Risk Assessment: Practices of Leading Organizations, A Supplement to GAO’s May 1998 Executive Guide on Information Security Management. United States General Accounting Office, Accounting and Information Management Division, November 1999. GAO/AMID-00-33. http://www.gao.gov/special.pubs/ai00033.pdf
88. An Introduction to Computer Security: A NIST Handbook, NIST Special Publication 800-12, October 1995. http://csrc.nist.gov/publications/nistpubs/800-12/800-12-html
89. ‘‘Generally Accepted Information Security Principles’’ GAISP v3.0, Information Systems Security Association. http://www.issa.org/gaisp/_pdfs/v30.pdf
90. ‘‘Lessons Learned from RITs First Security Posture Assessment,’’ Rochester Institute of Technology, January 1, 2004. http://www.educause.edu/ep/ep_item_detail.asp?ITEM_ID¼197
91. How to Get Action on Audit Recommendations, U.S. General Accounting Office, July 1991.
92. Rugh, David E., and Manning, Robert E., Proposal Management Using the Modular Technique, Peninsula Publishing, 1973.
93. Landoll, Douglas J. ‘‘Benefits of IT Certifications’’ Certification Magazine, March 2004.
94. Passori, AI, ‘‘Selecting the Risk Assessment Method of Choice,’’ META Group, July 21, 2004. http://searchcio.techtarget.com/originalContent/0,289142,sid19_gci994851,00.html
95. Alberts, Christopher J., and Dorofee, Audrey J., ‘‘OCTAVE(SM) Method Implementation Guide Version 2.0,’’ November 5, 2003. http://www.cert.org/octave/download/intro.html
96. Alberts, Christopher J., and Dorofee, Audrey J., ‘‘OCTAVE Criteria, Version 2.0,’’ December 2001.
97. Decision Making: A Technical Guide to Identifying, Assessing and Evaluating Risks, Costs and Benefits. Environmental Risk Management Authority, New Zealand, ER-TG-05-1 03/04, March 2004, ISBN 0-478-21523-1.
98. Security Self-Assessment Guide for Information Technology Systems, NIST Special Publication 800-26, November 2001. http://csrc.nist.gov/publications/nistpubs/ 800-26/sp800-26.pdf
99. INFOSEC Assessment Methodology, ‘‘National Security Agency.’’ http://www.iatrp.com/iam.cfm
100. ‘‘Lessons Learned from RITs First Security Posture Assessment,’’ Rochester Institute of Technology, January, 2004. http://www.educause.edu/ep/ep_item_detail.asp?ITEM_ID¼197
101. ‘‘FIRM: Fundamental Information Risk Management Implementation Guide,’’ Information Security Forum, March 2001. http://www.securityforum.org/assests/pdf/firm.pdf
102. Guide for Selecting Automated Risk Analysis Tools, NIST Special Publication 500–174, October 1989. http://csrc.nist.gov/publications/nistpubs/500–174/sp174.txt
103. Guidelines for Automatic Data Processing Physical Security and Risk Management, Federal Information Processing Standards Publication 31 (FIPS Pub. 31), National Bureau of Standards, June 1974.
104. Yazar, Zeki, ‘‘A Qualitative Risk Analysis and Management Tool — CRAMM,’’ April 11, 2002. www.sans.org/rr/whitepapers/auditing/83.php
105. ‘‘Acquisition Management Policy,’’ Federal Aviation Administration, February 2005. http://fast.faa.gov
106. Peltier, Thomas R., Information Security Risk Analysis, pp. 23–46. Auerbach Publications, 2001.