Security Risk Management

Friday, October 07, 2011

Tony Campbell


Article by John Bennett

Book Review:  Security Risk Management - Building an Information Security Risk Management Program from the Ground Up

Available in paperback only at the present time and consisting of 339 pages, this book provides a good grounding with respect to the subject matter: that of Security Risk Management.

The back cover describes the book as presenting a roadmap for designing and implementing a security risk management program, and in my view it largely delivers on this promise, both for individuals and for teams engaged in risk identification and management.

The book is packed with practical tips, and the information contained throughout provides a good overview of the subject matter. The author explains the fundamentals of risk identification, assessment and management, explores the differences between a vulnerability assessment and a risk assessment, and provides the rationale behind each of the subjects covered.

The author articulates security risk management in business terms well and has taken care to provide an explanation each time jargon is used; he also covers the majority of jargon in everyday use amongst security professionals.

From a practical perspective, the author explores the risk management lifecycle, describes methodologies for qualifying and quantifying risk and levels of risk, and provides examples of how these can best be described and/or presented at a senior management level. He draws a direct comparison between analyzing and assessing business risk (trust me, these are not the same thing!).

This is not a technical book and the author generally avoids detailed technical analysis; rather, it is an aide-memoire for Security Risk Management. Sufficient information is provided throughout to enhance the reader's understanding of each phase of the risk management lifecycle, with practical examples and advice.

In addition to identifying business risks, the book also covers various ways in which risk assessments are (or should be) undertaken (in particular for IT systems/projects) and it contains relevant case studies that are presented in simple easy-to-follow terms, which makes the book suitable for beginners and experienced professionals alike.

At times the book does provide glimpses of the origin of the author (American), but thankfully some pains have been taken to ensure that (unlike other books of this type from authors of a similar geographical background), the book remains reasonably free of stereotypical 'Americanized' jargon.

If I have one criticism of this book's content, it is that one key area is missing or covered too briefly: legal compliance. The wide range of subjects I was expecting to find in the book is there, from the identification of relevant security controls, audits, assessments, policies, reports, programs and sample profiles to risk and reference tables, but not the legal issues surrounding information security and risk identification.

Legal compliance with local and national requirements, as well as with standards and relevant policies, is not given enough prominence in this book, and yet this subject (in my view) forms a critical part of risk awareness, identification and management.

Closing summary

Notwithstanding the lack of legal compliance coverage, this is an excellent book, which I would expect to appeal to a wide readership. It is packed full of relevant information and is both logically structured and easy to follow.

However, this is not a technical book and the author generally avoids detailed technical analysis; it acts instead as an aide-memoire for Security Risk Management. Sufficient information is provided throughout to enhance the reader's understanding of each phase of the risk management lifecycle, with practical examples and advice.

This book is recommended, in particular, for those beginning a career in Risk Management. It also provides a useful reference for current risk professionals who perhaps could benefit from a book that could help refine and further improve their current skillset.

Marks: 4 out of 5

Book Title:  Security Risk Management - Building an Information Security Risk Management Program from the Ground Up

Author: Evan Wheeler

Publisher: Syngress

Date of Publishing: 24 Jun 2011

ISBN: 9781597496155

Cross-posted from InfoSec Reviews