Information Security Risk Analysis
||Author: Thomas R. Peltier|
List Price: $69.95
Our Price: Click to see the latest and low price
Publisher: Auerbach Pub (23 January, 2001)
Sales Rank: 19,286
Average Customer Rating: 4 out of 5
Customer ReviewsRating: 3 out of 5
Awesome Content - hurried writing
I believe that this book was pushed out to the presses much too quickly. Be prepared to rewrite some of the processes because of poor writing (and/or proof reading). Some of the steps in the Qualitative Risk Analysis just strait up don't make sense.
However I give it two thumbs up for content. This book helped me with disaster planning tremendously.
Bottom line this book is worth the money and deserves/needs a second edition.
Rating: 4 out of 5
A very good kick-off book on Risk Analysis
This is the only book that provides a general overview of what a Risk Analysis is, and I consider it a very good basis for learning how to perform a Risk Analysis and evaluate the risks. Anyway, it is my personal opinion that there are no standard methods to be used: a good Risk Analyst stays to a good Risk Analysis, like a good tailor stays to a good suit. Every time that you will have to perform a Risk Analysis, you will decide with the team or with the customer what kind of methods are going to be used and wich kind of evaluation parameters are going to be taken into consideration. Another thing that I disagree about, is the time that should be spent on the Risk Analysis: to perform a good analysis in ten days, is like expecting a persian carpet to be made in one week or a good italian meal to be served in three minutes.
Rating: 5 out of 5
Superb book - explains the details
This is an excellent introduction to risk analysis in general and a highly effective guide for conducting a security risk analysis.
Of the 281 pages in this book, 156 pages are devoted to the seven chapters comprising the "how to" and case study, with the remaining pages allocated to six highly valuable appendices.
Chapter 1, Effective Risk Analysis, starts the book by discussing risk analysis in general, including common approaches, and leads into the author's approach. The next chapter covers qualitative risk analysis, followed by a chapter on value analysis. By this point it's clear that the author's philosophy is to capture major risks, cost data and develop impact without getting bogged down in complex methods. I liked chapter 4, which discusses other qualitative methods, their strengths and weaknesses, which adds context to the heart of this book: Chapter 5, Facilitated Risk Analysis Process. In a nutshell, this approach involves all stakeholders and spreads the responsibility and accountability for identifying, analyzing and prioritizing risks. This is as it should be because security should be everyone's job, and the stakeholders (led by subject matter experts) are the best source of authority for making trade-offs and allocating resources to ensure the degree of security that consensus dictates. Since security is, in part, a function of trade-offs, the Facilitated Analysis Risk Process proposed by the author is an effective and essential process supporting security. Chapter 6 covers other uses of qualitative risk analysis, and is though-provoking and informative. The case study in chapter 7 ties together the preceding chapters and concludes the text on risk analysis.
The appendices are, in my opinion, invaluable. Like a previous reviewer I lament the fact that the tables and forms were not included in electronic format, but this is a minor quibble on my part. Appendix A is a comprehensive, 25-page questionnaire that covers every facet of security risks. Appendix B contains a reproduction of every form associated with the Facilitated Risk Analysis Process (Scope/Business Process Identification, Action Plan, Final Report, Controls List, Risk List and Controls/Risk Cross-Reference List). Business Impact Analysis forms are provided in Appendix C, and a sample report is provided in Appendix D. Threat definitions are provided in Appendix E, and three short papers authored by other experts giving other opinions of risk analysis are the subject of Appendix F.
Overall this is a highly focused book that should not be ignored by anyone who is responsible for security, business continuity or disaster recovery planning. Even if you are more apt to use quantitative methods instead of the qualitative methods proposed by the author, this book is still an important work on security risk analysis. The appendices alone are worth the price of the book.
· Writing Information Security Policies
· Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management
· Managing Information Security Risks: The OCTAVE Approach
· Information Security Management Handbook, Fourth Edition, Volume I
· Computer Security Handbook