It is a truth universally acknowledged that in order to know which company IT assets you should protect and how, you need to first perform a risk assessment. But how do you go about it? This book will tell you everything you need to know and do to perform this feat.
About the authors
Mark Ryan Talabis is a Manager for the Secure DNA Consulting practice. He has extensive experience in information security risk assessments, information security policy and program development, vulnerability assessments and penetration testing.
Jason Martin is the President and CEO of Secure DNA. He has designed, implemented, and operated security programs for multi-billion dollar organizations in the US and has served as executive level security advisor to companies throughout the world.
Inside the book
The book starts with a chapter about risk, its components, and information security risk assessment in a nutshell. I would recommend skipping it altogether, were it not for the "The Real World" boxes of text that are interspersed throughout it (and, as it happens, throughout the book).
These "boxes" follow the mock real-life decisions and actions of Jane, a fictional CIO at a large healthcare organization, who is tasked with building up the org's information security program and consequently must first perform a thorough infosec risk assessment.
We can follow her reasonings, her talks with colleagues and superiors, and how she goes about realizing her goal, and this serialized tale is a great addition to the theory in each chapter. It's definitely a vivid and memorable teaching aid.
The first chapter also includes a short explanation of each of the major risk assessment "drivers" in the US: FISMA, GLBA, HIPAA, ISO 27001, and various state government security policies. Unfortunately, readers from outside the US will have to find those for their own countries (well, except for ISO 27001, which is an international standard).
The next chapter provides a good overview of the most commonly used (again, in the US) infosec risk assessment frameworks and their pros and cons, and also addresses the question of whether to use one of them or to build your own.
The rest of the chapters address data collection, data analysis, risk assessment, risk prioritization and treatment, reporting, and maintenance. It all starts with choosing a project sponsor among the firm's executives and creating a quality project team, and ends with evaluating whether the assessment itself was successfully executed.
Although the theory part was well written and very easy to grasp, Jane's story is what "sold" this book for me. I would definitely recommend this book to anyone who has to go through the infosec risk assessment process for the first time.
As a side note: the authors have also provided a companion web site to go with the book, and it includes spreadsheets you can use to create and maintain the risk assessment.