InfoSec Reviews – Security Risk Management

Book Title:  Security Risk Management

Subtitle: Building an Information Security Risk Management Program from the Ground Up

Author: Evan Wheeler

Publisher: Syngress

Date of Publishing: 24 Jun 2011

ISBN: 9781597496155

Price (UK & US price – full price, not discounted price): £30.99 / $49.95


URL of Publisher Site:  Syngress

URL of Amazon UK web page: Security Risk Management: Building an Information Security Risk Management Program from the Ground Up

URL of Amazon UK (Kindle) web page: Not available

URL of Amazon US web page:  Security Risk Management: Building an Information Security Risk Management Program from the Ground Up

URL of Amazon US (Kindle) web page: Not available

Available in paperback only at the present time and consisting of 339 pages, this book provides a good grounding with respect to the subject matter: that of ‘Security Risk Management’. The back cover of the book describes it as “presenting a roadmap for designing and implementing a security risk management program,” and in my view it largely delivers on this promise, both for individuals and teams engaged in risk identification and management. The book is packed with practical tips and the information contained throughout provides a good overview of the subject matter. The author explains the fundamentals of risk identification, assessment and management, exploring the differences between a vulnerability assessment and a risk assessment, and also providing rationales behind each of the subjects covered.

The author articulates security risk management in business terms well and has taken care to provide an explanation each time jargon is used; he also covers the majority of jargon in everyday use amongst security professionals.

From a practical perspective, the author explores the risk management lifecycle, describes methodologies for qualifying and quantifying risk and levels of risk, and provides examples of how these can best be described and/or presented at a senior management level. He draws a direct comparison between analyzing and assessing business risk (trust me, these are not the same thing!).

This is not a technical book and the author generally avoids detailed technical analysis; rather it is an aide-mémoire for Security Risk Management. Sufficient information is provided throughout to enhance the reader's understanding of each phase of the risk management lifecycle, providing practical examples and advice.

In addition to identifying business risks, the book also covers various ways in which risk assessments are (or should be) undertaken (in particular for IT systems/projects) and it contains relevant case studies that are presented in simple, easy-to-follow terms, which makes the book suitable for beginners and experienced professionals alike.

At times the book does provide glimpses of the origin of the author (American), but thankfully some pains have been taken to ensure that (unlike other books of this type from authors of a similar geographical background) the book remains reasonably free of stereotypical ‘Americanized’ jargon.

If I have one criticism of this book's content, it is in one key area that is missing or covered too briefly: that of ‘legal compliance’. The wide range of subjects I was expecting to be in the book can be found, from the identification of relevant security controls, audits, assessments, policies, reports, programs and sample profiles, risk and reference tables etc., but not legal issues regarding information security and risk identification.

Legal compliance with local and national requirements, as well as standards and relevant policies, was not given enough prominence in this book, and yet this subject (in my view) forms a critical part of risk awareness, identification and management.

Notwithstanding the lack of legal compliance coverage, this is an excellent book, which I would expect to appeal to a wide readership. It is packed full of relevant information and is both logically structured and easy to follow. However, this is not a technical book and the author generally avoids detailed technical analysis, rather acting as an aide-mémoire for Security Risk Management. Sufficient information is provided throughout to enhance the reader's understanding of each phase of the risk management lifecycle, providing practical examples and advice.

This book is recommended, in particular, for those beginning a career in Risk Management. It also provides a useful reference for current risk professionals who perhaps could benefit from a book that could help refine and further improve their current skillset.

Marks: 4 out of 5

****