The manager's guide to enterprise security risk management : essentials of risk-based security / Brian Allen, Esq., CISSP, CISM, CPP, CFE, Rachelle Loyear, CISM, MBCP ; Kristen Noakes-Fry, ABCI, editor.

Format:

Book

Author/Creator:

Allen, Brian (Cybersecurity professional), author.

Loyear, Rachelle, author.

Contributor:

Noakes-Fry, Kristen, editor.

Series:

A Rothstein Publishing collection eBook

Language:

English

Subjects (All):

Business enterprises--Security measures.

Business enterprises.

Security system.

Physical Description:

1 online resource (138 pages) : illustrations, map.

Edition:

1st ed.

Place of Publication:

Brookfield, Connecticut : Rothstein Associates Incorporated, [2016]

Summary:

Is security management changing so fast that you can't keep up? Perhaps it seems like those traditional "best practices" in security no longer work? One answer might be that you need better best practices! In their new book, The Manager's Guide to Enterprise Security Risk Management: Essentials of Risk-Based Security, two experienced professionals introduce ESRM. Their practical, organization-wide, integrated approach redefines the securing of an organization's people and assets from being task-based to being risk-based. In their careers, the authors, Brian Allen and Rachelle Loyear, have been instrumental in successfully reorganizing the way security is handled in major corporations. In this ground-breaking book, the authors begin by defining Enterprise Security Risk Management (ESRM): "Enterprise security risk management is the application of fundamental risk principles to manage all security risks − whether information, cyber, physical security, asset management, or business continuity − in a comprehensive, holistic, all-encompassing approach." In the face of a continually evolving and increasingly risky global security landscape, this book takes you through the steps of putting ESRM into practice enterprise-wide, and helps you to: Differentiate between traditional, task-based management and strategic, risk-based management. See how adopting ESRM can lead to a more successful security program overall and enhance your own career. . Prepare your security organization to adopt an ESRM methodology. . Analyze and communicate risks and their root causes to all appropriate parties. . Identify what elements are necessary for long-term success of your ESRM program. . Ensure the proper governance of the security function in your enterprise. . Explain the value of security and ESRM to executives using useful metrics and reports. . Throughout

the book, the authors provide a wealth of real-world case studies from a wide range of businesses and industries to help you overcome any blocks to acceptance as you design and roll out a new ESRM-based security program for your own workplace.

Contents:

Cover

Title page

Copyright

Table of Contents

Part 1: What Is Enterprise Security Risk Management (ESRM) and How Can It Help You?

Chapter 1: What is Enterprise Security Risk Management (ESRM)?

1.1 ESRM Defined

1.1.1 Enterprise

1.1.2 Security Risk

1.1.3 Risk Principles

1.2 How is ESRM Different from Traditional Security?The description

1.2.1 Traditional Corporate Security Scenarios: Something is Missing

1.3 What is ESRM? − A Closer Look

1.3.1 The Phases of the ESRM Life Cycle

1.3.2 Managing Risk in a Life Cycle

1.4 What ESRM Is - and What It Is Not

1.4.1 ESRM Mission and Goals

1.4.1.1 Enterprise Risk Management: A Brief Overview

1.4.2 ESRM vs. Security Organization Convergence

Chapter 2: Why Does the Security Industry Need ESRM?

2.1 Why Does the Traditional Approach to Security Frustrate So Many People?

2.1.1 The Missing Network Switch: A Story of Security Frustration in a TraditionalSecurity Environment

2.1.2 The Missing Network Switch: A Story of Security Partnership in an ESRMSecurity Environment

2.1.3 The Missing Network Switch: Lessons Learned and the ESRM Difference

2.2 What Do We Mean by "Traditional" Security vs. ESRM?

2.2.1 What Does Security Do? The Traditional View

2.2.1.1 The Answer from the Security Practitioner

2.2.1.2 The Answer from the Board of Directors and Senior Executives

2.2.1.3 The Answer from Operational Personnel

2.2.2 Why the Security Industry Needs to Define "Security"

2.2.3 What Does Security Do? The ESRM View

2.2.3.1 Managing Security Risks

2.2.3.2 Basic Risk Principles

2.3 The Security Professional and the Business Leader: Moving BeyondFrustration with One Another

2.4 ESRM-Based Security: Moving from Task Management to Risk Management

2.4.1 Task Management

2.4.2 Risk Management.

2.5 The ESRM Solution: A New Philosophy

2.5.1 Security Becomes Strategic

2.5.2 Security Becomes a Business Function

2.6 ESRM as a Path to Security Success

2.6.1 What Does "Security Success" Look Like?

2.6.1.1 Success Is Not Just Measured by Numbers

2.6.1.2 In Security Success, Intangibles Are Important

2.6.1.3 Your Answers Create Your Definition of "Success"

Part 2: Implementing an ESRM Program

Chapter 3: Preparing to Implement an ESRM Program

3.1 Begin by Working to Understand the Business and Its Mission

3.1.1 What Are the Insiders Saying?

3.1.2 What is the Business Saying About Itself?

3.1.3 What Are Outsiders Saying?

3.1.4 What Isn't Being Said?

3.1.5 What Is the Environment the Enterprise Operates In?

3.1.6 Who Are the Environmental Decision-Makers?

3.2 Understanding Your Stakeholders − and Why They Matter

3.2.1 What Is a Stakeholder?

3.2.2 Why Should You Care About Stakeholders?

3.2.3 What Is the Role of the Stakeholders in ESRM?

3.2.4 Finding Your Stakeholders: A Closer Look

3.2.5 Example 1: Customer Personal Data − Whose Asset Is It?

3.2.6 Example 2: Customer Personal Data − Who Decides

Chapter 4: Following the ESRM Life Cycle

4.1 What is the ESRM Life Cycle?

4.2 Step 1: Identify and Prioritize Assets

4.2.1 How Do You Identify Business Assets?

4.2.2 Who Really "Owns" an Asset?

4.2.3 How Do You Assign Value to Assets?

4.2.3.1 Simple Tangible Asset Valuation (Two Methods)

4.2.3.2 Complex Tangible Asset Valuation

4.2.3.3 Intangible Asset Valuation

4.2.3.4 Business Impact Analysis (BIA)

4.2.4 How Do You Prioritize Assets for Protection?

4.2.5 How Do You Deal with Conflicts in Asset Valuation and Prioritization?

4.3 Step 2: Identify and Prioritize Risks

4.3.1 How Do You Assess Risk?

4.3.2 How Do You Find All the Risks?.

4.3.3 How Do You Prioritize Risk?

4.4 Step 3: Mitigate Prioritized Risks

4.4.1 Risk Treatment Options

4.4.2 Who Has the Final Word on Risk Mitigation?

4.5 Step 4: Improve and Advance

4.5.1 Incident Response

4.5.2 Root Cause Analysis

4.5.3 Ongoing Security Risk Assessment

Chapter 5: Phased Rollout

5.1 Design Thinking - A Conceptual Model for Your ESRM Program

5.1.1 The Phases of Design Thinking

5.1.1.1 Empathy

5.1.1.2 Definition

5.1.1.3 Ideation/Brainstorming

5.1.1.4 Prototyping

5.1.1.5 Testing

5.2 Iterative ESRM Program Rollout in a Formal Design Thinking Model

5.2.1 Educate and Involve (Empathy)

5.2.2 Iterate (Your Definition and Prototypes)

5.2.3 Mature the Process (Testing/Feedback)

5.2.4 Expand (Begin the Design Thinking Process Again with a Larger Scope)

5.3 ESRM Program Rollout Checklist

Part 3: Ensuring Long-Term ESRM Success

Chapter 6: Essentials for Success

6.1 Transparency

6.1.1 Process Transparency

6.1.2 Risk Transparency

6.2 Independence

6.3 Authority

6.4 Scope

6.4.1 Example: Risk Management in Scope with Mitigation Actions by Security

6.4.2 Example: Risk Management in Scope with Mitigation Actions by the Business

Chapter 7: ESRM Governance, Metrics, and Reporting

7.1 What is Corporate Governance?

7.1.1 Why Corporate Governance Is Complex

7.1.2 Importance of OECD Guidelines

7.2 How Does Corporate Governance Apply to ESRM?

7.3 The Security Council's Role in ESRM

7.4 Setting Up a Security Council

7.4.1 Security's Role on the Security Council: What It Is and What It Is Not

7.4.1.1 What the Role of the Security Practitioner Is

7.4.1.2 What the Role of the Security Practitioner Is Not

Chapter 8: Where Should Security Report in anOrganization Structure?

8.1 Reporting Options.

8.2 What Does Security Need to Be Successful?

8.3 Some Lines of Reporting Carry Obvious Conflicts

8.4 Greatest Success Comes with the Greatest Independence

Chapter 9: What Do Executives Need to Know AboutESRM?

9.1 The Challenge of Executive Support

9.2 Communicating ESRM Concepts to the Executive

9.2.1 For the Executive: Understand the Underlying Philosophy of ESRM and theRole of Security

9.2.2 For the Executive: Understand ESRM Parallels with Other Risk-BasedFunctions

9.2.2.1 For the Security Practitioner: What Are Audit, Legal, and Compliance?

9.2.2.2 For the Security Practitioner: What Do Audit, Legal, and ComplianceFunctions Need for Success?

9.3 For the Executive: What is Your Role in Supporting an ESRM SecurityStructure?

9.3.1 Ensuring a Definition of Security Success

9.3.2 Ensuring the Correct Security Skill Sets

9.3.3 Ensuring the Essentials for Success Are in Place

9.3.4 Ensuring the Correct Reporting Structure

9.3.5 Ensuring the Board or Enterprise Ownership is Aware of the Role of Securityand Security Risks as a Business-Critical Topic

9.4 For the Executive: What Should You Expect from the ESRM Program?

Chapter 10: Reports and Metrics

10.1 Metrics of Risk Tolerance

10.1.1 Example of a Security Report

10.1.1.1 Planning the Report

10.1.1.2 Building the Report

10.2 Metrics of Security Department Efficiency

10.3 Communicating to an Executive Audience

10.4 A Look into the Future - A Successful ESRM Program

References

Credits

About the Authors

More from Publisher.

Notes:

Includes bibliographical references.

Description based on online resource; title from PDF title page (ebrary, viewed December 7, 2016).

ISBN:

1-944480-25-0