Darril Gibson - Managing Risk in Information Systems, 3rd Edition

World Headquarters

Jones & Bartlett Learning

5 Wall Street

Burlington, MA 01803

978-443-5000

www.jblearning.com

Jones & Bartlett Learning books and products are available through most bookstores and online booksellers. To contact Jones & Bartlett Learning directly, call 800-832-0034, fax 978-443-8000, or visit our website, www.jblearning.com.

Substantial discounts on bulk quantities of Jones & Bartlett Learning publications are available to corporations, professional associations, and other qualified organizations. For details and specific discount information, contact the special sales department at Jones & Bartlett Learning via the above contact information or send an email to .

Copyright 2022 by Jones & Bartlett Learning, LLC, an Ascend Learning Company

All rights reserved. No part of the material protected by this copyright may be reproduced or utilized in any form, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the copyright owner.

The content, statements, views, and opinions herein are the sole expression of the respective authors and not that of Jones & Bartlett Learning, LLC. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise does not constitute or imply its endorsement or recommendation by Jones & Bartlett Learning, LLC and such reference shall not be used for advertising or product endorsement purposes. All trademarks displayed are the trademarks of the parties noted herein. Managing Risk in Information Systems, Third Edition is an independent publication and has not been authorized, sponsored, or otherwise approved by the owners of the trademarks or service marks referenced in this product.

There may be images in this book that feature models; these models do not necessarily endorse, represent, or participate in the activities represented in the images. Any screenshots in this product are for educational and instructive purposes only. Any individuals and scenarios featured in the case studies throughout this product may be real or fictitious, but are used for instructional purposes only.

Production Credits

Math/CS team:

VP, Product Management: Christine Emerton

Director of Product Management: Laura Pagluica

Product Manager: Ned Hinman

Product Specialist/Assistant: Melissa Duffy

Product Coordinator: Paula-Yuan Gregory

Project Manager: Kristen Rogers

Senior Project Specialist: Alex Schab

Senior Digital Project Specialist: Angela Dooley

Marketing Manager: Michael Sullivan

Product Fulfillment Manager: Wendy Kilborn

Composition: Exela Technologies

Development Editor: Ginny Munroe

Technical Editor: Jeff Parker

Project Management: Exela Technologies

Cover Design: Briana Yates

Text Design: Briana Yates

Senior Media Development Editor: Troy Liston

Media Development Editor: Faith Brosnan

Rights & Permissions Manager: John Rusk

Rights Specialist: James Fortney

Cover Image (Title Page, Part Opener, Chapter Opener): Sai Chan/Shutterstock

Printing and Binding: LSC Communications

Library of Congress Cataloging-in-Publication Data

Library of Congress Cataloging-in-Publication Data unavailable at time of printing.

6048

Printed in the United States of America

24 23 22 21 20 10 9 8 7 6 5 4 3 2 1

Sai Chan/Shutterstock

Brief Contents

Sai Chan/Shutterstock

Contents

To my wife, who has enriched my life in so many ways over the past 22 years. Im looking forward to sharing many more with you.

Darril Gibson

To my wife and our boys, for their patience and support.

Andy Igonor

Sai Chan/Shutterstock

Preface

Purpose of This Book

This book is part of the Information Systems Security & Assurance Series from Jones & Bartlett Learning (https://www.jblearning.com/cybersecurity/issa). Designed for courses and curriculums in IT security, cybersecurity, information assurance, and information systems security, this series features a comprehensive, consistent treatment of the most current thinking and trends in this critical subject area. The books in this series deliver fundamental information security principles packed with real-world applications and examples. Authored by Certified Information Systems Security Professionals (CISSPs), they deliver comprehensive information on all aspects of information security. Reviewed word for word by leading technical experts in the field, these books are not just current, but also forward thinking, putting you in the position to solve the cybersecurity challenges not just of today, but of tomorrow as well.

This book provides a comprehensive view of managing risk in information systems. It covers the fundamentals of risk and risk management and includes in-depth details on more comprehensive risk management topics in three major parts.

Part One, Risk Management Business Challenges, addresses many of the issues relevant to present-day businesses. It covers details of risks, threats, and vulnerabilities. Topics help students understand the importance of risk management in the organization, including many of the techniques used to manage risks. Several current laws are presented with clear descriptions of how they are relevant in organizations. It also includes a chapter describing the contents of a risk management plan.

Part Two, Mitigating Risk, focuses on risk assessments. Topics presented include risk assessment approaches, including the overall steps in performing a risk assessment. It covers the importance of identifying assets and then identifying potential threats, vulnerabilities, and exploits against these assets. Chapter 9 covers the types of controls that can be used to mitigate risk. The last two chapters in this part identify how to plan risk mitigation throughout the organization and convert the risk assessment into a risk management plan.

Part Three, Risk Mitigation Plans, covers the many elements of risk mitigation plans, such as a business impact analysis and a business continuity plan. The last two chapters cover disaster recovery and computer incident response team plans.

Learning Features

The writing style of this book is practical and conversational. Step-by-step examples of information security concepts and procedures are presented throughout the text. Each chapter begins with a statement of learning objectives. Illustrations are used to clarify the material and vary the presentation. The text is sprinkled with Notes, Tips, FYIs, and sidebars to alert the reader to additional and helpful information related to the subject under discussion. Chapter Assessments appear at the end of each chapter, with solutions provided in the back of the book.

Chapter summaries are included in the text to provide a rapid review or preview of the material and to help students understand the relative importance of the concepts presented.