
Enterprise Security Risk Management : Concepts and Applications.

By: Brian Allen and Rachelle Loyear
Material type: Text
Publisher: Brookfield : Rothstein Associates, Incorporated, 2017
Copyright date: ©2017
Edition: 1st ed.
Description: 1 online resource (407 pages)
Content type: text
Media type: computer
Carrier type: online resource
ISBN: 9781944480431
Additional physical formats: Print version: Enterprise Security Risk Management
LOC classification: HD61
Contents:
Cover -- Title page -- Copyright -- Dedication -- Acknowledgments -- Foreword -- Table of Contents -- Part 1: Why Enterprise Security Risk Management (ESRM)? -- 1: What is Enterprise Security Risk Management? -- 1.1 ESRM Defined -- 1.1.1 Enterprise -- 1.1.2 Security Risk -- 1.1.3 Risk Principles -- 1.2 ESRM Overview -- 1.2.1 ESRM Mission and Goals -- 1.2.2 ESRM Life Cycle - A Quick Look -- 1.2.3 Your Role in ESRM -- 1.3 Why is ESRM Important? -- 1.3.1 Traditional Corporate Security Scenarios: Something is Missing -- 1.3.2 ESRM as a Driver for Consistency -- 1.4 What is ESRM Not? -- 1.4.1 How is ESRM Different from Enterprise Risk Management (ERM)? -- Questions for Discussion -- References -- Learn More About It -- 2: How Can ESRM Help You? -- 2.1 Security Function Professionals -- 2.1.1 The Student -- 2.1.1.1 How Can ESRM Help You? -- 2.1.2 The New Security Practitioner -- 2.1.2.1 How Can ESRM Help You? -- 2.1.3 The Security Manager or Executive -- 2.1.3.1 How Can ESRM Help You? -- 2.1.4 The Transitioning Public Sector Professional -- 2.1.4.1 How Can ESRM Help You? -- 2.2 Business Functional Professionals -- 2.2.1 The Business Function Manager -- 2.2.1.1 How Can ESRM Help You? -- 2.2.2 The Senior Executive -- 2.2.2.1 How Can ESRM Help Your Organization? -- 2.2.3 The Company Board of Directors -- 2.2.3.1 How Can ESRM Help Your Organization? -- Questions for Discussion -- References -- 3: How Can ESRM Help Your Security Program? -- 3.1 The Traditional View of Security and Why the Industry Must Chan -- 3.1.1 The Traditional View of Security -- 3.1.1.1 What Does Security Do? - The Answer from the Security Practitioner -- 3.1.1.2 What Does Security Do? - The Answer from the Board of Directors and Senior Executives -- 3.1.2 Why the Security Industry Needs to Define "Security" -- 3.1.3 The ESRM View of Security - A Profession, not a Trade.
3.1.3.1. Managing Security Risks -- 3.1.4 ESRM-Based Security - Moving from Task Management to Risk Management -- 3.1.4.1 Security Task Management -- 3.1.4.2 Security Risk Management -- 3.1.4.3 The ESRM Solution: A New Philosophy -- 3.1.5 Why Is the Traditional Approach to Security So Frustrating for So Many People? -- 3.1.5.1 The Missing Network Switch: A Story of Security Frustration -- 3.1.5.1.1 The Traditional Security Environment -- 3.1.5.1.2 The ESRM Security Environment -- 3.1.5.1.3 The ESRM Difference -- 3.2 The Evolving Global Risk Environment is Driving Industry to Risk Management Postures -- 3.2.1 Security and Risk Threats are Real -- 3.2.2 The Risk Conversation is Changing Rapidly -- 3.3 What Does "Security Success" Look Like? -- 3.3.1 Success is Not Just Measured by Numbers -- 3.3.2 In Security Success, Intangibles are Important -- 3.3.3 Your Answers Create Your Definition of "Success" -- 3.3.4 The Security Professional and the Business Leader: Using ESRM to Move Beyond Frustration to Success -- 3.3.5 The ESRM Philosophy of Security Success -- 3.3.5.1 Security Becomes Strategic -- 3.3.5.2 Security Becomes a Business Function -- Questions for Discussion -- References -- Learn More About It -- Part 2: The Fundamentals of ESRM -- 4: Preparing for an ESRM Program -- 4.1 Understand the Business and its Mission -- 4.1.1 Holistic Understanding of Risk -- 4.1.2 The Needs of Your Business -- 4.1.3 Sources of Information -- 4.1.3.1 Company Insiders -- 4.1.3.2 Company Published Communications -- 4.1.3.3 Outsiders and The Media -- 4.1.3.4 Observing Non-Verbal Communication - The Underlying Culture -- 4.2 Understand the Business Environment -- 4.2.1 Examining the Environment the Business Operates In -- 4.3 Understand Your Stakeholders -- 4.3.1 What is a Stakeholder? -- 4.3.1.1 Finding Your Stakeholders: A Closer Look -- 4.3.2 Why Stakeholders Matter.
4.3.2.1 Risk Stakeholder Conflict -- Questions for Discussion -- References -- Learn More About It -- 5: The ESRM Cycle - An Overview -- 5.1 What is ESRM? - A Closer Look -- 5.1.1 Similarities to Industry Life Cycles -- 5.1.2 Application of the ESRM Model -- 5.2 The ESRM Life Cycle Model in Action -- 5.2.1 A Task Management Approach -- 5.2.2 An ESRM Approach -- 5.3 ESRM is Cyclical, But Not Always Sequential -- Questions for Discussion -- References -- 6: The ESRM Cycle - Step 1: Identify and Prioritize Assets -- 6.1 Step 1 - Identify and Prioritize Assets -- 6.2 What is an Asset? -- 6.2.1 How Do You Identify Business Assets? -- 6.2.1.1 Finding Tangible Assets -- 6.2.1.2 Finding Intangible Assets -- 6.2.2 Who Really "Owns" an Asset? -- 6.2.2.1 A Building -- 6.2.2.2 A Server -- 6.2.2.3 The Web of Assets and Asset Owners/Stakeholders -- 6.3 How Do You Assign Value to Assets? -- 6.3.1 Simple Tangible Asset Valuation (Two Methods) -- 6.3.2 Complex Tangible Asset Valuation -- 6.3.3 Intangible Asset Valuation (Three Methods) -- 6.3.4 Business Impact Analysis (BIA) -- 6.4 How Do You Prioritize Assets for Protection? -- 6.5 How Do You Deal with Conflicts in Asset Valuation and Prioritization? -- Questions for Discussion -- References -- Learn More About It -- 7: The ESRM Cycle - Step 2: Identify and Prioritize Security Risks -- 7.1 Identify and Prioritize Security Risks -- 7.2 What is Risk? -- 7.2.1 The Risk Triangle -- 7.3 The Risk Assessment Process -- 7.3.1 ISO Standard and Good Practices -- 7.3.1.1 The ESRM Difference -- 7.4 Risk Identification - Finding all the Risks -- 7.5 Prioritizing Risks for Mitigation -- 7.5.1 Presenting a Risk Matrix -- 7.5.1.1 Education vs. Fear -- 7.5.1.2 Building a Matrix -- 7.5.1.3 Building a Heat Map -- 7.5.1.4 Security Risk Decision-Making -- 7.5.2 Conflicts in Risk Prioritization -- 7.5.2.1 The Role of Security.
7.5.2.2 The Role of the Asset Owner -- Questions for Discussion -- References -- Learn More About It -- 8: The ESRM Cycle - Step 3: Mitigate Prioritized Risks -- 8.1 Mitigate Prioritized Risks -- 8.2 Risk Management and Mitigation Responses in Existing Industry Standards -- 8.2.1 The ISO Risk Management Standard -- 8.2.2 The ESRM Difference -- 8.3 Risk Treatment Options -- 8.4 Risk Mitigation Decisions -- 8.4.1 Conflicts in Risk Mitigation Decisions -- Questions for Discussion -- Learn More About It -- 9: The ESRM Cycle - Step 4: Improve and Advance -- 9.1 Improve and Advance -- 9.2 Incident Response -- 9.3 ESRM Investigations and Root Cause Analysis -- 9.3.1 Performing a Root Cause Analysis -- 9.4 Ongoing Security Risk Assessment -- 9.4.1 Sources of Risk Awareness -- 9.4.2 Reporting and Employee Vigilance -- Questions for Discussion -- References -- Learn More About It -- Part 3: Designing a Program That Works for Your Enterprise -- 10: Designing an ESRM Program to Fit Your Enterprise -- 10.1 Design Thinking - A Conceptual Model for Your ESRM Program -- 10.2 The Phases of Design Thinking -- 10.2.1 Empathize Phase -- 10.2.2 Define Phase -- 10.2.3 Ideate Phase -- 10.2.4 Prototype Phase -- 10.2.5 Test Phase -- 10.3 ESRM Program Rollout in a Formal Design Thinking Model -- 10.3.1 Educate and Involve the Stakeholders (Empathy) -- 10.3.2 Iterate the Process (Your Definition and Prototypes) -- 10.3.3 Mature the Process (Testing and Feedback) -- 10.3.4 Expand the Process (Begin Again with a Larger Scope) -- Questions for Discussion -- References -- Learn More About It -- 11: Rolling Out Your ESRM Program -- 11.1 Rolling out ESRM in the Real World - A Story -- 11.1.1 Step 1: Understanding the Current Environment and the Current Challenges (Empathy with Our Security Team) -- 11.1.1.1 A Deeper Dive (Even More Empathy).
11.1.2 Step 2: Communicating with the Business and Other Stakeholders (Empathy with Our Strategic Partners) -- 11.1.3 Step 3: Creating a Roadmap for the Program Rollout (Ideation and Brainstorming) -- 11.1.4 Step 4: Piloting the Program (Prototyping and Feedback) -- 11.1.5 Step 5: Implementation and Evolution Across the Enterprise -- 11.2 ESRM Program Rollout Checklist -- Questions for Discussion -- Learn More About It -- Part 4: Making ESRM Work for Your Organization -- 12: ESRM Essentials for Success -- 12.1 Transparency -- 12.1.1 Risk Transparency -- 12.1.2 Process Transparency -- 12.2 Independence -- 12.3 Authority -- 12.4 Scope -- 12.5 Parallels with Other Risk-Based Functions -- 12.5.1 What Are Audit, Legal, and Compliance? -- 12.5.2 What do Legal, Audit and Compliance Functions Need for Success? -- Questions for Discussion -- References -- Learn More About It -- 13: Security Governance -- 13.1 What is Corporate Governance? -- 13.1.1 Defining Corporate Governance -- 13.1.2 Why is Corporate Governance Important? -- 13.1.3 Common Themes in Corporate Governance -- 13.2 The Security Council: ESRM Governance -- 13.2.1 Who is the ESRM Security Council? -- 13.2.2 The Security Council's Role in ESRM -- 13.2.3 Setting Up a Security Council -- 13.2.3.1 Step 1: Define the Council Structure that Will Best Serve Enterprise Needs -- 13.2.3.2 Step 2: Define the Security Council Stakeholders -- 13.2.3.3 Step 3: Define the Mission, Objectives, and Goals of the Security Council and Document Them in a Council Charter -- 13.2.3.4 Step 4: Define Measurements/Project Key Performance Indicators (KPIs) for ESRM -- 13.2.3.5 Step 5: Develop a List of Potential Quick "Wins" for the ESRM Program -- 13.2.3.6 Step 6: Begin the Process of Meeting, Reviewing, and Directing the Program According to the Council Charter.
13.2.4 Security's Role on the Security Council: What It Is and What It Is Not.
Summary: As a security professional, have you found that you and others in your company do not always define "security" the same way? Perhaps security interests and business interests have become misaligned. Brian Allen and Rachelle Loyear offer a new approach: Enterprise Security Risk Management (ESRM). By viewing security through a risk management lens, ESRM can help make you and your security program successful.

Description based on publisher supplied metadata and other sources.

Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2024. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.
