Ebook Download Measuring and Managing Information Risk: A FAIR Approach, by Jack Freund, Jack Jones
Here we show you how to read Measuring and Managing Information Risk: A FAIR Approach, by Jack Freund and Jack Jones, wherever and whenever you like. Having the ebook means you can have the book to hand at any time without carrying a thick printed copy; keep it on your device or as a file on your computer and read it whenever you want.
Measuring and Managing Information Risk: A FAIR Approach, by Jack Freund, Jack Jones
Measuring and Managing Information Risk: A FAIR Approach, by Jack Freund and Jack Jones. Welcome to a site that offers hundreds of kinds of book collections. Here we provide the book Measuring and Managing Information Risk: A FAIR Approach, by Jack Freund and Jack Jones, alongside titles from other popular writers and publishers, so you can obtain the books you are looking for one by one. If this is the book you want, is Measuring and Managing Information Risk: A FAIR Approach your choice?
Obtaining the book Measuring and Managing Information Risk: A FAIR Approach, by Jack Freund and Jack Jones, is no longer difficult. You need not rely only on a bookstore, a library, or borrowing from friends; this is a very easy way to get the book online. This online ebook can be one of your options for spare time, and it will not waste that time: the book will show you new things to read. Spend a little time to open this online ebook and read it wherever you are.
The sooner you obtain the book Measuring and Managing Information Risk: A FAIR Approach, by Jack Freund and Jack Jones, the sooner you can enjoy reading it. Download the book from the given link, choose the edition that works for you, and be among the first to get the ebook titled Measuring and Managing Information Risk: A FAIR Approach and to learn what the authors mean to convey.
There is no question about choosing this book. How completely you read this inspiring book depends on how often you open and read it. Bear in mind that every book yields something different to each reader, so be a good reader and become a better one after reading Measuring and Managing Information Risk: A FAIR Approach, by Jack Freund and Jack Jones.
Using the factor analysis of information risk (FAIR) methodology developed over ten years and adopted by corporations worldwide, Measuring and Managing Information Risk provides a proven and credible framework for understanding, measuring, and analyzing information risk of any size or complexity. Intended for organizations that need to either build a risk management program from the ground up or strengthen an existing one, this book provides a unique and fresh perspective on how to do a basic quantitative risk analysis. Covering such key areas as risk theory, risk calculation, scenario modeling, and communicating risk within the organization, Measuring and Managing Information Risk helps managers make better business decisions by understanding their organizational risk.
- Uses factor analysis of information risk (FAIR) as a methodology for measuring and managing risk in any organization.
- Carefully balances theory with practical applicability and relevant stories of successful implementation.
- Includes examples from a wide variety of businesses and situations presented in an accessible writing style.
- Sales Rank: #177521 in Books
- Brand: Freund, Jack/ Jones, Jack
- Published on: 2014-09-05
- Released on: 2014-08-22
- Original language: English
- Number of items: 1
- Dimensions: 9.25" h x .93" w x 7.50" l, 1.82 pounds
- Binding: Paperback
- 408 pages
About the Author
Dr. Jack Freund is an expert in IT risk management specializing in analyzing and communicating complex IT risk scenarios in plain language to business executives. Jack has been conducting quantitative information risk modeling since 2007. He currently leads a team of risk analysts at TIAA-CREF. Jack has over 15 years in IT and technology consulting for organizations such as Nationwide Insurance, CVS/Caremark, Lucent Technologies, Sony Ericsson, AEP, Wendy’s International, and The State of Ohio.
He holds a BS in CIS, master's in telecommunication and project management, a PhD in information systems, and the CISSP, CISA, CISM, CRISC, CIPP, and PMP certifications. Jack is a visiting professor at DeVry University and a senior member of the ISSA, IEEE, and ACM. Jack chairs a CRISC subcommittee for ISACA and has participated as a member of the Open Group’s risk analyst certification committee. Jack’s writings have appeared in the ISSA Journal, Bell Labs Technical Journal, Columbus CEO magazine, and he currently writes a risk column for @ISACA. You can follow all Jack’s work and writings at riskdr.com.
Jack Jones, CISM, CISA, CRISC, CISSP, has been employed in technology for the past thirty years, and has specialized in information security and risk management for twenty-four years. During this time, he has worked in the United States military, government intelligence, and consulting, as well as in the financial and insurance industries. Jack has over nine years of experience as a CISO with three different companies, with five of those years at a Fortune 100 financial services company. His work there was recognized in 2006 when he received the ISSA Excellence in the Field of Security Practices award at that year's RSA conference.
In 2007, he was selected as a finalist for the Information Security Executive of the Year, Central United States, and in 2012 was honored with the CSO Compass award for leadership in risk management. He is also the author and creator of the Factor Analysis of Information Risk (FAIR) framework. Currently, Jack is co-founder and president of CXOWARE, Inc.
Most helpful customer reviews
10 of 11 people found the following review helpful.
Very worth while and informative. Well written and useful to both the analyst and the manager.
By Walter B. Williams III
I'm rather familiar with FAIR, and its revision by the OpenGroup:
https://www2.opengroup.org/ogsys/jsp/publications/PublicationDetails.jsp?publicationid=12239
https://www2.opengroup.org/ogsys/catalog/C13K
https://www2.opengroup.org/ogsys/catalog/C13G
https://www2.opengroup.org/ogsys/jsp/publications/PublicationDetails.jsp?publicationid=12158
This book does not duplicate the existing literature on FAIR, but goes into the specific details of how FAIR is used and the algorithms involved in the specific steps.
Unfortunately, there is no attempt to explain the construction of Monte Carlo simulations, recommending the CXOWare solution (expensive) or OpenPERT https://code.google.com/p/openpert/ (free plugin for MS Excel).
FAIR relies heavily on Monte Carlo simulation.
The volume spends time to teach the differences between frequency and probability analysis, and the traps of both. It teaches the ontology that the OpenGroup has also published, as well as terminology specific to FAIR. It shows how to effectively measure
It discusses how to calibrate measurements, how to deal with the limitations of probabilistic models and how to handle issues of accuracy versus precision. It also provides an excellent guide to interpreting the results, and the common mistakes analysts make.
The chapter on controls is well thought out, as it shows how to break down the overlap between prevention/detection/response in a control set, as well as how to understand the impact of the fact that all controls are vulnerable to some degree, and therefore only effective at a percentage. Unfortunately, there is no good data that experts can use to calibrate these values, as none of the various breach reports expose the failed control set. Please note that this gap is not a failure of the book, and I'm just raising my favorite complaint.
The chapter on metrics is somewhat obvious. Quantitative risk analysis produces measurements and those measurements can be compared with goals to allow for metrics. They make the correct (in my estimation) to focus on impact here.
If you want to learn how to leverage a very serious quantitative analysis tool, this book is well worth the purchase.
The book itself is produced by a print on demand service, and has some font issues, where the font is often rather small and hard to read for my old eyes. Paper quality is high, so the book is rather heavy for its thin binding.
Other than this, if you are considering a quantitative method for performing risk analysis, I can highly recommend this volume.
A somewhat critical note on FAIR as a methodology
The use of Monte Carlo simulation for risk analysis is well documented as a successful approach, but relies upon the problematic PERT distribution. PERT has not been shown to be mathematically valid, and has arbitrary input shapes. (Ferson & Shoemaker). PERT, however, has the advantage of allowing the mathematical capturing of that calibration through an adjustment of the variables.
Another mechanism to capture the calibration of measurement mathematically is a p-box. It would be interesting to try to build a Monte Carlo simulation built upon a p-box instead of PERT. Unlike PERT, p-boxes are mathematically valid and allow you to marry intervals with probability, distinguish between variability and incertitude and, like PERT, allow you to work with unknown input distributions.
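The reviewer above notes that the book recommends tooling for the Monte Carlo step rather than explaining how it is built. As an added example (not code from the book, the reviewer, or CXOWARE), the following is a minimal FAIR-style annualised loss simulation: loss event frequency and loss magnitude are each calibrated as (min, most likely, max) estimates, turned into Beta-PERT distributions, and combined over many simulated years. The input ranges are constructed for illustration.

```python
"""FAIR-style Monte Carlo loss simulation with Beta-PERT inputs (standard library only)."""
import math
import random

PERT_LAMBDA = 4.0  # conventional Beta-PERT weight on the most-likely value

def pert_sample(rng, lo, mode, hi):
    """Draw from a Beta-PERT distribution on [lo, hi] peaked at mode.
    (min, most likely, max) is the form calibrated FAIR estimates take;
    with lambda=4 the mean is (lo + 4*mode + hi) / 6."""
    if not lo <= mode <= hi:
        raise ValueError("need lo <= mode <= hi")
    if lo == hi:
        return lo  # degenerate range: a point estimate
    span = hi - lo
    alpha = 1.0 + PERT_LAMBDA * (mode - lo) / span
    beta = 1.0 + PERT_LAMBDA * (hi - mode) / span
    return lo + rng.betavariate(alpha, beta) * span

def poisson_sample(rng, lam):
    """Events occurring in one year at rate lam (Knuth's method; fine for small lam)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_loss(lef, lm, iterations=20000, seed=1):
    """Return ascending annualised losses over `iterations` simulated years.
    lef: (min, likely, max) loss events per year; lm: (min, likely, max) loss per event.
    Each year draws a rate (uncertainty about the estimate), then the realised
    event count at that rate, then an independent magnitude per event."""
    rng = random.Random(seed)
    losses = []
    for _ in range(iterations):
        events = poisson_sample(rng, pert_sample(rng, *lef))
        losses.append(sum(pert_sample(rng, *lm) for _ in range(events)))
    losses.sort()
    return losses

def percentile(sorted_losses, pct):
    """Nearest-rank percentile of an ascending list, pct in 0..100."""
    return sorted_losses[int(round(pct / 100.0 * (len(sorted_losses) - 1)))]

if __name__ == "__main__":
    # Constructed illustrative estimates, not values taken from the book.
    lef = (0.1, 0.5, 2.0)                 # loss events per year
    lm = (20_000.0, 75_000.0, 500_000.0)  # currency units per loss event
    losses = simulate_annual_loss(lef, lm)
    print(f"mean {sum(losses) / len(losses):,.0f}  p50 {percentile(losses, 50):,.0f}  "
          f"p90 {percentile(losses, 90):,.0f}  p99 {percentile(losses, 99):,.0f}  "
          f"loss-free years {losses.count(0.0) / len(losses):.0%}")
```

The tail percentiles, not the mean, are what a FAIR analysis reports to decision makers; a p-box variant would replace `pert_sample` with interval-valued draws and carry a lower and upper loss curve instead of one.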
3 of 3 people found the following review helpful.
The CISO's Bible
By Steve Poppe
In a world where seemingly everything is oversold, this is the rare exception that is undersold. The title succinctly states, without drama, the authors’ broad ambit. They over-deliver. The book is nothing less than a manifesto for quantitative management of information security risk.
Consider how radical it is to promise a truly quantitative approach to cyber risk management in a world dominated by numerous qualitative “frameworks,” red-yellow-green heat maps, thousand-item one-size-fits-all questionnaires, subjective and qualitative scales of likelihood and impact, and fake math like “red times green equals yellow”. And then consider how transformational it is to deliver on the promise.
Other reviewers have nicely discussed the book’s coverage of the FAIR taxonomy. Suffice it to say that MMIR is your best friend in understanding the Open Group FAIR standards. Freund and Jones bring a potentially dry subject alive with many “Talking About Risk” sidebars that tell of their experience with FAIR methods in practice. These war stories make the content accessible and relevant. I especially appreciate the authors’ informal style that is conversational without being verbose and humorous without being patronizing or cute. What the war stories leave out, chapter 8 fills in with numerous example analyses. A worked example is better than a thousand war stories.
If giving a thorough rationale for and introduction to FAIR were all that MMIR did, it would be worth its weight in gold. But wait! There’s more!
It’s the “managing” part, chapters 11-14, that constitutes another breakthrough beyond FAIR. There Freund and Jones begin laying out (one senses it is a work in progress) a risk management ontology, built on the FAIR risk measurement ontology. In rethinking the classification of controls in the context of threat event frequency, vulnerability, and loss mitigation, they provide ways to assess and – yikes! – quantify the potential value of control improvements, in isolation or in combination. This gives the CISO the beginning of a way to manage the control environment, not just the threats.
But controls not consistently adhered to are both false comfort and all too common. Therefore F&J suggest that variance in the application of controls is perhaps the single most important set of infosec management metrics. As the old saw goes, if you cannot measure it you cannot manage it, and if you do not know how well your controls are operating on a continuing basis, then what confidence can you have in the millions of dollars invested in technology and staff?
Which brings us to metrics. It is perhaps not surprising that a methodology based on quantitative analysis lends itself to meaningful metrics. F&J offer many concrete suggestions far superior to the grab-bag of metrics found in vendor dashboards (measure what’s cheap and looks cool) and other books. These are real metrics that the CISO can use to … manage risk.
And managing risk is really why we do all this stuff. Making good decisions on both operational and strategic levels requires good data derived from reliable instruments and methods. It is in managing risk that MMIR is truly seminal and profound.
If they do another edition Freund and Jones should consider adding a subtitle, “The CISO’s Bible,” because CISOs will find themselves coming back to it time and again. Or maybe that is the next book.
5 of 6 people found the following review helpful.
Fantastic Book For All Info Sec Professionals, Not Just Risk People
By Mairtin O. Sullivan
The book starts off by first explaining what FAIR is, walks through the FAIR model and explains each variable within the model. The authors highlight some of the changes to the model since the original whitepaper on FAIR and cover why the changes have taken place.
It then moves on to provide a number of different worked scenarios using the FAIR approach, covering discussions on assets, threat communities, threat profiles, scenario building and actual analysis. This is the first time I've seen someone other than myself really walk through some FAIR analysis examples and these are great to see if you've never touched on FAIR before.
The book then shifts tack a little and looks at how controls are viewed from the authors' perspectives, covering asset level controls, variance controls and decision making controls. The sections on variance and decision controls will definitely require a second read before I fully get to grips with the nuances of what the authors were highlighting. However, these chapters bring a level of depth of discussion on controls that I've never seen elsewhere, and something that I think would feed very well into ISACA or other similar groups with a strong control focus.
The book then goes on to cover risk management briefly, and then moves to risk metrics, using the Goal, Question, Metric approach. What I liked particularly about the metrics section is that they didn't simply list a long number of metrics, but approached it more like a worked example of the approach to defining the metrics. First they look at the goals of risk management, then break these down into sub-goals in order to find the questions that match these sub-goals, and finally identify the metrics that you may wish to gather. This chapter also introduces probably the best description of the difference between risk appetite and risk tolerance, comparing risk appetite with the speed limit on a motorway, and risk tolerance with the variance around that speed limit that the police would accept.
What's fantastic is that throughout the book there's a real sense of practical, real world application of this risk analysis approach. There are practical examples of analysis scenarios and even an entire chapter outlining where you can go wrong. This is something that I've often seen lacking in other books on information or IT risk analysis, which are often full of theoretical approaches, but which lack any relevant examples and definitely don't outline where you'll have problems. This gives the book a practical credibility that I believe will find favor with info sec professionals who normally would shy away from risk management books.
I would say that the book definitely assumes some prior knowledge in approaches such as Monte Carlo simulations and why you may use them, but if you haven't come across these before, then I'd highly recommend The Failure of Risk Management by Doug Hubbard to get you up to speed.
Overall, this is the book I was looking for on information risk analysis four years ago... and I'm thrilled to see it's finally arrived. Even if you never plan to use FAIR as your risk analysis methodology, there's enough in this book that it will help anyone's critical thinking in relation to information security and I can't recommend it highly enough. Everyone in info sec should read it!