Mike Chapple - (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide

Здесь есть возможность читать онлайн «Mike Chapple - (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide» — ознакомительный отрывок электронной книги совершенно бесплатно, а после прочтения отрывка купить полную версию. В некоторых случаях можно слушать аудио, скачать через торрент в формате fb2 и присутствует краткое содержание. Жанр: unrecognised, на английском языке. Описание произведения, (предисловие) а так же отзывы посетителей доступны на портале библиотеки ЛибКат.

(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide: краткое содержание, описание и аннотация

Предлагаем к чтению аннотацию, описание, краткое содержание или предисловие (зависит от того, что написал сам автор книги «(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide»). Если вы не нашли необходимую информацию о книге — напишите в комментариях, мы постараемся отыскать её.

CISSP Study Guide – fully updated for the 2021 CISSP Body of Knowledge  (ISC)2 Certified Information Systems Security Professional (CISSP) Official Study Guide, 9th Edition The three co-authors of this book bring decades of experience as cybersecurity practitioners and educators, integrating real-world expertise with the practical knowledge you’ll need to successfully pass the CISSP exam. Combined, they’ve taught cybersecurity concepts to millions of students through their books, video courses, and live training programs. 
Along with the book, you also get access to Sybex's superior online interactive learning environment that includes: 
Over 900 new and improved practice test questions with complete answer explanations. This includes all of the questions from the book plus four additional online-only practice exams, each with 125 unique questions. You can use the online-only practice exams as full exam simulations. Our questions will help you identify where you need to study more. Get more than 90 percent of the answers correct, and you're ready to take the certification exam. More than 700 Electronic Flashcards to reinforce your learning and give you last-minute test prep before the exam A searchable glossary in PDF to give you instant access to the key terms you need to know for the exam 
Author Mike Chapple reads the Exam Essentials for each chapter providing you with 2 hours and 50 minutes of new audio review for yet another way to reinforce your knowledge as you prepare. Coverage of all of the exam topics in the book means you'll be ready for: 
Security and Risk Management Asset Security Security Architecture and Engineering Communication and Network Security Identity and Access Management (IAM) Security Assessment and Testing Security Operations Software Development Security

(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide — читать онлайн ознакомительный отрывок

Ниже представлен текст книги, разбитый по страницам. Система сохранения места последней прочитанной страницы, позволяет с удобством читать онлайн бесплатно книгу «(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide», без необходимости каждый раз заново искать на чём Вы остановились. Поставьте закладку, и сможете в любой момент перейти на страницу, на которой закончили чтение.

Тёмная тема
Сбросить

Интервал:

Закладка:

Сделать

For more information on this topic, see the AICPA's document comparing the SOC report types at www.aicpa.org/interestareas/frc/assuranceadvisoryservices/serviceorganization-smanagement.html.

Likelihood Assessment

The preceding step consisted of the BCP team's drawing up a comprehensive list of the events that can be a threat to an organization. You probably recognized that some events are much more likely to happen than others. For example, an earthquake is a much more plausible risk than a tropical storm for a business located in Southern California. A company based in Florida might have the exact opposite likelihood that each risk would occur.

To account for these differences, the next phase of the business impact analysis identifies the likelihood that each risk will occur. We describe this likelihood using the same process used for the risk assessment in Chapter 2. First, we determine the annualized rate of occurrence (ARO) that reflects the number of times a business expects to experience a given disaster each year. This annualization process simplifies comparing the magnitude of very different risks.

The BCP team should sit down and determine an ARO for each risk identified in the previous section. Base these numbers on corporate history, professional experience of team members, and advice from experts, such as meteorologists, seismologists, fire prevention professionals, and other consultants, as needed.

ISC2 CISSP Certified Information Systems Security Professional Official Study Guide - изображение 40In addition to the government resources identified in this chapter, insurance companies develop large repositories of risk information as part of their actuarial processes. You may be able to obtain this information from them to assist in your BCP efforts. After all, you have a mutual interest in preventing damage to your business!

In many cases, you may be able to find likelihood assessments for some risks prepared by experts at no cost to you. For example, the U.S. Geological Survey (USGS) developed the earthquake hazard map shown in Figure 3.1. This map illustrates the ARO for earthquakes in various regions of the United States. Similarly, the Federal Emergency Management Agency (FEMA) coordinates the development of detailed flood maps of local communities throughout the United States. These resources are available online and offer a wealth of information to organizations performing a business impact analysis.

ISC2 CISSP Certified Information Systems Security Professional Official Study Guide - изображение 41

FIGURE 3.1Earthquake hazard map of the United States

ISC2 CISSP Certified Information Systems Security Professional Official Study Guide - изображение 42One useful online tool is the nonprofit First Street Foundation's Flood Factor, which helps you quickly identify a property's risk of flooding. See www.floodfactor.com.

Impact Analysis

As you may have surmised based on its name, the impact analysis is one of the most critical portions of the business impact analysis. In this phase, you analyze the data gathered during risk identification and likelihood assessment and attempt to determine what impact each one of the identified risks would have on the business if it were to occur.

From a quantitative point of view, we will cover three specific metrics: the exposure factor, the single loss expectancy, and the annualized loss expectancy. Each one of these values describes a particular risk/asset combination evaluated during the previous phases.

The exposure factor (EF) is the amount of damage that the risk poses to the asset, expressed as a percentage of the asset's value. For example, if the BCP team consults with fire experts and determines that a building fire would destroy 70 percent of the building, the exposure factor of the building to fire is 70 percent.

The single loss expectancy (SLE) is the monetary loss expected each time the risk materializes. You can compute the SLE using the following formula:

ISC2 CISSP Certified Information Systems Security Professional Official Study Guide - изображение 43

Continuing with the preceding example, if the building is worth $500,000, the single loss expectancy would be 70 percent of $500,000, or $350,000. You can interpret this figure to mean that you could expect a single fire in the building would cause $350,000 worth of damage.

The annualized loss expectancy (ALE) is the monetary loss that the business expects to suffer as a result of the risk harming the asset during a typical year. The SLE is the amount of damage you expect each time a disaster strikes, and the ARO (from the likelihood analysis) is the number of times you expect a disaster to occur each year. You compute the ALE by simply multiplying those two numbers:

Returning once again to our building example fire experts might predict that a - фото 44

Returning once again to our building example, fire experts might predict that a fire will occur in the building approximately once every 30 years, specifically determining that there is a 0.03 chance of a fire in any given year. The ALE is then 3 percent of the $350,000 SLE, or $10,500. You can interpret this figure to mean that the business should expect to lose $10,500 each year due to a fire in the building.

Obviously, a fire will not occur each year—this figure represents the average cost over the approximately 30 years between fires. It's not especially useful for budgeting considerations but proves invaluable when attempting to prioritize the assignment of BCP resources to a given risk. Of course, a business leader may decide that the risk of fire remains unacceptable and take actions that contradict the quantitative analysis. That's where qualitative assessment comes into play.

ISC2 CISSP Certified Information Systems Security Professional Official Study Guide - изображение 45Be sure you're familiar with the quantitative formulas contained in this chapter, and the concepts of asset value, exposure factor, the annualized rate of occurrence, single loss expectancy, and annualized loss expectancy. Know the formulas and be able to work through a scenario.

From a qualitative point of view, you must consider the nonmonetary impact that interruptions might have on your business. For example, you might want to consider the following:

Loss of goodwill among your client base

Loss of employees to other jobs after prolonged downtime

Social/ethical responsibilities to the community

Negative publicity

It's difficult to put dollar values on items like these to include them in the quantitative portion of the impact analysis, but they are equally important. After all, if you decimate your client base, you won't have a business to return to when you're ready to resume operations!

Resource Prioritization

The final step of the BIA is to prioritize the allocation of business continuity resources to the various risks that you identified and assessed in earlier phases of the BIA.

From a quantitative point of view, this process is relatively straightforward. You simply create a list of all the risks you analyzed during the BIA process and sort them in descending order according to the ALE computed during the impact analysis phase. This step provides you with a prioritized list of the risks that you should address. Select as many items as you're willing and able to handle simultaneously from the top of the list and work your way down. Eventually, you'll reach a point at which you've exhausted either the list of risks (unlikely!) or all your available resources (much more likely!).

Читать дальше
Тёмная тема
Сбросить

Интервал:

Закладка:

Сделать

Похожие книги на «(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide»

Представляем Вашему вниманию похожие книги на «(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide» списком для выбора. Мы отобрали схожую по названию и смыслу литературу в надежде предоставить читателям больше вариантов отыскать новые, интересные, ещё непрочитанные произведения.


Отзывы о книге «(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide»

Обсуждение, отзывы о книге «(ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide» и просто собственные мнения читателей. Оставьте ваши комментарии, напишите, что Вы думаете о произведении, его смысле или главных героях. Укажите что конкретно понравилось, а что нет, и почему Вы так считаете.

x