Thursday, 19 May 2011

[F701.Ebook] Fee Download Measuring and Managing Information Risk: A FAIR Approach, by Jack Freund, Jack Jones


Interested? This is why we invite you to click the link on this page, so that you can enjoy the book Measuring And Managing Information Risk: A FAIR Approach, By Jack Freund, Jack Jones once the download has finished. You can save the soft copy of Measuring And Managing Information Risk: A FAIR Approach, By Jack Freund, Jack Jones on your device. You carry the device everywhere, don't you? So whenever you have free time, you can enjoy reading the soft-copy edition of Measuring And Managing Information Risk: A FAIR Approach, By Jack Freund, Jack Jones.


Measuring And Managing Information Risk: A FAIR Approach, By Jack Freund, Jack Jones. Change your routine of spending every free moment only chatting with your friends. You do it every day; don't you feel tired of it? Here we present a new habit that is actually an old one, and one that can make your life more worthwhile. When you are bored of constantly talking with your friends in all your free time, you can pick up the book entitled Measuring And Managing Information Risk: A FAIR Approach, By Jack Freund, Jack Jones and read it.

By reading Measuring And Managing Information Risk: A FAIR Approach, By Jack Freund, Jack Jones, you can gain knowledge beyond what you pick up from other people. The book Measuring And Managing Information Risk: A FAIR Approach, By Jack Freund, Jack Jones will be far more reliable. As such, Measuring And Managing Information Risk: A FAIR Approach, By Jack Freund, Jack Jones really will give you the ideas you need to succeed. It is not only about succeeding in one part of life; you can succeed in everything. Success begins with knowing the fundamentals and then acting on them.

From the combination of knowledge and action, a person can improve their skill and capability. It will lead them to live and work better. This is why students, employees, and even companies need a reading habit. Any book such as Measuring And Managing Information Risk: A FAIR Approach, By Jack Freund, Jack Jones will give you specific knowledge to take advantage of. This is what Measuring And Managing Information Risk: A FAIR Approach, By Jack Freund, Jack Jones tells you. It will add to your understanding of how to live and work better. Measuring And Managing Information Risk: A FAIR Approach, By Jack Freund, Jack Jones: try it and confirm it for yourself.

Based on the experience of many people, it is a fact that reading Measuring And Managing Information Risk: A FAIR Approach, By Jack Freund, Jack Jones can help them make better choices and gain more experience. If you want to be one of them, get this book, Measuring And Managing Information Risk: A FAIR Approach, By Jack Freund, Jack Jones, by downloading it from the download link on this website. You can get the soft copy of Measuring And Managing Information Risk: A FAIR Approach, By Jack Freund, Jack Jones and store it on your electronic devices. What are you waiting for? Get Measuring And Managing Information Risk: A FAIR Approach, By Jack Freund, Jack Jones online and read it at any time and in any place you like. It will not burden you with carrying the heavy printed book Measuring And Managing Information Risk: A FAIR Approach, By Jack Freund, Jack Jones in your bag.

Measuring and Managing Information Risk: A FAIR Approach, by Jack Freund, Jack Jones

Using the factor analysis of information risk (FAIR) methodology developed over ten years and adopted by corporations worldwide, Measuring and Managing Information Risk provides a proven and credible framework for understanding, measuring, and analyzing information risk of any size or complexity. Intended for organizations that need to either build a risk management program from the ground up or strengthen an existing one, this book provides a unique and fresh perspective on how to do a basic quantitative risk analysis. Covering such key areas as risk theory, risk calculation, scenario modeling, and communicating risk within the organization, Measuring and Managing Information Risk helps managers make better business decisions by understanding their organizational risk.

  • Uses factor analysis of information risk (FAIR) as a methodology for measuring and managing risk in any organization.
  • Carefully balances theory with practical applicability and relevant stories of successful implementation.
  • Includes examples from a wide variety of businesses and situations presented in an accessible writing style.

  • Sales Rank: #177521 in Books
  • Brand: Freund, Jack/ Jones, Jack
  • Published on: 2014-09-05
  • Released on: 2014-08-22
  • Original language: English
  • Number of items: 1
  • Dimensions: 9.25" h x .93" w x 7.50" l, 1.82 pounds
  • Binding: Paperback
  • 408 pages

About the Author
Dr. Jack Freund is an expert in IT risk management specializing in analyzing and communicating complex IT risk scenarios in plain language to business executives. Jack has been conducting quantitative information risk modeling since 2007. He currently leads a team of risk analysts at TIAA-CREF. Jack has over 15 years in IT and technology consulting for organizations such as Nationwide Insurance, CVS/Caremark, Lucent Technologies, Sony Ericsson, AEP, Wendy’s International, and The State of Ohio.

He holds a BS in CIS, master's in telecommunication and project management, a PhD in information systems, and the CISSP, CISA, CISM, CRISC, CIPP, and PMP certifications. Jack is a visiting professor at DeVry University and a senior member of the ISSA, IEEE, and ACM. Jack chairs a CRISC subcommittee for ISACA and has participated as a member of the Open Group’s risk analyst certification committee. Jack’s writings have appeared in the ISSA Journal, Bell Labs Technical Journal, Columbus CEO magazine, and he currently writes a risk column for @ISACA. You can follow all Jack’s work and writings at riskdr.com.

Jack Jones, CISM, CISA, CRISC, CISSP, has been employed in technology for the past thirty years, and has specialized in information security and risk management for twenty-four years. During this time, he’s worked in the United States military, government intelligence, consulting, as well as the financial and insurance industries. Jack has over nine years of experience as a CISO with three different companies, with five of those years at a Fortune 100 financial services company. His work there was recognized in 2006 when he received the 2006 ISSA Excellence in the Field of Security Practices award at that year’s RSA conference.

In 2007, he was selected as a finalist for the Information Security Executive of the Year, Central United States, and in 2012 was honored with the CSO Compass award for leadership in risk management. He is also the author and creator of the Factor Analysis of Information Risk (FAIR) framework. Currently, Jack is co-founder and president of CXOWARE, Inc.

Most helpful customer reviews

10 of 11 people found the following review helpful.
Very worth while and informative. Well written and useful to both the analyst and the manager.
By Walter B. Williams III
I'm rather familiar with FAIR, and its revision by the OpenGroup:

https://www2.opengroup.org/ogsys/jsp/publications/PublicationDetails.jsp?publicationid=12239
https://www2.opengroup.org/ogsys/catalog/C13K
https://www2.opengroup.org/ogsys/catalog/C13G
https://www2.opengroup.org/ogsys/jsp/publications/PublicationDetails.jsp?publicationid=12158

This book does not duplicate the existing literature on FAIR, but goes into the specific details of how FAIR is used and the algorithms involved in the specific steps.

Unfortunately, there is no attempt to explain the construction of Monte Carlo simulations, recommending the CXOWare solution (expensive) or OpenPERT https://code.google.com/p/openpert/ (free plugin for MS Excel).

FAIR relies heavily on Monte Carlo simulation.

The volume spends time to teach the differences between frequency and probability analysis, and the traps of both. It teaches the ontology that the OpenGroup has also published, as well as terminology specific to FAIR. It shows how to effectively measure

It discusses how to calibrate measurements, how to deal with the limitations of probabilistic models and how to handle issues of accuracy versus precision. It also provides an excellent guide to interpreting the results, and the common mistakes analysts make.

The chapter on controls is well thought out as it shows how to break down the overlap between prevention/detection/response in a control set, as well as how to understand the impact of the fact that all controls are vulnerable to some degree, and therefore only effective at a percentage. Unfortunately, there is no good data that experts can use to calibrate these values, as none of the various breach reports expose the failed control set. Please note that this gap is not a failure of the book, and I'm just raising my favorite complaint.

The chapter on metrics is somewhat obvious. Quantitative risk analysis produces measurements and those measurements can be compared with goals to allow for metrics. They make the correct (in my estimation) to focus on impact here.

If you want to learn how to leverage a very serious quantitative analysis tool, this book is well worth the purchase.

The book itself is produced by a print on demand service, and has some font issues, where the font is often rather small and hard to read for my old eyes. Paper quality is high, so the book is rather heavy for its thin binding.

Other than this, if you are considering a quantitative method for performing risk analysis, I can highly recommend this volume.

A somewhat critical note on FAIR as a methodology

The use of Monte Carlo simulation for risk analysis is well documented as a successful approach, but relies upon the problematic PERT distribution. PERT has not been shown to be mathematically valid, and has arbitrary input shapes. (Ferson & Shoemaker). PERT, however, has the advantage of allowing the mathematical capturing of that calibration through an adjustment of the variables.

Another mechanism to capture the calibration of measurement mathematically is a p-box. It would be interesting to try to build a Monte Carlo simulation built upon a p-box instead of PERT. Unlike PERT, p-boxes are mathematically valid and allow you to marry intervals with probability, distinguish between variability and incertitude and, like PERT, allow you to work with unknown input distributions.
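The review above notes that FAIR leans on Monte Carlo simulation over PERT-distributed inputs but that the book does not show how such a simulation is built. The following is an added example, not code from the book, the reviewer, or any FAIR tool: a minimal FAIR-style run in plain Python. It assumes the conventional beta-PERT (lambda = 4) for each calibrated min/most-likely/max estimate, takes Loss Event Frequency as Threat Event Frequency times Vulnerability, and simplifies annualized loss to LEF times a sampled per-event Loss Magnitude rather than drawing a Poisson count of events. The input ranges are constructed for illustration.

```python
# Added example: a minimal FAIR-style Monte Carlo run using beta-PERT inputs.
# Not code from the book or the reviewer; input ranges are constructed.
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Pert:
    """A calibrated min / most-likely / max estimate, sampled as a beta-PERT.

    PERT rescales a Beta(alpha, beta) onto [low, high], with the shape chosen
    so that the density peaks at `mode`; lam=4 is the conventional weighting.
    """
    low: float
    mode: float
    high: float
    lam: float = 4.0

    def __post_init__(self):
        # A mode outside the range is an elicitation error, not a distribution.
        if not (self.low <= self.mode <= self.high):
            raise ValueError(f"mode must lie within [low, high]: {self}")

    def mean(self):
        # Closed-form PERT mean: (low + lam*mode + high) / (lam + 2)
        return (self.low + self.lam * self.mode + self.high) / (self.lam + 2)

    def sample(self, rng):
        if self.high == self.low:  # degenerate range: a point estimate
            return self.low
        span = self.high - self.low
        alpha = 1 + self.lam * (self.mode - self.low) / span
        beta = 1 + self.lam * (self.high - self.mode) / span
        return self.low + span * rng.betavariate(alpha, beta)


def simulate_annualized_loss(tef, vuln, loss_magnitude, trials=10_000, seed=7):
    """Return one annualized-loss figure per trial.

    FAIR factors: Loss Event Frequency (LEF) = Threat Event Frequency (TEF)
    x Vulnerability (probability that a threat event becomes a loss event).
    Assumption of this example: annualized loss = LEF x a sampled per-event
    Loss Magnitude, instead of a Poisson event count with per-event draws.
    """
    rng = random.Random(seed)  # fixed seed so a run is reproducible
    losses = []
    for _ in range(trials):
        lef = tef.sample(rng) * vuln.sample(rng)  # loss events per year
        losses.append(lef * loss_magnitude.sample(rng))
    return losses


def summarize(losses):
    """Percentile summary of the kind a FAIR report shows."""
    s = sorted(losses)
    n = len(s)

    def pct(p):
        return s[min(n - 1, int(p * n))]

    return {
        "min": s[0], "p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90),
        "max": s[-1], "mean": statistics.fmean(s),
    }


# Constructed inputs (not from the book): ranges an analyst might elicit for
# a scenario such as "external actor compromises a public web application".
TEF = Pert(0.5, 2.0, 6.0)                        # threat events per year
VULN = Pert(0.10, 0.30, 0.70)                    # P(threat event succeeds)
LOSS_MAGNITUDE = Pert(10_000, 50_000, 250_000)   # currency units per event

if __name__ == "__main__":
    result = summarize(simulate_annualized_loss(TEF, VULN, LOSS_MAGNITUDE))
    for key, value in result.items():
        print(f"{key:>4}: {value:12,.0f}")
```

Because the three inputs are sampled independently, the mean annualized loss converges on the product of the three PERT means (about 61,800 for the constructed ranges), while the 10th/90th percentiles show the spread that a single point estimate hides; that spread, not the mean, is what the reviewer's calibration concern is about.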

3 of 3 people found the following review helpful.
The CISO's Bible
By Steve Poppe
In a world where seemingly everything is oversold, this is the rare exception that is undersold. The title succinctly states, without drama, the authors’ broad ambit. They over-deliver. The book is nothing less than a manifesto for quantitative management of information security risk.

Consider how radical it is to promise a truly quantitative approach to cyber risk management in a world dominated by numerous qualitative “frameworks,” red-yellow-green heat maps, thousand-item one-size-fits-all questionnaires, subjective and qualitative scales of likelihood and impact, and fake math like “red times green equals yellow”. And then consider how transformational it is to deliver on the promise.

Other reviewers have nicely discussed the book’s coverage of the FAIR taxonomy. Suffice it to say that MMIR is your best friend in understanding the Open Group FAIR standards. Freund and Jones bring a potentially dry subject alive with many “Talking About Risk” sidebars that tell of their experience with FAIR methods in practice. These war stories make the content accessible and relevant. I especially appreciate the authors’ informal style that is conversational without being verbose and humorous without being patronizing or cute. What the war stories leave out chapter 8 fills in with numerous example analyses. A worked example is better than a thousand war stories.

If giving a thorough rationale for and introduction to FAIR were all that MMIR did, it would be worth its weight in gold. But wait! There’s more!

It’s the “managing” part, chapters 11-14, that constitutes another breakthrough beyond FAIR. There Freund and Jones begin laying out (one senses it is a work in progress) a risk management ontology, built on the FAIR risk measurement ontology. In rethinking the classification of controls in the context of threat event frequency, vulnerability, and loss mitigation, they provide ways to assess and – yikes! – quantify the potential value of control improvements, in isolation or in combination. This gives the CISO the beginning of a way to manage the control environment, not just the threats.

But controls not consistently adhered to are both false comfort and all too common. Therefore F&J suggest that variance in the application of controls is perhaps the single most important set of infosec management metrics. As the old saw goes, if you cannot measure it you cannot manage it, and if you do not know how well your controls are operating on a continuing basis, then what confidence can you have in the millions of dollars invested in technology and staff?

Which brings us to metrics. It is perhaps not surprising that a methodology based on quantitative analysis lends itself to meaningful metrics. F&J offer many concrete suggestions far superior to the grab-bag of metrics found in vendor dashboards (measure what’s cheap and looks cool) and other books. These are real metrics that the CISO can use to … manage risk.

And managing risk is really why we do all this stuff. Making good decisions on both operational and strategic levels requires good data derived from reliable instruments and methods. It is in managing risk that MMIR is truly seminal and profound.

If they do another edition Freund and Jones should consider adding a subtitle, “The CISO’s Bible,” because CISOs will find themselves coming back to it time and again. Or maybe that is the next book.

5 of 6 people found the following review helpful.
Fantastic Book For All Info Sec Professionals, Not Just Risk People
By Mairtin O. Sullivan
The book starts off by first explaining what FAIR is, walks through the FAIR model and explains each variable within the model. The authors highlight some of the changes to the model since the original whitepaper on FAIR and cover why the changes have taken place.

It then moves on to provide a number of different worked scenarios using the FAIR approach, covering discussions on assets, threat communities, threat profiles, scenario building and actual analysis. This is the first time I've seen someone other than myself really walk through some FAIR analysis examples and these are great to see if you've never touched on FAIR before.

The book then shifts tack a little and looks at how controls are viewed from the authors' perspectives; covering asset level controls, variance controls and decision making controls. The sections on variance and decision controls will definitely require a second read before I fully get to grips with the nuances of what the authors were highlighting. However, these chapters bring a level of depth of discussion on controls that I've never seen elsewhere, and something that I think would feed very well into ISACA or other similar groups with a strong control focus.

The book then goes on to cover risk management briefly, and then moves to risk metrics, using the Goal, Question, Metric approach. What I liked particularly about the metrics section is that they didn't simply just list a long number of metrics, but approached it more like a worked example of the approach to defining the metrics. First they look at the goals of risk management, then break these down into sub-goals in order to find the questions that match these sub-goals, and finally identify the metrics that you may wish to gather. This chapter also introduces probably the best description of the difference between risk appetite and risk tolerance; comparing risk appetite with the speed limit on a motorway, and risk tolerance with the variance around that speed limit which the police would accept.

What's fantastic is that throughout the book there's a real sense of practical, real world application of this risk analysis approach. There are practical examples of analysis scenarios and even an entire chapter outlining where you can go wrong. This is something that I've often seen lacking in other books on information or IT risk analysis, which are often full of theoretical approaches, but which lack any relevant examples and definitely don't outline where you'll have problems. This gives the book a practical credibility that I believe will find favor with info sec professionals who normally would shy away from risk management books.

I would say that the book definitely assumes some prior knowledge in approaches such as Monte Carlo simulations and why you may use them, but if you haven't come across these before, then I'd highly recommend The Failure of Risk Management by Doug Hubbard to get you up to speed.

Overall, this is the book I was looking for on information risk analysis four years ago... and I'm thrilled to see it's finally arrived. Even if you never plan to use FAIR as your risk analysis methodology, there's enough in this book that it will help anyone's critical thinking in relation to information security and I can't recommend it highly enough. Everyone in info sec should read it!
