Handbook

Track updates

HB 167:2006

[Pending Revision]

Security risk management

Outlines a broad framework and the core elements that should be included in a security risk management process, and is consistent with the risk management principles of AS/NZS 4360: 2004. This Handbook can be used by any size or type of organisation - from large multinationals to small businesses, government agencies and the not-for profit sector.

Published: 21/12/2006

Pages: 159

Table of contents

Cited references

Content history

Table of contents

Header

About this publication

Preface

1 Introduction

1.1 Security Risk Management—A new paradigm

1.2 Security Risk Management approach

1.2.1 The structure of security risk management

1.3 Security risk management and its relationship with risk management

1.4 Security risk management

2 Communicate and consult

2.1 Introduction

2.1.1 Effective communication

2.2 Engagement

2.2.1 Participation

2.2.2 Engagement and participation of senior management

2.2.3 Engagement and participation of staff

2.2.4 Engagement and participation of other stakeholders

2.3 Perception

2.4 Information transfer

2.5 Decision making

2.6 Developing the communications strategy

3 Establish the context

3.1 Introduction

3.2 The external context

3.3 The internal context

3.4 The security risk management context

3.4.1 Finalising the goals and objectives for security risk management

3.5 Determine the process/program structure

3.6 Developing the evaluation criteria

3.7 Developing the business case

4 Identify risk

4.1 Introduction

4.2 Data and information sources

4.2.1 Retrieving data and information

4.2.2 Potential sources of risk

4.3 Conducting the criticality assessment

4.4 Threat assessment

4.4.1 Identifying the threat

4.4.2 Understanding the threat

4.4.3 Measuring the threat

4.4.4 Likelihood of a security threat

4.5 Conducting the vulnerability analysis

4.5.1 Introduction

4.5.2 Assessing the effectiveness of the controls

4.5.3 Approaches to assessment

4.6 Mapping threat, vulnerability and criticality

5 Analyse risk

5.1 Introduction

5.2 Measuring risk

5.2.1 Consequence

5.2.2 Likelihood

5.2.3 Risk rating

6 Evaluate risk

6.1 Introduction

6.2 Tolerance of risk

7 Treat risk

7.1 Introduction

7.2 Developing a treatment plan

7.2.1 Establish treatment objectives

7.2.2 Identify and develop treatment options

7.2.3 Evaluate treatment objectives

7.2.4 Detailed design

7.2.5 Design review

7.2.6 Communicating and implementing

7.3 Conformance vs. Performance

8 Monitor and review

8.1 Introduction

8.2 The elements of ‘monitor and review’

8.3 Monitoring and review practices

8.4 Triggering monitor and review processes

8.5 Post-event analysis and reporting

F1 Business case template

F2 SRM Project management template37

F3 Developing the context template (with some examples)

F4 Information collection worksheet

F5 Criticality and vulnerability assessment worksheet

F6 Threat sources identification and assessment40

F7 Threat assessment worksheet

F8 Security risk assessment worksheet

F9 Strategic security risk management activities plan

F10 Security risk management controls assessment checklist46 (Example 1)

F11 Security survey worksheet (Example 2)

F12 Example treatment plan template

I1 Visibility rating

I2 Vulnerability: Iconic status

I3 Vulnerability: Threat access

I4 Vulnerability: Collateral exposures

I5 Vulnerability: Interdependency demand54

I6 Critical incident management

Cited references in this standard

Content history

$219.67

AUD

Inclusive of GST

Available formats

Web Reader

Instantly view standards in your browser. Search, bookmark, highlight, and comment for anytime access - online and offline.

Web Reader (PDF)

View standards in PDF format in your browser. Search, bookmark, highlight, and comment for anytime access - online and offline.

Web Reader

Licence:

1 user

Total

$219.67

Add to cart