Preparing for Battle – discusses the planning process in detail with concrete examples of the building blocks that make up a plan.
Chapter 4 — Recognizing and Capturing Risk
Reveals the authors' methodology for gathering key business information. An exercise called Riches, Ruins & Regulations is the centerpiece. We provide guidelines that security team members can follow to entice line-of-business (LOB) leaders to reveal business risks and their magnitudes.
Chapter 5 — Performing Threat Analysis
Explains how the security team methodically marries business risk to vulnerabilities and threats. While security expertise is required to perform the analysis, we alert the security-obligated executive to make sure that explicit threat statements are prepared in this planning stage.
- Threat Statement Template
- Whitepaper on Assessing Threat/Attack Likelihood
- Security Program Template
Chapter 6 — Adhering to Regulations
Addresses the issues of regulatory compliance, which is another form of business risk. Failure to pass a compliance audit can lead to fines and sanctions that can be as harmful as a hacker's attack. Once again, the security-obligated executive is put on alert to expect explicit compliance statements.
Chapter 7 — Preparing the Strategic Plan
Shows how the building blocks fit together. Threats and compliance obligations are pitted against programs that provide controls (i.e., protection). We recommend that weaknesses be documented in a control deficiency statement and that priorities be set to identify the most important improvements.