Cyber Strategy: Risk-Driven Security and Resiliency
- Length: 200 pages
- Edition: 1
- Language: English
- Publisher: Auerbach Publications
- Publication Date: 2020-04-07
- ISBN-10: 0367339455
- ISBN-13: 9780367339456
- Sales Rank: #1214277
Cyber Strategy: Risk-Driven Security and Resiliency provides a process and roadmap for any company to develop a unified cybersecurity and cyber resiliency strategy. It demonstrates a methodology for combining an organization's disconnected security and resiliency efforts into one corporate plan, with buy-in from senior management, that uses resources efficiently, targets high-risk threats, and evaluates both the risk assessment methodologies used and the efficacy of the resulting risk mitigations. The book covers every step from conception of the plan: preplanning (mission/vision, principles, strategic objectives, derivation of new initiatives), project management directives, cyber threat and vulnerability analysis, cyber risk and controls assessment, and finally reporting and measurement techniques for plan success and overall strategic plan performance. It also presents a methodology for selecting new initiatives for the following year by identifying all relevant inputs.
Tools utilized include:
- Key Risk Indicators (KRI) and Key Performance Indicators (KPI)
- National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) Target State Maturity interval mapping per initiative
- Comparisons of current and target state business goals and critical success factors
- A quantitative NIST-based risk assessment of initiative technology components
- Responsible, Accountable, Consulted, Informed (RACI) diagrams for Cyber Steering Committee tasks and Governance Boards’ approval processes
- Swimlanes, timelines, data flow diagrams (inputs, resources, outputs), progress report templates, and Gantt charts for project management
The last chapter provides downloadable checklists, tables, data flow diagrams, figures, and assessment tools to help develop your company’s cybersecurity and cyber resiliency strategic plan.
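The quantitative NIST-based risk assessment listed among the tools above is, in NIST SP 800-30 terms, a two-table lookup: a likelihood that a threat event is initiated and a likelihood that it causes harm combine into an overall likelihood, which then combines with the impact level into a level of risk. The following Python is an added example written for this page, not code from the book. Its tables are the editor's reading of SP 800-30 Rev. 1 Tables G-5 and I-2 and its 0 to 10 semi-quantitative values and should be checked against the publication; the initiatives, technology components and ratings are constructed sample data.

```python
"""Level-of-risk calculation in the style of NIST SP 800-30 Rev. 1 (Appendices G, H, I).

Added example, not the book's code. The tables below are the editor's reading of
SP 800-30 Rev. 1 Tables G-5 (overall likelihood) and I-2 (level of risk) and its
semi-quantitative 0-10 values; check them against the publication before relying on them.
The initiatives, components and ratings are constructed sample data.
"""
from dataclasses import dataclass

# Five-point qualitative scale shared by likelihood, impact and risk, lowest first.
SCALE = ("Very Low", "Low", "Moderate", "High", "Very High")

# Representative semi-quantitative value per level (SP 800-30 uses 0, 2, 5, 8, 10).
SEMI_QUANT = {"Very Low": 0, "Low": 2, "Moderate": 5, "High": 8, "Very High": 10}

# Table G-5: row = likelihood the threat event is initiated/occurs, column (in SCALE
# order) = likelihood it results in adverse impact, cell = overall likelihood.
OVERALL_LIKELIHOOD = {
    "Very High": ("Low", "Moderate", "High", "Very High", "Very High"),
    "High":      ("Low", "Moderate", "Moderate", "High", "Very High"),
    "Moderate":  ("Low", "Low", "Moderate", "Moderate", "High"),
    "Low":       ("Very Low", "Low", "Low", "Moderate", "Moderate"),
    "Very Low":  ("Very Low", "Very Low", "Low", "Low", "Low"),
}

# Table I-2: row = overall likelihood, column = level of impact, cell = level of risk.
LEVEL_OF_RISK = {
    "Very High": ("Very Low", "Low", "Moderate", "High", "Very High"),
    "High":      ("Very Low", "Low", "Moderate", "High", "Very High"),
    "Moderate":  ("Very Low", "Low", "Moderate", "Moderate", "High"),
    "Low":       ("Very Low", "Low", "Low", "Low", "Moderate"),
    "Very Low":  ("Very Low", "Very Low", "Very Low", "Low", "Low"),
}


def _level(value: str) -> str:
    """Reject ratings outside the scale instead of silently mis-scoring them."""
    if value not in SCALE:
        raise ValueError(f"unknown rating {value!r}; expected one of {SCALE}")
    return value


def overall_likelihood(initiation: str, adverse_impact: str) -> str:
    return OVERALL_LIKELIHOOD[_level(initiation)][SCALE.index(_level(adverse_impact))]


def level_of_risk(likelihood: str, impact: str) -> str:
    return LEVEL_OF_RISK[_level(likelihood)][SCALE.index(_level(impact))]


@dataclass(frozen=True)
class ThreatScenario:
    """One threat event against one technology component of a strategic initiative."""
    initiative: str
    component: str
    threat_event: str
    initiation: str      # likelihood the event is initiated or occurs
    adverse_impact: str  # likelihood it causes harm given the controls in place
    impact: str          # severity of the harm if it does

    def assess(self) -> dict:
        likelihood = overall_likelihood(self.initiation, self.adverse_impact)
        risk = level_of_risk(likelihood, self.impact)
        return {"initiative": self.initiative, "component": self.component,
                "threat_event": self.threat_event, "likelihood": likelihood,
                "impact": self.impact, "risk": risk, "score": SEMI_QUANT[risk]}


# Constructed sample register: hypothetical initiatives, components and ratings.
SAMPLE_SCENARIOS = (
    ThreatScenario("Zero Trust Remote Access", "VPN concentrator",
                   "Exploitation of an unpatched appliance", "High", "High", "High"),
    ThreatScenario("Zero Trust Remote Access", "MFA service",
                   "MFA push fatigue against privileged users", "Very High", "Moderate", "High"),
    ThreatScenario("Backup Modernization", "Offline backup vault",
                   "Ransomware reaches backup copies", "Moderate", "Low", "Very High"),
    ThreatScenario("SIEM Upgrade", "Log collector",
                   "Insider tampers with forwarded logs", "Low", "Moderate", "Moderate"),
)


def assess_register(scenarios=SAMPLE_SCENARIOS) -> list:
    """Score every scenario and order the register highest risk first (stable sort)."""
    return sorted((s.assess() for s in scenarios), key=lambda r: r["score"], reverse=True)


def above_tolerance(results, tolerance: str = "Moderate") -> list:
    """Scenarios whose risk exceeds the stated tolerance; each needs a mitigation or a formal acceptance."""
    limit = SCALE.index(_level(tolerance))
    return [r for r in results if SCALE.index(r["risk"]) > limit]


def initiative_rollup(results) -> dict:
    """Highest residual risk per initiative, the figure a steering committee report would carry."""
    rollup = {}
    for r in results:
        current = rollup.get(r["initiative"], "Very Low")
        if SCALE.index(r["risk"]) >= SCALE.index(current):
            rollup[r["initiative"]] = r["risk"]
    return rollup


if __name__ == "__main__":
    results = assess_register()
    for r in results:
        print(f'{r["risk"]:<9} {r["score"]:>2}  {r["initiative"]} / {r["component"]}: {r["threat_event"]}')
    print("Above tolerance:", [r["component"] for r in above_tolerance(results)])
    print("Per initiative:", initiative_rollup(results))
```

The tolerance passed to above_tolerance is the risk tolerance the book's STEP 4 asks the organization to set; lowering it to Low pulls the backup scenario into the list even though its overall likelihood is Low, because a Very High impact keeps its level of risk at Moderate.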
Table of contents:
Front matter: Cover, Half Title, Title Page, Copyright Page, Contents, Author Biographies
Chapter 1 Why Cybersecurity and Cyber Resiliency Strategies Are Mandatory for Organizations Today
- 1.1 The Value Proposition
- 1.2 The 6 STEPs for Developing and Maintaining a Cybersecurity and Cyber Resiliency Strategy
- 1.3 Cybersecurity and Cyber Resiliency Strategy Key Players
- 1.4 Initiating the Strategy
- 1.5 Triggers to Create a Corporate Cybersecurity and Cyber Resiliency Strategy
- 1.6 Information Security vs. Cybersecurity
  - 1.6.1 Information Security
  - 1.6.2 Cybersecurity
- 1.7 Cyber Resiliency vs. Traditional Resiliency
- 1.8 Cybersecurity and Cyber Resiliency Strategy Life Cycle
- 1.9 Cyber Strategies vs. Cyber Programs
- 1.10 Cybersecurity and Cyber Resiliency Programs for Organizations
- 1.11 Cybersecurity and Cyber Resiliency Architecture: Standards and Frameworks
  - 1.11.1 Enterprise Information Security Architecture
  - 1.11.2 Regulatory Security Architecture
  - 1.11.3 Introduction to the NIST Cybersecurity Framework (CSF)
- 1.12 Cyber Program Preplanning
- 1.13 Technical Areas of Concentration for a Cyber Program
Chapter 2 The 6 STEPs in Developing and Maintaining a Cybersecurity and Cyber Resiliency Strategy
- 2.1 STEP 1: Preplanning: Preparation for Strategy Development
  - 2.1.1 Corporate Culture and Organizational Analysis
  - 2.1.2 Matrixed Organizational Structure
  - 2.1.3 Siloed Organizational Structure
  - 2.1.4 Enabling the Organization for Strategy Adoption
  - 2.1.5 Forming a Steering Committee
  - 2.1.6 Creating Strategic Plan Critical Success Factors
  - 2.1.7 Designating a Project Manager for the Steering Committee
  - 2.1.8 Developing Steering Committee Tasks
  - 2.1.9 Establishing Corporate Business Values
  - 2.1.10 Determining the Mission/Vision, Principles, and Strategic Objectives for Cybersecurity and Cyber Resiliency
    - 2.1.10.1 Mission/Vision
    - 2.1.10.2 Cyber Program Principles
    - 2.1.10.3 Strategic Objectives
- 2.2 STEP 2: Strategy Project Management
  - 2.2.1 Initiatives for Cybersecurity Strategic Objectives
  - 2.2.2 Initiatives for Cyber Resiliency Strategic Objectives
  - 2.2.3 Creating a Strategy Project Charter
  - 2.2.4 Aligning the Strategy with Other Existing Corporate Strategies and Corporate Business Objectives
  - 2.2.5 Developing a Strategic Plan Overview Reporting Template
  - 2.2.6 Determining Work Efforts
  - 2.2.7 Strategy Timeline
  - 2.2.8 Strategy Swimlane
  - 2.2.9 NIST CSF Initiative Mapping
  - 2.2.10 The Final Strategy Document Deliverable
- 2.3 STEP 3: Cyber Threats, Vulnerabilities, and Intelligence Analysis
  - 2.3.1 Cyber Threats
    - 2.3.1.1 Cyber Threat Risk Reporting
  - 2.3.2 Threat Intelligence, Identification, and Modeling
  - 2.3.3 Vulnerabilities
    - 2.3.3.1 Asset Related Vulnerabilities
    - 2.3.3.2 Vulnerability Severity Risk Reporting
- 2.4 STEP 4: Cyber Risks and Controls
  - 2.4.1 Cyber Risk Category Definitions for Business
  - 2.4.2 Risk Appetite and Risk Tolerance
  - 2.4.3 Cyber Risk Measurement Methodologies
    - 2.4.3.1 Cyber Risk Management
    - 2.4.3.2 Cyber Risk Calculation
  - 2.4.4 Controls
  - 2.4.5 Cyber Insurance
- 2.5 STEP 5: Assessing Current and Target States
  - 2.5.1 Types of Assessments
- 2.6 STEP 6: Measuring Strategic Plan Performance and End of Year (EoY) Tasks
  - 2.6.1 Cyber Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs)
- 2.7 Governance Cycles and Processes
- 2.8 Proposing New Initiatives to Mitigate Threats and Reduce Risk
  - 2.8.1 Cybersecurity and Cyber Resiliency Reporting – Yearly Report Example
  - 2.8.2 Refining the Strategy over Time – End of Year (EoY) Tasks
    - 2.8.2.1 Gathering Data to Measure Strategy Performance
    - 2.8.2.2 Creating Yearly Reports to Show Performance
    - 2.8.2.3 Determining New Initiatives for the Following Year
    - 2.8.2.4 Perform Various Project Management Tasks
- 2.9 Checklists and Templates
- Notes
Chapter 3 Strategy Project Management
- 3.1 Vision to Initiative Flow
- 3.2 Strategy Project Charter
- 3.3 Strategy Preparation Checklist
- 3.4 Strategy Timeline
- 3.5 Strategy Gantt Chart
- 3.6 Strategy Swimlane
- 3.7 Data Flow Diagrams for STEPs 2, 3, 4, 5, and 6
- 3.8 RACI Strategy Development Matrix
- 3.9 NIST CSF Initiative Mapping
- 3.10 The Final Strategy Deliverable
Chapter 4 Cyber Threats, Vulnerabilities, and Intelligence Analysis
- 4.1 Threats in the Context of a Cybersecurity and Cyber Resiliency Strategy
  - 4.1.1 Definition of a Threat
  - 4.1.2 Evolution of Cyber Threats
    - 4.1.2.1 The Early Stages of Cyber Threats
    - 4.1.2.2 Present-Day and Future Cyber Threat Actors
  - 4.1.3 Types of Threats and Actors
    - 4.1.3.1 Script Kiddies
    - 4.1.3.2 Hacktivists
    - 4.1.3.3 Organized Crime Groups
    - 4.1.3.4 Nation-States
    - 4.1.3.5 Insider Threats
    - 4.1.3.6 Artificial Intelligence Powered Threats
  - 4.1.4 Threat Intelligence, Identification, and Modeling
    - 4.1.4.1 MITRE ATT&CK
    - 4.1.4.2 Threat Intelligence, Identification, and Modeling within a Strategy and a Program
    - 4.1.4.3 Monitoring for Threats
    - 4.1.4.4 Reporting on Threat Intelligence
- 4.2 Vulnerabilities
  - 4.2.1 Open Web Application Security Project (OWASP) Application Security Vulnerabilities
  - 4.2.2 Identifying Vulnerabilities
    - 4.2.2.1 Modern-Day Vulnerability Management Issues
  - 4.2.3 Asset-Related Vulnerabilities
  - 4.2.4 Common Vulnerability Scoring System (CVSS)
  - 4.2.5 Vulnerabilities in the Context of a Strategy
- 4.3 Cyberattacks
  - 4.3.1 Common Types of Cyberattacks
  - 4.3.2 Typical Types of Losses Due to Cyberattacks
- Notes
Chapter 5 Cyber Risks and Controls
- 5.1 Cyber Risk
  - 5.1.1 Cyber Risk Framework
  - 5.1.2 Risk Category Definitions
  - 5.1.3 Risk Tolerance and Risk Appetite
    - 5.1.3.1 Risk Appetite
    - 5.1.3.2 Risk Tolerance
    - 5.1.3.3 Risk Appetite vs. Risk Tolerance
  - 5.1.4 Cyber Risk Measurement Methodologies
    - 5.1.4.1 US National Institute of Standards and Technology’s Special Publications 800-30
  - 5.1.5 A NIST 800-30 Cyber Risk Assessment Example
    - 5.1.5.1 NIST Risk Descriptions for Government Entities
    - 5.1.5.2 NIST Adversarial Threat Ratings
  - 5.1.6 Other Well-Known Cyber Risk Assessment Methodologies
    - 5.1.6.1 ISACA Risk Framework – Risk IT
    - 5.1.6.2 The International Organization for Standardization/International Electrotechnical Commission’s (ISO/IEC) 27000
    - 5.1.6.3 A Guide to the Project Management Body of Knowledge (PMBOK® Guide)
    - 5.1.6.4 Open Web Application Security Project™ (OWASP) Risk Rating Methodology
    - 5.1.6.5 Committee of Sponsoring Organization of the Treadway Commission (COSO) Enterprise Risk Management (ERM)
    - 5.1.6.6 Factor Analysis of Information Risk (FAIR)
    - 5.1.6.7 Carnegie Mellon® Risk Quantification Method (CM RQM)
  - 5.1.7 Risk Disclosure: The Securities and Exchange Commission (SEC) Guidance on Risk (Feb 2018)
- 5.2 IT Controls
  - 5.2.1 Main Functions of Controls
  - 5.2.2 Maturity of Controls
  - 5.2.3 The Center for Internet Security Critical Security Controls
  - 5.2.4 Auditing of Information Technology (IT) Controls
- 5.3 Cyber Insurance
  - 5.3.1 Risk Transfer
- Notes
Chapter 6 Current and Target State Assessments
- 6.1 Introduction to Assessments
- 6.2 Current State Assessments
  - 6.2.1 Categories of Assessments
    - 6.2.1.1 Self-Assessments
    - 6.2.1.2 External/Third-Party Assessments
    - 6.2.1.3 Audits (Internal & External)
  - 6.2.2 Frameworks, Industry Standards, Regulations, and Models
    - 6.2.2.1 NIST Cybersecurity Framework Core Identifiers and Categories
- 6.3 Conducting a Current State Assessment
- 6.4 Unmapped Initiatives Discussion
- 6.5 Target State Assessment
  - 6.5.1 NIST CSF Target States
- 6.6 How to Rate Current and Target States
Chapter 7 Measuring Strategic Plan Performance and End of Year (EoY) Tasks
- 7.1 Evaluating the Strategy Against the Critical Success Factors
- 7.2 Key Risk Indicators (KRIs)
- 7.3 Key Performance Indicators (KPIs)
- 7.4 Reporting on the Strategies
  - 7.4.1 Cybersecurity and Cyber Resiliency Initiatives Mapped to NIST CSF Subcategories
  - 7.4.2 Cybersecurity Initiatives NOT Mapped to the NIST CSF
  - 7.4.3 Initiative to CSF Mapping Per Objective
  - 7.4.4 Strategic Plan Progress Reports – Cybersecurity and Cyber Resiliency
  - 7.4.5 Current State to End of Year and Target State Maturity Tier Rating
  - 7.4.6 Preparation of the EoY Performance Report
- 7.5 Determining New Initiatives for the Next Year
- 7.6 End of Year Tasks
  - 7.6.1 Define the Strategy’s Pyramid Parameters for Following Year
  - 7.6.2 Create the Timeline for Following Year
  - 7.6.3 Confirm Steering Group Member Composition
  - 7.6.4 Distribute EoY Performance Reports to Senior Management
  - 7.6.5 End of Year Steering Committee Responsibilities RACI
  - 7.6.6 Ensure Compliance with Regulations
  - 7.6.7 Complete Governance Hoops
    - 7.6.7.1 Governance Organization Diagram
    - 7.6.7.2 Strategy Governance Body RACI
    - 7.6.7.3 Governance Approval Swimlane for the Cybersecurity and Cyber Resiliency Strategy
  - 7.6.8 Cybersecurity and Cyber Resiliency Strategy Life Cycle
Chapter 8 Checklists and Templates to Help Create an Enterprise-Wide Cybersecurity and Cyber Resiliency Strategy
- 8.1 Guides to Strategy Preparation
- 8.2 STEP 1: Preplanning: Preparation for Strategy Development
  - 8.2.1 Preplanning Checklist
  - 8.2.2 Mission/Vision, Principles, Strategic Objectives, and Initiatives Pyramid
  - 8.2.3 Analyze Organizational and Cultural Structure
  - 8.2.4 RACI Completion for STEP 1
  - 8.2.5 Critical Success Factors Validation
  - 8.2.6 Evaluate Organizational Readiness
- 8.3 STEP 2: Strategy Project Management
  - 8.3.1 Project Charter
  - 8.3.2 RACI Completion for STEP 2
  - 8.3.3 Complete RACI Development for the Steering Committee Tasks
  - 8.3.4 Data Flow Analysis for STEP 2
  - 8.3.5 Develop Draft Final Deliverable Table of Contents
- 8.4 STEPs 3 and 4: Cyber Threats, Vulnerabilities, Intelligence Analysis, Risks, and Controls
  - 8.4.1 RACI for STEPs 3 and 4: Cyber Threats, Vulnerabilities & Cyber Risks, and Controls
  - 8.4.2 Data Flow Analysis for STEPs 3 and 4
  - 8.4.3 Incidents to Controls Mapping
- 8.5 STEP 5: Current and Target State Assessments
  - 8.5.1 RACI for STEP 5: Current and Target State Assessments
  - 8.5.2 Data Flow Analysis for STEP 5: Current and Target State Assessments
  - 8.5.3 Performing a Quantitative Risk Assessment
- 8.6 STEP 6: Measuring Plan Performance and EoY Tasks
  - 8.6.1 Checklist for STEP 6: End of Year Tasks
  - 8.6.2 RACI for STEP 6: Measuring Plan Performance and EoY Tasks
  - 8.6.3 Data Flow Diagram for STEP 6: Measuring Strategic Plan Performance and EoY Tasks
  - 8.6.4 Derive the Critical Success Factors
  - 8.6.5 Review the Key Risk Indicators and Key Performance Indicators
  - 8.6.6 Strategic Plan Reporting Template
  - 8.6.7 Initiative to CSF Mapping Per Objective
  - 8.6.8 Cybersecurity and Cyber Resiliency Yearly Report
  - 8.6.9 Governance Hoops
  - 8.6.10 Governance Approval Organization Hierarchy
  - 8.6.11 Governance Approval RACI
  - 8.6.12 Governance Approval Swimlane
- 8.7 Assembling the Full Project RACI
- 8.8 Chapter 8 Downloadable Files