Executive’s Cybersecurity Program Handbook: A comprehensive guide to building and operationalizing a complete cybersecurity program
- Length: 232 pages
- Edition: 1
- Language: English
- Publisher: Packt Publishing
- Publication Date: 2023-02-24
- ISBN-10: 180461923X
- ISBN-13: 9781804619230
- Sales Rank: #1516402 (See Top 100 Books)
Develop strategic plans for building cybersecurity programs and prepare your organization for compliance investigations and audits
Key Features
- Get started as a cybersecurity executive and design an infallible security program
- Perform assessments and build a strong risk management framework
- Promote the importance of security within the organization through awareness and training sessions
Book Description
Ransomware, phishing, and data breaches are major concerns affecting all organizations as a new cyber threat seems to emerge every day. making it paramount to protect the security of your organization and be prepared for potential cyberattacks. This book will ensure that you can build a reliable cybersecurity framework to keep your organization safe from cyberattacks.
This Executive’s Cybersecurity Program Handbook explains the importance of executive buy-in, mission, and vision statement of the main pillars of security program (governance, defence, people and innovation). You’ll explore the different types of cybersecurity frameworks, how they differ from one another, and how to pick the right framework to minimize cyber risk. As you advance, you’ll perform an assessment against the NIST Cybersecurity Framework, which will help you evaluate threats to your organization by identifying both internal and external vulnerabilities. Toward the end, you’ll learn the importance of standard cybersecurity policies, along with concepts of governance, risk, and compliance, and become well-equipped to build an effective incident response team.
By the end of this book, you’ll have gained a thorough understanding of how to build your security program from scratch as well as the importance of implementing administrative and technical security controls.
What you will learn
- Explore various cybersecurity frameworks such as NIST and ISO
- Implement industry-standard cybersecurity policies and procedures effectively to minimize the risk of cyberattacks
- Find out how to hire the right talent for building a sound cybersecurity team structure
- Understand the difference between security awareness and training
- Explore the zero-trust concept and various firewalls to secure your environment
- Harden your operating system and server to enhance the security
- Perform scans to detect vulnerabilities in software
Who this book is for
This book is for you if you are a newly appointed security team manager, director, or C-suite executive who is in the transition stage or new to the information security field and willing to empower yourself with the required knowledge. As a Cybersecurity professional, you can use this book to deepen your knowledge and understand your organization’s overall security posture. Basic knowledge of information security or governance, risk, and compliance is required.
Executive’s Cybersecurity Program Handbook
Contributors
About the author
About the reviewers
Preface
Who this book is for
What this book covers
Download the color images
Get in touch
Share Your Thoughts
Download a free PDF copy of this book
Part 1 – Getting Your Program Off the Ground
Chapter 1: The First 90 Days
Getting executive buy-in
Budget or no budget?
Vision statements
Mission statements
Program charters
Purpose
Scope
Responsibilities
Those responsible for the charter
The pillars of your cybersecurity program
Summary
References
Chapter 2: Choosing the Right Cybersecurity Framework
What is a cybersecurity framework?
Types of cybersecurity frameworks
Examining security as a checkbox
Understanding continual improvement
Selecting the right framework
The framework used in this book
Summary
References
Chapter 3: Cybersecurity Strategic Planning through the Assessment Process
Developing your cybersecurity strategy
Who should perform the assessment?
Preparing for the assessment
Drafting an engagement letter
Project initiation and information gathering
Performing the assessment
Wrapping up the assessment
Administrative review of policy documents using the NIST CSF
A technical review using the CIS controls
Understanding the current and future state of your program
Developing goals
The exit interview
Summary
References
Part 2 – Administrative Cybersecurity Controls
Chapter 4: Establishing Governance through Policy
The importance of governance
The importance of policy documents
Exploring PSPs
Policies
Standards
Procedures
Policy workflow
Getting executive sign-off for policy documents
Creating new policies
Reviewing policies
Building a framework layout
Exploring policy objectives
Summary
References
Chapter 5: The Security Team
The need for more security professionals
Applying NIST NICE framework to your organization
Exploring cybersecurity roles
Cybersecurity analysts
Cybersecurity engineers
Cybersecurity architects
Cybersecurity compliance specialists
Head of security
Exploring cybersecurity architectural frameworks
SABSA
TOGAF
OSA
Staffing – insourcing versus outsourcing
Structuring the cybersecurity team
Summary
References
Chapter 6: Risk Management
Why do we need risk management?
Exploring IT risks
Human
Technology
Environmental
The NIST RMF
Tier 1 – organizational risk
Tier 2 – mission/business process
Tier 3 – information systems
Applying risk management to IT resources
Categorize
Select
Implement
Assess
Authorize
Monitor
Documenting in the SSP
What is a risk register?
Driving to a resolution
Summary
References
Chapter 7: Incident Response
NIST incident response methodology
Preparation
Detection and analysis
Containment, eradication, and recovery
Post-incident activity
Incident response playbooks
Train like we fight
Walk-through exercises
Tabletop exercises
Live action exercises
Summary
References
Chapter 8: Security Awareness and Training
Understanding security awareness, training, and education
Awareness
Training
Education
Setting up a security training program
Establishing the need for a security training program
Obtaining executive support
Developing metrics
Examining course objectives
Continuous improvement
Training for compliance
Summary
References
Part 3 – Technical Controls
Chapter 9: Network Security
The history of the internet
The OSI model
The first three OSI layers
IPv4 addressing and micro-segmentation
Traditional network security
Traffic inspection
Networks of today
Building trust into the network
Virtual private networking and remote access
Getting to know the “zero trust” concept
Understanding firewall functionality
Web application firewalls
DNS firewalls
Distributed denial of service
Summary
References
Chapter 10: Computer and Server Security
The history of operating systems
Exploring server hardening steps
Operating system patching
Least privilege
Removing unneeded services
Host-based security
Picking the right password
MFA
Secure software configurations
Changing system defaults
Remote management
Zero trust
Dangers of TOFU
The IoT
Understanding encryption
Digital signatures
Protecting the private key
Summary
References
Chapter 11: Securing Software Development through DevSecOps
Why introduce cybersecurity early?
A new style in project management
The six principles of DevSecOps
Planning
Building
Testing
Deploying
Operating
Code reviews
Static application security testing
Dynamic application security testing
Software composition analysis
Open source licensing
Copyright licenses
Copyleft licenses
Permissive licenses
Gitflow branching
Secure coding checklists
NIST
SEI
OWASP
Embedded secrets
Summary
References
Chapter 12: Testing Your Security and Building Metrics
Understanding your requirements
Business requirements
Regulatory requirements
Continuous evaluation of your security program
Maintaining corporate security
Maintaining third-party security
Why CARE about metrics?
Vulnerability metrics
Incident reporting – red team versus blue team
Reporting to the executive team and BoD
System security plans and the risk register
A risk heat map
Balanced scorecard
Summary
References
Index
Why subscribe?
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts
Download a free PDF copy of this bookHow to download source code?
1. Go to: https://github.com/PacktPublishing
2. In the Find a repository… box, search the book title: Executive’s Cybersecurity Program Handbook: A comprehensive guide to building and operationalizing a complete cybersecurity program, sometime you may not get the results, please search the main title.
3. Click the book title in the search results.
3. Click Code to download.
1. Disable the AdBlock plugin. Otherwise, you may not get any links.
2. Solve the CAPTCHA.
3. Click download link.
4. Lead to download server to download.
