Index

A

  • Access control
    • cryptography
    • mobile devices
    • organization requirements for
    • risk management statement
    • taking a fresh look at
    • teleworking
    • user access management
      • management of privileged access rights
      • management of secret authentication information of users
      • removal and adjustment of user rights
      • review of user access
      • user access provisioning
      • user registration and deregistration
    • user responsibility
      • access control to program source code
      • information access restriction
      • password management system
      • privileged utility programs, use of
      • secure log-in procedures
  • Advanced Persistent Threat Awareness survey (2015)
  • Airmic
  • Align, plan, and organize (APO) domain
  • Assurance and cyber risk management
    • assurance maturity scenarios
      • less mature assurance
      • mature assurance
    • combined assurance reporting by ERM head
      • illustrative sample
    • cyber risk management statement
    • ever presence of cyber risk
    • internal auditor's expectation of an organization managing cyber risks effectively
      • case for combined assurance model
      • combined assurance obtained by CEO
      • risk assessment expected by internal audit
      • role for a cybersecurity-specific line of defense
      • role for an information, communication, and technology (ICT) unit
      • roles for compliance and quality assurance
      • roles for ERM and organization strategy to work closely with ICT

B

  • Big Data analytics
    • preparing for a Big Data policy
      • employee policy content amendments
      • “privacy by design” key content
    • understanding Big Data risks
  • Board cyber risk oversight
    • barriers to action
      • failure to link cybersecurity assessments to key organization objectives
      • lack of reliable information on residual risk status
      • lack of senior management ownership
      • omission of cybersecurity from entity-level objectives and strategic plans
      • too much focus on internal controls
    • cybersecurity—the way forward
    • expectations of boards
    • practical steps boards should take to respond
      • establish a risk management framework
      • include top objectives and specific owners
      • require regular reporting by the CEO
      • use a “five lines of assurance” approach
  • Bring your own devices (BYOD)
    • choosing between BYOD policy options
    • examples of BYOD policies
    • preparing for a BYOD policy
    • understanding BYOD risks
  • Build, acquire, and implement (BAI) domain
  • Business continuity management and cybersecurity
    • cyber risk management statement
    • developing and implementing BCM responses for cyber incidents
    • embedding cybersecurity requirements in BCMS
    • glossary of key terms
    • good international practices for
      • BCMS components and ISO 22301
      • cyber and business continuity management system (BCMS)

C

  • Center for Strategic and International Studies report (June 2014)
  • CEO under pressure
    • cyber risk handbook, need for
  • Chapters listed by interest to functional type
  • Chief information security officer (CISO). See Cyber competencies and the cybersecurity officer
  • Cisco study
  • City University of Hong Kong Human Resource Security Standard
  • Cloud computing and third-party vendors
    • preparing for a cloud computing policy
    • procuring cloud provider services effectively
      • customer agreement key content
    • understanding cloud computing risks
  • Cloud/SaaS applications
    • in-house developed applications
  • COBIT 5 domains, and support of complete cybersecurity life cycle
    • benefits of process enablers
    • reasons for using a COBIT 5 process enabler approach
  • COBIT 5 for information security
  • COBIT 5 GEIT principles
    • applying a single, integrated framework
      • being structured
    • covering the enterprise end to end
      • addressing uncertainty
      • creating and protecting value
      • tailoring
    • enabling a holistic approach
      • being part of decision making
      • considering human and cultural factors
      • integrating into the organization
      • using the best available information
    • meeting stakeholder needs
      • being responsive to change
      • being transparent and inclusive
    • separating governance from management
      • maturity strategy and continual improvement
  • COBIT 5 processes, leveraging
    • components of cybersecurity processes
    • cybersecurity practices and activities
    • different types working together
      • align, plan, and organize (APO) domain
      • build, acquire, and implement (BAI) domain
      • deliver, service, and support (DSS) domain
      • evaluate, direct, and monitor (EDM) domain
      • monitor, evaluate, and assess (MEA) domain
  • Commercial off-the-shelf applications
  • “Corporate Culture and the Role of Boards” (FRC, 2016)
  • Crisis decision-making unit (CDU)
  • Crisis management
    • unique characteristics of
  • Cryptography
  • Culture and human factors
    • cyber risk management statement
    • frameworks and standards
      • business model for information security (BMIS)
      • ISO 27001:2013
      • NIST framework
    • human factors and cybersecurity
      • insider threats
      • social engineering threats
    • organizations as social systems
      • cybersecurity not merely a technology issue
      • organizational culture
    • technology trends and human factors
      • measuring human behaviors for security
      • reducing cyber risks that occur due to human mistakes
    • training
  • Cyber competencies and the cybersecurity officer
    • CISO, duality of
      • executive strategist
      • key attributes for
      • RASCI matrix cyber roles
      • should report to CEO
      • technical specialist
    • cyber risk management statement
    • evolving information security professional
    • job responsibilities and tasks
      • information risk management and compliance
      • information security governance
      • information security incident management
      • information security program development and management
  • Cyber crisis management steps
    • alert and qualification
    • carrying out the investigation and building a defense plan
      • building the defense plan
      • starting investigations
    • crisis closure
    • executing the plan and surveillance
  • Cyber risk insurance
    • management statement
    • market constraints
      • capacity
      • insurance placement
      • regulatory
    • planning for
      • conducting pre-breach education and planning
      • creating a breach business continuity plan
      • developing an incident response plan and crisis management plan
      • reviewing or implementing cyber insurance
    • risk manager's perspective on planning for
  • Cyber risk–managed organization
  • Cyber risk management, principles behind
    • applying a single, integrated framework
      • being structured
    • covering the enterprise end to end
      • addressing uncertainty
      • creating and protecting value
      • tailoring
    • enabling a holistic approach
      • being part of decision making
      • considering human and cultural factors
      • integrating into the organization
      • using the best available information
    • meeting stakeholder needs
      • being responsive to change
      • being transparent and inclusive
    • principles guiding actions
    • separating governance from management
      • maturity strategy and continual improvement
  • “Cyber Risk Oversight” guide (NACD, 2014)
  • Cyber risks
    • identifying, analyzing, and evaluating
      • cyber risk management statement
      • landscape of risk
      • maturing security
      • people factor
      • prioritizing protection
      • regulatory compliance
      • security culture
      • structured approach to assessing and managing risk
    • treating
      • alignment of treatment
      • applying necessary measures and reacting effectively
      • cyber risk management statement
      • determining cyber risk profile
      • practicing treatment
      • treating with the proper nuance in line with an organization's risk profile
      • using process capabilities
      • using insurance and finance
  • Cyber strategic performance management
    • creating an effective cybersecurity performance management system
      • measuring capability
      • measuring progress against initiatives
      • measuring protection
    • cyber risk management statement
    • cybersecurity strategy required to measure cybersecurity performance
      • cybersecurity capabilities
      • organization risk assessment
      • portfolio of initiatives
      • target state protections
    • pitfalls in measuring cybersecurity performance
  • Cybersecurity incident and crisis management
    • crisis management
      • cyber crisis management steps
      • going from incident to
      • operating principles
      • operational cybersecurity crisis unit, structuring and mobilizing
      • tools and techniques for managing a cyber crisis
    • cyber risk management statement
    • incident management
      • external incident identification
      • incident must-have checklist
      • integrating incident reporting with enterprise-wide risk management (ERM)
      • internal incident identification
      • policy and process steps, following
      • qualifying incidents
      • when an event becomes an incident
  • Cybersecurity lending practices
  • Cybersecurity policies and procedures
    • Big Data analytics
      • preparing for a Big Data policy
      • understanding Big Data risks
    • cloud computing and third-party vendors
      • preparing for a cloud computing policy
      • procuring cloud provider services effectively
      • understanding cloud computing risks
    • cyber risk management statement
    • Internet of Things (IoT)
      • preparing for an IoT policy
      • understanding IoT risks
    • mobile or bring your own devices (BYOD)
      • choosing between BYOD policy options
      • examples of BYOD policies
      • preparing for a BYOD policy
      • understanding BYOD risks
    • ransomware risk policies and procedures
      • preparing for a ransomware policy
      • understanding ransomware risks
    • social media risk policy
      • choose between social media policy options
      • examples of social media policies
      • preparing for a social media policy
      • understanding social media risks
  • Cybersecurity, state of
    • global cyber crisis
    • increasing cyber risk management maturity
    • time for change
      • implications for 2016
  • Cybersecurity systems
    • cyber risk management statement
    • incorporating cybersecurity requirements and establishing sound practices
      • application life cycle and typical controls
      • development and implementation
      • governance and planning
      • maintenance and operations
      • sunset and disposal
    • specific considerations
      • cloud/SaaS applications
      • commercial off-the-shelf applications
  • CyberSmart capabilities
  • CyberSmart maturity model
    • culture, ethics, and behavior
    • governance and risk oversight
    • organizational structures and design
    • processes
    • resources in architecture—services, infrastructure, and applications
    • resources in information assets
    • resources in people, skills, and competencies as assets

D

  • Decommissioning a system
  • Deliver, service, and support (DSS) domain
  • Digital governance gap
  • Digital leadership and emergence of digital risk and digital risk officer
  • Digital quotient

E

  • Embedded risk management processes, using
  • Enterprise risk management, integrating cyber risk management into
  • Enterprise-wide risk management
    • digital governance gap
    • people risk management system
  • European Union Agency for Network and Information Security (ENISA)
  • Evaluate, direct, and monitor (EDM) domain
  • External context and supply chain
    • building cybersecurity management capabilities from an external perspective
      • avoiding silos to focus on external and internal alignment
      • cybersecurity task force to focus on maturity targets
      • integrating supply chain capability
      • private-sector and policymaker recommendations to improve global cyber governance
      • seven key roles to drive capability
    • cyber risk management statement
    • external context
      • to the growing importance of cyber risk and IT failure
      • specific to cyber risks
      • and supply chain and third parties
      • transportation cyber attack, example of
      • transportation sector's key role in supply chain
    • measuring cybersecurity management capabilities from an external perspective
      • supply chain risk maturity measured by peer organizations

F

  • Fiat Chrysler
  • Financial impact modeling, constraints on
  • Financial Reporting Council (FRC)
  • “Five lines of assurance” approach
  • “Framework for Improving Critical Infrastructure Cybersecurity” version 1.0
  • Frameworks and standards
    • business model for information security (BMIS)
    • ISO 27001:2013
    • NIST framework

G

  • General Data Protection Regulation (GDPR) (EU)
  • Generation Y employees
  • “Global State of Information Security Survey 2016”
  • Glossary of commonly used terms
  • Governance and planning
    • defining security requirements
    • establishing policies and procedures
  • Groupthink as a bias

H

  • Handbook structure, rationale, and benefits
    • balance and objectivity
    • enterprise-wide comprehensiveness
    • moving up the risk maturity curve
  • Handbook structured for the enterprise
    • conceptualizing cybersecurity for organization-wide solutions
    • cyber risk maturity model
    • theming the right set of capabilities
  • Human factors and cybersecurity
    • insider threats
    • social engineering threats
  • Human Impact Management for Information Security (HIMIS)
  • Human resources security
    • cyber risk management statement
    • higher-maturity HR functions
      • academia
      • certified professionals
    • lower-maturity HR functions, needs of
      • HR security standard, example of
    • mid-maturity HR functions
      • certifiable international standard, capabilities to meet

I

  • Incident and crisis management. See Cybersecurity incident and crisis management
  • Information asset management for cyber
    • best practices
    • cyber risk management statement
    • cybersecurity for the future
      • from exploitation to attack
      • new opportunities for network agility
      • observe, orient, decide, and act (OODA)
      • reimagining the attack surface
    • invisible attacker
    • thinking like a general
    • time to act
    • troubling trend
  • Information risk management and compliance
  • Information Security Forum (ISF)
    • standard of good practice for information security
  • Information security governance
  • Information security incident management
  • Information security program development and management
  • Institute of Internal Audit
  • Internal organization context
    • cyber risk management statement
    • cybersecurity within the enterprise
    • standards and guidance approaches
    • tailoring cybersecurity to enterprise exposures
      • aligning cybersecurity within enterprise functions
      • designing a cyber risk function operating model
      • governance and risk oversight functions for cybersecurity
      • IT-related executive management functions for cybersecurity
      • typical enterprise functional roles most involved in cybersecurity
  • International Organization for Standardization (ISO)
  • Internet of Things (IoT)
    • preparing for an IoT policy
      • key content
    • understanding IoT risks
  • ISO 22301
  • ISO 27001
  • ISO 31000
  • ISO/IEC 27000 family
  • IT capability maturity framework—information security management (IT-CMF:ISM)
  • IT-related executive management functions for cybersecurity
    • CISO should report to CEO
    • emergence of the digital risk officer (DRO)
    • enterprise risk-related management functions for cybersecurity
    • other enterprise management functions supporting cybersecurity
    • RASCI matrix cyber roles
      • for board members
      • for CEO
      • for CFO
      • for CIO
      • for CISO
      • for COO
      • for CRO
      • for CSO
      • for DRO
      • for head of business continuity
      • for head of corporate communications
      • for head of human resources
      • for head of insurance
      • for head of physical security
      • for head of supply chain
      • for ISRC
      • for internal audit function
      • for legal counsel and compliance
      • for risk committee
    • variations to reporting and titles/roles

K

  • Key risk indicators (KRIs), monitoring and reviewing
    • definitions
      • key control indicator
      • key performance indicator
      • key risk indicator
    • design for cyber risk management
      • case study
      • dashboard samples tailored to stakeholders
      • functional risk
      • informing stakeholders
      • inherent risk, residual risk, and big-picture KRIs
      • linking objectives, risks, and controls
      • organizational risk
      • risk taxonomy
    • KRI management statement
  • Korn Ferry study (2016)

L

  • Legal and compliance
    • counsel's advice and “boom” planning
      • boom and right of boom
      • left of boom
      • RASCI matrix role for legal counsel and compliance
    • cyber risk management statement
    • European Union and international regulatory schemes
      • International Organization for Standardization (ISO)
      • post-Brexit United Kingdom
      • transfer of data out of the EU
    • U.S. regulations
      • cybersecurity negligence remains undefined
      • forecasting the future U.S. cyber regulatory environment
      • general fiduciary duty in the United States
      • specific U.S. industry/sector regulations

M

  • Maintenance and operations
    • modification
    • risk of impact
    • secure operations
  • McGregor, Douglas
  • McKinsey Global
  • Mobile or bring your own devices (BYOD)
    • choosing between BYOD policy options
    • examples of BYOD policies
      • key content
    • preparing for a BYOD policy
    • understanding BYOD risks
  • Mobile devices
  • Monitor, evaluate, and assess (MEA) domain

N

  • National Institute of Standards and Technology (NIST)
    • information security standards
    • IT security framework
    • NIST computer/cybersecurity frameworks

O

  • Operational cybersecurity crisis unit, structuring and mobilizing
    • defense team
    • investigation team
    • steering team
  • Operations and communications, cybersecurity for
    • challenges from within
    • changes
    • data and its integrity
    • digital revolution
    • hindrances to cybersecurity operations
    • knowing what you do not know
    • people
    • threat landscape
    • what to do now
      • adapting to your environment
      • adapting your organization
      • cyber risk management statement
      • drive for clarity
      • filling in the knowledge gap
      • knowing your assets
      • making cyber risk more tangible
      • understanding the speed of change
  • Organization risk assessment

P

  • Payment Card Industry (PCI) Data Security Standard (PCI-DSS)
  • People risk management
    • crisis management
      • unique characteristics of
    • cyber risk management statement
    • enterprise-wide risk management
      • digital governance gap
      • people risk management system
    • rise of the machines
    • risk culture
    • tomorrow's talent
      • digital leadership and emergence of digital risk and digital risk officer
      • digital quotient
  • Physical security
    • calculating or reviewing exposure to adversary attacks
      • calculating the probability of interrupting the adversary
      • simulating the path of an adversary
    • committing to a plan
    • cyber risk management statement
    • designing or reviewing integrated security measures
    • getting a clear view on physical security risk landscape and impact on cybersecurity
    • key objectives for security measures
    • managing or reviewing the cybersecurity organization
    • optimizing return on security investment
    • RASCI plan for physical security organization
    • reworking the data center scenario
      • understanding controls for data center scenario
      • understanding objectives for security measures
    • risk landscape heat map example
    • security zone model example
    • typical security design example
  • Policies and procedures. See Cybersecurity policies and procedures
  • Predefined risk appetite, managing cyber risks with
  • PricewaterhouseCoopers international survey (2016)
  • Process capabilities, treating cyber risks using
    • lack of intrinsic motivation to document
      • moving routine actions to operations
    • leveraging ISACA COBIT 5 processes
    • undocumented processes
  • Proctor, Paul

Q

  • Quantified cost-benefit model, tailoring
    • constraints on financial impact modeling
    • cyber losses underinsured compared to property losses
    • modeling cost-benefits of investments in insurance vs. cybersecurity

R

  • Ransomware risk policies and procedures
    • preparing for a ransomware policy
      • key content
    • understanding ransomware risks
      • how cybercriminals spread ransomware
  • RASCI matrix cyber roles
    • for board members
    • for CEO
    • for CFO
    • for CIO
    • for CISO
    • for COO
    • for CRO
    • for CSO
    • for DRO
    • for head of business continuity
    • for head of corporate communications
    • for head of human resources
    • for head of insurance
    • for head of physical security
    • for head of supply chain
    • for ISRC
    • for internal audit function
    • for legal counsel and compliance
    • for risk committee
  • Risk culture
  • Risk insurance. See Cyber risk insurance
  • Risk management maturity, improving
  • RSA Conference/ISACA joint research

S

  • SANS Top 20 CIS Critical Security Controls
  • Secure engineering and development practices, importance of
  • Security and acceptance testing
  • Social media risk policy
    • choose between social media policy options
    • examples of social media policies
      • personal social media policy for employees
      • social media policy for corporate accounts
    • prepare for your social media policy
    • understand your social media risks
  • Standards and frameworks for cybersecurity
    • commonly used frameworks and standards
      • COBIT 5 for information security
      • European Union Agency for Network and Information Security (ENISA)
      • ISF standard of good practice for information security
      • ISO/IEC 27000 family
      • IT capability maturity framework—information security management (IT-CMF:ISM)
      • NIST computer/cybersecurity frameworks
      • Payment Card Industry (PCI) Data Security Standard (PCI-DSS)
      • SANS Top 20
      • World Economic Forum Cyber Risk Framework (WEF-CRF)
    • constraints on standards and frameworks
      • good practice consistently applied
    • cyber risk management statement
    • putting in context
      • diversity as a blessing and curse
      • first steps
      • no “best” cybersecurity standard
      • tailoring a choice of frameworks
  • Strategic performance management. See Cyber strategic performance management
  • Supply chain. See External context and supply chain
  • Supply Chain Risk Leadership Council (SCRLC)
  • Symantec Internet Security Threat Report (April 2016)

T

  • Target data breach (2013)
  • Teleworking
  • Test data, protection of
  • TrapX

U

  • User access management
    • management of privileged access rights
    • management of secret authentication information of users
    • removal and adjustment of user rights
    • review of user access
    • user access provisioning
    • user registration and deregistration
  • User responsibility
    • access control to program source code
    • information access restriction
    • password management system
    • privileged utility programs, use of

W

  • World Economic Forum
  • World Economic Forum Cyber Risk Framework (WEF-CRF)

Z

  • Zombie Zero