Table of Contents for The Cyber Risk Handbook
The Cyber Risk Handbook
by Domenic Antonucci
Foreword The State of Cybersecurity
The Global Cyber Crisis
The Time for Change
Increasing Cyber Risk Management Maturity
About ISACA
About Ron Hale
About the Editor
List of Contributors
Acknowledgments
Chapter 1: Introduction
The CEO under Pressure
Toward an Effectively Cyber Risk–Managed Organization
Handbook Structured for the Enterprise
Handbook Structure, Rationale, and Benefits
Which Chapters Are Written for Me?
Chapter 2: Board Cyber Risk Oversight: What Needs to Change?
What Are Boards Expected to Do Now?
What Barriers to Action Will Well-Intending Boards Face?
What Practical Steps Should Boards Take Now to Respond?
Cybersecurity—The Way Forward
Notes
About Risk Oversight Solutions Inc.
About Tim J. Leech, FCPA, CIA, CRMA, CFE
About Lauren C. Hanlon, CPA, CIA, CRMA, CFE
Chapter 3: Principles Behind Cyber Risk Management
Cyber Risk Management Principles Guide Actions
Meeting Stakeholder Needs
Covering the Enterprise End to End
Applying a Single, Integrated Framework
Enabling a Holistic Approach
Separating Governance from Management
Conclusion
Notes
About RIMS
About Carol Fox
Chapter 4: Cybersecurity Policies and Procedures
Social Media Risk Policy
Ransomware Risk Policies and Procedures
Cloud Computing and Third-Party Vendors
Big Data Analytics
The Internet of Things
Mobile or Bring Your Own Devices (BYOD)
Conclusion
Notes
About IRM
About Elliot Bryan, BA (Hons), ACII
About Alexander Larsen, FIRM, President of Baldwin Global Risk Services
Chapter 5: Cyber Strategic Performance Management
Pitfalls in Measuring Cybersecurity Performance
Cybersecurity Strategy Required to Measure Cybersecurity Performance
Creating an Effective Cybersecurity Performance Management System
Conclusion
Note
About McKinsey Company
About James Kaplan
About Jim Boehm
Chapter 6: Standards and Frameworks for Cybersecurity
Putting Cybersecurity Standards and Frameworks in Context
Commonly Used Frameworks and Standards (a Selection)
Constraints on Standards and Frameworks
Conclusion
Notes
About Boston Consulting Group (BCG)
About William Yin
About Dr. Stefan A. Deutscher
Chapter 7: Identifying, Analyzing, and Evaluating Cyber Risks
The Landscape of Risk
The People Factor
A Structured Approach to Assessing and Managing Risk
Security Culture
Regulatory Compliance
Maturing Security
Prioritizing Protection
Conclusion
Notes
About the Information Security Forum (ISF)
About Steve Durbin
Chapter 8: Treating Cyber Risks
Introduction
Treating Cybersecurity Risk with the Proper Nuance in Line with an Organization’s Risk Profile
Determining the Cyber Risk Profile
Treating Cyber Risk
Alignment of Cyber Risk Treatment
Practicing Cyber Risk Treatment
Conclusion
About KPMG
About John Hermans
About Ton Diemont
Chapter 9: Treating Cyber Risks Using Process Capabilities
Cybersecurity Processes Are the Glue That Binds
No Intrinsic Motivation to Document
Leveraging ISACA COBIT 5 Processes
COBIT 5 Domains Support Complete Cybersecurity Life Cycle
Conclusion
About ISACA
About Todd Fitzgerald
Chapter 10: Treating Cyber Risks—Using Insurance and Finance
Tailoring a Quantified Cost-Benefit Model
Planning for Cyber Risk Insurance
The Risk Manager’s Perspective on Planning for Cyber Insurance
Cyber Insurance Market Constraints
Conclusion
Notes
About Aon
About Kevin Kalinich, Esq.
Chapter 11: Monitoring and Review Using Key Risk Indicators (KRIs)
Definitions
KRI Design for Cyber Risk Management
Conclusion
Notes
About Wability
About Ann Rodriguez
Chapter 12: Cybersecurity Incident and Crisis Management
Cybersecurity Incident Management
Cybersecurity Crisis Management
Conclusion
About CLUSIF
About Gérôme Billois, CISA, CISSP and ISO27001 Certified
About Wavestone
Chapter 13: Business Continuity Management and Cybersecurity
Good International Practices for Cyber Risk Management and Business Continuity
Embedding Cybersecurity Requirements in BCMS
Developing and Implementing BCM Responses for Cyber Incidents
Conclusion
Appendix: Glossary of Key Terms
About Marsh
About Marsh Risk Consulting
About Sek Seong Lim, CBCP, PMC
Chapter 14: External Context and Supply Chain
External Context
Building Cybersecurity Management Capabilities from an External Perspective
Measuring Cybersecurity Management Capabilities from an External Perspective
Conclusion
About The SCRLC
About Nick Wildgoose, BA (Hons), FCA, FCIPS
Chapter 15: Internal Organization Context
The Internal Organization Context for Cybersecurity
Tailoring Cybersecurity to Enterprise Exposures
Conclusion
Note
About Domenic Antonucci
About Bassam Alwarith
Chapter 16: Culture and Human Factors
Organizations as Social Systems
Human Factors and Cybersecurity
Training
Frameworks and Standards
Technology Trends and Human Factors
Conclusion
Note
About Avinash Totade
About Sandeep Godbole
Chapter 17: Legal and Compliance
European Union and International Regulatory Schemes
U.S. Regulations
Counsel’s Advice and “Boom” Planning
Conclusion
Notes
About the Cybersecurity Legal Task Force
About Harvey Rishikof
About Conor Sullivan
Chapter 18: Assurance and Cyber Risk Management
What the Internal Auditor Expects from an Organization Managing Its Cyber Risks Effectively
How to Deal with Two Differing Assurance Maturity Scenarios
Combined Assurance Reporting by ERM Head
Conclusion
About Stig Sunde, CISA, CIA, CGAP, CRISC, IRM Cert.
Chapter 19: Information Asset Management for Cyber
The Invisible Attacker
A Troubling Trend
Thinking Like a General
The Immediate Need—Best Practices
Cybersecurity for the Future
Time to Act
Conclusion
About Booz Allen Hamilton
About Christopher Ling
Chapter 20: Physical Security
Tom Commits to a Plan
Get a Clear View on the Physical Security Risk Landscape and the Impact on Cybersecurity
Manage or Review the Cybersecurity Organization
Design or Review Integrated Security Measures
Reworking the Data Center Scenario
Calculate or Review Exposure to Adversary Attacks
Optimize Return on Security Investment
Conclusion
About Radar Risk Group
About Inge Vandijck
About Paul van Lerberghe
Chapter 21: Cybersecurity for Operations and Communications
Do You Know What You Do Not Know?
Threat Landscape—What Do You Know About Your Organization Risk and Who Is Targeting You?
Data and Its Integrity—Does Your Risk Analysis Produce Insight?
Digital Revolution—What Threats Will Emerge as Organizations Continue to Digitize?
Changes—How Will Your Organization or Operational Changes Affect Risk?
People—How Do You Know Whether an Insider or Outsider Presents a Risk?
What’s Hindering Your Cybersecurity Operations?
Challenges from Within
What to Do Now
Conclusion
About EY
About Chad Holmes
About James Phillippe
Chapter 22: Access Control
Taking a Fresh Look at Access Control
Organization Requirements for Access Control
User Access Management
User Responsibility
System and Application Access Control
Mobile Devices
Teleworking
Other Considerations
Conclusion
Notes
About Sidriaan de Villiers, PwC Partner South Africa
Chapter 23: Cybersecurity Systems: Acquisition, Development, and Maintenance
Build, Buy, or Update: Incorporating Cybersecurity Requirements and Establishing Sound Practices
Specific Considerations
Conclusion
Notes
About Deloitte Advisory Cyber Risk Services
About Michael Wyatt
Chapter 24: People Risk Management in the Digital Age
Rise of the Machines
Enterprise-Wide Risk Management
Tomorrow’s Talent
Crisis Management
Risk Culture
Conclusion
Notes
About Airmic
About Julia Graham
Chapter 25: Cyber Competencies and the Cybersecurity Officer
The Evolving Information Security Professional
The Duality of the CISO
Job Responsibilities and Tasks
Conclusion
Notes
About ISACA
About Ron Hale
Chapter 26: Human Resources Security
Needs of Lower-Maturity HR Functions
Needs of Mid-Maturity HR Functions
Needs of Higher-Maturity HR Functions
Conclusion
Notes
About Domenic Antonucci
Epilogue
Background
Becoming CyberSmart
Notes
About Domenic Antonucci
About Didier Verstichel
Glossary
Index
EULA
List of Tables
Chapter 1
Table 1.1
Chapter 3
Table 3.1
Chapter 9
Table 9.1
Chapter 11
Table 11.1
Chapter 12
Table 12.1
Chapter 14
Table 14.1
Chapter 15
Table 15.1
Table 15.2
Table 15.3
Table 15.4
Table 15.5
Table 15.6
Table 15.7
Table 15.8
Table 15.9
Table 15.10
Table 15.11
Table 15.12
Table 15.13
Table 15.14
Table 15.15
Table 15.16
Table 15.17
Table 15.18
Table 15.19
Table 15.20
Table 15.21
Table 15.22
Chapter 17
Table 17.1
Table 17.2
Chapter 18
Table 18.1
Chapter 25
Table 25.1
Epilogue
Table E.1
Table E.2
List of Illustrations
Chapter 1
Figure 1.1
Conceptualizing information security within the organization
Figure 1.2
How seven sets of capabilities work together
Chapter 2
Figure 2.1
Five lines of assurance
Figure 2.2
Risk status approach to assessment and treatment
Chapter 3
Figure 3.1
Risk management unifies processes
Chapter 5
Figure 5.1
Measuring progress against initiatives
Figure 5.2
DRA provides insight into cybersecurity capabilities
Figure 5.3
Measuring protection of most critical information Courtesy of John Greenwood of McKinsey & Co.
Chapter 7
Figure 7.1
Three types of insider threat identified by the Information Security Forum (ISF)
Figure 7.2
The six phases of the ISF IRAM2.
Chapter 8
Figure 8.1
An organizational cyber risk profile
Figure 8.2
Selecting the right set of treatment measures
Figure 8.3
An integrated approach to cyber risk management
Figure 8.4
An overarching perspective over cyber risks requiring treatment
Chapter 10
Figure 10.1
Financial statement impact
Figure 10.2
Cyber risk impacts all quadrants
Figure 10.3
Asset value comparison: Property, plant and equipment (PP&E) versus information assets
Figure 10.4
Probable maximum loss (PML) value for PP&E versus information assets
Figure 10.5
Impact of business interruption
Figure 10.6
Information assets covered by insurance compared to PP&E
Figure 10.7
Optimal cyber insurance components
Figure 10.8
Cyber insurance placement minimum timings and steps
Chapter 11
Figure 11.1
Risk taxonomy for KRIs
Figure 11.2
KRI sample of dashboards and reports
Chapter 12
Figure 12.1
Cyber crisis management steps
Chapter 13
Figure 13.1
Conceptual overview of main cyber response components
Chapter 14
Figure 14.1
Top three causes of supply chain disruption
Figure 14.2
Origins of supply chain disruption
Chapter 16
Figure 16.1
The ISACA business model for information security (BMIS)
Figure 16.2
HIMIS methodology to reduce cyber risks that occur due to human mistakes.
Chapter 18
Figure 18.1
Combined assurance approach
Chapter 20
Figure 20.1
Tom’s plan to build a state-of-the-art physical security risk management system
Figure 20.2
How to identify physical security risk scenarios using seven key elements
Figure 20.3
Risk assessment stepped approach
Figure 20.4
Risk landscape heat map example
Figure 20.5
Tom’s RASCI plan for the physical security organization
Figure 20.6
“Typical” physical security design in three steps
Figure 20.7
Security zone model example
Figure 20.8
Typical security design example
Figure 20.9
Key objectives for security measures
Figure 20.10
Adversary path analyzer in four steps
Figure 20.11
The three points in time to mitigate an adversary attack
Figure 20.12
Adversary Sequence Diagram
Figure 20.13
Probability (p) factors for interrupting an adversary’s attack
Figure 20.14
Optimizing return on investment
Chapter 21
Figure 21.1
The big picture: How your organization can integrate and expand your cybersecurity protocol
Figure 21.2
Checklist of do’s and don’ts for getting started
Chapter 22
Figure 22.1
“The Global State of Information Security Survey 2016”.
Chapter 23
Figure 23.1
Application life cycle and typical controls