The Cyber Risk Handbook

Book Description

Actionable guidance and expert perspective for real-world cybersecurity

The Cyber Risk Handbook is the practitioner's guide to implementing, measuring and improving the counter-cyber capabilities of the modern enterprise. The first resource of its kind, this book provides authoritative guidance for real-world situations, and cross-functional solutions for enterprise-wide improvement. Beginning with an overview of counter-cyber evolution, the discussion quickly turns practical with design and implementation guidance for the range of capabilities expected of a robust cyber risk management system that is integrated with the enterprise risk management (ERM) system. Expert contributors from around the globe weigh in on specialized topics with tools and techniques to help any type or size of organization create a robust system tailored to its needs. Chapter summaries of required capabilities are aggregated to provide a new cyber risk maturity model used to benchmark capabilities and to road-map gap-improvement.

Cyber risk is a fast-growing enterprise risk, not just an IT risk. Yet guidance on what this means in practice is seldom provided. This book is the first to tackle in detail the enterprise-wide capabilities that the Board, CEO, and Internal Audit expect of the diverse executive management functions that need to team up with the Information Security function to provide integrated solutions.

  • Learn how cyber risk management can be integrated to better protect your enterprise
  • Design and benchmark new and improved practical counter-cyber capabilities
  • Examine planning and implementation approaches, models, methods, and more
  • Adopt a new cyber risk maturity model tailored to your enterprise needs

The need to manage cyber risk across the enterprise—inclusive of IT operations—is a growing concern as massive data breaches make the news on an alarmingly frequent basis. With a cyber risk management system now a business necessity, practitioners need to assess the effectiveness of their current system and measure its improvement over time in response to a dynamic and fast-moving threat landscape. The Cyber Risk Handbook brings the world's best thinking to bear on aligning that system to the enterprise and vice versa. Every functional head of any organization should have a copy at hand to understand their role in achieving that alignment.

Table of Contents

  1. Foreword The State of Cybersecurity
    1. The Global Cyber Crisis
    2. The Time for Change
    3. Increasing Cyber Risk Management Maturity
    4. About ISACA
    5. About Ron Hale
  2. About the Editor
  3. List of Contributors
  4. Acknowledgments
  5. Chapter 1: Introduction
    1. The CEO under Pressure
    2. Toward an Effectively Cyber Risk–Managed Organization
    3. Handbook Structured for the Enterprise
    4. Handbook Structure, Rationale, and Benefits
    5. Which Chapters Are Written for Me?
  6. Chapter 2: Board Cyber Risk Oversight: What Needs to Change?
    1. What Are Boards Expected to Do Now?
    2. What Barriers to Action Will Well-Intending Boards Face?
    3. What Practical Steps Should Boards Take Now to Respond?
    4. Cybersecurity—The Way Forward
    5. Notes
    6. About Risk Oversight Solutions Inc.
    7. About Tim J. Leech, FCPA, CIA, CRMA, CFE
    8. About Lauren C. Hanlon, CPA, CIA, CRMA, CFE
  7. Chapter 3: Principles Behind Cyber Risk Management
    1. Cyber Risk Management Principles Guide Actions
    2. Meeting Stakeholder Needs
    3. Covering the Enterprise End to End
    4. Applying a Single, Integrated Framework
    5. Enabling a Holistic Approach
    6. Separating Governance from Management
    7. Conclusion
    8. Notes
    9. About RIMS
    10. About Carol Fox
  8. Chapter 4: Cybersecurity Policies and Procedures
    1. Social Media Risk Policy
    2. Ransomware Risk Policies and Procedures
    3. Cloud Computing and Third-Party Vendors
    4. Big Data Analytics
    5. The Internet of Things
    6. Mobile or Bring Your Own Devices (BYOD)
    7. Conclusion
    8. Notes
    9. About IRM
    10. About Elliot Bryan, BA (Hons), ACII
    11. About Alexander Larsen, FIRM, President of Baldwin Global Risk Services
  9. Chapter 5: Cyber Strategic Performance Management
    1. Pitfalls in Measuring Cybersecurity Performance
    2. Cybersecurity Strategy Required to Measure Cybersecurity Performance
    3. Creating an Effective Cybersecurity Performance Management System
    4. Conclusion
    5. Note
    6. About McKinsey & Company
    7. About James Kaplan
    8. About Jim Boehm
  10. Chapter 6: Standards and Frameworks for Cybersecurity
    1. Putting Cybersecurity Standards and Frameworks in Context
    2. Commonly Used Frameworks and Standards (a Selection)
    3. Constraints on Standards and Frameworks
    4. Conclusion
    5. Notes
    6. About Boston Consulting Group (BCG)
    7. About William Yin
    8. About Dr. Stefan A. Deutscher
  11. Chapter 7: Identifying, Analyzing, and Evaluating Cyber Risks
    1. The Landscape of Risk
    2. The People Factor
    3. A Structured Approach to Assessing and Managing Risk
    4. Security Culture
    5. Regulatory Compliance
    6. Maturing Security
    7. Prioritizing Protection
    8. Conclusion
    9. Notes
    10. About the Information Security Forum (ISF)
    11. About Steve Durbin
  12. Chapter 8: Treating Cyber Risks
    1. Introduction
    2. Treating Cybersecurity Risk with the Proper Nuance in Line with an Organization’s Risk Profile
    3. Determining the Cyber Risk Profile
    4. Treating Cyber Risk
    5. Alignment of Cyber Risk Treatment
    6. Practicing Cyber Risk Treatment
    7. Conclusion
    8. About KPMG
    9. About John Hermans
    10. About Ton Diemont
  13. Chapter 9: Treating Cyber Risks Using Process Capabilities
    1. Cybersecurity Processes Are the Glue That Binds
    2. No Intrinsic Motivation to Document
    3. Leveraging ISACA COBIT 5 Processes
    4. COBIT 5 Domains Support Complete Cybersecurity Life Cycle
    5. Conclusion
    6. About ISACA
    7. About Todd Fitzgerald
  14. Chapter 10: Treating Cyber Risks—Using Insurance and Finance
    1. Tailoring a Quantified Cost-Benefit Model
    2. Planning for Cyber Risk Insurance
    3. The Risk Manager’s Perspective on Planning for Cyber Insurance
    4. Cyber Insurance Market Constraints
    5. Conclusion
    6. Notes
    7. About Aon
    8. About Kevin Kalinich, Esq.
  15. Chapter 11: Monitoring and Review Using Key Risk Indicators (KRIs)
    1. Definitions
    2. KRI Design for Cyber Risk Management
    3. Conclusion
    4. Notes
    5. About Wability
    6. About Ann Rodriguez
  16. Chapter 12: Cybersecurity Incident and Crisis Management
    1. Cybersecurity Incident Management
    2. Cybersecurity Crisis Management
    3. Conclusion
    4. About CLUSIF
    5. About Gérôme Billois, CISA, CISSP and ISO27001 Certified
    6. About Wavestone
  17. Chapter 13: Business Continuity Management and Cybersecurity
    1. Good International Practices for Cyber Risk Management and Business Continuity
    2. Embedding Cybersecurity Requirements in BCMS
    3. Developing and Implementing BCM Responses for Cyber Incidents
    4. Conclusion
    5. Appendix: Glossary of Key Terms
    6. About Marsh
    7. About Marsh Risk Consulting
    8. About Sek Seong Lim, CBCP, PMC
  18. Chapter 14: External Context and Supply Chain
    1. External Context
    2. Building Cybersecurity Management Capabilities from an External Perspective
    3. Measuring Cybersecurity Management Capabilities from an External Perspective
    4. Conclusion
    5. About The SCRLC
    6. About Nick Wildgoose, BA (Hons), FCA, FCIPS
  19. Chapter 15: Internal Organization Context
    1. The Internal Organization Context for Cybersecurity
    2. Tailoring Cybersecurity to Enterprise Exposures
    3. Conclusion
    4. Note
    5. About Domenic Antonucci
    6. About Bassam Alwarith
  20. Chapter 16: Culture and Human Factors
    1. Organizations as Social Systems
    2. Human Factors and Cybersecurity
    3. Training
    4. Frameworks and Standards
    5. Technology Trends and Human Factors
    6. Conclusion
    7. Note
    8. About Avinash Totade
    9. About Sandeep Godbole
  21. Chapter 17: Legal and Compliance
    1. European Union and International Regulatory Schemes
    2. U.S. Regulations
    3. Counsel’s Advice and “Boom” Planning
    4. Conclusion
    5. Notes
    6. About the Cybersecurity Legal Task Force
    7. About Harvey Rishikof
    8. About Conor Sullivan
  22. Chapter 18: Assurance and Cyber Risk Management
    1. What the Internal Auditor Expects from an Organization Managing Its Cyber Risks Effectively
    2. How to Deal with Two Differing Assurance Maturity Scenarios
    3. Combined Assurance Reporting by ERM Head
    4. Conclusion
    5. About Stig Sunde, CISA, CIA, CGAP, CRISC, IRM Cert.
  23. Chapter 19: Information Asset Management for Cyber
    1. The Invisible Attacker
    2. A Troubling Trend
    3. Thinking Like a General
    4. The Immediate Need—Best Practices
    5. Cybersecurity for the Future
    6. Time to Act
    7. Conclusion
    8. About Booz Allen Hamilton
    9. About Christopher Ling
  24. Chapter 20: Physical Security
    1. Tom Commits to a Plan
    2. Get a Clear View on the Physical Security Risk Landscape and the Impact on Cybersecurity
    3. Manage or Review the Cybersecurity Organization
    4. Design or Review Integrated Security Measures
    5. Reworking the Data Center Scenario
    6. Calculate or Review Exposure to Adversary Attacks
    7. Optimize Return on Security Investment
    8. Conclusion
    9. About Radar Risk Group
    10. About Inge Vandijck
    11. About Paul van Lerberghe
  25. Chapter 21: Cybersecurity for Operations and Communications
    1. Do You Know What You Do Not Know?
    2. Threat Landscape—What Do You Know About Your Organization Risk and Who Is Targeting You?
    3. Data and Its Integrity—Does Your Risk Analysis Produce Insight?
    4. Digital Revolution—What Threats Will Emerge as Organizations Continue to Digitize?
    5. Changes—How Will Your Organization or Operational Changes Affect Risk?
    6. People—How Do You Know Whether an Insider or Outsider Presents a Risk?
    7. What’s Hindering Your Cybersecurity Operations?
    8. Challenges from Within
    9. What to Do Now
    10. Conclusion
    11. About EY
    12. About Chad Holmes
    13. About James Phillippe
  26. Chapter 22: Access Control
    1. Taking a Fresh Look at Access Control
    2. Organization Requirements for Access Control
    3. User Access Management
    4. User Responsibility
    5. System and Application Access Control
    6. Mobile Devices
    7. Teleworking
    8. Other Considerations
    9. Conclusion
    10. Notes
    11. About Sidriaan de Villiers, PwC Partner South Africa
  27. Chapter 23: Cybersecurity Systems: Acquisition, Development, and Maintenance
    1. Build, Buy, or Update: Incorporating Cybersecurity Requirements and Establishing Sound Practices
    2. Specific Considerations
    3. Conclusion
    4. Notes
    5. About Deloitte Advisory Cyber Risk Services
    6. About Michael Wyatt
  28. Chapter 24: People Risk Management in the Digital Age
    1. Rise of the Machines
    2. Enterprise-Wide Risk Management
    3. Tomorrow’s Talent
    4. Crisis Management
    5. Risk Culture
    6. Conclusion
    7. Notes
    8. About Airmic
    9. About Julia Graham
  29. Chapter 25: Cyber Competencies and the Cybersecurity Officer
    1. The Evolving Information Security Professional
    2. The Duality of the CISO
    3. Job Responsibilities and Tasks
    4. Conclusion
    5. Notes
    6. About ISACA
    7. About Ron Hale
  30. Chapter 26: Human Resources Security
    1. Needs of Lower-Maturity HR Functions
    2. Needs of Mid-Maturity HR Functions
    3. Needs of Higher-Maturity HR Functions
    4. Conclusion
    5. Notes
    6. About Domenic Antonucci
  31. Epilogue
    1. Background
    2. Becoming CyberSmart
    3. Notes
    4. About Domenic Antonucci
    5. About Didier Verstichel
  32. Glossary
  33. Index
  34. EULA