The cyber risk handbook: Creating and measuring effective cybersecurity capabilities

(CYB-RISK) / ISBN : 978-1-61691-306-9

Skills You’ll Get

1

Introduction

  • The CEO under Pressure
  • Toward an Effectively Cyber Risk–Managed Organization
  • Handbook Structured for the Enterprise
  • Handbook Structure, Rationale, and Benefits
2

A Cybersecurity Primer

  • Cybersecurity Defined
  • The Meaning of Security
  • Measuring Cybersecurity's Success
  • Deter, Identify, Protect, Detect, Respond
  • Cybersecurity Controls and Defense in Depth
  • Defense in Depth
  • The Threats
  • Threat Agents
  • Key Trends Influencing Threat Agents
  • The Nature of Hackers
  • Attack Process
  • Types of Attacks
  • A Brief Cyberglossary of Terms
3

Board Cyber Risk Oversight: What Needs to Change?

  • What Are Boards Expected to Do Now?
  • What Barriers to Action Will Well-Intending Boards Face?
  • What Practical Steps Should Boards Take Now to Respond?
  • Cybersecurity—The Way Forward
  • About the Authors: Risk Oversight Solutions Inc.
  • About the Authors: Tim J. Leech, FCPA, CIA, CRMA, CFE
  • About the Authors: Lauren C. Hanlon, CPA, CIA, CRMA, CFE
4

Management, Governance, and Alignment

  • Why Governance Matters
  • Strategy, Steering, and Standards
  • Critical Success Factors
5

Culture and Human Factors

  • Organizations as Social Systems
  • Human Factors and Cybersecurity
  • Training
  • Frameworks and Standards
  • Technology Trends and Human Factors
  • Conclusion
  • About the Authors: ISACA
  • About the Authors: Avinash Totade
  • About the Authors: Sandeep Godbole
6

Cybersecurity Policies and Procedures

  • Social Media Risk Policy
  • Ransomware Risk Policies and Procedures
  • Cloud Computing and Third-Party Vendors
  • Big Data Analytics
  • The Internet of Things
  • Mobile or Bring Your Own Devices (BYOD)
  • Conclusion
  • About the Authors: IRM
  • About the Authors: Elliot Bryan, BA (Hons), ACII
  • About the Authors: Alexander Larsen, FIRM, President of Baldwin Global Risk Services
7

Understanding Risk

  • How Much Is It Worth to You?
  • Risk! Not Just a Board Game
8

Treating Cyber Risks Using Process Capabilities

  • Cybersecurity Processes Are the Glue That Binds
  • No Intrinsic Motivation to Document
  • Leveraging ISACA COBIT 5 Processes
  • COBIT 5 Domains Support Complete Cybersecurity Life Cycle
  • Conclusion
  • About the Authors: ISACA
  • About the Authors: Todd Fitzgerald
9

Your Cybersecurity Program: A High-Level Overview

  • Vision and Mission Statements
  • Culture and Strategy
  • Off to See the Wizard
  • What's at Risk?
  • Threat Assessment
  • At the Club House Turn!
  • Mitigating Risk
  • Incident‐Response Planning
10

Principles Behind Cyber Risk Management

  • Cyber Risk Management Principles Guide Actions
  • Meeting Stakeholder Needs
  • Covering the Enterprise End to End
  • Applying a Single, Integrated Framework
  • Enabling a Holistic Approach
  • Separating Governance from Management
  • Conclusion
  • About the Authors: RIMS
  • About the Authors: Carol Fox
11

Identifying, Analyzing, and Evaluating Cyber Risks

  • The Landscape of Risk
  • The People Factor
  • A Structured Approach to Assessing and Managing Risk
  • Security Culture
  • Regulatory Compliance
  • Maturing Security
  • Prioritizing Protection
  • Conclusion
  • About the Authors: the Information Security Forum (ISF)
  • About the Authors: Steve Durbin
12

Treating Cyber Risks

  • Introduction
  • Treating Cybersecurity Risk with the Proper Nuan... Line with an Organization’s Risk Profile
  • Determining the Cyber Risk Profile
  • Treating Cyber Risk
  • Alignment of Cyber Risk Treatment
  • Practicing Cyber Risk Treatment
  • Conclusion
  • About the Authors: KPMG
  • About the Authors: John Hermans
  • About the Authors: Ton Diemont
13

Treating Cyber Risks—Using Insurance and Finance

  • Tailoring a Quantified Cost-Benefit Model
  • Planning for Cyber Risk Insurance
  • The Risk Manager’s Perspective on Planning for Cyber Insurance
  • Cyber Insurance Market Constraints
  • Conclusion
  • About the Authors: Aon
  • About the Authors: Kevin Kalinich, Esq.
14

Business Continuity Management and Cybersecurity

  • Good International Practices for Cyber Risk Management and Business Continuity
  • Embedding Cybersecurity Requirements in BCMS
  • Developing and Implementing BCM Responses for Cyber Incidents
  • Conclusion
  • About the Authors: Marsh
  • About the Authors: Marsh Risk Consulting
  • About the Authors: Sek Seong Lim, CBCP, PMC
15

Information Asset Management for Cyber

  • The Invisible Attacker
  • A Troubling Trend
  • Thinking Like a General
  • The Immediate Need—Best Practices
  • Cybersecurity for the Future
  • Time to Act
  • Conclusion
  • About the Authors: Booz Allen Hamilton
  • About the Authors: Christopher Ling
16

Living Cybersecure!

  • General Data Protection Regulation (GDPR), Privacy, and Regulators
  • Artificial Intelligence and Machine Learning
  • Blockchain
  • Quantum Computing
17

Legal and Compliance

  • European Union and International Regulatory Schemes
  • U.S. Regulations
  • Counsel’s Advice and “Boom” Planning
  • Conclusion
  • About the Authors: the Cybersecurity Legal Task Force
  • About the Authors: Harvey Rishikof
  • About the Authors: Conor Sullivan
18

Access Control

  • Taking a Fresh Look at Access Control
  • Organization Requirements for Access Control
  • User Access Management
  • User Responsibility
  • System and Application Access Control
  • Mobile Devices
  • Teleworking
  • Other Considerations
  • Conclusion
  • About the Authors: PwC
  • About the Authors: Sidriaan de Villiers, PwC Partner South Africa
19

Controls

  • Preventative Controls
  • Detective Controls
  • Corrective Controls
  • Compensatory Controls
  • Defense in Depth
  • People, Technology, and Operations
  • Communications
  • Policies, Standards, Procedures, and Guidelines
  • Regulatory Compliance: The European Example
  • Pulling It All Together
20

Cyber Strategic Performance Management

  • Pitfalls in Measuring Cybersecurity Performance
  • Cybersecurity Strategy Required to Measure Cybersecurity Performance
  • Creating an Effective Cybersecurity Performance Management System
  • Conclusion
  • About the Authors: McKinsey Company
  • About the Authors: James Kaplan
  • About the Authors: Jim Boehm
21

Epilogue

  • Background
  • Becoming CyberSmart
  • About the Authors: Domenic Antonucci
  • About the Authors: Didier Verstichel
22

Supplemental: Environments

  • On‐Premises (Onsite) Computing Environments
  • Private‐Cloud Computing Environments
  • Public‐Cloud Computing Environments
  • Hybrid‐Cloud Computing Environments
  • The Internet of Things (IoT)
  • Distributed Workforces
23

Supplemental: Clear and Present Danger

24

Supplemental: The State of Cybersecurity

  • The Global Cyber Crisis
  • The Time for Change
  • Increasing Cyber Risk Management Maturity
  • About the Authors: ISACA
  • About the Authors: Ron Hale
25

Supplemental: Standards and Frameworks for Cybersecurity

  • Putting Cybersecurity Standards and Frameworks in Context
  • Commonly Used Frameworks and Standards (a Selection)
  • Constraints on Standards and Frameworks
  • Conclusion
  • About the Authors: Boston Consulting Group (BCG)
  • About the Authors: William Yin
  • About the Authors: Dr. Stefan A. Deutscher
26

Supplemental: Cyber Competencies and the Cybersecurity Officer

  • The Evolving Information Security Professional
  • The Duality of the CISO
  • Job Responsibilities and Tasks
  • Conclusion
  • About ISACA
  • About Ron Hale
27

Supplemental: Human Resources Security

  • Needs of Lower-Maturity HR Functions
  • Needs of Mid-Maturity HR Functions
  • Needs of Higher-Maturity HR Functions
  • Conclusion
  • About the Author: Domenic Antonucci

1

Cyber Strategic Performance Management

  • Cyber Range
