Details

The Cyber Risk Handbook

Creating and Measuring Effective Cybersecurity Capabilities
Wiley Finance, 1st edition

by: Domenic Antonucci

65,99 €

Publisher: Wiley
Format: EPUB
Published: 03.04.2017
ISBN/EAN: 9781119308959
Language: English
Number of pages: 448

DRM-protected eBook; to read it you need, for example, Adobe Digital Editions and an Adobe ID.

Description

Actionable guidance and expert perspective for real-world cybersecurity

The Cyber Risk Handbook is the practitioner's guide to implementing, measuring and improving the counter-cyber capabilities of the modern enterprise. The first resource of its kind, this book provides authoritative guidance for real-world situations, and cross-functional solutions for enterprise-wide improvement. Beginning with an overview of counter-cyber evolution, the discussion quickly turns practical with design and implementation guidance for the range of capabilities expected of a robust cyber risk management system that is integrated with the enterprise risk management (ERM) system. Expert contributors from around the globe weigh in on specialized topics with tools and techniques to help any type or size of organization create a robust system tailored to its needs. Chapter summaries of required capabilities are aggregated to provide a new cyber risk maturity model used to benchmark capabilities and to road-map gap-improvement.

Cyber risk is a fast-growing enterprise risk, not just an IT risk. Yet seldom is guidance provided as to what this means. This book is the first to tackle in detail those enterprise-wide capabilities expected by Board, CEO and Internal Audit, of the diverse executive management functions that need to team up with the Information Security function in order to provide integrated solutions.

- Learn how cyber risk management can be integrated to better protect your enterprise
- Design and benchmark new and improved practical counter-cyber capabilities
- Examine planning and implementation approaches, models, methods, and more
- Adopt a new cyber risk maturity model tailored to your enterprise needs

The need to manage cyber risk across the enterprise—inclusive of the IT operations—is a growing concern as massive data breaches make the news on an alarmingly frequent basis. With a cyber risk management system now a business-necessary requirement, practitioners need to assess the effectiveness of their current system, and measure its gap-improvement over time in response to a dynamic and fast-moving threat landscape. The Cyber Risk Handbook brings the world's best thinking to bear on aligning that system to the enterprise and vice versa. Every functional head of any organization must have a copy at hand to understand their role in achieving that alignment.
Table of Contents

Foreword by Ron Hale xxiii
About the Editor xxxi
List of Contributors xxxiii
Acknowledgments xxxv

CHAPTER 1 Introduction 1
Domenic Antonucci, Editor and Chief Risk Officer, Australia
    The CEO under Pressure 1
    Toward an Effectively Cyber Risk–Managed Organization 3
    Handbook Structured for the Enterprise 4
    Handbook Structure, Rationale, and Benefits 7
    Which Chapters Are Written for Me? 8

CHAPTER 2 Board Cyber Risk Oversight 11
Tim J. Leech, Risk Oversight Solutions Inc., Canada; Lauren C. Hanlon, Risk Oversight Solutions Inc., Canada
    What Are Boards Expected to Do Now? 11
    What Barriers to Action Will Well-Intending Boards Face? 13
    What Practical Steps Should Boards Take Now to Respond? 16
    Cybersecurity—The Way Forward 20
    About Risk Oversight Solutions Inc. 21
    About Tim J. Leech, FCPA, CIA, CRMA, CFE 21
    About Lauren C. Hanlon, CPA, CIA, CRMA, CFE 21

CHAPTER 3 Principles Behind Cyber Risk Management 23
RIMS, the risk management society™; Carol Fox, Vice President, Strategic Initiatives at RIMS, USA
    Cyber Risk Management Principles Guide Actions 23
    Meeting Stakeholder Needs 25
    Covering the Enterprise End to End 26
    Applying a Single, Integrated Framework 27
    Enabling a Holistic Approach 28
    Separating Governance from Management 31
    Conclusion 31
    About RIMS 32
    About Carol Fox 32

CHAPTER 4 Cybersecurity Policies and Procedures 35
The Institute for Risk Management (IRM); Elliot Bryan, IRM and Willis Towers Watson, UK; Alexander Larsen, IRM, and President of Baldwin Global Risk Services Ltd., UK
    Social Media Risk Policy 35
    Ransomware Risk Policies and Procedures 41
    Cloud Computing and Third-Party Vendors 45
    Big Data Analytics 50
    The Internet of Things 53
    Mobile or Bring Your Own Devices (BYOD) 55
    Conclusion 60
    About IRM 64
    About Elliot Bryan, BA (Hons), ACII 65
    About Alexander Larsen, FIRM, President of Baldwin Global Risk Services 65

CHAPTER 5 Cyber Strategic Performance Management 67
McKinsey & Company; James M. Kaplan, Partner, McKinsey & Company, New York, USA; Jim Boehm, Consultant, McKinsey & Company, Washington, USA
    Pitfalls in Measuring Cybersecurity Performance 68
    Cybersecurity Strategy Required to Measure Cybersecurity Performance 69
    Creating an Effective Cybersecurity Performance Management System 72
    Conclusion 77
    About McKinsey & Company 78
    About James Kaplan 78
    About Jim Boehm 79

CHAPTER 6 Standards and Frameworks for Cybersecurity 81
Stefan A. Deutscher, Principal, Boston Consulting Group (BCG), Berlin, Germany; William Yin, Senior Partner and Managing Director, Boston Consulting Group (BCG), Hong Kong
    Putting Cybersecurity Standards and Frameworks in Context 81
    Commonly Used Frameworks and Standards (a Selection) 84
    Constraints on Standards and Frameworks 93
    Good Practice Consistently Applied 93
    Conclusion 94
    About Boston Consulting Group (BCG) 95
    About William Yin 96
    About Dr. Stefan A. Deutscher 96

CHAPTER 7 Identifying, Analyzing, and Evaluating Cyber Risks 97
Information Security Forum (ISF); Steve Durbin, Managing Director, Information Security Forum Ltd.
    The Landscape of Risk 97
    The People Factor 98
    A Structured Approach to Assessing and Managing Risk 100
    Security Culture 101
    Regulatory Compliance 102
    Maturing Security 103
    Prioritizing Protection 104
    Conclusion 104
    About the Information Security Forum (ISF) 106
    About Steve Durbin 106

CHAPTER 8 Treating Cyber Risks 109
John Hermans, Cyber Lead Partner Europe, Middle East, and Africa at KPMG, The Netherlands; Ton Diemont, Senior Manager at KPMG, The Netherlands
    Introduction 109
    Treating Cybersecurity Risk with the Proper Nuance in Line with an Organization's Risk Profile 110
    Determining the Cyber Risk Profile 111
    Treating Cyber Risk 112
    Alignment of Cyber Risk Treatment 114
    Practicing Cyber Risk Treatment 115
    Conclusion 119
    About KPMG 120
    About John Hermans 121
    About Ton Diemont 121

CHAPTER 9 Treating Cyber Risks Using Process Capabilities 123
ISACA; Todd Fitzgerald, CISO and ISACA, USA
    Cybersecurity Processes Are the Glue That Binds 123
    No Intrinsic Motivation to Document 124
    Leveraging ISACA COBIT 5 Processes 125
    COBIT 5 Domains Support Complete Cybersecurity Life Cycle 137
    Conclusion 139
    About ISACA 140
    About Todd Fitzgerald 141

CHAPTER 10 Treating Cyber Risks—Using Insurance and Finance 143
Aon Global Cyber Solutions; Kevin Kalinich, Esq., Aon Risk Solutions Global Cyber Insurance Practice Leader, USA
    Tailoring a Quantified Cost-Benefit Model 143
    Planning for Cyber Risk Insurance 149
    The Risk Manager's Perspective on Planning for Cyber Insurance 150
    Cyber Insurance Market Constraints 152
    Conclusion 154
    About Aon 157
    About Kevin Kalinich, Esq. 158

CHAPTER 11 Monitoring and Review Using Key Risk Indicators (KRIs) 159
Ann Rodriguez, Managing Partner, Wability, Inc., USA
    Definitions 160
    KRI Design for Cyber Risk Management 160
    Conclusion 169
    About Wability 169
    About Ann Rodriguez 170

CHAPTER 12 Cybersecurity Incident and Crisis Management 171
CLUSIF (Club de la Sécurité de l'Information Français); Gérôme Billois, CLUSIF Administrator and Board Member Cybersecurity at Wavestone Consultancy, France
    Cybersecurity Incident Management 171
    Cybersecurity Crisis Management 174
    Conclusion 182
    About CLUSIF 183
    About Gérôme Billois, CISA, CISSP and ISO27001 Certified 183
    About Wavestone 183

CHAPTER 13 Business Continuity Management and Cybersecurity 185
Marsh; Sek Seong Lim, Marsh Risk Consulting Business Continuity Leader for Asia, Singapore
    Good International Practices for Cyber Risk Management and Business Continuity 186
    Embedding Cybersecurity Requirements in BCMS 188
    Developing and Implementing BCM Responses for Cyber Incidents 189
    Conclusion 190
    Appendix: Glossary of Key Terms 191
    About Marsh 191
    About Marsh Risk Consulting 192
    About Sek Seong Lim, CBCP, PMC 192

CHAPTER 14 External Context and Supply Chain 193
Supply Chain Risk Leadership Council (SCRLC); Nick Wildgoose, Board Member and ex-Chairperson of SCRLC, and Zurich Insurance Group, UK
    External Context 194
    Building Cybersecurity Management Capabilities from an External Perspective 200
    Measuring Cybersecurity Management Capabilities from an External Perspective 204
    Conclusion 204
    About the SCRLC 205
    About Nick Wildgoose, BA (Hons), FCA, FCIPS 205

CHAPTER 15 Internal Organization Context 207
Domenic Antonucci, Editor and Chief Risk Officer, Australia; Bassam Alwarith, Head of the National Digitization Program, Ministry of Economy and Planning, Saudi Arabia
    The Internal Organization Context for Cybersecurity 207
    Tailoring Cybersecurity to Enterprise Exposures 209
    Conclusion 240
    About Domenic Antonucci 241
    About Bassam Alwarith 241

CHAPTER 16 Culture and Human Factors 243
Avinash Totade, ISACA Past President UAE Chapter and Management Consultant, UAE; Sandeep Godbole, ISACA Past President Pune Chapter, India
    Organizations as Social Systems 243
    Human Factors and Cybersecurity 246
    Training 248
    Frameworks and Standards 249
    Technology Trends and Human Factors 250
    Conclusion 252
    About ISACA 253
    About Avinash Totade 253
    About Sandeep Godbole 254

CHAPTER 17 Legal and Compliance 255
American Bar Association Cybersecurity Legal Task Force; Harvey Rishikof, Chair, Advisory Committee to the Standing Committee on Law and National Security, USA; Conor Sullivan, Law Clerk for the Standing Committee on National Security, USA
    European Union and International Regulatory Schemes 255
    U.S. Regulations 258
    Counsel's Advice and "Boom" Planning 261
    Conclusion 266
    About the Cybersecurity Legal Task Force 269
    About Harvey Rishikof 269
    About Conor Sullivan 270

CHAPTER 18 Assurance and Cyber Risk Management 271
Stig J. Sunde, Senior Internal Auditor (ICT), Emirates Nuclear Energy Corporation (ENEC), UAE
    Cyber Risk Is Ever Present 271
    What the Internal Auditor Expects from an Organization Managing Its Cyber Risks Effectively 272
    How to Deal with Two Differing Assurance Maturity Scenarios 277
    Combined Assurance Reporting by ERM Head 278
    Conclusion 278
    About Stig Sunde, CISA, CIA, CGAP, CRISC, IRM Cert. 280

CHAPTER 19 Information Asset Management for Cyber 281
Booz Allen Hamilton; Christopher Ling, Executive Vice President, Booz Allen Hamilton, USA
    The Invisible Attacker 281
    A Troubling Trend 282
    Thinking Like a General 283
    The Immediate Need—Best Practices 283
    Cybersecurity for the Future 284
    Time to Act 286
    Conclusion 286
    About Booz Allen Hamilton 287
    About Christopher Ling 287

CHAPTER 20 Physical Security 289
Radar Risk Group; Inge Vandijck, CEO, Radar Risk Group, Belgium; Paul Van Lerberghe, CTO, Radar Risk Group, Belgium
    Tom Commits to a Plan 290
    Get a Clear View on the Physical Security Risk Landscape and the Impact on Cybersecurity 291
    Manage or Review the Cybersecurity Organization 294
    Design or Review Integrated Security Measures 295
    Reworking the Data Center Scenario 299
    Calculate or Review Exposure to Adversary Attacks 302
    Optimize Return on Security Investment 305
    Conclusion 306
    About Radar Risk Group 307
    About Inge Vandijck 307
    About Paul Van Lerberghe 307

CHAPTER 21 Cybersecurity for Operations and Communications 309
EY; Chad Holmes, Principal, Cybersecurity, Ernst & Young LLP (EY US); James Phillippe, Principal, Cybersecurity, Ernst & Young LLP (EY US)
    Do You Know What You Do Not Know? 309
    Threat Landscape—What Do You Know About Your Organization Risk and Who Is Targeting You? 310
    Data and Its Integrity—Does Your Risk Analysis Produce Insight? 310
    Digital Revolution—What Threats Will Emerge as Organizations Continue to Digitize? 311
    Changes—How Will Your Organization or Operational Changes Affect Risk? 312
    People—How Do You Know Whether an Insider or Outsider Presents a Risk? 312
    What's Hindering Your Cybersecurity Operations? 312
    Challenges from Within 313
    What to Do Now 313
    Conclusion 318
    About EY 319
    About Chad Holmes 319
    About James Phillippe 319

CHAPTER 22 Access Control 321
PwC; Sidriaan de Villiers, Partner—Africa Cybersecurity Practice, PwC South Africa
    Taking a Fresh Look at Access Control 321
    Organization Requirements for Access Control 322
    User Access Management 323
    User Responsibility 327
    System and Application Access Control 327
    Mobile Devices 329
    Teleworking 331
    Other Considerations 332
    Conclusion 333
    About PwC 334
    About Sidriaan de Villiers, PwC Partner South Africa 334

CHAPTER 23 Cybersecurity Systems: Acquisition, Development, and Maintenance 335
Deloitte; Michael Wyatt, Managing Director, Cyber Risk Services, Deloitte Advisory, USA
    Build, Buy, or Update: Incorporating Cybersecurity Requirements and Establishing Sound Practices 336
    Specific Considerations 342
    Conclusion 344
    About Deloitte Advisory Cyber Risk Services 346
    About Michael Wyatt 346

CHAPTER 24 People Risk Management in the Digital Age 347
Airmic; Julia Graham, Deputy CEO and Technical Director at Airmic, UK
    Rise of the Machines 347
    Enterprise-Wide Risk Management 348
    Tomorrow's Talent 350
    Crisis Management 354
    Risk Culture 355
    Conclusion 356
    About Airmic 358
    About Julia Graham 358

CHAPTER 25 Cyber Competencies and the Cybersecurity Officer 359
Ron Hale, PhD, CISM, ISACA, USA
    The Evolving Information Security Professional 359
    The Duality of the CISO 360
    Job Responsibilities and Tasks 363
    Conclusion 366
    About ISACA 368
    About Ron Hale 368

CHAPTER 26 Human Resources Security 369
Domenic Antonucci, Editor and Chief Risk Officer, Australia
    Needs of Lower-Maturity HR Functions 369
    Needs of Mid-Maturity HR Functions 370
    Needs of Higher-Maturity HR Functions 372
    Conclusion 373
    About Domenic Antonucci 374

Epilogue 375
Becoming CyberSmart™: a Risk Maturity Road Map for Measuring Capability Gap-Improvement
Domenic Antonucci, Editor and Chief Risk Officer (CRO), Australia; Didier Verstichel, Chief Information Security Officer (CISO) and Chief Risk Officer (CRO), Belgium
    Background 375
    Becoming CyberSmart™ 376
    About Domenic Antonucci 392
    About Didier Verstichel 392

Glossary 393
Index 399
About the Author

DOMENIC ANTONUCCI is a practicing international chief risk officer overseeing cybersecurity and a former counter-terrorist officer. Based in Dubai, UAE, he specializes in bringing organizations "up the risk maturity curve." He is the content author for the Benchmarker™ Risk Maturity Model software and author of Risk Maturity Models.

Praise for The Cyber Risk Handbook

"Domenic Antonucci and his outstanding collection of contributors have produced a most timely and comprehensive reference and teaching guide on one of the most potentially impactful and evolving risks facing organizations (and governments) today. This book should be an extremely valuable resource for directors, executives, chief information officers, risk managers, auditors, and all concerned with this critical topic. I particularly like how the risks and controls are presented in the context of overall governance and enterprise risk management."
—John R. S. Fraser, FCPA, FCA, Retired Chief Risk Officer and Adjunct Professor, York University

"Domenic makes a most practical and valuable contribution…he curates a wide-ranging body of knowledge on this most vexing topic from a globally diverse group of subject matter experts. Unlike books written by IT experts for IT practitioners, Mr. Antonucci provides an invaluable resource for management to enable them to ask the right questions of their IT experts … so as to assure themselves that the matters that should be keeping them awake at night are being addressed and that reporting systems are providing them with the management information they need to know rather than what they want to hear. Mr. Antonucci and his contributors are to be commended for their work."
—Kevin W. Knight, AM, Immediate Past Chairman, ISO/TC 262 – Risk Management and Adjunct Professor, University of Queensland Business School

"This timely cyber security reference guide, structured on a maturity model to aid comprehension of current capabilities, addresses what has become, for many organizations, their priority risk management activity. Cyber security is evolving in nature and becoming more prevalent, sophisticated, and invasive. The book rightly identifies cyber security as a C-Suite responsibility with enterprise-wide implications – not for delegation to the IT department. The way an organization addresses cyber-crime (as seen in the financial sector) has a direct bearing on its reputation, customer base, profitability, and indeed its very longevity."
—Dr. Robert Chapman, Managing Director, Dr. Chapman & Associates

"The Cyber Risk Handbook provides comprehensive and practical guidance. One of the key pluses of this book is its holistic focus on the importance of people, behavior, and processes, rather than just technological solutions. Domenic Antonucci has assembled a team of experts, all of whom are uniquely qualified to contribute to the ongoing discussion regarding this capricious and exponentially significant risk. I found The Cyber Risk Handbook an easy read, and I particularly liked the comprehensive overview of the key developments in cyber risk management. This book will appeal to a wide audience enabling them to learn solutions to critical issues and formulate a good practice methodology that ensures they stay ahead of the latest threats."
—Nicola Crawford, Chair, The Institute of Risk Management (IRM) and Managing Director, i-Risk Europe Ltd

"Very thorough and comprehensive. A wide variety of experts describing all facets of cyber risks … a necessary focus on top management involvement. Information and systems as the new risk frontier."
—Franck Baron, Chairman and VP, Pan Asia Risk & Insurance Management Association (PARIMA)
