
Cyber Strategy: Risk-Driven Security and Resiliency

โœ Scribed by Carol A. Siegel, Mark Sweeney


Publisher: Auerbach Publications
Year: 2020
Language: English
Pages: 215
Edition: 1
Category: Library


✦ Synopsis


Cyber Strategy: Risk-Driven Security and Resiliency provides a process and roadmap for any company to develop its unified Cybersecurity and Cyber Resiliency strategies. It demonstrates a methodology for companies to combine their disassociated efforts into one corporate plan, with buy-in from senior management, that will efficiently utilize resources, target high-risk threats, and evaluate risk assessment methodologies and the efficacy of the resulting risk mitigations. The book discusses all the steps required, from conception of the plan through preplanning (mission/vision, principles, strategic objectives, new initiative derivation), project management directives, cyber threat and vulnerability analysis, and cyber risk and controls assessment, to reporting and measurement techniques for plan success and overall strategic plan performance. In addition, a methodology is presented to aid in new initiative selection for the following year by identifying all relevant inputs.


Tools utilized include:

  • Key Risk Indicators (KRI) and Key Performance Indicators (KPI)
  • National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) Target State Maturity interval mapping per initiative
  • Comparisons of current and target state business goals and critical success factors
  • A quantitative NIST-based risk assessment of initiative technology components
  • Responsible, Accountable, Consulted, Informed (RACI) diagrams for Cyber Steering Committee tasks and Governance Boards' approval processes
  • Swimlanes, timelines, data flow diagrams (inputs, resources, outputs), progress report templates, and Gantt charts for project management

The last chapter provides downloadable checklists, tables, data flow diagrams, figures, and assessment tools to help develop your company's cybersecurity and cyber resiliency strategic plan.

✦ Table of Contents


Cover
Half Title
Title Page
Copyright Page
Contents
Author Biographies
Chapter 1: Why Cybersecurity and Cyber Resiliency Strategies Are Mandatory for Organizations Today
1.1. The Value Proposition
1.2. The 6 STEPs for Developing and Maintaining a Cybersecurity and Cyber Resiliency Strategy
1.3. Cybersecurity and Cyber Resiliency Strategy Key Players
1.4. Initiating the Strategy
1.5. Triggers to Create a Corporate Cybersecurity and Cyber Resiliency Strategy
1.6. Information Security vs. Cybersecurity
1.6.1. Information Security
1.6.2. Cybersecurity
1.7. Cyber Resiliency vs. Traditional Resiliency
1.8. Cybersecurity and Cyber Resiliency Strategy Life Cycle
1.9. Cyber Strategies vs. Cyber Programs
1.10. Cybersecurity and Cyber Resiliency Programs for Organizations
1.11. Cybersecurity and Cyber Resiliency Architecture: Standards and Frameworks
1.11.1. Enterprise Information Security Architecture
1.11.2. Regulatory Security Architecture
1.11.3. Introduction to the NIST Cybersecurity Framework (CSF)
1.12. Cyber Program Preplanning
1.13. Technical Areas of Concentration for a Cyber Program
Chapter 2: The 6 STEPs in Developing and Maintaining a Cybersecurity and Cyber Resiliency Strategy
2.1. STEP 1: Preplanning: Preparation for Strategy Development
2.1.1. Corporate Culture and Organizational Analysis
2.1.2. Matrixed Organizational Structure
2.1.3. Siloed Organizational Structure
2.1.4. Enabling the Organization for Strategy Adoption
2.1.5. Forming a Steering Committee
2.1.6. Creating Strategic Plan Critical Success Factors
2.1.7. Designating a Project Manager for the Steering Committee
2.1.8. Developing Steering Committee Tasks
2.1.9. Establishing Corporate Business Values
2.1.10. Determining the Mission/Vision, Principles, and Strategic Objectives for Cybersecurity and Cyber Resiliency
2.1.10.1. Mission/Vision
2.1.10.2. Cyber Program Principles
2.1.10.3. Strategic Objectives
2.2. STEP 2: Strategy Project Management
2.2.1. Initiatives for Cybersecurity Strategic Objectives
2.2.2. Initiatives for Cyber Resiliency Strategic Objectives
2.2.3. Creating a Strategy Project Charter
2.2.4. Aligning the Strategy with Other Existing Corporate Strategies and Corporate Business Objectives
2.2.5. Developing a Strategic Plan Overview Reporting Template
2.2.6. Determining Work Efforts
2.2.7. Strategy Timeline
2.2.8. Strategy Swimlane
2.2.9. NIST CSF Initiative Mapping
2.2.10. The Final Strategy Document Deliverable
2.3. STEP 3: Cyber Threats, Vulnerabilities, and Intelligence Analysis
2.3.1. Cyber Threats
2.3.1.1. Cyber Threat Risk Reporting
2.3.2. Threat Intelligence, Identification, and Modeling
2.3.3. Vulnerabilities
2.3.3.1. Asset Related Vulnerabilities
2.3.3.2. Vulnerability Severity Risk Reporting
2.4. STEP 4: Cyber Risks and Controls
2.4.1. Cyber Risk Category Definitions for Business
2.4.2. Risk Appetite and Risk Tolerance
2.4.3. Cyber Risk Measurement Methodologies
2.4.3.1. Cyber Risk Management
2.4.3.2. Cyber Risk Calculation
2.4.4. Controls
2.4.5. Cyber Insurance
2.5. STEP 5: Assessing Current and Target States
2.5.1. Types of Assessments
2.6. STEP 6: Measuring Strategic Plan Performance and End of Year (EoY) Tasks
2.6.1. Cyber Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs)
2.7. Governance Cycles and Processes
2.8. Proposing New Initiatives to Mitigate Threats and Reduce Risk
2.8.1. Cybersecurity and Cyber Resiliency Reporting – Yearly Report Example
2.8.2. Refining the Strategy over Time – End of Year (EoY) Tasks
2.8.2.1. Gathering Data to Measure Strategy Performance
2.8.2.2. Creating Yearly Reports to Show Performance
2.8.2.3. Determining New Initiatives for the Following Year
2.8.2.4. Perform Various Project Management Tasks
2.9. Checklists and Templates
Notes
Chapter 3: Strategy Project Management
3.1. Vision to Initiative Flow
3.2. Strategy Project Charter
3.3. Strategy Preparation Checklist
3.4. Strategy Timeline
3.5. Strategy Gantt Chart
3.6. Strategy Swimlane
3.7. Data Flow Diagrams for STEPs 2, 3, 4, 5, and 6
3.8. RACI Strategy Development Matrix
3.9. NIST CSF Initiative Mapping
3.10. The Final Strategy Deliverable
Chapter 4: Cyber Threats, Vulnerabilities, and Intelligence Analysis
4.1. Threats in the Context of a Cybersecurity and Cyber Resiliency Strategy
4.1.1. Definition of a Threat
4.1.2. Evolution of Cyber Threats
4.1.2.1. The Early Stages of Cyber Threats
4.1.2.2. Present-Day and Future Cyber Threat Actors
4.1.3. Types of Threats and Actors
4.1.3.1. Script Kiddies
4.1.3.2. Hacktivists
4.1.3.3. Organized Crime Groups
4.1.3.4. Nation-States
4.1.3.5. Insider Threats
4.1.3.6. Artificial Intelligence Powered Threats
4.1.4. Threat Intelligence, Identification, and Modeling
4.1.4.1. MITRE ATT&CK
4.1.4.2. Threat Intelligence, Identification, and Modeling within a Strategy and a Program
4.1.4.3. Monitoring for Threats
4.1.4.4. Reporting on Threat Intelligence
4.2. Vulnerabilities
4.2.1. Open Web Application Security Project (OWASP) Application Security Vulnerabilities
4.2.2. Identifying Vulnerabilities
4.2.2.1. Modern-Day Vulnerability Management Issues
4.2.3. Asset-Related Vulnerabilities
4.2.4. Common Vulnerability Scoring System (CVSS)
4.2.5. Vulnerabilities in the Context of a Strategy
4.3. Cyberattacks
4.3.1. Common Types of Cyberattacks
4.3.2. Typical Types of Losses Due to Cyberattacks
Notes
Chapter 5: Cyber Risks and Controls
5.1. Cyber Risk
5.1.1. Cyber Risk Framework
5.1.2. Risk Category Definitions
5.1.3. Risk Tolerance and Risk Appetite
5.1.3.1. Risk Appetite
5.1.3.2. Risk Tolerance
5.1.3.3. Risk Appetite vs. Risk Tolerance
5.1.4. Cyber Risk Measurement Methodologies
5.1.4.1. US National Institute of Standards and Technology's Special Publications 800-30
5.1.5. A NIST 800-30 Cyber Risk Assessment Example
5.1.5.1. NIST Risk Descriptions for Government Entities
5.1.5.2. NIST Adversarial Threat Ratings
5.1.6. Other Well-Known Cyber Risk Assessment Methodologies
5.1.6.1. ISACA Risk Framework – Risk IT
5.1.6.2. The International Organization for Standardization/International Electrotechnical Commission's (ISO/IEC) 27000
5.1.6.3. A Guide to the Project Management Body of Knowledge (PMBOK® Guide)
5.1.6.4. Open Web Application Security Project™ (OWASP) Risk Rating Methodology
5.1.6.5. Committee of Sponsoring Organization of the Treadway Commission (COSO) Enterprise Risk Management (ERM)
5.1.6.6. Factor Analysis of Information Risk (FAIR)
5.1.6.7. Carnegie Mellon® Risk Quantification Method (CM RQM)
5.1.7. Risk Disclosure: The Securities and Exchange Commission (SEC) Guidance on Risk (Feb 2018)
5.2. IT Controls
5.2.1. Main Functions of Controls
5.2.2. Maturity of Controls
5.2.3. The Center for Internet Security Critical Security Controls
5.2.4. Auditing of Information Technology (IT) Controls
5.3. Cyber Insurance
5.3.1. Risk Transfer
Notes
Chapter 6: Current and Target State Assessments
6.1. Introduction to Assessments
6.2. Current State Assessments
6.2.1. Categories of Assessments
6.2.1.1. Self-Assessments
6.2.1.2. External/Third-Party Assessments
6.2.1.3. Audits (Internal & External)
6.2.2. Frameworks, Industry Standards, Regulations, and Models
6.2.2.1. NIST Cybersecurity Framework Core Identifiers and Categories
6.3. Conducting a Current State Assessment
6.4. Unmapped Initiatives Discussion
6.5. Target State Assessment
6.5.1. NIST CSF Target States
6.6. How to Rate Current and Target States
Chapter 7: Measuring Strategic Plan Performance and End of Year (EoY) Tasks
7.1. Evaluating the Strategy Against the Critical Success Factors
7.2. Key Risk Indicators (KRIs)
7.3. Key Performance Indicators (KPIs)
7.4. Reporting on the Strategies
7.4.1. Cybersecurity and Cyber Resiliency Initiatives Mapped to NIST CSF Subcategories
7.4.2. Cybersecurity Initiatives NOT Mapped to the NIST CSF
7.4.3. Initiative to CSF Mapping Per Objective
7.4.4. Strategic Plan Progress Reports – Cybersecurity and Cyber Resiliency
7.4.5. Current State to End of Year and Target State Maturity Tier Rating
7.4.6. Preparation of the EoY Performance Report
7.5. Determining New Initiatives for the Next Year
7.6. End of Year Tasks
7.6.1. Define the Strategy's Pyramid Parameters for Following Year
7.6.2. Create the Timeline for Following Year
7.6.3. Confirm Steering Group Member Composition
7.6.4. Distribute EoY Performance Reports to Senior Management
7.6.5. End of Year Steering Committee Responsibilities RACI
7.6.6. Ensure Compliance with Regulations
7.6.7. Complete Governance Hoops
7.6.7.1. Governance Organization Diagram
7.6.7.2. Strategy Governance Body RACI
7.6.7.3. Governance Approval Swimlane for the Cybersecurity and Cyber Resiliency Strategy
7.6.8. Cybersecurity and Cyber Resiliency Strategy Life Cycle
Chapter 8: Checklists and Templates to Help Create an Enterprise-Wide Cybersecurity and Cyber Resiliency Strategy
8.1. Guides to Strategy Preparation
8.2. STEP 1: Preplanning: Preparation for Strategy Development
8.2.1. Preplanning Checklist
8.2.2. Mission/Vision, Principles, Strategic Objectives, and Initiatives Pyramid
8.2.3. Analyze Organizational and Cultural Structure
8.2.4. RACI Completion for STEP 1
8.2.5. Critical Success Factors Validation
8.2.6. Evaluate Organizational Readiness
8.3. STEP 2: Strategy Project Management
8.3.1. Project Charter
8.3.2. RACI Completion for STEP 2
8.3.3. Complete RACI Development for the Steering Committee Tasks
8.3.4. Data Flow Analysis for STEP 2
8.3.5. Develop Draft Final Deliverable Table of Contents
8.4. STEPs 3 and 4: Cyber Threats, Vulnerabilities, Intelligence Analysis, Risks, and Controls
8.4.1. RACI for STEPs 3 and 4: Cyber Threats, Vulnerabilities & Cyber Risks, and Controls
8.4.2. Data Flow Analysis for STEPs 3 and 4
8.4.3. Incidents to Controls Mapping
8.5. STEP 5: Current and Target State Assessments
8.5.1. RACI for STEP 5: Current and Target State Assessments
8.5.2. Data Flow Analysis for STEP 5: Current and Target State Assessments
8.5.3. Performing a Quantitative Risk Assessment
8.6. STEP 6: Measuring Plan Performance and EoY Tasks
8.6.1. Checklist for STEP 6: End of Year Tasks
8.6.2. RACI for STEP 6: Measuring Plan Performance and EoY Tasks
8.6.3. Data Flow Diagram for STEP 6: Measuring Strategic Plan Performance and EoY Tasks
8.6.4. Derive the Critical Success Factors
8.6.5. Review the Key Risk Indicators and Key Performance Indicators
8.6.6. Strategic Plan Reporting Template
8.6.7. Initiative to CSF Mapping Per Objective
8.6.8. Cybersecurity and Cyber Resiliency Yearly Report
8.6.9. Governance Hoops
8.6.10. Governance Approval Organization Hierarchy
8.6.11. Governance Approval RACI
8.6.12. Governance Approval Swimlane
8.7. Assembling the Full Project RACI
8.8. Chapter 8 Downloadable Files

