book

The Cyber Risk Handbook

Name: The Cyber Risk Handbook
Author: Domenic Antonucci
ISBN: 9781119308805

by Domenic Antonucci

May 2017

Intermediate to advanced

448 pages

11h 33m

English

Wiley

Read now

Unlock full access

Foreword The State of Cybersecurity
The Global Cyber CrisisThe Time for ChangeIncreasing Cyber Risk Management MaturityAbout ISACAAbout Ron Hale
About the Editor
List of Contributors
Acknowledgments
Chapter 1: Introduction
The CEO under PressureToward an Effectively Cyber Risk–Managed OrganizationHandbook Structured for the EnterpriseHandbook Structure, Rationale, and BenefitsWhich Chapters Are Written for Me?
Chapter 2: Board Cyber Risk Oversight: What Needs to Change?
What Are Boards Expected to Do Now?What Barriers to Action Will Well-Intending Boards Face?What Practical Steps Should Boards Take Now to Respond?Cybersecurity—The Way ForwardNotesAbout Risk Oversight Solutions Inc.About Tim J. Leech, FCPA, CIA, CRMA, CFEAbout Lauren C. Hanlon, CPA, CIA, CRMA, CFE
Chapter 3: Principles Behind Cyber Risk Management
Cyber Risk Management Principles Guide ActionsMeeting Stakeholder NeedsCovering the Enterprise End to EndApplying a Single, Integrated FrameworkEnabling a Holistic ApproachSeparating Governance from ManagementConclusionNotesAbout RIMSAbout Carol Fox
Chapter 4: Cybersecurity Policies and Procedures
Social Media Risk PolicyRansomware Risk Policies and ProceduresCloud Computing and Third-Party VendorsBig Data AnalyticsThe Internet of ThingsMobile or Bring Your Own Devices (BYOD)ConclusionNotesAbout IRMAbout Elliot Bryan, BA (Hons), ACIIAbout Alexander Larsen, FIRM, President of Baldwin Global Risk Services
Chapter 5: Cyber Strategic Performance Management
Pitfalls in Measuring Cybersecurity PerformanceCybersecurity Strategy Required to Measure Cybersecurity PerformanceCreating an Effective Cybersecurity Performance Management SystemConclusionNoteAbout McKinsey CompanyAbout James KaplanAbout Jim Boehm
Chapter 6: Standards and Frameworks for Cybersecurity
Putting Cybersecurity Standards and Frameworks in ContextCommonly Used Frameworks and Standards (a Selection)Constraints on Standards and FrameworksConclusionNotesAbout Boston Consulting Group (BCG)About William YinAbout Dr. Stefan A. Deutscher

Chapter 7: Identifying, Analyzing, and Evaluating Cyber Risks
The Landscape of RiskThe People FactorA Structured Approach to Assessing and Managing RiskSecurity CultureRegulatory ComplianceMaturing SecurityPrioritizing ProtectionConclusionNotesAbout the Information Security Forum (ISF)About Steve Durbin
Chapter 8: Treating Cyber Risks
IntroductionTreating Cybersecurity Risk with the Proper Nuance in Line with an Organization’s Risk ProfileDetermining the Cyber Risk ProfileTreating Cyber RiskAlignment of Cyber Risk TreatmentPracticing Cyber Risk TreatmentConclusionAbout KPMGAbout John HermansAbout Ton Diemont
Chapter 9: Treating Cyber Risks Using Process Capabilities
Cybersecurity Processes Are the Glue That BindsNo Intrinsic Motivation to DocumentLeveraging ISACA COBIT 5 ProcessesCOBIT 5 Domains Support Complete Cybersecurity Life CycleConclusionAbout ISACAAbout Todd Fitzgerald
Chapter 10: Treating Cyber Risks—Using Insurance and Finance
Tailoring a Quantified Cost-Benefit ModelPlanning for Cyber Risk InsuranceThe Risk Manager’s Perspective on Planning for Cyber InsuranceCyber Insurance Market ConstraintsConclusionNotesAbout AonAbout Kevin Kalinich, Esq.
Chapter 11: Monitoring and Review Using Key Risk Indicators (KRIs)
DefinitionsKRI Design for Cyber Risk ManagementConclusionNotesAbout WabilityAbout Ann Rodriguez
Chapter 12: Cybersecurity Incident and Crisis Management
Cybersecurity Incident ManagementCybersecurity Crisis ManagementConclusionAbout CLUSIFAbout Gérôme Billois, CISA, CISSP and ISO27001 CertifiedAbout Wavestone
Chapter 13: Business Continuity Management and Cybersecurity
Good International Practices for Cyber Risk Management and Business ContinuityEmbedding Cybersecurity Requirements in BCMSDeveloping and Implementing BCM Responses for Cyber IncidentsConclusionAppendix: Glossary of Key TermsAbout MarshAbout Marsh Risk ConsultingAbout Sek Seong Lim, CBCP, PMC
Chapter 14: External Context and Supply Chain
External ContextBuilding Cybersecurity Management Capabilities from an External PerspectiveMeasuring Cybersecurity Management Capabilities from an External PerspectiveConclusionAbout The SCRLCAbout Nick Wildgoose, BA (Hons), FCA, FCIPS
Chapter 15: Internal Organization Context
The Internal Organization Context for CybersecurityTailoring Cybersecurity to Enterprise ExposuresConclusionNoteAbout Domenic AntonucciAbout Bassam Alwarith
Chapter 16: Culture and Human Factors
Organizations as Social SystemsHuman Factors and CybersecurityTrainingFrameworks and StandardsTechnology Trends and Human FactorsConclusionNoteAbout Avinash TotadeAbout Sandeep Godbole
Chapter 17: Legal and Compliance
European Union and International Regulatory SchemesU.S. RegulationsCounsel’s Advice and “Boom” PlanningConclusionNotesAbout the Cybersecurity Legal Task ForceAbout Harvey RishikofAbout Conor Sullivan
Chapter 18: Assurance and Cyber Risk Management
What the Internal Auditor Expects from an Organization Managing Its Cyber Risks EffectivelyHow to Deal with Two Differing Assurance Maturity ScenariosCombined Assurance Reporting by ERM HeadConclusionAbout Stig Sunde, CISA, CIA, CGAP, CRISC, IRM Cert.
Chapter 19: Information Asset Management for Cyber
The Invisible AttackerA Troubling TrendThinking Like a GeneralThe Immediate Need—Best PracticesCybersecurity for the FutureTime to ActConclusionAbout Booz Allen HamiltonAbout Christopher Ling
Chapter 20: Physical Security
Tom Commits to a PlanGet a Clear View on the Physical Security Risk Landscape and the Impact on CybersecurityManage or Review the Cybersecurity OrganizationDesign or Review Integrated Security MeasuresReworking the Data Center ScenarioCalculate or Review Exposure to Adversary AttacksOptimize Return on Security InvestmentConclusionAbout Radar Risk GroupAbout Inge VandijckAbout Paul van Lerberghe
Chapter 21: Cybersecurity for Operations and Communications
Do You Know What You Do Not Know?Threat Landscape—What Do You Know About Your Organization Risk and Who Is Targeting You?Data and Its Integrity—Does Your Risk Analysis Produce Insight?Digital Revolution—What Threats Will Emerge as Organizations Continue to Digitize?Changes—How Will Your Organization or Operational Changes Affect Risk?People—How Do You Know Whether an Insider or Outsider Presents a Risk?What’s Hindering Your Cybersecurity Operations?Challenges from WithinWhat to Do NowConclusionAbout EYAbout Chad HolmesAbout James Phillippe
Chapter 22: Access Control
Taking a Fresh Look at Access ControlOrganization Requirements for Access ControlUser Access ManagementUser ResponsibilitySystem and Application Access ControlMobile DevicesTeleworkingOther ConsiderationsConclusionNotesAbout Sidriaan de Villiers, PwC Partner South Africa
Chapter 23: Cybersecurity Systems: Acquisition, Development, and Maintenance
Build, Buy, or Update: Incorporating Cybersecurity Requirements and Establishing Sound PracticesSpecific ConsiderationsConclusionNotesAbout Deloitte Advisory Cyber Risk ServicesAbout Michael Wyatt
Chapter 24: People Risk Management in the Digital Age
Rise of the MachinesEnterprise-Wide Risk ManagementTomorrow’s TalentCrisis ManagementRisk CultureConclusionNotesAbout AirmicAbout Julia Graham
Chapter 25: Cyber Competencies and the Cybersecurity Officer
The Evolving Information Security ProfessionalThe Duality of the CISOJob Responsibilities and TasksConclusionNotesAbout ISACAAbout Ron Hale
Chapter 26: Human Resources Security
Needs of Lower-Maturity HR FunctionsNeeds of Mid-Maturity HR FunctionsNeeds of Higher-Maturity HR FunctionsConclusionNotesAbout Domenic Antonucci
Epilogue
BackgroundBecoming CyberSmartNotesAbout Domenic AntonucciAbout Didier Verstichel
Glossary
Index
EULA

Content preview from The Cyber Risk Handbook

Chapter 26 Human Resources Security

Domenic Antonucci, Editor and Chief Risk Officer, Australia

Grace, the head of human relations, is in CEO Tom’s office for the last time before Tom is to present to the board. Tom said, “Well, Grace, I’ve heard nearly everyone mention something that also seemed to involve your HR function. Can you just spell out the basic capabilities for human resources security that you are responsible for in HR?”

If people are said to be the weakest links in any security system, then the HR function and its processes have a role to play. As the needs of organizations and their HR functions of varying size and maturity may differ, let us summarize in this chapter recommended capabilities expected of lower-, mid-, and higher-maturity HR functions. For more detail on what constitutes the HR function’s process maturity, refer to the SEI capability maturity model approach.¹

Needs of Lower-Maturity HR Functions

Some HR functions are small or at lower-levels of HR process capability maturity. Here, managers take basic and possibly some managed levels of responsibility for managing and developing their people within the cybersecurity and enterprise functions. No matter how small or immature, there is no excuse for not communicating to staff minimum protocols or a standard for HR cybersecurity.

An Example Human Resource Security Standard

For heads of HR in a hurry, the City University of Hong Kong Human Resource Security Standard is a public domain document ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781119308805Purchase book

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design