Boardroom Cybersecurity : A Director’s Guide to Mastering Cybersecurity Fundamentals
معرفی کتاب «Boardroom Cybersecurity : A Director’s Guide to Mastering Cybersecurity Fundamentals» نوشتهٔ Joël Dicker و Dan Weis، منتشرشده توسط نشر Apress L. P. در سال 2025. این کتاب در فرمت epub، زبان انگلیسی ارائه شده است.
This book delves into the critical realm of cyber security, specifically focusing on the ever-present threats that can cripple your organization. We will dissect real-world attacks methods and mitigation strategies, analyze industry and regulatory requirements as they impact your boardroom decisions, and expose the vulnerabilities that leave organizations susceptible to data breaches. But why should cyber security be a top priority for CEOs, directors, and board members? A successful cyber-attack can be catastrophic. Beyond financial losses, data breaches can erode customer trust, damage brand reputation, disrupt critical operations, and even lead to legal ramifications for the board and for directors, such as regulatory fines and lawsuits. This book empowers you to make informed decisions for your organization regarding cyber risk. We will equip you to not only understand the evolving threat landscape and the potential impact of an attack, but also to proactively reduce and mitigate those risks. This knowledge will ensure you fulfill your reporting obligations and demonstrate strong corporate governance in the face of ever-present cyber threats. The digital age presents immense opportunities, but it also demands a heightened awareness of cyber security risks. This book is your roadmap to navigating this complex landscape, understanding your obligations as a director or board member, and ensuring your organization remains secure and thrives in this increasingly digital world. What You Will Learn: Typical methods employed by cybercriminal gangs. Board and management responsibilities and obligations. Common governance principles and standards. What are the cybersecurity frameworks and how do they work together? Best practices for developing a cybersecurity strategy. Understanding penetration testing reports and compliance audits. Tips for reading and understanding the audit report. Table of Contents About the Author and why this book Preface Introduction Part I: Understanding the Cyber Security Landscape: Threats, Roles, Governance and Frameworks Chapter 1: The Evolving Threat Landscape: Understanding Cyber Threats in the Digital Age 1.1 Traditional Threats with a Modern Twist 1.2 The Rise of New Threats 1.3 Key Questions for Your Organization 1.4 Key Takeaways References Chapter 2: Understanding the Who and Why 2.1 The Typical Methods Employed by Cybercriminal Gangs 2.2 Key Questions for Your Organization 2.3 Key Takeaways References Chapter 3: Director Responsibilities and Obligations 3.1 Australian Privacy Principles (APP 11) [12] 3.2 Real-World Example – Telstra APP Breach 3.3 Notifiable Data Breaches Scheme [13] 3.3.1 A Note on PHI vs. PII in the Context of the NDBS 3.4 The Corporations Act 2001 (Cth) [14] 3.5 Real-World Example – Corporation Act Failure 3.6 International Obligations for Cybersecurity and PII for Australian Organizations Operating Globally 3.7 Key Questions for Your Organization 3.8 Key Takeaways References Chapter 4: Common Cyber Governance Principles and Standards 4.1 AICD Cyber Security Governance Principles 4.2 ASIC Cybersecurity Requirements 4.3 APRA Prudential Standard – CPS 231/234 4.4 ASIC Cybersecurity Requirements vs. AICD Cyber Security Governance Principles vs. APRA Requirements for Cybersecurity 4.5 How They Work Together 4.6 Real-World Example – Sunshine Coast Health Network 4.7 Key Questions for Your Organization 4.8 Key Takeaways Chapter 5: Cybersecurity Frameworks 5.1 ACSC Essential Eight 5.2 NIST Cybersecurity Framework 5.3 CIS Controls 5.4 So, What Are the Differences Between These Three Frameworks, and Why Would I Choose One Over Another? 5.5 Cloud Controls Matrix (CCM) 5.6 Australian Energy Sector Cyber Security Framework (AESCSF) 5.7 Control Objectives for Information Technology (COBIT) 5.8 Australian Government Protective Security Policy Framework (PSPF) 5.9 Real-World Example – EnergyAustralia 5.10 Prioritizing Framework Adoption 5.11 Key Questions for Your Organization 5.12 Key Takeaways References Part II: Overseeing Cybersecurity risk: Requirements, Attack Vectors, Strategies and Mitigation Controls Chapter 6: How They Work Together 6.1 First Layer – Cyber Governance and Principles 6.2 Second Layer – Cyber Frameworks 6.3 Third Layer – Controls/Processes 6.4 Fourth Layer – Compliance 6.5 Real-World Example – Qantas 6.6 MITRE ATT&CK 6.7 The Role of Threat Intelligence 6.8 Real-World Example – Threat Intelligence 6.9 Key Questions for Your Organization 6.10 Key Takeaways Chapter 7: Understanding Cyber Risk and Cyber Resilience 7.1 Oversight and Direction 7.1.1 Cyber Risk Appetite 7.1.2 Define Roles and Responsibilities 7.1.3 Board Training/Education 7.1.4 Reporting 7.1.5 Third-Party Guidance/Oversight 7.1.6 Understanding and Development of a Cybersecurity Strategy Best Practices for Developing a Cybersecurity Strategy 7.1.7 Key Questions for Your Organization 7.2 People 7.2.1 Attack Vectors Targeting People 7.2.2 Real-World Example – Attacks Against People 7.2.3 Mitigating People Risk 7.2.4 Mitigating Risks Associated with Hybrid Working Budget-Conscious Organizations and Zero Trust 7.2.5 Real-World Example – Hybrid Working Attack 7.2.6 Key Questions for Your Organization 7.3 Process and IT Functions 7.3.1 Attack Vectors Targeting Process and IT Functions 7.3.2 Lack of Internal IT Processes and Procedures 7.3.3 Underresourced Teams 7.3.4 Real-World Example – Helpful IT People That Are Underresourced and Missing IT Processes 7.3.5 Lack of Supply Chain Vetting 7.3.6 Real-World Example: Supply Chain Attack – Masquerading 7.3.7 How Do I Vet My Suppliers or Potential Suppliers? 7.3.8 Data 7.3.9 Governance of Data 7.3.10 Real-World Example – Data 7.3.11 Mitigating Risk Associated with Process and IT Functions Business Processes and Procedures IT Processes Systems Maintenance and Housekeeping Vulnerability Management and Patching Backups Housekeeping Practices That Increase Risk Data Governance and Missing Cleanup Practices Resources 7.3.12 Key Questions for Your Organization 7.4 Technology 7.4.1 Attack Vectors Targeting Technology 7.4.2 Mitigating Technology Risks 7.4.3 Multi-factor Authentication (MFA) 7.4.4 Passwords Passkeys 7.4.5 Password Manager 7.4.6 Endpoint Protection 7.4.7 Next-Gen Firewalls (NGFW) 7.4.8 Application Whitelisting 7.4.9 Email Filtering 7.4.10 USB Controls 7.4.11 Cloud Security Controls Microsoft 365 (M365)/Azure G-Suite (Google) 7.4.12 Real-World Example – Technology 7.4.13 Mitigating Risk Associated with Technology 7.4.14 Key Questions for Your Organization 7.5 Response and Visibility 7.5.1 In-House Security Teams and SOCs 7.5.2 What the Heck Is a SIEM? 7.5.3 The Role of Outsourced/External Security Providers 7.5.4 Threat Intelligence 7.5.5 Defining an Incident Response Plan 7.5.6 Testing of the Plan and Refinement 7.5.7 Real-World Example – Incident Response Plan Challenges 7.5.8 Resources and Funding 7.5.9 Cyber Insurance 7.5.10 Key Questions for Your Organization 7.6 Assurance and Compliance 7.6.1 Penetration Testing Types of Penetration Testing What Should I Be Testing? How Often Should I Be Performing Testing? What Should I Be Looking for in Choosing a Penetration Testing Firm? Experience and Certifications Testing Methodology Reputation and Reference Clients Approach Deliverables Costs Comparing Quotes 7.6.2 Vulnerability Scanning and Vulnerability Assessments (VA) Pentest vs. Vulnerability Assessment 7.6.3 Security Audits and Compliance Security Audits Compliance Audits 7.7 Key Questions for Your Organization 7.8 Key Takeaways References Chapter 8: We’ve Had an Incident 8.1 To Pay or Not to Pay a Ransom or Extortion 8.2 Understanding the Roles of Australian Agencies 8.3 The Executive and Board’s Responsibilities During a Breach/Significant Event 8.4 Real-World Example – Hollywood Presbyterian Medical Center 8.5 Key Questions for Your Organization 8.6 Key Takeaways Chapter 9: Understanding Penetration Testing Reports and Compliance Audits 9.1 Penetration Testing Reports 9.1.1 Understanding Scopes 9.1.2 Understanding Authentication 9.1.3 Understanding Severities 9.1.4 Putting It Together 9.1.5 How Fast Should We Fix Findings? Additional Factors to Consider Best Practices 9.1.6 Understanding Exploits and Exploitation 9.1.7 Benchmarking Benchmarking Pentests Effective Benchmarking 9.1.8 Mapping Pentest Results to Risk Reduction Director Duties 9.2 ISO 27001 Audit and Report Breakdown 9.2.1 Tips for Reading and Understanding an ISO 27001 Report 9.2.2 Benchmarking ISO 27001 Audit Results 9.2.3 Mapping ISO Audit Results to Risk Reduction Director Duties 9.3 Real-World Example – Certified Yet Compromised: The TalkTalk Incident 9.4 Key Questions for Your Organization 9.5 Key Takeaways References Appendix A: Additional Resources A.1 AICD Resources A.2 ACSC Resources A.3 Other Cyber Security and Risk Resources Appendix B: Glossary Other Glossaries Other Technology Glossaries Index
دانلود کتاب Boardroom Cybersecurity : A Director’s Guide to Mastering Cybersecurity Fundamentals