UNDERSTAND, MANAGE, AND MEASURE CYBER RISK : practical solutions for creating a sustainable... cyber program
معرفی کتاب «UNDERSTAND, MANAGE, AND MEASURE CYBER RISK : practical solutions for creating a sustainable... cyber program» نوشتهٔ Screech House و Ryan Leirvik، منتشرشده توسط نشر Apress L. P. در سال 2023. این کتاب در فرمت pdf، زبان انگلیسی ارائه شده است.
When it comes to managing cybersecurity in an organization, most organizations tussle with basic foundational components. This practitioner’s guide lays down those foundational components, with real client examples and pitfalls to avoid. A plethora of cybersecurity management resources are available―many with sound advice, management approaches, and technical solutions―but few with one common theme that pulls together management and technology, with a focus on executive oversight. Author Ryan Leirvik helps solve these common problems by providing a clear, easy-to-understand, and easy-to-deploy "playbook" for a cyber risk management approach applicable to your entire organization. This second edition provides tools and methods in a straight-forward, practical manner to guide the management of a cybersecurity program. Expanded sections include the critical integration of cyber risk management into enterprise risk management, the important connection between a Software Bill of Materials and Third-party Risk Programs, and additional "how to" tools and material for mapping frameworks to controls. Praise for Understand, Manage, and Measure Cyber Risk What lies ahead of you in the pages of this book? Clean practicality, not something that just looks good on paper ― brittle and impractical when exposed to the real world. I prize flexibility and simplicity instead of attempting to have answers for everything and the rigidity that results. This simplicity is what I find valuable within Ryan's book. Tim Collyer, Motorola Solutions It seems that I have found a kindred spirit ― a builder who has worked with a wide variety of client CISOs on their programs, gaining a deep understanding of how a successful and sustainable program should be constructed. Ryan's cyber work in the US Department of Defense, his McKinsey & Company consulting, and his advisory and survey work with IANS give him a unique global view of our shared passion. Nicholas J. Mankovich, PhD, MS, CISPP Who This Book Is For CISOs, CROs, CIOs, directors of risk management, and anyone struggling to pull together frameworks or basic metrics to quantify uncertainty and address risk Table of Contents 4 About the Author 10 About the Technical Reviewer 11 Acknowledgments 12 Foreword 1 13 Foreword 2 17 Introduction 21 Part I: The Problem 23 Keep in Mind 23 Chapter 1: What Is the Problem? 24 Introduction 24 Chapter 2: Why Is It Complicated? 28 Introduction 28 Technology Is Everywhere 29 Technology Is Complex 30 Technology Was Built on Trust 31 Technology Is an Opportunity for Misuse 32 The Fundamental Risk Is Not Always Understood 33 ... and Business Leaders Need to Know What to Do 34 Keep in Mind 35 Lack of a Common Cybersecurity Risk Language 36 Unclear Answers for Proper Oversight 38 Oh, and Umm... Distractors 39 Chapter 3: How to Address This Problem 41 Introduction 41 Understand the Risk 42 Manage the Risk 45 Apply a Framework 45 Structure the Organization 47 Set a Review Frequency 47 Prepare to Respond (and Recover) 48 Measure the Impact of Risk Management 48 Keep in Mind 48 Choose Risk-Informative Measures 49 Apply Appropriate Resources 50 Drive for Value 50 Be Clear on What to Measure 51 Avoid Chasing “Perfect” (It’s Not That Valuable) 52 Part II: The Solution 53 Keep in Mind 53 Chapter 4: Understanding the Problem 54 Introduction 54 Rules to Follow 56 Be Clear About the Problem (Critical Assets Are at Risk) 56 Settle on a Definition of Risk 57 Settle on a Definition of Critical 59 Inventory and Categorize Critical Assets 63 How to Inventory and Categorize Critical Assets 64 Step 1. Acknowledge That Asset Management Is Hard 65 Keep in Mind 65 Step 2. Develop the Business Case 66 Step 3. Define Your Asset Classes 67 Step 4. Collect and Inventory in Each New Asset Class 69 Step 5. Identify the Most Critical Assets 70 Identify the Risks to These Critical Assets 72 How to Identify the Risks to These Critical Assets 72 Step 5a. Perform a Threat Analysis 73 How to Walk Through an Overview of a Threat Model 75 Step 5b. Discover Vulnerabilities 76 Step 5c. Anticipate the Business Impact of an Event 79 Step 5d. Pull It Together in the Risk Register and Keep It Updated 82 Step 5e. Know the Applicable Laws and Regulations 83 Step 5f. Connect Cybersecurity Risk to Enterprise Risk 85 Understanding the Problem: A Recap 88 Recent Examples 88 Example 1. Getting Started with a Program 89 Example 2. From Legacy “Perfection” to “Good Enough” 95 Example 3. Data Protection Strategy, Please 98 Example 4. What Risk? 101 Pitfalls to Avoid 102 Chapter 5: Manage the Problem 104 Introduction 104 General Observations and Guidelines for Managing the Risk 106 Observations 106 Guidelines 107 Rules to Follow 109 Focus on One Framework 109 Structure the Program Approach 114 How to Structure the Approach 115 Step 1. Set the Structure 116 Step 2. Align the Risk-Mitigating Activities 118 Step 3. Assign Roles and Responsibilities 119 Step 4. Identify Gaps and the Appropriate Activities to Fill Them 122 Step 5. Look Externally (Third-Party Risk Management) 124 How to Build Out the TPRM Questionnaire 126 Step 5a. Split the Questionnaire into Logical Columns 127 Step 5b. Build Each Column Upon the One Before 127 Step 5c. Directly Relate the Question to the Risk 127 Keep in Mind 129 How to Verify Your External Look 132 Step 5d. Link a Software Bill of Materials to the TPRM Program 132 Step 5e. Build a Feedback Mechanism for Vendors 135 Step 5f. Align to Procurement and Purchasing 136 Keep in Mind: Third-Party Risk Management 138 Step 6. Pick the Right Tools and Avoid Distraction 139 Set a Program Review Frequency 142 Prepare to Respond and Recover 144 Managing the Problem, a Recap 144 Recent Examples 145 Example 1. Addressing Too Many Frameworks 145 Example 2. Many TPRM Tools 149 Example 3. From Controls Focus to a Risk Strategy 152 Example 4. Third-Party Without a Checklist 155 Pitfalls to Avoid 157 Chapter 6: Get Ready for Measures 159 Introduction 159 Keep in Mind: Consider the Broad View of Risk for Measurement 161 Chapter 7: Measure the Problem 163 Introduction 163 Rules to Follow 164 Choose Informative Measures That Provide Actionable Values 165 How to Choose Informative Measures 167 Step 1. Choose Actionable Measures 167 Step 2. Define Clear Addressable Activities 168 Step 3. Provide Actionable Reviews 169 Research What Others Have Done (Measures That Have Worked) 170 Measures That Have Worked 171 Be Clear About the Math 172 Straight Math 172 Less-Than-Straight Math 174 Gain Buy-In from Stakeholders 175 Develop a Reporting Structure for Consistency 177 Allow Measures to Mature Over Time 179 Keep in Mind: Consider the Insights 180 Recent Examples 181 Example 1. Simple Measures, Anyone? 181 Example 2. Too Much Data, Not Enough Information 187 Pitfalls to Avoid 190 Chapter 8: Report Upward 192 Introduction 192 Rules to Follow 193 Rules to Follow: Report Upward 194 Choose a Consistent Reporting Structure 194 Provide Clear and Informative Measures 196 Keep in Mind: Consider the Value 197 Use Straightforward Terms 198 Provide Recommendations for All Problems 199 Pitfalls to Avoid 199 Chapter 9: Questions Boards Should Ask 201 Introduction 201 A Tear Sheet for Boards 208 Chapter 10: Conclusion 211 Introduction 211 First, Understand the Risk 211 Next, Manage the Risk 217 Then, Measure the Risk 220 Go Forth and Prosper 224 Appendix 225 Illustration 225 Illustration: Structured Approach 225 Step 1. Set the Structure 226 Step 2. Align the Risk-Mitigating Activities 227 Step 3. Assign Roles and Responsibilities 229 Step 4. Identify Gaps (Including Third Parties) and the Appropriate Activities to Fill Them 231 Step 5. Set the Action Plan 232 Index 233 When it comes to managing cybersecurity in an organization, most tussle with basic foundational components. This practitioner’s guide lays down those foundational components, with real client examples and pitfalls to avoid.A plethora of cybersecurity management resources are available—many with sound advice, management approaches, and technical solutions—but few with one common theme that pulls together management and technology, with a focus on executive oversight. Author Ryan Leirvik helps solve these common problems by providing a clear, easy-to-understand, and easy-to-deploy "playbook" for a cyber risk management approach applicable to your entire organization.This second edition provides tools and methods in a straight-forward, practical manner to guide the management of a cybersecurity program. Expanded sections include the critical integration of cyber risk management into enterprise risk management, the important connection between a Software Bill of Materials and Third-party Risk Programs, and additional "how to" tools and material for mapping frameworks to controls.Features:✓ Simplifies the answer to “What is our cybersecurity program all about?”✓ Demystifies the “how to” of cybersecurity risk management and the pitfalls to avoid✓ Pulls together management, technology, and executive understanding using insightful cyber measures and indicatorsWho This Book Is For:CISOs, CROs, CIOs, directors of risk management, and anyone struggling to pull together frameworks or basic metrics to quantify uncertainty and address risk.
دانلود کتاب UNDERSTAND, MANAGE, AND MEASURE CYBER RISK : practical solutions for creating a sustainable... cyber program