Developing Cybersecurity Programs and Policies, 3rd Edition
©2019 |Pearson IT Certification | Available
Omar Santos, Best-selling Cisco Press author, expert trainer, and Principal Engineer at Cisco (PSIRT)
This book is a complete guide to establishing a cybersecurity program and governance in your organization. In this book, students will learn how to create cybersecurity policies, standards, procedures, guidelines, and plans — and the differences among them. This book covers the Confidentiality, Integrity & Availability (CIA) security model. Students will also learn how threat actors launch attacks against their victims, compromising the confidentiality, integrity, and availability of systems and networks. This book covers the NIST Cybersecurity Framework and ISO/IEC 27000-series standards. Readers will learn how to align security with business strategy, as well as define, inventory, and classify information and systems.
This book teaches students how to systematically identify, prioritize, and manage cybersecurity risks and reduce social engineering (human) risks with role-based Security Education, Awareness, and Training (SETA). They will also learn how to implement effective physical, environmental, communications, and operational security; and effectively manage access control. In this book students will learn how to respond to incidents and ensure continuity of operations and how to comply with laws and regulations, including GLBA, HIPAA/HITECH, FISMA, state data security and notification rules, and PCI DSS.
Updated to cover the latest information in cybersecurity.
1. Updated to include “cybersecurity” (which expands the universe of information security), with cross-references to ISO 27000 (current edition), ISO 27032:2012 Guidelines for Cybersecurity, and the NIST Cybersecurity Framework, or alternately without cross-references. The cross-references drive the organization of the book.
2. If the book is to be more cyber-based, a chapter on Attacks and Attackers is added and the chapter on Incident Response is expanded.
3. As applicable, newer technologies should be referenced (e.g. virtualization, DLP, NAC, Cloud, MDM)
4. Part 3 Regulatory Compliance (Chapters 13,14, 15) updated to reflect current regulatory expectations and contractual obligations.
5. FYIs updated to reflect current examples.
6. All embedded examples reviewed to ensure they are still relevant.
7. All exercises and case studies reviewed to ensure they are still relevant.
8. The policies themselves will only need minor tweaking + any language specific to “cyber”.
Chapter 1: Understanding Cybersecurity Policy and Governance
Information Security vs. Cybersecurity Policies
Looking at Policy Through the Ages
Policy in Ancient Times
The United States Constitution as a Policy Revolution
What Are Assets?
Successful Policy Characteristics
What Is the Role of Government?
Additional Federal Banking Regulations
Government Cybersecurity Regulations in Other Countries
The Challenges of Global Policies
Cybersecurity Policy Life Cycle
Chapter 2: Cybersecurity Policy Organization, Format, and Styles
Plans and Programs
Writing Style and Technique
Using Plain Language
The Plain Language Movement
Plain Language Techniques for Policy Writing
Understand Your Audience
Policy Format Types
Chapter 3: Cybersecurity Framework
Confidentiality, Integrity, and Availability
What Is Confidentiality?
What Is Integrity?
What Is Availability?
Who Is Responsible for CIA?
NIST’s Cybersecurity Framework
What Is NIST’s Function?
So, What About ISO?
NIST Cybersecurity Framework
Chapter 4: Governance and Risk Management
Understanding Cybersecurity Policies
What Is Governance?
What Is Meant by Strategic Alignment?
User-Level Cybersecurity Policies
Vendor Cybersecurity Policies
Cybersecurity Vulnerability Disclosure Policies
Client Synopsis of Cybersecurity Policies
Who Authorizes Cybersecurity Policy?
What Is a Distributed Governance Model?
Evaluating Cybersecurity Policies
Revising Cybersecurity Policies: Change Drivers
NIST Cybersecurity Framework Governance Subcategories and Informative References
Is Risk Bad?
Understanding Risk Management
Risk Appetite and Tolerance
What Is a Risk Assessment?
Risk Assessment Methodologies
Chapter 5: Asset Management and Data Loss Prevention
Information Assets and Systems
Who Is Responsible for Information Assets?
How Does the Federal Government Classify Data?
Why Is National Security Information Classified Differently?
Who Decides How National Security Data Is Classified?
How Does the Private Sector Classify Data?
Can Information Be Reclassified or Even Declassified?
Labeling and Handling Standards
Why Handling Standards?
Information Systems Inventory
Why an Inventory Is Necessary and What Should Be Inventoried
Understanding Data Loss Prevention Technologies
Chapter 6: Human Resources Security
The Employee Life Cycle
What Does Recruitment Have to Do with Security?
What Happens in the Onboarding Phase?
What Is User Provisioning?
What Should an Employee Learn During Orientation?
Why Is Termination Considered the Most Dangerous Phase?
The Importance of Employee Agreements
What Are Confidentiality or Nondisclosure Agreements?
What Is an Acceptable Use Agreement?
The Importance of Security Education and Training
Influencing Behavior with Security Awareness
Teaching a Skill with Security Training
Security Education Is Knowledge Driven
Chapter 7: Physical and Environmental Security
Understanding the Secure Facility Layered Defense Model
How Do We Secure the Site?
How Is Physical Access Controlled?
No Power, No Processing?
How Dangerous Is Fire?
What About Disposal?
Chapter 8: Communications and Operations Security
Standard Operating Procedures
Why Document SOPs?
Operational Change Control
Why Manage Change?
Why Is Patching Handled Differently?
Are There Different Types of Malware?
How Is Malware Controlled?
What Is Antivirus Software?
Is There a Recommended Backup or Replication Strategy?
What Makes Email a Security Risk?
Are Email Servers at Risk?
Other Collaboration and Communication Tools
Activity Monitoring and Log Analysis
What Is Log Management?
Service Provider Oversight
What Is Due Diligence?
What Should Be Included in Service Provider Contracts?
Threat Intelligence and Information Sharing
How Good Is Cyber Threat Intelligence if It Cannot Be Shared?
Chapter 9: Access Control Management
Access Control Fundamentals
What Is a Security Posture?
How Is Identity Verified?
What Is Authorization?
Infrastructure Access Controls
Why Segment a Network?
What Is Layered Border Security?
Remote Access Security
User Access Controls
Why Manage User Access?
What Types of Access Should Be Monitored?
Chapter 10: Information Systems Acquisition, Development, and Maintenance
System Security Requirements
What Is SDLC?
What About Commercially Available or Open Source Software?
The Testing Environment
Protecting Test Data
The Open Web Application Security Project (OWASP)
What Is a “Key”?
What Is PKI?
Why Protect Cryptographic Keys?
Digital Certificate Compromise
Chapter 11: Cybersecurity Incident Response
What Is an Incident?
How Are Incidents Reported?
What Is an Incident Response Program?
The Incident Response Process
Tabletop Exercises and Playbooks
Information Sharing and Coordination
Computer Security Incident Response Teams
Product Security Incident Response Teams (PSIRTs)
Incident Response Training and Exercises
What Happened? Investigation and Evidence Handling
Working with Law Enforcement
Understanding Forensic Analysis
Data Breach Notification Requirements
Is There a Federal Breach Notification Law?
Does Notification Work?
Chapter 12: Business Continuity Management
What Is a Resilient Organization?
Business Continuity Risk Management
What Is a Business Continuity Threat Assessment?
What Is a Business Continuity Risk Assessment?
What Is a Business Impact Assessment?
The Business Continuity Plan
Roles and Responsibilities
Disaster Response Plans
Operational Contingency Plans
The Disaster Recovery Phase
The Resumption Phase
Plan Testing and Maintenance
Why Is Testing Important?
Chapter 13: Regulatory Compliance for Financial Institutions
The Gramm-Leach-Bliley Act
What Is a Financial Institution?
What Are the Interagency Guidelines?
New York’s Department of Financial Services Cybersecurity Regulation (23 NYCRR Part 500)
What Is a Regulatory Examination?
Personal and Corporate Identity Theft
What Is Required by the Interagency Guidelines Supplement A?
What Is Required by the Supplement to the Authentication in an Internet Banking Environment Guidance?
Chapter 14: Regulatory Compliance for the Health-Care Sector
The HIPAA Security Rule
What Is the Objective of the HIPAA Security Rule?
How Is the HIPAA Security Rule Organized?
What Are the Physical Safeguards?
What Are the Technical Safeguards?
What Are the Organizational Requirements?
What Are the Policies and Procedures Standards?
The HIPAA Security Rule Mapping to NIST Cybersecurity Framework
The HITECH Act and the Omnibus Rule
What Changed for Business Associates?
What Are the Breach Notification Requirements?
Understanding the HIPAA Compliance Enforcement Process
Chapter 15: PCI Compliance for Merchants
Protecting Cardholder Data
What Is the PAN?
The Luhn Algorithm
What Is the PCI DSS Framework?
What Are the PCI Requirements?
Who Is Required to Comply with PCI DSS?
What Is a Data Security Compliance Assessment?
What Is the PCI DSS Self-Assessment Questionnaire (SAQ)?
Are There Penalties for Noncompliance?
Chapter 16: NIST Cybersecurity Framework
Introducing the NIST Cybersecurity Framework Components
The Framework Core
Framework Implementation Tiers (“Tiers”)
Who Should Coordinate the Framework Implementation?
NIST’s Recommended Steps to Establish or Improve a Cybersecurity Program
Communication with Stakeholders and Supply Chain Relationships
NIST’s Cybersecurity Framework Reference Tool
Adopting the NIST Cybersecurity Framework in Real Life
Appendix A: Cybersecurity Program Resources
Appendix B: Answers to the Multiple Choice Questions
9780789759405 TOC 6/27/2018
Omar Santos is a principal engineer in the Cisco Product Security Incident Response Team (PSIRT) within Cisco Security Research and Operations. He mentors and leads engineers and incident managers during the investigation and resolution of security vulnerabilities in all Cisco products, including cloud services. Omar has been working with information technology and cybersecurity since the mid-1990s. Omar has designed, implemented, and supported numerous secure networks for Fortune 100 and 500 companies and the U.S. government. Prior to his current role, he was a technical leader within the World-Wide Security Practice and the Cisco Technical Assistance Center (TAC), where he taught, led, and mentored many engineers within both organizations.
Omar is an active member of the security community, where he leads several industry-wide initiatives and standards bodies. His active role helps businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to increasing the security of critical infrastructure.
Omar often delivers technical presentations at many conferences and to Cisco customers and partners. He is the author of dozens of books and video courses. You can follow Omar on any of the following:
Personal website: omarsantos.io