Effective Cybersecurity : A Guide to Using Best Practices and Standards
Author(s): Stallings, William
ISBN No.: 9780134772806
Pages: 800
Year: 201811
Format: Trade Paper
Price: $ 76.51
Dispatch delay: Dispatched between 7 to 15 days
Status: Available

Preface
Chapter 1: Best Practices, Standards, and a Plan of Action
  1.1 Defining Cyberspace and Cybersecurity
  1.2 The Value of Standards and Best Practices Documents
  1.3 The Standard of Good Practice for Information Security
  1.4 The ISO/IEC 27000 Suite of Information Security Standards
    ISO 27001
    ISO 27002
  1.5 Mapping the ISO 27000 Series to the ISF SGP
  1.6 NIST Cybersecurity Framework and Security Documents
    NIST Cybersecurity Framework
    NIST Security Documents
  1.7 The CIS Critical Security Controls for Effective Cyber Defense
  1.8 COBIT 5 for Information Security
  1.9 Payment Card Industry Data Security Standard (PCI DSS)
  1.10 ITU-T Security Documents
  1.11 Effective Cybersecurity
    The Cybersecurity Management Process
    Using Best Practices and Standards Documents
  1.12 Key Terms and Review Questions
    Key Terms
    Review Questions
  1.13 References
PART I: PLANNING FOR CYBERSECURITY
Chapter 2: Security Governance
  2.1 Security Governance and Security Management
  2.2 Security Governance Principles and Desired Outcomes
    Principles
    Desired Outcomes
  2.3 Security Governance Components
    Strategic Planning
    Organizational Structure
    Roles and Responsibilities
    Integration with Enterprise Architecture
    Policies and Guidance
  2.4 Security Governance Approach
    Security Governance Framework
    Security Direction
    Responsible, Accountable, Consulted, and Informed (RACI) Charts
  2.5 Security Governance Evaluation
  2.6 Security Governance Best Practices
  2.7 Key Terms and Review Questions
    Key Terms
    Review Questions
  2.8 References
Chapter 3: Information Risk Assessment
  3.1 Risk Assessment Concepts
    Risk Assessment Challenges
    Risk Management
    Structure of This
  3.2 Asset Identification
    Hardware Assets
    Software Assets
    Information Assets
    Business Assets
    Asset Register
  3.3 Threat Identification
    The STRIDE Threat Model
    Threat Types
    Sources of Information
  3.4 Control Identification
  3.5 Vulnerability Identification
    Vulnerability Categories
    National Vulnerability Database and Common Vulnerability Scoring System
  3.6 Risk Assessment Approaches
    Quantitative Versus Qualitative Risk Assessment
    Simple Risk Analysis Worksheet
    Factor Analysis of Information Risk
  3.7 Likelihood Assessment
    Estimating Threat Event Frequency
    Estimating Vulnerability
    Loss Event Frequency
  3.8 Impact Assessment
    Estimating the Primary Loss
    Estimating the Secondary Loss
    Business Impact Reference Table
  3.9 Risk Determination
  3.10 Risk Evaluation
  3.11 Risk Treatment
    Risk Reduction
    Risk Retention
    Risk Avoidance
    Risk Transfer
  3.12 Risk Assessment Best Practices
  3.13 Key Terms and Review Questions
    Key Terms
    Review Questions
  3.14 References
Chapter 4: Security Management
  4.1 The Security Management Function
    Security Planning
    Capital Planning
  4.2 Security Policy
    Security Policy Categories
    Security Policy Document Content
    Management Guidelines for Security Policies
    Monitoring the Policy
  4.3 Acceptable Use Policy
  4.4 Security Management Best Practices
  4.5 Key Terms and Review Questions
    Key Terms
    Review Questions
  4.6 References
PART II: MANAGING THE CYBERSECURITY FUNCTION
Chapter 5: People Management
  5.1 Human Resource Security
    Security in the Hiring Process
    During Employment
    Termination of Employment
  5.2 Security Awareness and Education
    Security Awareness
    Cybersecurity Essentials Program
    Role-Based Training
    Education and Certification
  5.3 People Management Best Practices
  5.4 Key Terms and Review Questions
    Key Terms
    Review Questions
  5.5 References
Chapter 6: Information Management
  6.1 Information Classification and Handling
    Information Classification
    Information Labeling
    Information Handling
  6.2 Privacy
    Privacy Threats
    Privacy Principles and Policies
    Privacy Controls
  6.3 Document and Records Management
    Document Management
    Records Management
  6.4 Sensitive Physical Information
  6.5 Information Management Best Practices
  6.6 Key Terms and Review Questions
    Key Terms
    Review Questions
  6.7 References
Chapter.

