Cybersecurity risk management : mastering the fundamentals using the NIST cybersecurity framework /

"The National Institute of Standards and Technology (NIST), located in Gaithersburg, MD, is a U.S. Department of Commerce division. It is assigned the job of promoting innovation and industrial competitiveness. It is a research organization filled with some of the world's leading scientist...

Bibliographic Details
Main Authors: Brumfield, Cynthia (Author), Haugli, Brian (Author)
Format: Book
Language:English
Published: Hoboken, NJ : John Wiley & Sons, Inc., 2022
Hoboken, New Jersey : [2022]
Subjects:
Table of Contents:
  • Academic Foreword xiii
  • Acknowledgments xv
  • Preface – Overview of the NIST Framework xvii
  • Background on the Framework xviii
  • Framework Based on Risk Management xix
  • The Framework Core xix
  • Framework Implementation Tiers xxi
  • Framework Profile xxii
  • Other Aspects of the Framework Document xxiii
  • Recent Developments at NIST xxiii
  • Chapter 1 Cybersecurity Risk Planning and Management 1
  • Introduction 2
  • I. What Is Cybersecurity Risk Management? 2
  • A. Risk Management Is a Process 3
  • II. Asset Management 4
  • A. Inventory Every Physical Device and System You Have and Keep the Inventory Updated 5
  • B. Inventory Every Software Platform and Application You Use and Keep the Inventory Updated 9
  • C. Prioritize Every Device, Software Platform, and Application Based on Importance 10
  • D. Establish Personnel Security Requirements Including Third-Party Stakeholders 11
  • III. Governance 13
  • A. Make Sure You Educate Management about Risks 13
  • IV. Risk Assessment and Management 15
  • A. Know Where You’re Vulnerable 15
  • B. Identify the Threats You Face, Both Internally and Externally 16
  • C. Focus on the Vulnerabilities and Threats That Are Most Likely AND Pose the Highest Risk to Assets 17
  • D. Develop Plans for Dealing with the Highest Risks 18
  • Summary 20
  • Chapter Quiz 20
  • Essential Reading on Cybersecurity Risk Management 22
  • Chapter 2 User and Network Infrastructure Planning and Management 23
  • I. Introduction 24
  • II. Infrastructure Planning and Management Is All about Protection, Where the Rubber Meets the Road 24
  • A. Identity Management, Authentication, and Access Control 25
  • 1. Always Be Aware of Who Has Access to Which System, for Which Period of Time, and from Where the Access Is Granted 27
  • 2. Establish, Maintain, and Audit an Active Control List and Process for Who Can Physically Gain Access to Systems 28
  • 3. Establish Policies, Procedures, and Controls for Who Has Remote Access to Systems 28
  • 4. Make Sure That Users Have the Least Authority Possible to Perform Their Jobs and Ensure That at Least Two Individuals Are Responsible for a Task 29
  • 5. Implement Network Security Controls on All Internal Communications, Denying Communications among Various Segments Where Necessary 31
  • A Word about Firewalls 31
  • 6. Associate Activities with a Real Person or a Single Specific Entity 32
  • 7. Use Single- or Multi-Factor Authentication Based on the Risk Involved in the Interaction 33
  • III. Awareness and Training 34
  • A. Make Sure That Privileged Users and Security Personnel Understand Their Roles and Responsibilities 35
  • IV. Data Security 35
  • A. Protect the Integrity of Active and Archived Databases 35
  • B. Protect the Confidentiality and Integrity of Corporate Data Once It Leaves Internal Networks 36
  • C. Assure That Information Can Only Be Accessed by Those Authorized to Do So and Protect Hardware and Storage Media 37
  • D. Keep Your Development and Testing Environments Separate from Your Production Environment 38
  • E. Implement Checking Mechanisms to Verify Hardware Integrity 39
  • V. Information Protection Processes and Procedures 39
  • A. Create a Baseline of IT and OT Systems 40
  • B. Manage System Configuration Changes in a Careful, Methodical Way 41
  • A Word about Patch Management 42
  • C. Perform Frequent Backups and Test Your Backup Systems Often 43
  • D. Create a Plan That Focuses on Ensuring That Assets and Personnel Will Be Able to Continue to Function in the Event of a Crippling Attack or Disaster 43
  • VI. Maintenance 44
  • A. Perform Maintenance and Repair of Assets and Log Activities Promptly 45
  • B. Develop Criteria for Authorizing, Monitoring, and Controlling All Maintenance and Diagnostic Activities for Third Parties 45
  • VII. Protective Technology 46
  • A. Restrict the Use of Certain Types of Media On Your Systems 46
  • B. Wherever Possible, Limit Functionality to a Single Function Per Device (Least Functionality) 47
  • C. Implement Mechanisms to Achieve Resilience on Shared Infrastructure 48
  • Summary 49
  • Chapter Quiz 50
  • Essential Reading on Network Management 51
  • Chapter 3 Tools and Techniques for Detecting Cyber Incidents 53
  • Introduction 54
  • What Is an Incident? 55
  • I. Detect 56
  • A. Anomalies and Events 56
  • 1. Establish Baseline Data for Normal, Regular Traffic Activity and Standard Configuration for Network Devices 57
  • 2. Monitor Systems with Intrusion Detection Systems and Establish a Way of Sending and Receiving Notifications of Detected Events; Establish a Means of Verifying, Assessing, and Tracking the Source of Anomalies 58
  • A Word about Antivirus Software 60
  • 3. Deploy One or More Centralized Log File Monitors and Configure Logging Devices throughout the Organization to Send Data Back to the Centralized Log Monitor 61
  • 4. Determine the Impact of Events Both Before and After they Occur 61
  • 5. Develop a Threshold for How Many Times an Event Can Occur Before You Take Action 62
  • B. Continuous Monitoring 62
  • 1. Develop Strategies for Detecting Breaches as Soon as Possible, Emphasizing Continuous Surveillance of Systems through Network Monitoring 63
  • 2. Ensure That Appropriate Access to the Physical Environment Is Monitored, Most Likely through Electronic Monitoring or Alarm Systems 64
  • 3. Monitor Employee Behavior in Terms of Both Physical and Electronic Access to Detect Unauthorized Access 65
  • 4. Develop a System for Ensuring That Software Is Free of Malicious Code through Software Code Inspection and Vulnerability Assessments 65
  • 5. Monitor Mobile Code Applications (e.g., Java Applets) for Malicious Activity by Authenticating the Codes’ Origins, Verifying their Integrity, and Limiting the Actions they Can Perform 66
  • 6. Evaluate a Provider’s Internal and External Controls’ Adequacy and Ensure they Develop and Adhere to Appropriate Policies, Procedures, and Standards; Consider the Results of Internal and External Audits 66
  • 7. Monitor Employee Activity for Security Purposes and Assess When Unauthorized Access Occurs 67
  • 8. Use Vulnerability Scanning Tools to Find Your Organization’s Weaknesses 68
  • C. Detection Processes 68
  • 1. Establish a Clear Delineation between Network and Security Detection, with the Networking Group and the Security Group Having Distinct and Different Responsibilities 69
  • 2. Create a Formal Detection Oversight and Control Management Function; Define Leadership for a Security Review, Operational Roles, and a Formal Organizational Plan; Train Reviewers to Perform Their Duties Correctly and Implement the Review Process 70
  • 3. Test Detection Processes Either Manually or in an Automated Fashion in Conformance with the Organization’s Risk Assessment 71
  • 4. Inform Relevant Personnel Who Must Use Data or Network Security Information about What Is Happening and Otherwise Facilitate Organizational Communication 71
  • 5. Document the Process for Event Detection to Improve the Organization’s Detection Systems 72
  • Summary 72
  • Chapter Quiz 73
  • Essential Reading for Tools and Techniques for Detecting a Cyberattack 74
  • Chapter 4 Developing a Continuity of Operations Plan 75
  • Introduction 77
  • A. One Size Does Not Fit All 77
  • I. Response 77
  • A. Develop an Executable Response Plan 79
  • B. Understand the Importance of Communications in Incident Response 80
  • C. Prepare for Corporate-Wide Involvement During Some Cybersecurity Attacks 81
  • II. Analysis 82
  • A. Examine Your Intrusion Detection System in Analyzing an Incident 82
  • B. Understand the Impact of the Event 83
  • C. Gather and Preserve Evidence 84
  • D. Prioritize the Treatment of the Incident Consistent with Your Response Plan 84
  • E. Establish Processes for Handling Vulnerability Disclosures 85
  • III. Mitigation 86
  • A. Take Steps to Contain the Incident 86
  • B. Decrease the Threat Level by Eliminating or Intercepting the Adversary as Soon as the Incident Occurs 87
  • C. Mitigate Vulnerabilities or Designate Them as Accepted Risk 88
  • IV. Recover 88
  • A. Recovery Plan Is Executed During or After a Cybersecurity Incident 89
  • B. Update Recovery Procedures Based on New Information as Recovery Gets Underway 91
  • C. Develop Relationships with Media to Accurately Disseminate Information and Engage in Reputational Damage Limitation 92
  • Summary 92
  • Chapter Quiz 93
  • Essential Reading for Developing a Continuity of Operations Plan 94
  • Chapter 5 Supply Chain Risk Management 95
  • Introduction 96
  • I. NIST Special Publication 800-161 96
  • II. Software Bill of Materials 97
  • III. NIST Revised Framework Incorporates Major Supply Chain Category 98
  • A. Identify, Establish, and Assess Cyber Supply Chain Risk Management Processes and Gain Stakeholder Agreement 98
  • B. Identify, Prioritize, and Assess Suppliers and Third-Party Partners of Suppliers 99
  • C. Develop Contracts with Suppliers and Third-Party Partners to Address Your Organization’s Supply Chain Risk Management Goals 100
  • D. Routinely Assess Suppliers and Third-Party Partners Using Audits, Test Results, and Other Forms of Evaluation 101
  • E. Test to Make Sure Your Suppliers and Third-Party Providers Can Respond to and Recover from Service Disruption 102
  • Summary 103
  • Chapter Quiz 103
  • Essential Reading for Supply Chain Risk Management 104
  • Chapter 6 Manufacturing and Industrial Control Systems Security 105
  • Essential Reading on Manufacturing and Industrial Control Security 110
  • Appendix A: Helpful Advice for Small Organizations Seeking to Implement Some of the Book’s Recommendations 111
  • Appendix B: Critical Security Controls Version 8.0 Mapped to NIST CSF v1.1 113
  • Answers to Chapter Quizzes 121
  • Index 131