
The Cyber Risk Handbook
Content
Foreword by Ron Hale xxiii
About the Editor xxxi
List of Contributors xxxiii
Acknowledgments xxxv
CHAPTER 1 Introduction 1 Domenic Antonucci, Editor and Chief Risk Officer, Australia
The CEO under Pressure 1
Toward an Effectively Cyber Risk-Managed Organization 3
Handbook Structured for the Enterprise 4
Handbook Structure, Rationale, and Benefits 7
Which Chapters Are Written for Me? 8
CHAPTER 2 Board Cyber Risk Oversight 11 Tim J. Leech, Risk Oversight Solutions Inc., Canada Lauren C. Hanlon, Risk Oversight Solutions Inc., Canada
What Are Boards Expected to Do Now? 11
What Barriers to Action Will Well-Intending Boards Face? 13
What Practical Steps Should Boards Take Now to Respond? 16
Cybersecurity-The Way Forward 20
About Risk Oversight Solutions Inc. 21
About Tim J. Leech, FCPA, CIA, CRMA, CFE 21
About Lauren C. Hanlon, CPA, CIA, CRMA, CFE 21
CHAPTER 3 Principles Behind Cyber Risk Management 23 RIMS, the risk management society(TM) Carol Fox, Vice President, Strategic Initiatives at RIMS, USA
Cyber Risk Management Principles Guide Actions 23
Meeting Stakeholder Needs 25
Covering the Enterprise End to End 26
Applying a Single, Integrated Framework 27
Enabling a Holistic Approach 28
Separating Governance from Management 31
Conclusion 31
About RIMS 32
About Carol Fox 32
CHAPTER 4 Cybersecurity Policies and Procedures 35 The Institute for Risk Management (IRM) Elliot Bryan, IRM and Willis Towers Watson, UK Alexander Larsen, IRM, and President of Baldwin Global Risk Services Ltd., UK
Social Media Risk Policy 35
Ransomware Risk Policies and Procedures 41
Cloud Computing and Third-Party Vendors 45
Big Data Analytics 50
The Internet of Things 53
Mobile or Bring Your Own Devices (BYOD) 55
Conclusion 60
About IRM 64
About Elliot Bryan, BA (Hons), ACII 65
About Alexander Larsen, FIRM, President of Baldwin Global Risk Services 65
CHAPTER 5 Cyber Strategic Performance Management 67 McKinsey & Company James M. Kaplan, Partner, McKinsey & Company, New York, USA Jim Boehm, Consultant, McKinsey & Company, Washington, USA
Pitfalls in Measuring Cybersecurity Performance 68
Cybersecurity Strategy Required to Measure Cybersecurity Performance 69
Creating an Effective Cybersecurity Performance Management System 72
Conclusion 77
About McKinsey & Company 78
About James Kaplan 78
About Jim Boehm 79
CHAPTER 6 Standards and Frameworks for Cybersecurity 81 Stefan A. Deutscher, Principal, Boston Consulting Group (BCG), Berlin, Germany William Yin, Senior Partner and Managing Director, Boston Consulting Group (BCG), Hong Kong
Putting Cybersecurity Standards and Frameworks in Context 81
Commonly Used Frameworks and Standards (a Selection) 84
Constraints on Standards and Frameworks 93
Good Practice Consistently Applied 93
Conclusion 94
About Boston Consulting Group (BCG) 95
About William Yin 96
About Dr. Stefan A. Deutscher 96
CHAPTER 7 Identifying, Analyzing, and Evaluating Cyber Risks 97 Information Security Forum (ISF) Steve Durbin, Managing Director, Information Security Forum Ltd.
The Landscape of Risk 97
The People Factor 98
A Structured Approach to Assessing and Managing Risk 100
Security Culture 101
Regulatory Compliance 102
Maturing Security 103
Prioritizing Protection 104
Conclusion 104
About the Information Security Forum (ISF) 106
About Steve Durbin 106
CHAPTER 8 Treating Cyber Risks 109 John Hermans, Cyber Lead Partner Europe, Middle East, and Africa at KPMG, The Netherlands Ton Diemont, Senior Manager at KPMG, The Netherlands
Introduction 109
Treating Cybersecurity Risk with the Proper Nuance in Line with an Organization's Risk Profile 110
Determining the Cyber Risk Profile 111
Treating Cyber Risk 112
Alignment of Cyber Risk Treatment 114
Practicing Cyber Risk Treatment 115
Conclusion 119
About KPMG 120
About John Hermans 121
About Ton Diemont 121
CHAPTER 9 Treating Cyber Risks Using Process Capabilities 123 ISACA Todd Fitzgerald, CISO and ISACA, USA
Cybersecurity Processes Are the Glue That Binds 123
No Intrinsic Motivation to Document 124
Leveraging ISACA COBIT 5 Processes 125
COBIT 5 Domains Support Complete Cybersecurity Life Cycle 137
Conclusion 139
About ISACA 140
About Todd Fitzgerald 141
CHAPTER 10 Treating Cyber Risks-Using Insurance and Finance 143 Aon Global Cyber Solutions Kevin Kalinich, Esq., Aon Risk Solutions Global Cyber Insurance Practice Leader, USA
Tailoring a Quantified Cost-Benefit Model 143
Planning for Cyber Risk Insurance 149
The Risk Manager's Perspective on Planning for Cyber Insurance 150
Cyber Insurance Market Constraints 152
Conclusion 154
About Aon 157
About Kevin Kalinich, Esq. 158
CHAPTER 11 Monitoring and Review Using Key Risk Indicators (KRIs) 159 Ann Rodriguez, Managing Partner, Wability, Inc., USA
Definitions 160
KRI Design for Cyber Risk Management 160
Conclusion 169
About Wability 169
About Ann Rodriguez 170
CHAPTER 12 Cybersecurity Incident and Crisis Management 171 CLUSIF Club de la Sécurité de l'Information Français Gérôme Billois, CLUSIF Administrator and Board Member Cybersecurity at Wavestone Consultancy, France
Cybersecurity Incident Management 171
Cybersecurity Crisis Management 174
Conclusion 182
About CLUSIF 183
About Gérôme Billois, CISA, CISSP and ISO27001 Certified 183
About Wavestone 183
CHAPTER 13 Business Continuity Management and Cybersecurity 185 Marsh Sek Seong Lim, Marsh Risk Consulting Business Continuity Leader for Asia, Singapore
Good International Practices for Cyber Risk Management and Business Continuity 186
Embedding Cybersecurity Requirements in BCMS 188
Developing and Implementing BCM Responses for Cyber Incidents 189
Conclusion 190
Appendix: Glossary of Key Terms 191
About Marsh 191
About Marsh Risk Consulting 192
About Sek Seong Lim, CBCP, PMC 192
CHAPTER 14 External Context and Supply Chain 193 Supply Chain Risk Leadership Council (SCRLC) Nick Wildgoose, Board Member and ex-Chairperson of SCRLC, and Zurich Insurance Group, UK
External Context 194
Building Cybersecurity Management Capabilities from an External Perspective 200
Measuring Cybersecurity Management Capabilities from an External Perspective 204
Conclusion 204
About the SCRLC 205
About Nick Wildgoose, BA (Hons), FCA, FCIPS 205
CHAPTER 15 Internal Organization Context 207 Domenic Antonucci, Editor and Chief Risk Officer, Australia Bassam Alwarith, Head of the National Digitization Program, Ministry of Economy and Planning, Saudi Arabia
The Internal Organization Context for Cybersecurity 207
Tailoring Cybersecurity to Enterprise Exposures 209
Conclusion 240
About Domenic Antonucci 241
About Bassam Alwarith 241
CHAPTER 16 Culture and Human Factors 243 Avinash Totade, ISACA Past President UAE Chapter and Management Consultant, UAE Sandeep Godbole, ISACA Past President Pune Chapter, India
Organizations as Social Systems 243
Human Factors and Cybersecurity 246
Training 248
Frameworks and Standards 249
Technology Trends and Human Factors 250
Conclusion 252
About ISACA 253
About Avinash Totade 253
About Sandeep Godbole 254
CHAPTER 17 Legal and Compliance 255 American Bar Association Cybersecurity Legal Task Force Harvey Rishikof, Chair, Advisory Committee to the Standing Committee on Law and National Security, USA Conor Sullivan, Law Clerk for the Standing Committee on National Security, USA
European Union and International Regulatory Schemes 255
U.S. Regulations 258
Counsel's Advice and "Boom" Planning 261
Conclusion 266
About the Cybersecurity Legal Task Force 269
About Harvey Rishikof 269
About Conor Sullivan 270
CHAPTER 18 Assurance and Cyber Risk Management 271 Stig J. Sunde, Senior Internal Auditor (ICT), Emirates Nuclear Energy Corporation (ENEC), UAE
Cyber Risk Is Ever Present 271
What the Internal Auditor Expects from an Organization Managing Its Cyber Risks Effectively 272
How to Deal with Two Differing Assurance Maturity Scenarios 277
Combined Assurance Reporting by ERM Head 278
Conclusion 278
About Stig Sunde, CISA, CIA, CGAP, CRISC, IRM Cert. 280
CHAPTER 19 Information Asset Management for Cyber 281 Booz Allen Hamilton Christopher Ling, Executive Vice President, Booz Allen Hamilton, USA
The Invisible Attacker 281
A Troubling Trend 282
Thinking Like a General 283
The Immediate Need-Best Practices 283
Cybersecurity for the Future 284
Time to Act 286
Conclusion 286
About Booz Allen Hamilton 287
About Christopher Ling 287
CHAPTER 20 Physical Security 289 Radar Risk Group Inge Vandijck, CEO, Radar Risk Group, Belgium Paul Van Lerberghe, CTO, Radar Risk Group, Belgium
Tom Commits to a Plan 290
Get a Clear View on the Physical Security Risk Landscape and the Impact on Cybersecurity 291
Manage or Review the Cybersecurity Organization 294
Design or Review Integrated Security Measures 295
Reworking the Data Center Scenario 299
Calculate or Review Exposure to Adversary Attacks 302
Optimize Return on Security Investment 305
Conclusion 306
About Radar Risk Group 307
About Inge Vandijck 307
About Paul Van Lerberghe 307
CHAPTER 21 Cybersecurity for Operations and Communications 309 EY Chad Holmes, Principal, Cybersecurity, Ernst & Young LLP (EY US) James Phillippe, Principal, Cybersecurity, Ernst & Young LLP (EY US)
Do You Know What You Do Not Know? 309
Threat Landscape-What Do You Know About Your Organization Risk and Who Is Targeting You? 310
Data and Its Integrity-Does Your Risk Analysis Produce Insight? 310
Digital Revolution-What Threats Will Emerge as Organizations Continue to Digitize? 311
Changes-How Will Your Organization or Operational Changes Affect Risk? 312
People-How Do You Know Whether an Insider or Outsider Presents a Risk? 312
What's Hindering Your Cybersecurity Operations? 312
Challenges from Within 313
What to Do Now 313
Conclusion 318
About EY 319
About Chad Holmes 319
About James Phillippe 319
CHAPTER 22 Access Control 321 PwC Sidriaan de Villiers, Partner-Africa Cybersecurity Practice, PwC South Africa
Taking a Fresh Look at Access Control 321
Organization Requirements for Access Control 322
User Access Management 323
User Responsibility 327
System and Application Access Control 327
Mobile Devices 329
Teleworking 331
Other Considerations 332
Conclusion 333
About PwC 334
About Sidriaan de Villiers, PwC Partner South Africa 334
CHAPTER 23 Cybersecurity Systems: Acquisition, Development, and Maintenance 335 Deloitte Michael Wyatt, Managing Director, Cyber Risk Services, Deloitte Advisory, USA
Build, Buy, or Update: Incorporating Cybersecurity Requirements and Establishing Sound Practices 336
Specific Considerations 342
Conclusion 344
About Deloitte Advisory Cyber Risk Services 346
About Michael Wyatt 346
CHAPTER 24 People Risk Management in the Digital Age 347 Airmic Julia Graham, Deputy CEO and Technical Director at Airmic, UK
Rise of the Machines 347
Enterprise-Wide Risk Management 348
Tomorrow's Talent 350
Crisis Management 354
Risk Culture 355
Conclusion 356
About Airmic 358
About Julia Graham 358
CHAPTER 25 Cyber Competencies and the Cybersecurity Officer 359 Ron Hale, PhD, CISM, ISACA, USA
The Evolving Information Security Professional 359
The Duality of the CISO 360
Job Responsibilities and Tasks 363
Conclusion 366
About ISACA 368
About Ron Hale 368
CHAPTER 26 Human Resources Security 369 Domenic Antonucci, Editor and Chief Risk Officer, Australia
Needs of Lower-Maturity HR Functions 369
Needs of Mid-Maturity HR Functions 370
Needs of Higher-Maturity HR Functions 372
Conclusion 373
About Domenic Antonucci 374
Epilogue 375 Becoming CyberSmart(TM): A Risk Maturity Road Map for Measuring Capability Gap-Improvement Domenic Antonucci, Editor and Chief Risk Officer (CRO), Australia Didier Verstichel, Chief Information Security Officer (CISO) and Chief Risk Officer (CRO), Belgium
Background 375
Becoming CyberSmart(TM) 376
About Domenic Antonucci 392
About Didier Verstichel 392
Glossary 393
Index 399
Foreword The State of Cybersecurity
Ron Hale, ISACA, USA
If cybercrime were compared to other global criminal enterprises, it would rank fourth out of five high-impact crimes in terms of the cost as a percentage of the global gross domestic product (GDP). Only transnational crime (1.2 percent), narcotics (0.9 percent), and counterfeiting/piracy (0.89 percent) rank higher in terms of financial impact. Cybercrime, however, is pushing toward the top, representing 0.8 percent of the global GDP, according to a 2014 study conducted by the Center for Strategic and International Studies. While many may not be aware of the worldwide cost of cybercrime, enterprises everywhere are certainly feeling the consequences of intrusions and compromise. It is hitting the bottom line in corporate financial statements.
Cybercrime is also gaining the attention of legislators, regulators, and boards as reports of intrusions and their consequences are released on a daily basis. Everyone is becoming alarmingly aware of cybercrime, as it is constantly in the news. Cybercrime is also very personal, because each of us has probably had the experience of receiving notifications that our financial and other personal information may have been compromised in an attack. The incidence of cybercrime is eroding public trust as well.
The Global Cyber Crisis
We are in what can best be described as a global cyber crisis, and the future does not look promising. The June 2014 Center for Strategic and International Studies report estimated that the global impact of cybercrime was between $375 and $575 billion. As cyber incidents are frequently undetected and infrequently reported, it is difficult to arrive at a more accurate understanding of the extent of cybercrime. The Center's best estimate is $445 billion, given that the four largest economies, the United States, China, Japan, and Germany collectively account for at least $200 billion of this amount.
Despite the lack of details on the extent of cybercrime, we know that it is having a significant negative impact on business and that, instead of slowing, cyber attacks are escalating at what could be considered an alarming rate. Even without verified and complete numbers, we calculate that the Internet economy generates between $3 trillion and $5 trillion globally and that cybercrime extracts between 15 percent and 20 percent of this value. The Center for Strategic and International Studies commented that cybercrime is a rapidly growing industry because of the high potential rate of return on investment and the low risk of detection and prosecution. Many legitimate enterprises would love to have the same economic opportunity that cybercriminals currently enjoy.
The April 2016 Internet Security Threat Report produced by Symantec highlights the extent of the cyber crisis. According to their analysis, 430 million new and unique pieces of malware were discovered in 2015. This represents an increase of 36 percent from the prior year. While this is a huge number, we know that malware does not go out of style in the underground cybercrime community. Attack tools and malicious code that were produced over the past several years are still commonly used and remain very effective. It is impossible to know the full extent of the library of malicious code that is either currently in use or available to hackers. The result, however, is that one-half billion personal records were either lost or stolen in 2015. This comes as the result of the known 1 million attacks that were launched against individuals each and every day in 2015. The state of cybersecurity can best be described as "hackers gone wild." There seems to be no system that cannot be compromised and no information that is safe.
While the daily impact of cybercrime is alarming, the most significant impact cybercriminals can have is on emerging technologies and business activities. The history of cybercrime demonstrates that as technology advances, so, too, do attacks against systems and the resulting damage that attacks bring. We are in an early stage of global transformation where the combined impact of cloud computing, mobile technologies, big data, analytics, robotics, and the interconnected world of smart devices has the potential to change everything. We have seen demonstrations where self-driving cars can be compromised and hackers can access avionics systems in flight. We know that devices such as insulin pumps and pacemakers are vulnerable.
How can we expect advanced technology applications to be safe when technologies that we have relied on, and that are business critical, are not secure? The Symantec 2016 Internet Security Threat Report found that 78 percent of scanned web sites were vulnerable and that 15 percent had critical security flaws. The report also identified that zero day vulnerabilities increased by 125 percent between 2014 and 2015. If a technology with which we have long-term experience, such as web site deployment, is so ill protected from even traditional attack mechanisms, how prepared can we expect to be against zero day attacks and the even more insidious advanced persistent threats?
ISACA research recognizes that enterprises are more aware of the risk of advanced persistent threats (APTs) and are taking action to better manage this risk. Sixty-seven percent of respondents to the 2015 Advanced Persistent Threat Awareness survey were familiar or very familiar with APTs. Unfortunately, many organizations are relying on traditional defense and detection mechanisms, which may only be minimally effective against persistent threats. While Web intrusions resulting from configuration or other security lapses are possible and APTs are likely, there is a growing trend to attack mobile devices. The Symantec Threat Report indicated a 214 percent increase in mobile vulnerabilities in 2015.
While we see greater recognition of the cyber problem and its impact on business, this does not equate to implementing cyber defense better. What is needed is a rethinking of how information and cybersecurity are governed, managed, and implemented. What is needed is a more holistic, business-focused approach to cybersecurity, and recognition that cybersecurity is a business issue and not just a technical problem.
The Time for Change
The need to innovate, the accelerated integration of business and technology, the drive for better performance, and the exploitation of new technologies for business benefit can realistically happen only if cybersecurity is how business is done, instead of being addressed as an afterthought. While many organizations continue to see cybersecurity as a technical problem, we are beginning to see changes that will only enhance the effectiveness of cyber risk management.
The State of Cybersecurity: Implications for 2016
A joint research activity by the RSA Conference and ISACA shows that cybersecurity is increasingly being seen as a business enabler. As organizations strive to become fully digital, and as they exploit benefits derived from emerging technology solutions, security must become a core organization capability involving all departments and not just information technology (IT). We see from the ISACA research that most boards of directors (82 percent) are concerned or very concerned about cybersecurity. Board concern should translate into action. A possible consequence of board attention is that most organizations have developed and are enforcing their cyber policies (66 percent) and are providing what security leaders believe is appropriate funding (63 percent). More importantly, perhaps, 75 percent of those responding to the survey indicated that their cyber strategy is now aligned with enterprise objectives.
Connecting cyber activities to business goals and aspirations is perhaps the most important element in becoming a cyber risk-managed organization. While many security leaders felt that they were adequately funded, board and executive leader attention is resulting in budget increases for 61 percent of the organizations participating in the study. Investments are necessary to do more than keep up with cyber threats. As cyber becomes integral to how new products, services, and capabilities are developed, additional funding is required. Participants in the ISACA/RSA survey reported that this additional funding will provide increased compensation for skilled cyber specialists, enhanced training, broader awareness activities, and more effective response and recovery planning.
Increasing Cyber Risk Management Maturity
Best-performing organizations, with more mature cyber risk management capabilities, share several common characteristics. They commonly:
- Recognize the importance of cybersecurity and address it as a board issue and value enhancer.
- Ensure that executive management is engaged in leading cyber efforts and support cybersecurity as a business issue.
- Manage cyber risks within an enterprise risk management approach providing the necessary human and capital support for programs and initiatives.
- Follow established cybersecurity standards or frameworks in building, managing, and monitoring the enterprise cyber program.
- Continuously evaluate cybersecurity performance against business goals and objectives.
- Track and report cybersecurity performance against the international standards and frameworks used to design and implement their program.
- Fine-tune cybersecurity priorities and activities as enterprise needs and threats change.
What sets best-performing...
System requirements
File format: ePUB
Copy protection: Adobe-DRM (Digital Rights Management)