Building a Cyber Risk Management Program

Spis treści ebooka

• Preface
  • Brians Story
  • Brandons Story
  • Bringing It Together
  • Who Should Read This Book
  • Final Thoughts
  • Conventions Used in This Book
  • OReilly Online Learning
  • How to Contact Us
  • Acknowledgments
• 1. Cybersecurity in the Age of Digital Transformation
  • The Fourth Industrial Revolution
  • Cybersecurity Is Fundamentally a Risk Practice
    • Cyber Risk Management Oversight and Accountability
    • Digital Transformation and Maturing the Cyber Risk Management Program
    • Cybersecurity Isnt Just a Security Concern
  • Cyber Risk Management Program: An Urgent Enterprise Concern
  • This Books Roadmap
  • The Bottom Line
• 2. The Cyber Risk Management Program
  • The SEC Speaksand the World Listens
    • Incident Disclosure (Current Disclosures)
    • Risk Management, Strategy, and Governance Disclosures (Periodic Disclosures)
  • The Cyber Risk Management Program Framework
    • Cyber Risk Management Program: Key Drivers
    • Satisfying Obligations and Liability
  • When Risk Management Fails Completely: The Boeing 737 MAX Disasters
  • Risk Management Program Applied to the Boeing Disasters
    • Essential and Mission Critical: The Boeing Case
  • Benefits of a Security Risk Program
    • Benefit 1: Strategic Recognition of the Security Risk Function
    • Benefit 2: Ensuring the Cyber Risk Function Has an Effective Budget
    • Benefit 3: Protections for Risk Decision Makers
    • CRMP: Systematic but Not Zero-Risk
  • Board Accountability and Legal Liability
  • The Boeing Ruling and Cyber Risk Oversight Accountability
  • CISOs in the Line of Fire for Liability
  • The Bottom Line
• 3. Agile Governance
  • The Uber Hack Cover-Up
  • What Does Good Governance Look Like?
  • Aligning with the Enterprise Governance Strategy
  • Seven Principles of Agile Governance
    • Principle 1: Establish Policies and Processes
    • Principle 2: Establish Governance and Roles and Responsibilities Across the Three Lines Model
    • Principle 3: Align Governance Practices with Existing Risk Frameworks
    • Principle 4: Board of Directors and Senior Executives Define Scope
    • Principle 5: Board of Directors and Senior Executives Provide Oversight
    • Principle 6: Audit Governance Processes
    • Principle 7: Align Resources to the Defined Roles and Responsibilities
  • The Bottom Line
• 4. Risk-Informed System
  • Why Risk Information Mattersat the Highest Levels
  • Risk and Risk Information Defined
  • Five Principles of a Risk-Informed System
    • Principle 1: Define a Risk Assessment Framework and Methodology
    • Principle 2: Establish a Methodology for Risk Thresholds
    • Principle 3: Establish Understanding of Risk-Informed Needs
    • Principle 4: Agree on a Risk Assessment Interval
    • Principle 5: Enable Reporting Processes
  • The Bottom Line
• 5. Risk-Based Strategy and Execution
  • ChatGPT Shakes the Business World
  • AI Risks: Two Tech Giants Choose Two Paths
  • Wall Street: Move Fastor Be Replaced
  • The Digital Game Changers Just Keep Coming
  • Defining Risk-Based Strategy and Execution
  • Six Principles of Risk-Based Strategy and Execution
    • Principle 1: Define Acceptable Risk Thresholds
    • Principle 2: Align Strategy and Budget with Approved Risk Thresholds
    • Principle 3: Execute to Meet Approved Risk Thresholds
    • Principle 4: Monitor on an Ongoing Basis
    • Principle 5: Audit Against Risk Thresholds
    • Principle 6: Include Third Parties in Risk Treatment Plan
  • The Bottom Line
• 6. Risk Escalation and Disclosure
  • The SEC and Risk Disclosure
  • Regulatory Bodies Worldwide Require Risk Disclosure
  • Risk Escalation
    • Cyber Risk Classification
    • Escalation and Disclosure: Not Just Security Incidents
  • Disclosure: A Mandatory Concern for Enterprises
    • The Equifax Scandal
    • SEC Materiality Considerations
  • Cyber Risk Management Program and ERM Alignment
  • Five Principles of Risk Escalation and Disclosure
    • Principle 1: Establish Escalation Processes
    • Principle 2: Establish Disclosure ProcessesAll Enterprises
    • Principle 3: Establish Disclosure ProcessesPublic Companies
      • Material incident reporting
      • Risk management and strategy
      • Governance
    • Principle 4: Test Escalation and Disclosure Processes
    • Principle 5: Audit Escalation and Disclosure Processes
  • The Bottom Line
• 7. Implementing the Cyber Risk Management Program
  • The Cyber Risk Management Journey
  • Beginning the Cyber Risk Management Journey
  • Implementing the Cyber Risk Management Program
    • Agile Governance
      • Common challenges with Agile governance
        • Establish a starting point
        • Gain senior-level commitment
        • Obtain necessary budget and other resource limitations
        • Adapt to the specific enterprises environment
    • Risk-Informed System
      • Common challenges with a risk-informed system
        • Dealing with too much dataor the wrong kind of data
        • Communicating information in terms specific stakeholders will understand and accept
        • Getting the right information to the right people at the right time
      • Additional considerations
        • Maturity modeling
        • Metric reporting
        • Risk assessments (qualitative and quantitative)
    • Risk-Based Strategy and Execution
      • Common challenges with risk-based strategy and execution
        • Inadequate budget and other resources
        • Compliance-driven strategy
    • Risk Escalation and Disclosure
      • Common challenges with risk escalation and disclosure
        • A view of escalation thats largely limited to reacting to an incident
        • The failure to identify and focus on enterprise-specific obligations
        • Generic, isolated, or excessively broad materiality considerations
  • Selling the Program
  • The Bottom Line
• 8. The CRMP Applied to Operational Risk and Resilience
  • Enterprise Functions That Interact with and Contribute to Operational Resilience
  • A Malware Attack Shuts Down Maersks Systems Worldwide
  • Guiding Operational Resilience Using the Four Core Cyber Risk Management Program Components
    • Agile Governance
    • Risk-Informed System
    • Risk-Based Strategy and Execution
    • Risk Escalation and Disclosure
  • The Bottom Line
• 9. AI and Beyondthe Future of Risk Management in a Digitalized World
  • AI Defined
  • AI: A Whole New World of Risk
  • Adversarial Machine Learning: NIST Taxonomy and Terminology
    • Risk Management Frameworks with AI Implications
      • NIST AI Risk Management Framework
      • Model risk management (MRM) and the Federal Reserve Boards guidance
    • Key AI Implementation Concepts and Frameworks
      • Fairness and the risk of bias
      • Soundness
      • Robustness
      • Explainability
  • Beyond AI: The Digital Frontier Never Stops Moving
  • The Bottom Line
• A. The Cyber Risk Management Program Framework v1.0
  • Purpose and Context
  • Structure of the Cyber Risk Management Program Framework
  • Note: Framework Disclosure
• Index

pokaż cały spis treści

ukryj recenzje