商品描述
Authoritative resource delivering the professional practice of cybersecurity from the perspective of enterprise governance and risk management.
Stepping Through Cybersecurity Risk Management covers the professional practice of cybersecurity from the perspective of enterprise governance and risk management. Itdescribes the state of the art in cybersecurity risk identification, classification, measurement, remediation, monitoring and reporting. It includes industry standard techniques for examining cybersecurity threat actors, cybersecurity attacks in the context of cybersecurity-related events, technology controls, cybersecurity measures and metrics, cybersecurity issue tracking and analysis, and risk and control assessments.
The text provides precise definitions for information relevant to cybersecurity management decisions and recommendations for collecting and consolidating that information in the service of enterprise risk management. The objective is to enable the reader to recognize, understand, and apply risk-relevant information to the analysis, evaluation, and mitigation of cybersecurity risk. A well-rounded resource, the text describes both reports and studies that improve cybersecurity decision support.
Composed of 10 chapters, the author provides learning objectives, exercises and quiz questions per chapter in an appendix, with quiz answers and exercise grading criteria available to professors.
Written by a highly qualified professional with significant experience in the field, Stepping Through Cybersecurity Risk Management includes information on:
- Threat actors and networks, attack vectors, event sources, security operations, and CISO risk evaluation criteria with respect to this activity
- Control process, policy, standard, procedures, automation, and guidelines, along with risk and control self assessment and compliance with regulatory standards
- Cybersecurity measures and metrics, and corresponding key risk indicators
- The role of humans in security, including the "three lines of defense" approach, auditing, and overall human risk management
- Risk appetite, tolerance, and categories, and analysis of alternative security approaches via reports and studies
Providing comprehensive coverage on the topic of cybersecurity through the unique lens of perspective of enterprise governance and risk management, Stepping Through Cybersecurity Risk Management is an essential resource for professionals engaged in compliance with diverse business risk appetites, as well as regulatory requirements such as FFIEC, HIIPAA, and GDPR, as well as a comprehensive primer for those new to the field.
A complimentary forward by Professor Gene Spafford explains why "This book will be helpful to the newcomer as well as to the hierophants in the C-suite. The newcomer can read this to understand general principles and terms. The C-suite occupants can use the material as a guide to check that their understanding encompasses all it should."
商品描述(中文翻譯)
這本書是從企業治理和風險管理的角度,提供專業的資訊安全實踐的權威資源。
《Stepping Through Cybersecurity Risk Management》從企業治理和風險管理的角度,介紹了資訊安全實踐的專業知識。書中描述了資訊安全風險識別、分類、測量、修復、監控和報告的最新技術。內容包括行業標準技術,用於檢查資訊安全威脅行為者、資訊安全攻擊、技術控制、資訊安全措施和指標、資訊安全問題追踪和分析,以及風險和控制評估。
這本書提供了與資訊安全管理決策相關的精確定義,並提出了收集和整合這些資訊以支持企業風險管理的建議。其目標是使讀者能夠識別、理解和應用與風險相關的資訊,以分析、評估和減輕資訊安全風險。這本書還描述了改進資訊安全決策支持的報告和研究。
這本書共有10章,每章附有學習目標、練習和測驗問題,並提供教授們測驗答案和練習評分標準。
《Stepping Through Cybersecurity Risk Management》由一位在該領域具有豐富經驗的高資歷專業人士撰寫,內容包括以下資訊:
- 威脅行為者和網絡、攻擊向量、事件來源、安全操作和CISO風險評估準則
- 控制流程、政策、標準、程序、自動化和指南,以及風險和控制自我評估和遵循監管標準
- 資訊安全措施和指標,以及相應的關鍵風險指標
- 人在安全中的角色,包括“三線防禦”方法、審計和整體人員風險管理
- 風險偏好、容忍度和類別,以及通過報告和研究分析替代安全方法
《Stepping Through Cybersecurity Risk Management》從企業治理和風險管理的獨特角度全面涵蓋了資訊安全主題,是從事符合不同業務風險偏好以及FFIEC、HIIPAA和GDPR等監管要求的專業人士的必備資源,也是新手入門的全面入門指南。
書中還有一篇由Gene Spafford教授撰寫的免費前言,解釋了為什麼“這本書對新手和C-suite高層都有幫助。新手可以通過閱讀本書來了解一般原則和術語。C-suite高層可以將本書作為指南,檢查他們對資訊安全的理解是否全面。”
作者簡介
Jennifer L. Bayuk is a cybersecurity due diligence expert with a MS in Computer Science and a PhD in Systems Engineering. She has been a Global Financial Services Technology Risk Management Officer, a Wall Street Chief Information Security Officer, a Big 4 Information Risk Management Consultant, a Manager of Information Technology Internal Audit, a Security Architect, a Bell Labs Security Software Engineer, a Professor of Systems Security Engineering, and a Private Cybersecurity Investigator and Expert Witness
作者簡介(中文翻譯)
Jennifer L. Bayuk 是一位擁有計算機科學碩士學位和系統工程博士學位的網絡安全盡職調查專家。她曾擔任全球金融服務科技風險管理官、華爾街首席信息安全官、四大信息風險管理顧問、信息技術內部審計經理、安全架構師、貝爾實驗室安全軟件工程師、系統安全工程教授,以及私人網絡安全調查員和專家證人。
