Table of Contents
Chapter 1: Understanding Cybersecurity Policy and Governance
Information Security vs. Cybersecurity Policies
Looking at Policy Through the Ages
The United States Constitution as a Policy Revolution
Successful Policy Characteristics
What Is the Role of Government?
Additional Federal Banking Regulations
Government Cybersecurity Regulations in Other Countries
The Challenges of Global Policies
Cybersecurity Policy Life Cycle
Chapter 2: Cybersecurity Policy Organization, Format, and Styles
Plain Language Techniques for Policy Writing
Chapter 3: Cybersecurity Framework
Confidentiality, Integrity, and Availability
NIST’s Cybersecurity Framework
Chapter 4: Governance and Risk Management
Understanding Cybersecurity Policies
What Is Meant by Strategic Alignment?
User-Level Cybersecurity Policies
Cybersecurity Vulnerability Disclosure Policies
Client Synopsis of Cybersecurity Policies
Who Authorizes Cybersecurity Policy?
What Is a Distributed Governance Model?
Evaluating Cybersecurity Policies
Revising Cybersecurity Policies: Change Drivers
NIST Cybersecurity Framework Governance Subcategories and Informative References
Chapter 5: Asset Management and Data Loss Prevention
Information Assets and Systems
Who Is Responsible for Information Assets?
How Does the Federal Government Classify Data?
Why Is National Security Information Classified Differently?
Who Decides How National Security Data Is Classified?
How Does the Private Sector Classify Data?
Can Information Be Reclassified or Even Declassified?
Labeling and Handling Standards
Why an Inventory Is Necessary and What Should Be Inventoried
Understanding Data Loss Prevention Technologies
Chapter 6: Human Resources Security
What Does Recruitment Have to Do with Security?
What Happens in the Onboarding Phase?
What Should an Employee Learn During Orientation?
Why Is Termination Considered the Most Dangerous Phase?
The Importance of Employee Agreements
What Are Confidentiality or Nondisclosure Agreements?
What Is an Acceptable Use Agreement?
The Importance of Security Education and Training
Influencing Behavior with Security Awareness
Teaching a Skill with Security Training
Security Education Is Knowledge Driven
Chapter 7: Physical and Environmental Security
Understanding the Secure Facility Layered Defense Model
How Is Physical Access Controlled?
Chapter 8: Communications and Operations Security
Why Is Patching Handled Differently?
Are There Different Types of Malware?
Is There a Recommended Backup or Replication Strategy?
What Makes Email a Security Risk?
Other Collaboration and Communication Tools
Activity Monitoring and Log Analysis
What Should Be Included in Service Provider Contracts?
Threat Intelligence and Information Sharing
How Good Is Cyber Threat Intelligence if It Cannot Be Shared?
Chapter 9: Access Control Management
Infrastructure Access Controls
What Is Layered Border Security?
What Types of Access Should Be Monitored?
Chapter 10: Information Systems Acquisition, Development, and Maintenance
What About Commercially Available or Open Source Software?
The Open Web Application Security Project (OWASP)
Why Protect Cryptographic Keys?
Digital Certificate Compromise
Chapter 11: Cybersecurity Incident Response
What Is an Incident Response Program?
Tabletop Exercises and Playbooks
Information Sharing and Coordination
Computer Security Incident Response Teams
Product Security Incident Response Teams (PSIRTs)
Incident Response Training and Exercises
What Happened? Investigation and Evidence Handling
Understanding Forensic Analysis
Data Breach Notification Requirements
Is There a Federal Breach Notification Law?
Chapter 12: Business Continuity Management
What Is a Resilient Organization?
Business Continuity Risk Management
What Is a Business Continuity Threat Assessment?
What Is a Business Continuity Risk Assessment?
What Is a Business Impact Assessment?
Chapter 13: Regulatory Compliance for Financial Institutions
What Is a Financial Institution?
What Are the Interagency Guidelines?
New York’s Department of Financial Services Cybersecurity Regulation (23 NYCRR Part 500)
What Is a Regulatory Examination?
Personal and Corporate Identity Theft
What Is Required by the Interagency Guidelines Supplement A?
Chapter 14: Regulatory Compliance for the Health-Care Sector
What Is the Objective of the HIPAA Security Rule?
How Is the HIPAA Security Rule Organized?
What Are the Physical Safeguards?
What Are the Technical Safeguards?
What Are the Organizational Requirements?
What Are the Policies and Procedures Standards?
The HIPAA Security Rule Mapping to NIST Cybersecurity Framework
The HITECH Act and the Omnibus Rule
What Changed for Business Associates?
What Are the Breach Notification Requirements?
Understanding the HIPAA Compliance Enforcement Process
Chapter 15: PCI Compliance for Merchants
What Is the PCI DDS Framework?
What Are the PCI Requirements?
Who Is Required to Comply with PCI DSS?
What Is a Data Security Compliance Assessment?
What Is the PCI DSS Self-Assessment Questionnaire (SAQ)?
Are There Penalties for Noncompliance?
Chapter 16: NIST Cybersecurity Framework
Introducing the NIST Cybersecurity Framework Components
Framework Implementation Tiers (“Tiers”)
Who Should Coordinate the Framework Implementation?
NIST’s Recommended Steps to Establish or Improve a Cybersecurity Program
Communication with Stakeholders and Supply Chain Relationships
NIST’s Cybersecurity Framework Reference Tool
Adopting the NIST Cybersecurity Framework in Real Life
Appendix A: Cybersecurity Program Resources
Appendix B: Answers to the Multiple Choice Questions