PART I

Planning for Cybersecurity

Ah, miss, it is a pity you didn’t let me know what you were planning, for I would have told you that your pains were wasted.

The Adventure of the Copper Beeches, Sir Arthur Conan Doyle

Everyone has a plan ‘till they get punched in the face.

Mike Tyson

CHAPTER 2:   Security Governance

CHAPTER 3:   Information Risk Assessment

CHAPTER 4:   Security Management

Part I provides an overview of approaches for managing and controlling the cybersecurity function; defining the requirements specific to a given IT environment; and developing policies and procedures for managing the security function. Chapter 2 introduces the concept of information security governance. The chapter discusses how security governance enables the direction and oversight of information security-related activities across an enterprise, as an integrated part of corporate governance. Chapter 3 discusses the range of issues dealing with defining security requirements for an organization and developing procedures to ensure compliance. Chapter 4 focuses on security issues that are primarily related to the internal policies and operation of an organization. This includes: (a) security policy and organization: issues related to defining a comprehensive security policy, keeping it up to date, and effectively communicating it; and (b) information security management: issues relating to the management of the information security function, to ensure good practice in information security is applied effectively and consistently throughout the organization.
