CONTENTS

Part 1: Introduction

Chapter 1: The threat landscape

Chapter 2: Information and cyber security

Chapter 3: Cyber resilience

Chapter 4: Regulatory and contractual requirements

4.1 International data privacy laws

4.2 Cyber security requirements for critical infrastructure

4.3 Contractual requirements

Chapter 5: Implementing cyber security

5.1 Making trade-offs

5.2 Three security pillars

5.3 The IT Governance Cyber Resilience Framework (CRF)

5.4 Structure of the book

Part 2: Threats and vulnerabilities

Chapter 6: The anatomy of threats

Chapter 7: Technical threats

7.1 The attackers

7.2 Malware

7.3 Technical threat example: TalkTalk data breach

Chapter 8: Human threats

8.1 Staff awareness

8.2 Social engineering

8.3 Remote working

8.4 Human threat example: WannaCry

Chapter 9: Physical threats

9.1 Physical entry threats

9.2 Physical security and mobile devices

9.3 Environmental threats

9.4 Physical threat example: KVM attacks

Chapter 10: Third-party threats

10.1 Supply chain threats

10.2 Third-party threat example: Target data breach

Part 3: The CRF processes

Chapter 11: An overview of the CRF processes

Chapter 12: Manage and protect

12.1 Asset management

12.2 Information security policies

12.3 Physical and environmental security

12.4 Identity and access control

12.5 Malware protection

12.6 Configuration and patch management

12.7 Encryption

12.8 System security

12.9 Network and communications security

12.10 Security competence and training

12.11 Staff awareness training

12.12 Comprehensive risk management programme

12.13 Supply chain risk management

Chapter 13: Identify and detect

13.1 Threat and vulnerability intelligence

13.2 Security monitoring

Chapter 14: Respond and recover

14.1 Incident response management

14.2 ICT continuity management

14.3 Business continuity management

Chapter 15: Govern and assure

15.1 Formal information security management programme

15.2 Continual improvement process

15.3 Board-level commitment and involvement

15.4 Governance structure and processes

15.5 Internal audit

15.6 External certification/validation

Chapter 16: Maturity levels

16.1 Determining the level of maturity to aim for

Part 4: Eight steps to implementing cyber security

Chapter 17: Introducing the IT Governance eight-step approach

Chapter 18: Step 1 – Start the project

18.1 Project mandate

18.2 Project team

18.3 Project leadership

Chapter 19: Step 2 – Determine requirements and objectives

19.1 Project vs cyber security objectives

Chapter 20: Step 3 – Determine the scope

Chapter 21: Step 4 – Define current and ideal target states

Using the CRF

Gap analysis

Chapter 22: Step 5 – Establish a continual improvement model

Chapter 23: Step 6 – Conduct a risk assessment

Chapter 24: Step 7 – Select and implement controls

Chapter 25: Step 8 – Measure and review performance

25.1 Continual improvement

25.2 Management review

Part 5: Reference frameworks

Chapter 26: Why you should consider reference frameworks

26.1 Standard types

26.2 Certification benefits

Chapter 27: Core

27.1 Cyber Essentials

27.2 CRF alignment

Chapter 28: Baseline

28.1 NIST CSF

28.2 ISO 27001

28.3 CRF alignment

Chapter 29: Extended

29.1 ISO 22301 – BCM

29.2 ISO 27017 – Cloud security

29.3 ISO 27035 – Information security incident management

29.4 ISO 27036 – Information security in the supply chain

29.5 ISO 27701 – Privacy management

29.6 CRF alignment

Chapter 30: Embedded

30.1 COBIT®

30.2 ISO 27014

30.3 CRF alignment

Part 6: Conclusion and appendices

Chapter 31: Conclusion

Appendix 1: IT and information asset checklist

Appendix 2: Template outline project plan

Appendix 3: Glossary of acronyms and abbreviations

GRC International Group resources

Publishing services

GRC International Group cyber security services

Cyber security training and staff awareness

Professional services and consultancy

Newsletter
