Contents

Each entry gives the starting page, followed in parentheses by the entry's page count. Entries whose title did not survive extraction are shown as "[title not extracted]".

Foreword  xv
Preface  xix
Acknowledgments  xxiii
Authors  xxv
Organization of the Text  xxvii

Part I  Cybersecurity Risk Management and the Framework for Improving Critical Infrastructure Cybersecurity

Chapter 1  Cybersecurity Risk Management  3 (28)
    [title not extracted]  3 (4)
    Cybersecurity: A Definition  4 (3)
    Cybersecurity Risk Management  7 (11)
        Risk Management Components  8 (4)
        Risk Management Tiered Approach  12 (6)
            Tier 1: Organizational Level  13 (1)
            Tier 2: Mission/Business Process Level  14 (1)
            Tier 3: Information System Level  15 (3)
    Managing ICT Security Risk through Governance, Control, and Audit  18 (8)
        [title not extracted]  19 (2)
        [title not extracted]  21 (1)
        [title not extracted]  22 (4)
    Implementing Best Practices Using a Single Cybersecurity Framework  26 (2)
    [title not extracted]  28 (1)
    [title not extracted]  29 (2)

Chapter 2  Introduction to the Framework for Improving Critical Infrastructure Cybersecurity  31 (24)
    Overview of the Framework  32 (5)
        Benefits of Adopting the Framework  34 (3)
    [title not extracted]  37 (6)
        [title not extracted]  38 (1)
        [title not extracted]  38 (1)
        [title not extracted]  39 (1)
        [title not extracted]  40 (3)
    Framework Implementation Tiers  43 (3)
    [title not extracted]  46 (4)
    Framework Is Descriptive and Not Prescriptive  50 (3)
    Structure of the Book's Presentation of the Framework  53 (1)
    [title not extracted]  53 (1)
    [title not extracted]  54 (1)

Chapter 3  Identify Function  55 (48)
    Identify Function Overview  57 (2)
    Asset Management Category  59 (17)
        ID.AM-1: Physical Devices and Systems within the Organization Are Inventoried  62 (1)
        ID.AM-2: Software Platforms and Applications within the Organization Are Inventoried  63 (1)
        ID.AM-3: Organizational Communication and Data Flows Are Mapped  64 (1)
        ID.AM-4: External Information Systems Are Cataloged  65 (1)
        ID.AM-5: Resources Are Prioritized Based on Their Classification, Criticality, and Business Value  66 (2)
        ID.AM-6: Cybersecurity Roles and Responsibilities for the Entire Workforce and Third-Party Stakeholders Are Established  68 (1)
    Business Environment Category  69 (1)
        ID.BE-1: The Organization's Role in the Supply Chain Is Identified and Communicated  70 (1)
        ID.BE-2: The Organization's Place in Critical Infrastructure and Its Industry Sector Is Identified and Communicated  71 (1)
        ID.BE-3: Priorities for Organizational Mission, Objectives, and Activities Are Established and Communicated  72 (1)
        ID.BE-4: Dependencies and Critical Functions for Delivery of Critical Services Are Established  73 (1)
        ID.BE-5: Resilience Requirements to Support Delivery of Critical Services Are Established  74 (2)
    [title not extracted]  76 (8)
        ID.GV-1: Organizational Information Security Policy Is Established  77 (2)
        ID.GV-2: Information Security Roles and Responsibilities Are Coordinated and Aligned with Internal Roles and External Partners  79 (1)
        ID.GV-3: Legal and Regulatory Requirements Regarding Cybersecurity, Including Privacy and Civil Liberties Obligations, Are Understood and Managed  80 (1)
        ID.GV-4: Governance and Risk Management Processes Address Cybersecurity Risks  81 (3)
    [title not extracted]  84 (8)
        ID.RA-1: Asset Vulnerabilities Are Identified and Documented  85 (3)
        ID.RA-2: Threat and Vulnerability Information Is Received from Information Sharing Forums and Sources  88 (1)
        ID.RA-3: Threats, Both Internal and External, Are Identified and Documented  88 (2)
        ID.RA-4: Potential Business Impacts and Likelihoods Are Identified  90 (1)
        ID.RA-5: Threats, Vulnerabilities, Likelihoods, and Impacts Are Used to Determine Risk  91 (1)
        ID.RA-6: Risk Responses Are Identified and Prioritized  91 (1)
    [title not extracted]  92 (8)
        [title not extracted]  94 (2)
        Implementing Risk Management  96 (1)
        [title not extracted]  97 (3)
    Linking COBIT to the Identify Function  100 (1)
    [title not extracted]  101 (1)
    [title not extracted]  101 (2)

Chapter 4  Protect Function  103 (60)
    Protect Function Overview  104 (2)
    [title not extracted]  106 (7)
        PR.AC-1: Identities and Credentials Are Managed for Authorized Devices and Users  107 (2)
        PR.AC-2: Physical Access to Assets Is Managed and Protected  109 (1)
        PR.AC-3: Remote Access Is Managed  110 (1)
        PR.AC-4: Access Permissions Are Managed, Incorporating the Principles of Least Privilege and Separation of Duties  111 (1)
        PR.AC-5: Network Integrity Is Protected, Incorporating Network Segregation Where Appropriate  112 (1)
    Awareness and Training Category  113 (3)
        PR.AT-1 through PR.AT-5: Awareness and Training Subcategories  115 (1)
    [title not extracted]  116 (11)
        PR.DS-1: Data-at-Rest Are Protected  117 (2)
        PR.DS-2: Data-in-Transit Are Protected  119 (1)
        PR.DS-3: Assets Are Formally Managed throughout Removal, Transfers, and Disposition  120 (1)
        PR.DS-4: Adequate Capacity to Ensure Availability Is Maintained  121 (1)
        PR.DS-5: Protections against Data Leaks Are Implemented  121 (2)
        PR.DS-6: Integrity Checking Mechanisms Are Used to Verify Software, Firmware, and Information Integrity  123 (1)
        PR.DS-7: Development and Testing Environment(s) Are Separate from the Production Environment  123 (4)
    Information Protection Processes and Procedures Category  127 (22)
        PR.IP-1 and PR.IP-3: Configuration Management Baselines Are Established and Change Control Is Put into Place  128 (7)
        PR.IP-2: A System Development Life Cycle to Manage Systems Is Implemented  135 (3)
        PR.IP-4: Backups of Information Are Conducted, Maintained, and Tested Periodically  138 (1)
        PR.IP-5: Policy and Regulations Regarding the Physical Operating Environment for Organizational Assets Are Met  139 (1)
        PR.IP-6: Data Are Destroyed According to Policy  140 (1)
        PR.IP-7: Protection Processes Are Continuously Improved  141 (1)
        PR.IP-8: Effectiveness of Protection Technologies Is Shared with Appropriate Parties  142 (1)
        PR.IP-9: Response Plans and Recovery Plans Are in Place and Managed  143 (2)
        PR.IP-10: Response and Recovery Plans Are Tested  145 (1)
        PR.IP-11: Cybersecurity Is Included in Human Resources Practices  146 (2)
        PR.IP-12: A Vulnerability Management Plan Is Developed and Implemented  148 (1)
    [title not extracted]  149 (2)
        PR.MA-1: Maintenance and Repair of Organizational Assets Is Performed and Logged in a Timely Manner, with Approved and Controlled Tools  149 (2)
        PR.MA-2: Remote Maintenance of Organizational Assets Is Approved, Logged, and Performed in a Manner That Prevents Unauthorized Access  151 (1)
    [title not extracted]  151 (7)
        PR.PT-1: Audit/Log Records Are Determined, Documented, Implemented, and Reviewed in Accordance with Policy  152 (2)
        PR.PT-2: Removable Media Is Protected and Its Use Restricted According to Policy  154 (1)
        PR.PT-3: Access to Systems and Assets Is Controlled, Incorporating the Principle of Least Functionality  155 (1)
        PR.PT-4: Communications and Control Networks Are Protected  156 (2)
    Linking COBIT to the Protect Function  158 (2)
    [title not extracted]  160 (1)
    [title not extracted]  161 (2)

Chapter 5  Detect Function  163 (34)
    [title not extracted]  164 (4)
    Anomalies and Events Category  168 (8)
        DE.AE-1: A Baseline of Network Operations and Expected Data Flows for Users and Systems Is Established and Managed  170 (2)
        DE.AE-2: Detected Events Are Analyzed to Understand Attack Targets and Methods  172 (3)
        DE.AE-3: Event Data Are Aggregated and Correlated from Multiple Sources and Sensors  175 (1)
        DE.AE-4: Impact of Events Is Determined  175 (1)
        DE.AE-5: Incident Alert Thresholds Are Established  176 (1)
    Security Continuous Monitoring Category  176 (11)
        DE.CM-1: Network Is Monitored to Detect Potential Cybersecurity Events  177 (3)
        DE.CM-2: Physical Environment Is Monitored to Detect Potential Cybersecurity Events  180 (1)
        DE.CM-3: Personnel Activity Is Monitored to Detect Potential Cybersecurity Events  181 (1)
        DE.CM-4: Malicious Code Is Detected  182 (1)
        DE.CM-5: Unauthorized Mobile Code Is Detected  183 (1)
        DE.CM-6: External Service Provider Activity Is Monitored to Detect Potential Cybersecurity Events  184 (1)
        DE.CM-7: Monitoring for Unauthorized Personnel, Connections, Devices, and Software Is Performed  185 (1)
        DE.CM-8: Vulnerability Scans Are Performed  186 (1)
    Detection Processes Category  187 (8)
        DE.DP-1: Roles and Responsibilities for Detection Are Well Defined to Ensure Accountability  189 (2)
        DE.DP-2: Detection Activities Comply with All Applicable Requirements  191 (1)
        DE.DP-3: Detection Processes Are Tested  192 (1)
        DE.DP-4: Event Detection Information Is Communicated to Appropriate Parties  192 (1)
        DE.DP-5: Detection Processes Are Continuously Improved  193 (2)
    [title not extracted]  195 (1)
    [title not extracted]  195 (2)

Chapter 6  Respond Function  197 (24)
    Respond Function Overview  198 (4)
    Response Planning Category  202 (2)
    [title not extracted]  204 (5)
        RS.CO-1: Personnel Know Their Roles and Order of Operations When a Response Is Needed  205 (1)
        RS.CO-2: Events Are Reported Consistent with Established Criteria  206 (1)
        RS.CO-3: Information Is Shared Consistent with Response Plans  207 (1)
        RS.CO-4: Coordination with Stakeholders Occurs Consistent with Response Plans  208 (1)
        RS.CO-5: Voluntary Information Sharing Occurs with External Stakeholders to Achieve Broader Cybersecurity Situational Awareness  208 (1)
    [title not extracted]  209 (5)
        RS.AN-1: Notifications from Detection Systems Are Investigated  209 (2)
        RS.AN-2: Impact of the Incident Is Understood  211 (1)
        RS.AN-3: Forensics Are Performed  211 (1)
        RS.AN-4: Incidents Are Categorized Consistent with Response Plans  212 (2)
    [title not extracted]  214 (3)
        RS.MI-1: Incidents Are Contained  215 (1)
        RS.MI-2: Incidents Are Mitigated  216 (1)
        RS.MI-3: Newly Identified Vulnerabilities Are Mitigated or Documented as Accepted Risks  217 (1)
    [title not extracted]  217 (2)
        RS.IM-1: Response Plans Incorporate Lessons Learned  218 (1)
        RS.IM-2: Response Strategies Are Updated  219 (1)
    [title not extracted]  219 (1)
    [title not extracted]  220 (1)

Chapter 7  Recover Function  221 (20)
    Distinguishing between Business Continuity and Disaster Recovery  222 (9)
    Recover Function Overview  224 (2)
    Recovery Planning Category  226 (5)
    [title not extracted]  227 (2)
    [title not extracted]  229 (2)
    [title not extracted]  231 (1)
    [title not extracted]  231 (2)
        RC.IM-1: Recovery Plans Incorporate Lessons Learned  232 (1)
        RC.IM-2: Recovery Strategies Are Updated  233 (1)
    [title not extracted]  233 (2)
        RC.CO-1: Public Relations Are Managed  234 (1)
        RC.CO-2: Reputation after an Event Is Repaired  235 (1)
        RC.CO-3: Recovery Activities Are Communicated to Internal Stakeholders and Executive and Management Teams  235 (1)
    [title not extracted]  235 (1)
    [title not extracted]  236 (5)

Part II  Cybersecurity, Governance, Audit, and the COBIT 5 Framework

Chapter 8  The COBIT Framework  241 (28)
    [title not extracted]  241 (1)
    [title not extracted]  242 (1)
    [title not extracted]  243 (3)
    Practical Technical Scenarios (PTSs)  246 (3)
    [title not extracted]  249 (2)
    [title not extracted]  251 (12)
        P1: Meeting Stakeholder Needs  251 (4)
        P2: Covering the Enterprise End to End  255 (3)
        P3: Applying a Single, Integrated Framework  258 (1)
        P4: Enabling a Holistic Approach  258 (5)
            Enabler 1: Principles, Policies, and Frameworks  258 (1)
            [title not extracted]  259 (1)
            Enabler 3: Organizational Structures  260 (1)
            Enabler 4: Culture, Ethics, and Behavior  261 (1)
            [title not extracted]  261 (1)
            Enabler 6: Services, Infrastructure, and Applications  262 (1)
            Enabler 7: People, Skills, and Competencies  263 (1)
        P5: Separating Governance from Management  263 (1)
    [title not extracted]  263 (1)
    [title not extracted]  263 (1)
    Other Governance Frameworks and Best Practices  263 (2)
        [title not extracted]  264 (1)
        Information Technology Infrastructure Library  264 (1)
        Committee of Sponsoring Organizations Enterprise Risk Management  265 (1)
        [title not extracted]  265 (1)
    [title not extracted]  266 (3)

Chapter 9  Decomposition of Framework  269 (8)
    Framework Principles: Creation  269 (1)
    Definition of Categories and Seven Enablers  269 (4)
    [title not extracted]  273 (1)
    [title not extracted]  274 (1)
    [title not extracted]  275 (1)
    [title not extracted]  276 (1)

Chapter 10  Framework Structure's Generic Domains  277 (14)
    COBIT's Framework Structure  277 (1)
    Planning and Organization  278 (5)
    Acquisition and Implementation  283 (1)
    [title not extracted]  284 (3)
    [title not extracted]  287 (1)
    [title not extracted]  288 (1)
    [title not extracted]  288 (3)

Chapter 11  Decomposition of COBIT 5 Principles  291 (8)
    Purpose of COBIT Control Objectives and Principles  291 (2)
    Principle 1: Installing the Integrated IT Architectural Framework  293 (1)
    Principle 2: What Do Stakeholders Value?  294 (1)
    Principle 3: The Business Context Focus  295 (1)
    Principle 4: Managing Risk  296 (1)
    Principle 5: Measuring Performance  296 (1)
    [title not extracted]  297 (1)
    [title not extracted]  297 (2)

Chapter 12  COBIT Management Guidelines  299 (8)
    [title not extracted]  299 (1)
    [title not extracted]  300 (1)
    [title not extracted]  301 (1)
    [title not extracted]  302 (2)
    [title not extracted]  304 (1)
    [title not extracted]  304 (3)

Chapter 13  COBIT Management Dashboard  307 (6)
    [title not extracted]  307 (1)
    [title not extracted]  308 (1)
    [title not extracted]  308 (1)
    [title not extracted]  308 (3)
    [title not extracted]  311 (1)
    [title not extracted]  311 (2)

Chapter 14  What COBIT Sets Out to Accomplish  313 (4)
    Adaptability to Existing Frameworks  313 (1)
    Constituency of Governance for Finance  314 (1)
    Constituency of Governance for IT  315 (1)
    [title not extracted]  315 (1)
    [title not extracted]  316 (1)

Chapter 15  Internal Audits  317 (6)
    Purpose of Internal Audits  317 (1)
    Roles That Potentially Use COBIT  318 (1)
    Approaches to Using COBIT in an Internal Audit  319 (1)
    Types of Audits That Can Be Facilitated Using COBIT  319 (1)
    Advantages of Using COBIT in Internal Audits  320 (1)
    [title not extracted]  321 (1)
    [title not extracted]  321 (2)

Chapter 16  Tying It All Together  323 (4)
    COBIT Works with Sarbanes-Oxley (SOx)  323 (1)
    GETIT Working Hand in Hand with COBIT  323 (1)
    Process Assessment Model (PAM)  324 (1)
    [title not extracted]  324 (1)
    [title not extracted]  325 (2)

Bibliography  327 (6)
Index  333