Security Risk Management The Driving Force For Operational Resilience

The importance of businesses being ‘operationally resilient’ is becoming increasingly important, and a driving force behind whether an organization can ensure that its valuable business operations can ‘bounce back’ from or manage to evade impactful occurrences is its security risk management capabilities. In this book, we change the perspective on an organization’s operational resilience capabilities so that it shifts from being a reactive (tick box) approach to being proactive. The perspectives of every chapter in this book focus on risk profiles and how your business can reduce these profiles using effective mitigation measures. The book is divided into two sections: 1. Security Risk Management (SRM). All the components of security risk management contribute to your organization’s operational resilience capabilities, to help reduce your risks. • Reduce the probability/ likelihood. 2. Survive to Operate. If your SRM capabilities fail your organization, these are the components that are needed to allow you to quickly ‘bounce back.’ • Reduce the severity/ impact. Rather than looking at this from an operational resilience compliance capabilities aspect, we have written these to be agnostic of any specific operational resilience framework (e.g., CERT RMM, ISO 22316, SP 800- 160 Vol. 2 Rev. 1, etc.), with the idea of looking at operational resilience through a risk management lens instead. This book is not intended to replace these numerous operational resilience standards/ frameworks but, rather, has been designed to complement them by getting you to appreciate their value in helping to identify and mitigate your operational resilience risks. Unlike the cybersecurity or information security domains, operational resilience looks at risks from a business-oriented view, so that anything that might disrupt your essential business operations are risk-assessed and appropriate countermeasures identified and applied. Consequently, this book is not limited to cyberattacks or the loss of sensitive data but, instead, looks at things from a holistic business-based perspective.

CERT® Resilience Management Model (CERT-RMM) is an innovative and transformative way to manage operational resilience in complex, risk-evolving environments. CERT-RMM distills years of research into best practices for managing the security and survivability of people, information, technology, and facilities. It integrates these best practices into a unified, capability-focused maturity model that encompasses security, business continuity, and IT operations. By using CERT-RMM, organizations can escape silo-driven approaches to managing operational risk and align to achieve strategic resilience management goals. This book both introduces CERT-RMM and presents the model in its entirety. It begins with essential background for all professionals, whether they have previously used process improvement models or not. Next, it explains CERT-RMM’s Generic Goals and Practices and discusses various approaches for using the model. Short essays by a number of contributors illustrate how CERT-RMM can be applied for different purposes or can be used to improve an existing program. Finally, the book provides a complete baseline understanding of all 26 process areas included in CERT-RMM. Part One summarizes the value of a process improvement approach to managing resilience, explains CERT-RMM’s conventions and core principles, describes the model architecturally, and shows how itsupports relationships tightly linked to your objectives. Part Two focuses on using CERT-RMM to establish a foundation for sustaining operational resilience management processes in complex environments where risks rapidly emerge and change. Part Three details all 26 CERT-RMM process areas, from asset definition through vulnerability resolution. For each, complete descriptions of goals and practices are presented, with realistic examples. Part Four contains appendices, including Targeted Improvement Roadmaps, a glossary, and other reference materials. This book will be valuable to anyone seeking to improve the mission assurance of high-value services, including leaders of large enterprise or organizational units, security or business continuity specialists, managers of large IT operations, and those using methodologies such as ISO 27000, COBIT, ITIL, or CMMI.

Cybersecurity Operations and Fusion Centers: A Comprehensive Guide to SOC and TIC Strategy by Dr. Kevin Lynn McLaughlin is a must-have resource for anyone involved in the establishment and operation of a Cybersecurity Operations and Fusion Center (SOFC). Think of a combination cybersecurity SOC and cybersecurity Threat Intelligence Center (TIC). In this book, Dr. McLaughlin, who is a well-respected cybersecurity expert, provides a comprehensive guide to the critical importance of having an SOFC and the various options available to organizations to either build one from scratch or purchase a ready-made solution. The author takes the reader through the crucial steps of designing an SOFC model, offering expert advice on selecting the right partner, allocating resources, and building a strong and effective team. The book also provides an in-depth exploration of the design and implementation of the SOFC infrastructure and toolset, including the use of virtual tools, the physical security of the SOFC, and the impact of COVID-19 on remote workforce operations. A bit of gamification is described in the book as a way to motivate and maintain teams of high-performing and well-trained cybersecurity professionals. The day-to-day operations of an SOFC are also thoroughly examined, including the monitoring and detection process, security operations (SecOps), and incident response and remediation. The book highlights the significance of effective reporting in driving improvements in an organization’s security posture. With its comprehensive analysis of all aspects of the SOFC, from team building to incident response, this book is an invaluable resource for anyone looking to establish and operate a successful SOFC. Whether you are a security analyst, senior analyst, or executive, this book will provide you with the necessary insights and strategies to ensure maximum performance and long-term success for your SOFC. By having this book as your guide, you can rest assured that you have the knowledge and skills necessary to protect an organization’s data, assets, and operations.

CERT® Resilience Management Model (CERT-RMM) is an innovative and transformative way to manage operational resilience in complex, risk-evolving environments. CERT-RMM distills years of research into best practices for managing the security and survivability of people, information, technology, and facilities. It integrates these best practices into a unified, capability-focused maturity model that encompasses security, business continuity, and IT operations. By using CERT-RMM, organizations can escape silo-driven approaches to managing operational risk and align to achieve strategic resili.

This book is about the primary symptoms present in a dysfunctional culture that could have devastating outcomes for any organization. The book outlines each of the seven sins in each chapter. Each of the first seven chapters (Chapters 1–7) starts with a famous quote related to each of the sins and then immediately recounts stories ripped from the headlines describing well-known corporate failures but with a personal touch from former employees who experienced those stories from inside the company. (The sources for these stories are all cited in their Bibliographies.) The seven sins of organizational culture are linked with seven different corporate scandals that serve as a "lesson learned" as well as seven stories of organizations that have been successful with each respective organizational attribute as follows: Flawed Mission and Misaligned Values uses WorldCom as the lesson learned and Patagonia as the success case. Flawed Incentives uses Wells Fargo as the lesson learned and Bridgeport Financial as the success case. Lack of Accountability uses HSBC as the lesson learned and McDonald’s as the success case. Ineffective Talent Management uses Enron as the lesson learned and Southwest Airlines as the success case. Lack of Transparency uses Theranos as the lesson learned and Zappos as the success case. Ineffective Risk Management uses the 2008 mortgage industry collapse as the lesson learned and Michael Burry as the success case. Ineffective Leadership summarizes all of the foregoing sins as failures of Leadership. In each chapter and for each organizational sin, the author offers seven attributes of a healthy culture to counter the cultural dysfunction. The seven healthy attributes for each of the seven sins are all original content. In Chapter 8, the author offers an approach for assessing an organization’s culture by providing seven ways to measure the different drivers of organizational culture. The ideas for how to measure corporate culture is original content, with some references to existing frameworks (all cited in the Bibliography.) Finally, in Chapter 9, the author offers a step-by-step outline for transforming the culture. The chapter starts with a story about how Korean Air suffered multiple crashes due to their corporate culture but were able to successfully transform their culture. (The source for the Korean Air story is cited in the Bibliography.) There are seven appendices, most of which are by the author except for the maturity of risk management, which references an OECD (government entity) risk management maturity framework.

Well publicised failures in risk management have appeared with shocking frequency over the past few years. Affected firms can suffer significant commercial damage or even bankruptcy as a result. Only now is there a growing realisation that risk management is a key management responsibility. This book will help turn your firm into a 'risk aware' organization which will be able to avoid catastrophic loss. It will also enable senior management to make better strategic and operational decisions, thanks to an informed understanding of business hazards. Case studies from a wide cross section of different firms and markets are used to explain how to define, analyse and control operational risk. An insightful guide to one of the key topics of modern strategic and operational management, written by a team of expert risk management professionals Learn about the application of operational risk management to a wide range of market sectors, including commercial, retail and investment banking, investment management, insurance, the energy industry, telecommunications, manufacturing and logistics Case studies and worked examples from around the world, including North America, Western Europe, South East Asia and Latin America

The book will review how new and old privacy-preserving techniques can provide practical protection for data in transit, use, and rest. We will position techniques like Data Integrity and Ledger and will provide practical lessons in Data Integrity, Trust, and data’s business utility. Based on a good understanding of new and old technologies, emerging trends, and a broad experience from many projects in this domain, this book will provide a unique context about the WHY (requirements and drivers), WHAT (what to do), and HOW (how to implement), as well as reviewing the current state and major forces representing challenges or driving change, what you should be trying to achieve and how you can do it, including discussions of different options. We will also discuss WHERE (in systems) and WHEN (roadmap). Unlike other general or academic texts, this book is being written to offer practical general advice, outline actionable strategies, and include templates for immediate use. It contains diagrams needed to describe the topics and Use Cases and presents current real-world issues and technological mitigation strategies. The inclusion of the risks to both owners and custodians provides a strong case for why people should care. This book reflects the perspective of a Chief Technology Officer (CTO) and Chief Security Strategist (CSS). The Author has worked in and with startups and some of the largest organizations in the world, and this book is intended for board members, senior decision-makers, and global government policy officials—CISOs, CSOs, CPOs, CTOs, auditors, consultants, investors, and other people interested in data privacy and security. The Author also embeds a business perspective, answering the question of why this an important topic for the board, audit committee, and senior management regarding achieving business objectives, strategies, and goals and applying the risk appetite and tolerance. The focus is on Technical Visionary Leaders, including CTO, Chief Data Officer, Chief Privacy Officer, EVP/SVP/VP of Technology, Analytics, Data Architect, Chief Information Officer, EVP/SVP/VP of I.T., Chief Information Security Officer (CISO), Chief Risk Officer, Chief Compliance Officer, Chief Security Officer (CSO), EVP/SVP/VP of Security, Risk Compliance, and Governance. It can also be interesting reading for privacy regulators, especially those in developed nations with specialist privacy oversight agencies (government departments) across their jurisdictions (e.g., federal and state levels).

A framework for formalizing risk management thinking intoday¿s complex business environment Security Risk Management Body of Knowledge details thesecurity risk management process in a format that can easily beapplied by executive managers and security risk managementpractitioners. Integrating knowledge, competencies, methodologies,and applications, it demonstrates how to document and incorporatebest-practice concepts from a range of complementarydisciplines. Developed to align with International Standards for RiskManagement such as ISO 31000 it enables professionals to applysecurity risk management (SRM) principles to specific areas ofpractice. Guidelines are provided for: Access Management; BusinessContinuity and Resilience; Command, Control, and Communications;Consequence Management and Business Continuity Management;Counter-Terrorism; Crime Prevention through Environmental Design;Crisis Management; Environmental Security; Events and MassGatherings; Executive Protection; Explosives and Bomb Threats;Home-Based Work; Human Rights and Security; Implementing SecurityRisk Management; Intellectual Property Protection; IntelligenceApproach to SRM; Investigations and Root Cause Analysis; MaritimeSecurity and Piracy; Mass Transport Security; OrganizationalStructure; Pandemics; Personal Protective Practices; Psych-ology ofSecurity; Red Teaming and Scenario Modeling; Resilience andCritical Infrastructure Protection; Asset-, Function-, Project-,and Enterprise-Based Security Risk Assessment; SecuritySpecifications and Postures; Security Training; Supply ChainSecurity; Transnational Security; and Travel Security. Security Risk Management Body of Knowledge is supportedby a series of training courses, DVD seminars, tools, andtemplates. This is an indispensable resource for risk and securityprofessional, students, executive management, and line managerswith security responsibilities.