Developing Cybersecurity Programs and Policies in an AI-Driven World


Author: Santos, Omar

Publisher: Pearson Education (US)

Publication date: 09/2024

Pages: 768

Binding: Paperback

Language: English

ISBN: 9780138074104

Pre-release: ships 15 to 20 days after publication

Description not available.
Table of Contents

Introduction xviii

Chapter 1: Understanding Cybersecurity Policy and Governance 2
    Information Security vs. Cybersecurity Policies 6
    Looking at Policy Through the Ages 6
    Cybersecurity Policy 10
    Cybersecurity Policy Life Cycle 28
    Summary 34

Chapter 2: Cybersecurity Policy Organization, Format, and Styles 46
    Policy Hierarchy 47
    Writing Style and Technique 51
    Plain Language Techniques for Policy Writing 53
    Policy Format 56
    Summary 69

Chapter 3: Cybersecurity Frameworks 80
    Confidentiality, Integrity, and Availability (CIA) 81
    What Is a Cybersecurity Framework? 94
    NIST Cybersecurity Framework 110
    Summary 118

Chapter 4: Cloud Security 132
    Why Cloud Computing? 133
    Cloud Computing Models 139
    Cloud Governance 141
    Multitenancy 150
    Core Components of the Cloud Computing Reference Architecture 151
    Key Concepts and Functional Layers of Cloud Computing 152
    Understanding Top Cybersecurity Risks in Cloud Computing 153
    AI and the Cloud: Revolutionizing the Future of Computing 166
    Summary 168

Chapter 5: Governance and Risk Management 176
    Understanding Cybersecurity Policies 177
    Cybersecurity Risk 197
    Summary 207

Chapter 6: Asset Management and Data Loss Prevention 220
    Information Assets and Systems 221
    Information Classification 224
    Labeling and Handling Standards 233
    Information Systems Inventory 236
    Understanding Data Loss Prevention Technologies 242
    Summary 245

Chapter 7: Human Resources Security and Education 256
    The Employee Life Cycle 257
    The Importance of Employee Agreements 269
    The Importance of Security Education and Training 272
    Summary 278

Chapter 8: Physical and Environmental Security 290
    Understanding the Secure Facility Layered Defense Model 292
    Protecting Equipment 299
    Environmental Sustainability 308
    Summary 310

Chapter 9: Cybersecurity Operations (CyberOps), Incident Response, Digital Forensics, and Threat Hunting 320
    Incident Response 321
    What Happened? Investigation and Evidence Handling 349
    Understanding Threat Hunting 351
    Understanding Digital Forensic Analysis 357
    Data Breach Notification Requirements 360
    Summary 368

Chapter 10: Access Control Management 384
    Access Control Fundamentals 385
    Infrastructure Access Controls 399
    User Access Controls 416
    Summary 422

Chapter 11: Supply Chain Security, Information Systems Acquisition, Development, and Maintenance 434
    Strengthening the Links: A Deep Dive into Supply Chain Security 435
    System Security Requirements 441
    Secure Code 448
    Cryptography 453
    Summary 462

Chapter 12: Business Continuity Management 474
    Emergency Preparedness 475
    Business Continuity Risk Management 479
    The Business Continuity Plan 485
    Business Continuity and Disaster Recovery in Cloud Services 493
    Plan Testing and Maintenance 500
    Summary 504

Chapter 13: Regulatory Compliance for Financial Institutions 514
    The Gramm-Leach-Bliley Act 515
    New York's Department of Financial Services Cybersecurity Regulation 533
    What Is a Regulatory Examination? 535
    Personal and Corporate Identity Theft 537
    Regulation of Fintech, Digital Assets, and Cryptocurrencies 540
    Summary 542

Chapter 14: Regulatory Compliance for the Health-care Sector 556
    The HIPAA Security Rule 558
    The HITECH Act and the Omnibus Rule 581
    Understanding the HIPAA Compliance Enforcement Process 586
    Summary 588

Chapter 15: PCI Compliance for Merchants 600
    Protecting Cardholder Data 601
    PCI Compliance 616
    Summary 623

Chapter 16: Privacy in an AI-Driven Landscape 634
    Defining Privacy in the Digital Context 635
    The Interplay Between AI and Privacy 636
    General Data Protection Regulation (GDPR) 637
    California Consumer Privacy Act (CCPA) 640
    Personal Information Protection and Electronic Documents Act (PIPEDA) 641
    Data Protection Act 2018 in the United Kingdom 643
    Leveraging AI to Enhance Privacy Protections 645
    Summary 647

Chapter 17: Artificial Intelligence Governance and Regulations 652
    The AI Double-Edged Sword 653
    Generative AI, LLMs, and Traditional Machine Learning Implementations 653
    Introduction to AI Governance 654
    The U.S. Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence 655
    The Importance of High Accuracy and Precision in AI Systems 661
    Explainable AI (XAI): Building Trust and Understanding 663
    Government and Society-wide Approaches to AI Governance 665
    The EU AI Act 667
    Guidelines for Secure AI System Development 670
    OWASP Top 10 Risks for LLM 674
    MITRE ATLAS Framework 683
    Summary 684

Appendix A: Answers to the Multiple Choice Questions 696



978138074104, TOC, 6/18/2024