About This E-Book
EPUB is an open, industry-standard format for e-books. However, support for
EPUB and its many features varies across reading devices and applications. Use
your device or app settings to customize the presentation to your liking. Settings
that you can customize often include font, font size, single or double column,
landscape or portrait mode, and figures that you can click or tap to enlarge. For
additional information about the settings and features on your reading device or
app, visit the device manufacturer’s Web site.
Many titles include programming code or configuration examples. To optimize
the presentation of these elements, view the e-book in single-column, landscape
mode and adjust the font size to the smallest setting. In addition to presenting
code and configurations in the reflowable text format, we have included images
of the code that mimic the presentation found in the print book; therefore, where
the reflowable format may compromise the presentation of the code listing, you
will see a “Click here to view code image” link. Click the link to view the print-fidelity code image. To return to the previous page viewed, click the Back button
on your device or app.
Developing Cybersecurity Programs and Policies
Copyright © 2019 by Pearson Education, Inc.
All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or transmitted by
any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from
the publisher. No patent liability is assumed with respect to the use of the information contained herein.
Although every precaution has been taken in the preparation of this book, the publisher and author assume
no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of
the information contained herein.
Library of Congress Control Number: 2018942730
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately
capitalized. Pearson IT Certification cannot attest to the accuracy of this information. Use of a term in this
book should not be regarded as affecting the validity of any trademark or service mark.
Warning and Disclaimer
Every effort has been made to make this book as complete and as accurate as possible, but no warranty or
fitness is implied. The information provided is on an “as is” basis. The author and the publisher shall have
neither liability nor responsibility to any person or entity with respect to any loss or damages arising from
the information contained in this book.
For information about buying this title in bulk quantities, or for special sales opportunities (which may
include electronic versions; custom cover designs; and content particular to your business, training goals,
marketing focus, or branding interests), please contact our corporate sales department at
firstname.lastname@example.org or (800) 382-3419.
For government sales inquiries, please contact email@example.com.
For questions about sales outside the U.S., please contact firstname.lastname@example.org.
Product Line Manager
Mary Beth Ray
Senior Project Editor
Contents at a Glance
1 Understanding Cybersecurity Policy and Governance
2 Cybersecurity Policy Organization, Format, and Styles
3 Cybersecurity Framework
4 Governance and Risk Management
5 Asset Management and Data Loss Prevention
6 Human Resources Security
7 Physical and Environmental Security
8 Communications and Operations Security
9 Access Control Management
10 Information Systems Acquisition, Development, and Maintenance
11 Cybersecurity Incident Response
12 Business Continuity Management
13 Regulatory Compliance for Financial Institutions
14 Regulatory Compliance for the Health-Care Sector
15 PCI Compliance for Merchants
16 NIST Cybersecurity Framework
Appendix A: Cybersecurity Program Resources
Appendix B: Answers to the Multiple Choice Questions
Table of Contents
Chapter 1: Understanding Cybersecurity Policy and Governance
Information Security vs. Cybersecurity Policies
Looking at Policy Through the Ages
Policy in Ancient Times
The United States Constitution as a Policy Revolution
What Are Assets?
Successful Policy Characteristics
What Is the Role of Government?
Additional Federal Banking Regulations
Government Cybersecurity Regulations in Other Countries
The Challenges of Global Policies
Cybersecurity Policy Life Cycle
Chapter 2: Cybersecurity Policy Organization, Format, and Styles
Plans and Programs
Writing Style and Technique
Using Plain Language
The Plain Language Movement
Plain Language Techniques for Policy Writing
Understand Your Audience
Policy Format Types
Chapter 3: Cybersecurity Framework
Confidentiality, Integrity, and Availability
What Is Confidentiality?
What Is Integrity?
What Is Availability?
Who Is Responsible for CIA?
NIST’s Cybersecurity Framework
What Is NIST’s Function?
So, What About ISO?
NIST Cybersecurity Framework
Chapter 4: Governance and Risk Management
Understanding Cybersecurity Policies
What Is Governance?
What Is Meant by Strategic Alignment?
User-Level Cybersecurity Policies
Vendor Cybersecurity Policies
Cybersecurity Vulnerability Disclosure Policies
Client Synopsis of Cybersecurity Policies
Who Authorizes Cybersecurity Policy?
What Is a Distributed Governance Model?
Evaluating Cybersecurity Policies
Revising Cybersecurity Policies: Change Drivers
NIST Cybersecurity Framework Governance Subcategories and
Is Risk Bad?
Understanding Risk Management
Risk Appetite and Tolerance
What Is a Risk Assessment?
Risk Assessment Methodologies
Chapter 5: Asset Management and Data Loss Prevention
Information Assets and Systems
Who Is Responsible for Information Assets?
How Does the Federal Government Classify Data?
Why Is National Security Information Classified Differently?
Who Decides How National Security Data Is Classified?
How Does the Private Sector Classify Data?
Can Information Be Reclassified or Even Declassified?
Labeling and Handling Standards
Why Handling Standards?
Information Systems Inventory
Why an Inventory Is Necessary and What Should Be Inventoried
Understanding Data Loss Prevention Technologies
Chapter 6: Human Resources Security
The Employee Life Cycle
What Does Recruitment Have to Do with Security?
What Happens in the Onboarding Phase?
What Is User Provisioning?
What Should an Employee Learn During Orientation?
Why Is Termination Considered the Most Dangerous Phase?
The Importance of Employee Agreements
What Are Confidentiality or Nondisclosure Agreements?
What Is an Acceptable Use Agreement?
The Importance of Security Education and Training
Influencing Behavior with Security Awareness
Teaching a Skill with Security Training
Security Education Is Knowledge Driven
Chapter 7: Physical and Environmental Security
Understanding the Secure Facility Layered Defense Model
How Do We Secure the Site?
How Is Physical Access Controlled?
No Power, No Processing?
How Dangerous Is Fire?
What About Disposal?
Chapter 8: Communications and Operations Security
Standard Operating Procedures
Why Document SOPs?
Operational Change Control
Why Manage Change?
Why Is Patching Handled Differently?
Are There Different Types of Malware?
How Is Malware Controlled?
What Is Antivirus Software?
Is There a Recommended Backup or Replication Strategy?
What Makes Email a Security Risk?
Are Email Servers at Risk?
Other Collaboration and Communication Tools
Activity Monitoring and Log Analysis
What Is Log Management?
Service Provider Oversight
What Is Due Diligence?
What Should Be Included in Service Provider Contracts?
Threat Intelligence and Information Sharing
How Good Is Cyber Threat Intelligence if It Cannot Be Shared?
Chapter 9: Access Control Management
Access Control Fundamentals
What Is a Security Posture?
How Is Identity Verified?
What Is Authorization?
Infrastructure Access Controls
Why Segment a Network?
What Is Layered Border Security?
Remote Access Security
User Access Controls
Why Manage User Access?
What Types of Access Should Be Monitored?
Chapter 10: Information Systems Acquisition, Development, and Maintenance
System Security Requirements
What Is SDLC?
What About Commercially Available or Open Source Software?
The Testing Environment
Protecting Test Data
The Open Web Application Security Project (OWASP)
What Is a “Key”?
What Is PKI?
Why Protect Cryptographic Keys?
Digital Certificate Compromise
Chapter 11: Cybersecurity Incident Response
What Is an Incident?
How Are Incidents Reported?
What Is an Incident Response Program?
The Incident Response Process
Tabletop Exercises and Playbooks
Information Sharing and Coordination
Computer Security Incident Response Teams
Product Security Incident Response Teams (PSIRTs)
Incident Response Training and Exercises
What Happened? Investigation and Evidence Handling
Working with Law Enforcement
Understanding Forensic Analysis
Data Breach Notification Requirements
Is There a Federal Breach Notification Law?
Does Notification Work?
Chapter 12: Business Continuity Management
What Is a Resilient Organization?
Business Continuity Risk Management
What Is a Business Continuity Threat Assessment?
What Is a Business Continuity Risk Assessment?
What Is a Business Impact Assessment?
The Business Continuity Plan
Roles and Responsibilities
Disaster Response Plans
Operational Contingency Plans
The Disaster Recovery Phase
The Resumption Phase
Plan Testing and Maintenance
Why Is Testing Important?
Chapter 13: Regulatory Compliance for Financial Institutions
The Gramm-Leach-Bliley Act
What Is a Financial Institution?
What Are the Interagency Guidelines?
New York’s Department of Financial Services Cybersecurity Regulation (23 NYCRR Part 500)
What Is a Regulatory Examination?
Personal and Corporate Identity Theft
What Is Required by the Interagency Guidelines Supplement A?
What Is Required by the Supplement to the Authentication in an Internet Banking Environment Guidance?
Chapter 14: Regulatory Compliance for the Health-Care Sector
The HIPAA Security Rule
What Is the Objective of the HIPAA Security Rule?
How Is the HIPAA Security Rule Organized?
What Are the Physical Safeguards?
What Are the Technical Safeguards?
What Are the Organizational Requirements?
What Are the Policies and Procedures Standards?
The HIPAA Security Rule Mapping to NIST Cybersecurity
The HITECH Act and the Omnibus Rule
What Changed for Business Associates?
What Are the Breach Notification Requirements?
Understanding the HIPAA Compliance Enforcement Process
Chapter 15: PCI Compliance for Merchants
Protecting Cardholder Data
What Is the PAN?
The Luhn Algorithm
What Is the PCI DSS Framework?
What Are the PCI Requirements?
Who Is Required to Comply with PCI DSS?
What Is a Data Security Compliance Assessment?
What Is the PCI DSS Self-Assessment Questionnaire (SAQ)?
Are There Penalties for Noncompliance?
Chapter 16: NIST Cybersecurity Framework
Introducing the NIST Cybersecurity Framework Components
The Framework Core
Framework Implementation Tiers (“Tiers”)
Who Should Coordinate the Framework Implementation?
NIST’s Recommended Steps to Establish or Improve a Cybersecurity Program
Communication with Stakeholders and Supply Chain Relationships
NIST’s Cybersecurity Framework Reference Tool
Adopting the NIST Cybersecurity Framework in Real Life
Appendix A: Cybersecurity Program Resources
Appendix B: Answers to the Multiple Choice Questions
About the Author
Omar Santos is a principal engineer in the Cisco Product Security Incident
Response Team (PSIRT) within the Cisco Security Research and Operations. He
mentors and leads engineers and incident managers during the investigation and
resolution of security vulnerabilities in all Cisco products, including cloud
services. Omar has been working with information technology and cybersecurity
since the mid-1990s. Omar has designed, implemented, and supported numerous
secure networks for Fortune 100 and 500 companies and the U.S. government.
Prior to his current role, he was a technical leader within the World-Wide
Security Practice and the Cisco Technical Assistance Center (TAC), where he
taught, led, and mentored many engineers within both organizations.
Omar is an active member of the security community, where he leads several
industrywide initiatives and standard bodies. His active role helps businesses,
academic institutions, state and local law enforcement agencies, and other
participants that are dedicated to increasing the security of the critical
Omar often delivers technical presentations at many conferences and to Cisco
customers and partners. He is the author of dozens of books and video courses.
You can follow Omar on any of the following:
Personal website: omarsantos.io
I would like to dedicate this book to my lovely wife, Jeannette, and my two
beautiful children, Hannah and Derek, who have inspired and supported me
throughout the development of this book.
I also dedicate this book to my father, Jose, and to the memory of my
mother, Generosa. Without their knowledge, wisdom, and guidance, I would
not have the goals that I strive to achieve today.
This manuscript is a result of concerted efforts of various individuals—without
their help, this book would have not been a reality. I would like to thank the
technical reviewers Sari Green and Klee Michaelis for their significant
contributions and expert guidance.
I would also like to express my gratitude to Chris Cleveland, development editor,
and Mary Beth Ray, executive editor, for their help and continuous support
during the development of this book.
We Want to Hear from You!
As the reader of this book, you are our most important critic and commentator.
We value your opinion and want to know what we’re doing right, what we could
do better, what areas you’d like to see us publish in, and any other words of
wisdom you’re willing to pass our way.
We welcome your comments. You can email or write to let us know what you
did or didn’t like about this book—as well as what we can do to make our books
Please note that we cannot help you with technical problems related to the topic
of this book.
When you write, please be sure to include this book’s title and author as well as
your name and email address. We will carefully review your comments and
share them with the author and editors who worked on the book.
Register your copy of Developing Cybersecurity Programs and Policies at
www.pearsonitcertification.com for convenient access to downloads, updates,
and corrections as they become available. To start the registration process, go to
www.pearsonitcertification.com/register and log in or create an account*. Enter
the product ISBN 9780789759405 and click Submit. When the process is
complete, you will find any available bonus content under Registered Products.
*Be sure to check the box that you would like to hear from us to receive
exclusive discounts on future editions of this product.
The number of cyber attacks continues to rise. Demand for safe and secure data
and other concerns mean that companies need professionals to keep their
information safe. Cybersecurity risk includes not only the risk of a data breach,
but also the risk of the entire organization being undermined via business
activities that rely on digitization and accessibility. As a result, learning how to
develop an adequate cybersecurity program is crucial for any organization.
Cybersecurity can no longer be something that you delegate to the information
technology (IT) team. Everyone needs to be involved, including the Board of
This book focuses on industry-leading practices and standards, such as the
International Organization for Standardization (ISO) standards and the National
Institute of Standards and Technology (NIST) Cybersecurity Framework and
Special Publications. This book provides detailed guidance on how to effectively
develop a cybersecurity program within your organization. This book is intended
for anyone who is preparing for a leadership position in business, government,
academia, financial services, or health-care. Mastering the material presented in
this book is a must for any cybersecurity professional.
This book starts by providing an overview of cybersecurity policy and
governance, and how to create cybersecurity policies and develop a
cybersecurity framework. It then provides details about governance, risk
management, asset management, and data loss prevention. You will learn how to
incorporate human resource, physical, and environmental security as important
elements of your cybersecurity program. This book also teaches you best
practices in communications and operations security, access control
management, and information systems acquisition, development, and
maintenance. You will learn principles of cybersecurity incident response and
how to develop an incident response plan. Organizations across the globe have to
be aware of new cybersecurity regulations and how they affect their business in
order to remain compliant. Compliance is especially crucial because the
punishments for noncompliance typically include large fines. Three chapters in
this book cover regulatory compliance for financial institutions and health-care
institutions and provide detailed insights about the Payment Card Industry Data
Security Standard (PCI DSS). The last chapter provides an overview of the NIST
Cybersecurity Framework, and Appendix A provides comprehensive lists of
resources covered throughout the book. Anyone—from cybersecurity engineers
to incident managers, auditors, and executives—can benefit from the material
covered in this book.
Understanding Cybersecurity Policy and Governance
After reading this chapter and completing the exercises, you should be
able to do the following:
Describe the significance of cybersecurity policies.
Evaluate the role policy plays in corporate culture and civil society.
Articulate the objective of cybersecurity-related policies.
Identify the different characteristics of successful cybersecurity policies.
Define the life cycle of a cybersecurity policy.
We live in an interconnected world where both individual and collective actions
have the potential to result in inspiring goodness or tragic harm. The objective of
cybersecurity is to protect each of us, our economy, our critical infrastructure,
and our cou ...