Cybersecurity Risk Management
Mastering the Fundamentals Using the NIST Cybersecurity Framework
Cynthia Brumfield
Cybersecurity analyst, writer and President of DCT Associates, Washington, D.C., USA
with
Brian Haugli
Managing Partner, SideChannel, Boston, USA
This edition first published 2022
© 2022 Cynthia Brumfield and Brian Haugli
Published by John Wiley & Sons, Inc.
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, except as permitted by law. Advice on how to obtain permission to reuse material from this title is available at http://www.wiley.com/go/permissions.
The right of Cynthia Brumfield and Brian Haugli to be identified as the authors of this work has been asserted in accordance with law.
Registered Office
John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, USA
Editorial Office
The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, UK
For details of our global editorial offices, customer services, and more information about Wiley products visit us at www.wiley.com.
Wiley also publishes its books in a variety of electronic formats and by print-on-demand. Some content that appears in standard print versions of this book may not be available in other formats.
Limit of Liability/Disclaimer of Warranty
While the publisher and authors have used their best efforts in preparing this work, they make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives, written sales materials or promotional statements for this work. The fact that an organization, website, or product is referred to in this work as a citation and/or potential source of further information does not mean that the publisher and authors endorse the information or services the organization, website, or product may provide or recommendations it may make. This work is sold with the understanding that the publisher is not engaged in rendering professional services. The advice and strategies contained herein may not be suitable for your situation. You should consult with a specialist where appropriate. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
Library of Congress Cataloging-in-Publication Data
Names: Brumfield, Cynthia, author. | Haugli, Brian, author. | John Wiley & Sons, publisher.
Title: Cybersecurity risk management : mastering the fundamentals using the NIST cybersecurity framework / Cynthia Brumfield, Brian Haugli.
Description: Hoboken, NJ : John Wiley & Sons, Inc., 2022. | Includes bibliographical references and index.
Identifiers: LCCN 2021024435 (print) | LCCN 2021024436 (ebook) | ISBN 9781119816287 (hardback) | ISBN 9781119816294 (pdf) | ISBN 9781119816300 (epub) | ISBN 9781119816348 (ebook)
Subjects: LCSH: Computer security--Risk management.
Classification: LCC QA76.9.A25 B82 2022 (print) | LCC QA76.9.A25 (ebook) | DDC 005.8--dc23
LC record available at https://lccn.loc.gov/2021024435
LC ebook record available at https://lccn.loc.gov/2021024436
Cover image: © Henrik5000/Getty Images
Cover design by Wiley
Set in 11.5/13pt BemboStd by Integra Software Services, Pondicherry, India
This book is dedicated to Lloyd and Delma Brumfield, who gave me everything I needed, and then some.
Contents
1 Cover
7 Preface – Overview of the NIST Framework
  Background on the Framework
  Framework Based on Risk Management
  The Framework Core
  Framework Implementation Tiers
  Framework Profile
  Other Aspects of the Framework Document
  Recent Developments at NIST
8 CHAPTER 1 Cybersecurity Risk Planning and Management
  Introduction
  I. What Is Cybersecurity Risk Management?
    A. Risk Management Is a Process
  II. Asset Management
    A. Inventory Every Physical Device and System You Have and Keep the Inventory Updated
    B. Inventory Every Software Platform and Application You Use and Keep the Inventory Updated
    C. Prioritize Every Device, Software Platform, and Application Based on Importance
    D. Establish Personnel Security Requirements Including Third-Party Stakeholders
  III. Governance
    A. Make Sure You Educate Management about Risks
  IV. Risk Assessment and Management
    A. Know Where You’re Vulnerable
    B. Identify the Threats You Face, Both Internally and Externally
    C. Focus on the Vulnerabilities and Threats That Are Most Likely AND Pose the Highest Risk to Assets
    D. Develop Plans for Dealing with the Highest Risks
  Summary
  Chapter Quiz
  Essential Reading on Cybersecurity Risk Management
9 CHAPTER 2 User and Network Infrastructure Planning and Management
  I. Introduction
  II. Infrastructure Planning and Management Is All about Protection, Where the Rubber Meets the Road
    A. Identity Management, Authentication, and Access Control
      1. Always Be Aware of Who Has Access to Which System, for Which Period of Time, and from Where the Access Is Granted
      2. Establish, Maintain, and Audit an Active Control List and Process for Who Can Physically Gain Access to Systems
      3. Establish Policies, Procedures, and Controls for Who Has Remote Access to Systems
      4. Make Sure That Users Have the Least Authority Possible to Perform Their Jobs and Ensure That at Least Two Individuals Are Responsible for a Task
      5.