Start free trial
EnglishEnglish
EspañolSpanish
简体中文Chinese
繁體中文Chinese (Traditional)
FrançaisFrench
DeutschGerman
日本語Japanese
PortuguêsPortuguese
ItalianoItalian
한국어Korean
РусскийRussian
NederlandsDutch
العربيةArabic
PolskiPolish
हिन्दीHindi
Tiếng ViệtVietnamese
SvenskaSwedish
ΕλληνικάGreek
TürkçeTurkish
ไทยThai
ČeštinaCzech
RomânăRomanian
MagyarHungarian
УкраїнськаUkrainian
IndonesiaIndonesian
DanskDanish
SuomiFinnish
БългарскиBulgarian
עבריתHebrew
NorskNorwegian
HrvatskiCroatian
CatalàCatalan
SlovenčinaSlovak
LietuviųLithuanian
SlovenščinaSlovenian
СрпскиSerbian
EestiEstonian
LatviešuLatvian
فارسیPersian
മലയാളംMalayalam
தமிழ்Tamil
اردوUrdu
Searching...
SoBrief
Developing Cybersecurity Programs and Policies

Developing Cybersecurity Programs and Policies

Move cybersecurity from the server room to the boardroom: a complete policy and governance playbook.
by Omar Santos 2018 672 pages
4.00
3 ratings
Amazon Kindle Audible
Summary in 30 Seconds
Cybersecurity governance starts at the board level, structured around NIST or ISO 27001. Controls trace to the CIA triad: encryption, hashing, and redundancy. Access enforces least privilege, need-to-know, and separation of duties. Risk management follows a cycle: identify, assess, treat, monitor. Security spans the employee lifecycle from hiring checks to access revocation. Incident response and continuity strategies maintain resilience.
Contains spoilers
🏛️cybersecurity governance 📋information security policy ⚖️risk management frameworks 🏷️data classification 🔐access control 🚨incident response 🔄business continuity planning 🎓security awareness training 📊NIST frameworks 👔security leadership
Try Full Access for 3 Days
Unlock listening & more!
Continue

Key Takeaways

1. Cybersecurity is a critical business discipline for protecting information assets

Cybersecurity can no longer be something that you delegate to the information technology (IT) team. Everyone needs to be involved, including the Board of Directors.

Holistic approach. Cybersecurity must be integrated throughout an organization, not siloed within IT. It requires involvement from leadership, employees, and partners to be effective. Organizations should adopt a security framework like NIST or ISO 27001 to provide structure.

Business enabler. When strategically aligned, security functions as a business enabler that adds value. It should be given the same consideration as other fundamental business drivers. This requires leadership that recognizes cybersecurity's value, invests in people and processes, and treats it as essential to achieving organizational objectives.

Policy foundation. Written cybersecurity policies, authorized by leadership, provide direction and codify the organization's commitment. Policies should be relevant, realistic, adaptable, and inclusive. They must be regularly reviewed and updated as the threat landscape evolves.

2. The CIA triad forms the foundation of information security objectives

Confidentiality, integrity, and availability (CIA) are the unifying attributes of an information security program.

Confidentiality protects information from unauthorized access or disclosure. Controls include encryption, access restrictions, and data classification.

Integrity ensures information is not improperly modified or destroyed. It relies on controls like hashing, digital signatures, and change management processes.

Availability means information and systems are accessible when needed. This requires redundancy, fault tolerance, and business continuity planning.

  • The relative importance of C, I, and A may vary based on the organization's mission and regulatory requirements
  • All security controls and processes should map back to protecting one or more elements of the CIA triad
  • Risk assessments evaluate potential impacts to CIA to determine appropriate safeguards

3. Effective cybersecurity policies require proper governance and risk management

Governance is the process of establishing and maintaining a framework and supporting management structure and processes to provide assurance that information security strategies are aligned with and support business objectives.

Leadership involvement. The Board and executives must actively participate in cybersecurity governance. This includes authorizing policies, providing resources, and receiving regular briefings on the security posture.

Risk-based approach. Organizations should adopt a formal risk management process to identify, assess, and mitigate cybersecurity risks. This allows for prioritization of efforts and resources.

Key governance roles:

  • Chief Information Security Officer (CISO)
  • Cybersecurity steering committee
  • Information owners
  • Information custodians
    Risk management steps:
  1. Risk identification
  2. Risk assessment
  3. Risk treatment (accept, mitigate, transfer, avoid)
  4. Ongoing monitoring

4. Asset management and data classification are essential for protection

Information owners are responsible for classifying data.

Asset inventory. Organizations must maintain a comprehensive inventory of information assets, including hardware, software, and data. This provides visibility into what needs to be protected.

Classification scheme. Data should be classified based on its sensitivity and criticality to the organization. Common private sector classifications include:

  • Protected/Confidential
  • Internal Use
  • Public

Handling standards. Each classification level should have defined handling requirements for storage, transmission, access, and disposal. This ensures appropriate safeguards are consistently applied.

Asset management responsibilities:

  • Identifying and documenting assets
  • Assigning ownership
  • Defining acceptable use
  • Ensuring proper disposal
    Benefits of classification:
  • Focuses security efforts on most critical assets
  • Enables tailored controls based on sensitivity
  • Supports compliance with regulations

5. Human resources play a vital role in maintaining cybersecurity

Security awareness programs, security training, and security education all serve to reinforce the message that security is important.

Employee lifecycle. Security considerations should be integrated throughout the employee lifecycle:

  • Recruitment: Background checks, security expectations in job descriptions
  • Onboarding: Confidentiality agreements, acceptable use policies
  • Ongoing: Regular training and awareness programs
  • Termination: Prompt revocation of access

Security culture. HR initiatives can help foster a culture of security awareness where employees understand their role in protecting information assets.

Training program. A comprehensive security education program should include:

  • Awareness: Reminders about security practices (e.g., posters, newsletters)
  • Training: Teaching specific skills (e.g., how to identify phishing emails)
  • Education: In-depth knowledge for security professionals

6. Physical and environmental security safeguard information and systems

The objective of physical and environmental security is to prevent unauthorized access, damage, and interference to business premises and equipment.

Layered approach. Physical security should employ multiple layers of protection:

  • Site selection and design
  • Perimeter security (fences, gates, guards)
  • Building access controls
  • Secure areas within buildings
  • Equipment-level protections

Environmental controls. Safeguards against environmental threats include:

  • Fire detection and suppression
  • Climate control (temperature, humidity)
  • Power protection (UPS, generators)
  • Water detection/protection

Asset disposal. Proper disposal of equipment and media is crucial to prevent data breaches:

  • Secure wiping of storage devices
  • Physical destruction when necessary
  • Documented chain of custody
  • Certified destruction services

7. Access control management is crucial for preventing unauthorized access

The primary objective of access controls is to protect information and information systems from unauthorized access (confidentiality), modification (integrity), or disruption (availability).

Fundamental principles:

  • Least privilege: Users should have only the minimum access needed for their role
  • Need-to-know: Access should be restricted to information required for job functions
  • Separation of duties: Critical tasks should be divided among multiple individuals

Access control models:

  • Mandatory Access Control (MAC): System-enforced, policy-based (used in high-security environments)
  • Discretionary Access Control (DAC): Owner-defined permissions (common in commercial systems)
  • Role-Based Access Control (RBAC): Permissions assigned to roles, users assigned to roles

Authentication factors:

  1. Something you know (password, PIN)
  2. Something you have (smart card, token)
  3. Something you are (biometrics)
  • Multi-factor authentication combines two or more factors for stronger security
  • Access should be regularly reviewed and promptly revoked when no longer needed

8. Operational security procedures protect day-to-day activities

Standard operating procedures (SOPs) are detailed explanations of how to perform a task.

Change management. A formal process for requesting, evaluating, approving, and implementing changes helps maintain stability and security:

  • Request for Change (RFC) submission
  • Impact assessment
  • Approval workflow
  • Implementation planning
  • Post-change review

Patch management. Timely application of security patches is critical:

  • Regular vulnerability assessments
  • Prioritization based on risk
  • Testing before deployment
  • Emergency procedures for critical vulnerabilities

Malware protection. A multi-layered approach is necessary:

  • Anti-malware software
  • Email and web filtering
  • User awareness training
  • Network segmentation
  • Endpoint protection

9. Incident response and business continuity ensure resilience

Incident response capability and how to comply with the myriad of state data-breach notification laws.

Incident response plan. Organizations need a documented plan for detecting, responding to, and recovering from security incidents:

  • Roles and responsibilities
  • Detection and analysis procedures
  • Containment strategies
  • Eradication and recovery steps
  • Post-incident activities

Business continuity. Planning for disruptions helps maintain critical operations:

  • Business impact analysis
  • Recovery time objectives (RTO)
  • Recovery point objectives (RPO)
  • Alternate site planning
  • Regular testing and exercises

Regulatory compliance. Many industries have specific requirements for incident reporting and notification:

  • Understanding applicable laws and regulations
  • Documenting evidence for investigations
  • Timely notification to affected parties
  • Cooperation with law enforcement when appropriate

Last updated:

Report Issue
Want to read the full book?

Download PDF

To save this Developing Cybersecurity Programs and Policies summary for later, download the free PDF. You can print it out, or read offline at your convenience.
Download PDF
File size: 0.22 MB     Pages: 7

Download EPUB

To read this Developing Cybersecurity Programs and Policies summary on your e-reader device or app, download the free EPUB. The .epub digital book format is ideal for reading ebooks on phones, tablets, and e-readers.
Download EPUB
File size: 1.38 MB     Pages: 8
Want to read the full book?
Follow
Listen
Now playing
Developing Cybersecurity Programs and Policies
0:00
-0:00
Now playing
Developing Cybersecurity Programs and Policies
0:00
-0:00
1x
Queue
Home
Swipe
Library
Get App
Try Full Access for 3 Days
Listen, bookmark, and more
Compare Features Free Pro
📖 Read Summaries
Read unlimited summaries. Free users get 3 per month
🎧 Listen to Summaries
Listen to unlimited summaries in 40 languages
❤️ Unlimited Bookmarks
Free users are limited to 4
📜 Unlimited History
Free users are limited to 4
📥 Unlimited Downloads
Free users are limited to 1
Risk-Free Timeline
Today: Get Instant Access
Listen to full summaries of 26,000+ books. That's 12,000+ hours of audio!
Day 2: Trial Reminder
We'll send you a notification that your trial is ending soon.
Day 3: Your subscription begins
You'll be charged on Jul 15,
cancel anytime before.
Consume 2.8× More Books
2.8× more books Listening Reading
Our users love us
600,000+ readers
Trustpilot Rating
TrustPilot
4.6 Excellent
This site is a total game-changer. I've been flying through book summaries like never before. Highly, highly recommend.
— Dave G
Worth my money and time, and really well made. I've never seen this quality of summaries on other websites. Very helpful!
— Em
Highly recommended!! Fantastic service. Perfect for those that want a little more than a teaser but not all the intricate details of a full audio book.
— Greg M
Save 62%
Yearly
$119.88 $44.99/year/yr
$3.75/mo
Monthly
$9.99/mo
Start a 3-Day Free Trial
3 days free, then $44.99/year. Cancel anytime.
Unlock a world of fiction & nonfiction books
26,000+ books for the price of 2 books
Read any book in 10 minutes
Discover new books like Tinder
Request any book if it's not summarized
Read more books than anyone you know
#1 app for book lovers
Lifelike & immersive summaries
30-day money-back guarantee
Download summaries in EPUBs or PDFs
Cancel anytime in a few clicks
Scanner
Find a barcode to scan

We have a special gift for you
Open
38% OFF
DISCOUNT FOR YOU
$79.99
$49.99/year
only $4.16 per month
Continue
2 taps to start, super easy to cancel
Settings
General
Widget
Loading...
We have a special gift for you
Open
38% OFF
DISCOUNT FOR YOU
$79.99
$49.99/year
only $4.16 per month
Continue
2 taps to start, super easy to cancel