Cybersecurity and Decision Makers
Table of Contents
Marie De Fréminville. Cybersecurity and Decision Makers
Table of Contents
List of Tables
List of Illustrations
Cybersecurity and Decision Makers. Data Security and Digital Trust
Foreword
Preface
Introduction: Financial and Cyber Performance
1. An Increasingly Vulnerable World
1.1. The context
1.1.1. Technological disruptions and globalization
1.1.2. Data at the heart of industrial productivity
1.1.3. Cyberspace, an area without boundaries
1.1.4. IT resources
1.2. Cybercrime
1.2.1. The concept of cybercrime
1.2.2. Five types of threats
1.2.2.1. Cyber espionage
1.2.2.2. Indirect attacks
1.2.2.3. Sabotage
1.2.2.4. Cryptojacking or cryptocurrency mining
1.2.2.5. Online fraud and cybercrime
1.2.3. Five types of attackers
1.2.3.1. Looking for easy money
1.2.3.2. Cyberactivists/hacktivists
1.2.3.3. Competitors (or States) for the purpose of espionage or sabotage
1.2.3.4. Employees: the most frequent threat
1.2.3.5. The States
1.3. The cybersecurity market
1.3.1. The size of the market and its evolution
1.3.2. The market by sector of activity
1.3.3. Types of purchases and investments
1.3.4. Geographical distribution
1.4. Cyber incidents
1.4.1. The facts
1.4.1.1. Information on cybercrime
1.4.1.2. The origin of the threats
1.4.1.3. Their implementation
1.4.1.4. The targets
1.4.1.5. The worst shoemakers in the world
1.4.2. Testimonials versus silence
1.4.3. Trends
1.4.3.1. Cybercriminal methods
1.4.3.2. The attackers
1.4.3.3. Connected objects
1.4.3.4. Cyberwarfare
1.4.4. Examples
1.4.4.1. Information leaks
1.4.4.2. Some examples of famous attacks
1.5. Examples of particularly exposed sectors of activity
1.5.1. Cinema
1.5.2. Banks
1.5.3. Health
1.5.4. Tourism and business hotels
1.5.5. Critical national infrastructure
1.5.5.1. Military Programming Act
1.5.5.2. Issues for officers and directors
1.6. Responsibilities of officers and directors
Box 1.1. The five questions to ask yourself regularly
2. Corporate Governance and Digital Responsibility
2.1. Corporate governance and stakeholders
2.2. The shareholders
2.2.1. Valuation of the company
2.2.2. Cyber rating agencies
2.2.3. Insider trading
2.2.4. Activist shareholders
2.2.5. The stock exchange authorities
2.2.6. The annual report
2.3. The board of directors
2.3.1. The facts
2.3.2. The four missions of the board of directors
2.3.3. Civil and criminal liability
2.3.4. The board of directors and cybersecurity
2.3.4.1. Taking charge of the company’s digital destiny
2.3.4.2. Reinventing the board of directors?
2.3.5. The board of directors and data protection
2.3.6. The statutory auditors
2.3.7. The numerical responsibility of the board of directors
2.4. Customers and suppliers
2.5. Operational management
2.5.1. The impacts of digital transformation
2.5.2. The digital strategy
2.5.2.1. Several possible and complementary answers
2.5.3. The consequences of poor digital performance
2.5.4. Cybersecurity
2.5.5. Merger and acquisition transactions
2.5.6. Governance and data protection, cybersecurity
2.5.6.1. Internal data
2.5.6.2. Customer data
2.5.6.3. Open data and personal data protection
2.5.6.4. Public data – acute spying?
Box 2.1. Cyber-risks are strategic risks: the five arguments to convince the board of directors and management
3. Risk Mapping
3.1. Cyber-risks
3.2. The context
3.3. Vulnerabilities
3.3.1. Fraud against the president
3.3.2. Supplier fraud
3.3.3. Other economic impacts
3.4. Legal risks
3.4.1. Class actions
3.4.2. Sanctions by the CNIL and the ICO
3.5. The objectives of risk mapping
3.6. The different methods of risk analysis
3.7. Risk assessment (identify)
3.7.1. The main actors
3.7.2. The steps
3.8. Protecting
3.9. Detecting
3.10. Reacting
3.11. Restoring
3.12. Decentralized mapping
3.12.1. The internal threat
3.12.2. Industrial risks
3.12.3. Suppliers, subcontractors and service providers
3.12.4. Connected objects
3.13. Insurance
3.14. Non-compliance risks and ethics
Box 3.1. The five questions to ask my CISO, trades and functions
4. Regulations
4.1. The context
4.1.1. Complaints filed with the CNIL
4.1.2. Vectaury
4.1.3. Optical Center
4.1.4. Dailymotion
4.2. The different international regulations (data protection)
4.2.1. The United States
4.2.2. China
4.2.3. Asia
4.2.4. Europe
4.3. Cybersecurity regulations, the NIS Directive
4.4. Sectoral regulations
4.4.1. The banking industry
4.4.2. Health
4.5. The General Data Protection Regulation (GDPR)
4.5.1. The foundations
4.5.2. Definition of personal data
4.5.3. The so-called “sensitive” data
4.5.4. The principles of the GDPR
4.5.4.1. Transparency
4.5.4.2. Minimization
4.5.4.3. Data security
4.5.4.4. Accountability
4.5.5. The five actions to be in compliance with the GDPR
4.5.6. The processing register
4.5.7. The five actions to be carried out
4.5.7.1. Appointment of a DPO
4.5.7.2. Compliance plan
4.5.7.3. Produce/update the processing of personal data
4.5.7.4. Update websites/documents
4.5.7.5. Write to subcontractors and partners affected
4.5.8. Cookies
4.6. Consequences for the company and the board of directors
Box 4.1. The five points of vigilance regarding data protection
5. Best Practices of the Board of Directors
5.1. Digital skills
5.2. Situational awareness
5.2.1. The main issues
5.2.1.1. It starts with the CEO! Tone from the top
5.2.1.2. Avoiding the method of checking checklists of checkpoints
5.2.1.3. Assigning clear supervisory responsibilities at the board level
5.2.1.4. Requiring evaluations, tests and reports
5.2.1.5. Remaining vigilant at all times
5.2.1.6. Being informed and understanding incidents
5.2.1.7. Anticipating
Box 5.1. Five questions for the board of directors
5.2.2. Insurance
5.3. Internal governance
5.3.1. The CISO
5.3.2. The CISO and the company
5.3.3. Clarifying responsibilities
5.3.4. Streamlining the supplier portfolio
5.3.5. Security policies and procedures
5.3.5.1. The cloud strategy
5.3.5.2. The bring your own device (BYOD) strategy
5.3.6. The human being
5.4. Data protection
5.4.1. Emails
5.4.2. The tools
5.4.3. Double authentication: better, but not 100% reliable
5.5. Choosing your service providers
5.6. The budget
5.7. Cyberculture
5.8. The dashboard for officers and directors
Box 5.2. Best practices: the five questions to be asked regularly
6. Resilience and Crisis Management
6.1. How to ensure resilience?
6.2. Definition of a CERT
6.3. Definition of a SOC
6.4. The role of ENISA
Box 6.1. The conditions of resilience: five points to remember
6.5. The business continuity plan
6.6. Crisis management
6.6.1. The preparation
6.6.2. Exiting the state of sideration
6.6.3. Ensuring business continuity
6.6.4. Story of the TV5 Monde attack
6.6.5. Management of the first few hours
6.6.5.1. Emergency measures
6.6.5.2. The payment of the ransom
6.6.5.3. Medium-term management
6.6.5.4. Long-term management
6.7. Crisis simulation
Box 6.2. Crisis management: five recommendations
Conclusion: The Digital Committee
Appendix 1. Cybersecurity Dashboard
Appendix 2. Ensuring Cybersecurity in Practice and on a Daily Basis
Appendix 3. Tools to Identify, Protect, Detect, Train, React and Restore
A3.1. Identify
A3.2. Protecting
A3.3. Training and governance
A3.4. Detecting
A3.5. Reacting
A3.6. Restoring
Glossary
References
Index. A, B, C, D; E, F, G, I, L; M, N, P, R, S
WILEY END USER LICENSE AGREEMENT
Excerpt from the book
Marie de Fréminville
.....
Cyber-risk is an integral part of companies and also of personal organizations (everyone is concerned individually and as a member of an organization). It is not just a technical risk.
People are the weakest (and strongest) link in the entire safety chain.
.....