King Saud University Financial Security Breach Discussion

Consider a person or organization with which you are familiar. Briefly describe how they were impacted by a financial security breach. What type of Personally Identifiable Information (PII) was taken? What financial data was disclosed? At least three resources including the attached textbook. Introduction, body and conclusion with citation.

About This E-Book
EPUB is an open, industry-standard format for e-books. However, support for
EPUB and its many features varies across reading devices and applications. Use
your device or app settings to customize the presentation to your liking. Settings
that you can customize often include font, font size, single or double column,
landscape or portrait mode, and figures that you can click or tap to enlarge. For
additional information about the settings and features on your reading device or
app, visit the device manufacturer’s Web site.
Many titles include programming code or configuration examples. To optimize
the presentation of these elements, view the e-book in single-column, landscape
mode and adjust the font size to the smallest setting. In addition to presenting
code and configurations in the reflowable text format, we have included images
of the code that mimic the presentation found in the print book; therefore, where
the reflowable format may compromise the presentation of the code listing, you
will see a “Click here to view code image” link. Click the link to view the print-fidelity code image. To return to the previous page viewed, click the Back button
on your device or app.
Developing Cybersecurity
Programs and Policies
Omar Santos
Developing Cybersecurity Programs and Policies
Copyright © 2019 by Pearson Education, Inc.
All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or transmitted by
any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from
the publisher. No patent liability is assumed with respect to the use of the information contained herein.
Although every precaution has been taken in the preparation of this book, the publisher and author assume
no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of
the information contained herein.
ISBN-13: 978-0-7897-5940-5
ISBN-10: 0-7897-5940-3
Library of Congress Control Number: 2018942730
01 18
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately
capitalized. Pearson IT Certification cannot attest to the accuracy of this information. Use of a term in this
book should not be regarded as affecting the validity of any trademark or service mark.
Warning and Disclaimer
Every effort has been made to make this book as complete and as accurate as possible, but no warranty or
fitness is implied. The information provided is on an “as is” basis. The author and the publisher shall have
neither liability nor responsibility to any person or entity with respect to any loss or damages arising from
the information contained in this book.
Special Sales
For information about buying this title in bulk quantities, or for special sales opportunities (which may
include electronic versions; custom cover designs; and content particular to your business, training goals,
marketing focus, or branding interests), please contact our corporate sales department at or (800) 382-3419.
For government sales inquiries, please contact
For questions about sales outside the U.S., please contact
Mark Taub
Product Line Manager
Brett Bartow
Executive Editor
Mary Beth Ray
Development Editor
Christopher Cleveland
Managing Editor
Sandra Schroeder
Senior Project Editor
Tonya Simpson
Copy Editor
Barbara Hacha
Erika Millen
Larry Sulky
Technical Editors
Sari Greene
Klee Michaelis
Publishing Coordinator
Vanessa Evans
Cover Designer
Chuti Prasertsith
Contents at a Glance
1 Understanding Cybersecurity Policy and Governance
2 Cybersecurity Policy Organization, Format, and Styles
3 Cybersecurity Framework
4 Governance and Risk Management
5 Asset Management and Data Loss Prevention
6 Human Resources Security
7 Physical and Environmental Security
8 Communications and Operations Security
9 Access Control Management
10 Information Systems Acquisition, Development, and Maintenance
11 Cybersecurity Incident Response
12 Business Continuity Management
13 Regulatory Compliance for Financial Institutions
14 Regulatory Compliance for the Health-Care Sector
15 PCI Compliance for Merchants
16 NIST Cybersecurity Framework
Appendix A: Cybersecurity Program Resources
Appendix B: Answers to the Multiple Choice Questions
Table of Contents
Chapter 1: Understanding Cybersecurity Policy and Governance
Information Security vs. Cybersecurity Policies
Looking at Policy Through the Ages
Policy in Ancient Times
The United States Constitution as a Policy Revolution
Policy Today
Cybersecurity Policy
What Are Assets?
Successful Policy Characteristics
What Is the Role of Government?
Additional Federal Banking Regulations
Government Cybersecurity Regulations in Other Countries
The Challenges of Global Policies
Cybersecurity Policy Life Cycle
Policy Development
Policy Publication
Policy Adoption
Policy Review
Chapter 2: Cybersecurity Policy Organization, Format, and Styles
Policy Hierarchy
Plans and Programs
Writing Style and Technique
Using Plain Language
The Plain Language Movement
Plain Language Techniques for Policy Writing
Policy Format
Understand Your Audience
Policy Format Types
Policy Components
Chapter 3: Cybersecurity Framework
Confidentiality, Integrity, and Availability
What Is Confidentiality?
What Is Integrity?
What Is Availability?
Who Is Responsible for CIA?
NIST’s Cybersecurity Framework
What Is NIST’s Function?
So, What About ISO?
NIST Cybersecurity Framework
ISO Standards
Chapter 4: Governance and Risk Management
Understanding Cybersecurity Policies
What Is Governance?
What Is Meant by Strategic Alignment?
Regulatory Requirements
User-Level Cybersecurity Policies
Vendor Cybersecurity Policies
Cybersecurity Vulnerability Disclosure Policies
Client Synopsis of Cybersecurity Policies
Who Authorizes Cybersecurity Policy?
What Is a Distributed Governance Model?
Evaluating Cybersecurity Policies
Revising Cybersecurity Policies: Change Drivers
NIST Cybersecurity Framework Governance Subcategories and Informative References
Regulatory Requirements
Cybersecurity Risk
Is Risk Bad?
Understanding Risk Management
Risk Appetite and Tolerance
What Is a Risk Assessment?
Risk Assessment Methodologies
Chapter 5: Asset Management and Data Loss Prevention
Information Assets and Systems
Who Is Responsible for Information Assets?
Information Classification
How Does the Federal Government Classify Data?
Why Is National Security Information Classified Differently?
Who Decides How National Security Data Is Classified?
How Does the Private Sector Classify Data?
Can Information Be Reclassified or Even Declassified?
Labeling and Handling Standards
Why Label?
Why Handling Standards?
Information Systems Inventory
Why an Inventory Is Necessary and What Should Be Inventoried
Understanding Data Loss Prevention Technologies
Chapter 6: Human Resources Security
The Employee Life Cycle
What Does Recruitment Have to Do with Security?
What Happens in the Onboarding Phase?
What Is User Provisioning?
What Should an Employee Learn During Orientation?
Why Is Termination Considered the Most Dangerous Phase?
The Importance of Employee Agreements
What Are Confidentiality or Nondisclosure Agreements?
What Is an Acceptable Use Agreement?
The Importance of Security Education and Training
Influencing Behavior with Security Awareness
Teaching a Skill with Security Training
Security Education Is Knowledge Driven
Chapter 7: Physical and Environmental Security
Understanding the Secure Facility Layered Defense Model
How Do We Secure the Site?
How Is Physical Access Controlled?
Protecting Equipment
No Power, No Processing?
How Dangerous Is Fire?
What About Disposal?
Stop, Thief!
Chapter 8: Communications and Operations Security
Standard Operating Procedures
Why Document SOPs?
Developing SOPs
Operational Change Control
Why Manage Change?
Why Is Patching Handled Differently?
Malware Protection
Are There Different Types of Malware?
How Is Malware Controlled?
What Is Antivirus Software?
Data Replication
Is There a Recommended Backup or Replication Strategy?
Secure Messaging
What Makes Email a Security Risk?
Are Email Servers at Risk?
Other Collaboration and Communication Tools
Activity Monitoring and Log Analysis
What Is Log Management?
Service Provider Oversight
What Is Due Diligence?
What Should Be Included in Service Provider Contracts?
Threat Intelligence and Information Sharing
How Good Is Cyber Threat Intelligence if It Cannot Be Shared?
Chapter 9: Access Control Management
Access Control Fundamentals
What Is a Security Posture?
How Is Identity Verified?
What Is Authorization?
Infrastructure Access Controls
Why Segment a Network?
What Is Layered Border Security?
Remote Access Security
User Access Controls
Why Manage User Access?
What Types of Access Should Be Monitored?
Chapter 10: Information Systems Acquisition, Development, and Maintenance
System Security Requirements
What Is SDLC?
What About Commercially Available or Open Source Software?
The Testing Environment
Protecting Test Data
Secure Code
The Open Web Application Security Project (OWASP)
Why Encrypt?
Regulatory Requirements
What Is a “Key”?
What Is PKI?
Why Protect Cryptographic Keys?
Digital Certificate Compromise
Chapter 11: Cybersecurity Incident Response
Incident Response
What Is an Incident?
How Are Incidents Reported?
What Is an Incident Response Program?
The Incident Response Process
Tabletop Exercises and Playbooks
Information Sharing and Coordination
Computer Security Incident Response Teams
Product Security Incident Response Teams (PSIRTs)
Incident Response Training and Exercises
What Happened? Investigation and Evidence Handling
Documenting Incidents
Working with Law Enforcement
Understanding Forensic Analysis
Data Breach Notification Requirements
Is There a Federal Breach Notification Law?
Does Notification Work?
Chapter 12: Business Continuity Management
Emergency Preparedness
What Is a Resilient Organization?
Regulatory Requirements
Business Continuity Risk Management
What Is a Business Continuity Threat Assessment?
What Is a Business Continuity Risk Assessment?
What Is a Business Impact Assessment?
The Business Continuity Plan
Roles and Responsibilities
Disaster Response Plans
Operational Contingency Plans
The Disaster Recovery Phase
The Resumption Phase
Plan Testing and Maintenance
Why Is Testing Important?
Plan Maintenance
Chapter 13: Regulatory Compliance for Financial Institutions
The Gramm-Leach-Bliley Act
What Is a Financial Institution?
Regulatory Oversight
What Are the Interagency Guidelines?
New York’s Department of Financial Services Cybersecurity Regulation (23 NYCRR Part 500)
What Is a Regulatory Examination?
Examination Process
Examination Ratings
Personal and Corporate Identity Theft
What Is Required by the Interagency Guidelines Supplement A?
What Is Required by the Supplement to the Authentication in an Internet Banking Environment Guidance?
Chapter 14: Regulatory Compliance for the Health-Care Sector
The HIPAA Security Rule
What Is the Objective of the HIPAA Security Rule?
How Is the HIPAA Security Rule Organized?
What Are the Physical Safeguards?
What Are the Technical Safeguards?
What Are the Organizational Requirements?
What Are the Policies and Procedures Standards?
The HIPAA Security Rule Mapping to NIST Cybersecurity Framework
The HITECH Act and the Omnibus Rule
What Changed for Business Associates?
What Are the Breach Notification Requirements?
Understanding the HIPAA Compliance Enforcement Process
Chapter 15: PCI Compliance for Merchants
Protecting Cardholder Data
What Is the PAN?
The Luhn Algorithm
What Is the PCI DSS Framework?
Business-as-Usual Approach
What Are the PCI Requirements?
PCI Compliance
Who Is Required to Comply with PCI DSS?
What Is a Data Security Compliance Assessment?
What Is the PCI DSS Self-Assessment Questionnaire (SAQ)?
Are There Penalties for Noncompliance?
Chapter 16: NIST Cybersecurity Framework
Introducing the NIST Cybersecurity Framework Components
The Framework Core
Framework Implementation Tiers (“Tiers”)
Who Should Coordinate the Framework Implementation?
NIST’s Recommended Steps to Establish or Improve a Cybersecurity Program
Communication with Stakeholders and Supply Chain Relationships
NIST’s Cybersecurity Framework Reference Tool
Adopting the NIST Cybersecurity Framework in Real Life
Appendix A: Cybersecurity Program Resources
Appendix B: Answers to the Multiple Choice Questions
About the Author
Omar Santos is a principal engineer in the Cisco Product Security Incident
Response Team (PSIRT) within the Cisco Security Research and Operations. He
mentors and leads engineers and incident managers during the investigation and
resolution of security vulnerabilities in all Cisco products, including cloud
services. Omar has been working with information technology and cybersecurity
since the mid-1990s. Omar has designed, implemented, and supported numerous
secure networks for Fortune 100 and 500 companies and the U.S. government.
Prior to his current role, he was a technical leader within the World-Wide
Security Practice and the Cisco Technical Assistance Center (TAC), where he
taught, led, and mentored many engineers within both organizations.
Omar is an active member of the security community, where he leads several
industrywide initiatives and standard bodies. His active role helps businesses,
academic institutions, state and local law enforcement agencies, and other
participants that are dedicated to increasing the security of the critical
Omar often delivers technical presentations at many conferences and to Cisco
customers and partners. He is the author of dozens of books and video courses.
You can follow Omar on any of the following:
Personal website:
Twitter: @santosomar
I would like to dedicate this book to my lovely wife, Jeannette, and my two
beautiful children, Hannah and Derek, who have inspired and supported me
throughout the development of this book.
I also dedicate this book to my father, Jose, and to the memory of my
mother, Generosa. Without their knowledge, wisdom, and guidance, I would
not have the goals that I strive to achieve today.
This manuscript is a result of concerted efforts of various individuals—without
their help, this book would have not been a reality. I would like to thank the
technical reviewers Sari Greene and Klee Michaelis for their significant
contributions and expert guidance.
I would also like to express my gratitude to Chris Cleveland, development editor,
and Mary Beth Ray, executive editor, for their help and continuous support
during the development of this book.
We Want to Hear from You!
As the reader of this book, you are our most important critic and commentator.
We value your opinion and want to know what we’re doing right, what we could
do better, what areas you’d like to see us publish in, and any other words of
wisdom you’re willing to pass our way.
We welcome your comments. You can email or write to let us know what you
did or didn’t like about this book—as well as what we can do to make our books
Please note that we cannot help you with technical problems related to the topic
of this book.
When you write, please be sure to include this book’s title and author as well as
your name and email address. We will carefully review your comments and
share them with the author and editors who worked on the book.
Reader Services
Register your copy of Developing Cybersecurity Programs and Policies at for convenient access to downloads, updates,
and corrections as they become available. To start the registration process, go to and log in or create an account*. Enter
the product ISBN 9780789759405 and click Submit. When the process is
complete, you will find any available bonus content under Registered Products.
*Be sure to check the box that you would like to hear from us to receive
exclusive discounts on future editions of this product.
The number of cyber attacks continues to rise. Demand for safe and secure data
and other concerns mean that companies need professionals to keep their
information safe. Cybersecurity risk includes not only the risk of a data breach,
but also the risk of the entire organization being undermined via business
activities that rely on digitization and accessibility. As a result, learning how to
develop an adequate cybersecurity program is crucial for any organization.
Cybersecurity can no longer be something that you delegate to the information
technology (IT) team. Everyone needs to be involved, including the Board of
This book focuses on industry-leading practices and standards, such as the
International Organization for Standardization (ISO) standards and the National
Institute of Standards and Technology (NIST) Cybersecurity Framework and
Special Publications. This book provides detailed guidance on how to effectively
develop a cybersecurity program within your organization. This book is intended
for anyone who is preparing for a leadership position in business, government,
academia, financial services, or health-care. Mastering the material presented in
this book is a must for any cybersecurity professional.
This book starts by providing an overview of cybersecurity policy and
governance, and how to create cybersecurity policies and develop a
cybersecurity framework. It then provides details about governance, risk
management, asset management, and data loss prevention. You will learn how to
incorporate human resource, physical, and environmental security as important
elements of your cybersecurity program. This book also teaches you best
practices in communications and operations security, access control
management, and information systems acquisition, development, and
maintenance. You will learn principles of cybersecurity incident response and
how to develop an incident response plan. Organizations across the globe have to
be aware of new cybersecurity regulations and how they affect their business in
order to remain compliant. Compliance is especially crucial because the
punishments for noncompliance typically include large fines. Three chapters in
this book cover regulatory compliance for financial institutions and health-care
institutions and provide detailed insights about the Payment Card Industry Data
Security Standard (PCI DSS). The last chapter provides an overview of the NIST
Cybersecurity Framework, and Appendix A provides comprehensive lists of
resources covered throughout the book. Anyone—from cybersecurity engineers
to incident managers, auditors, and executives—can benefit from the material
covered in this book.
Chapter 1
Understanding Cybersecurity Policy and Governance
Chapter Objectives
After reading this chapter and completing the exercises, you should be
able to do the following:
Describe the significance of cybersecurity policies.
Evaluate the role policy plays in corporate culture and civil society.
Articulate the objective of cybersecurity-related policies.
Identify the different characteristics of successful cybersecurity policies.
Define the life cycle of a cybersecurity policy.
We live in an interconnected world where both individual and collective actions
have the potential to result in inspiring goodness or tragic harm. The objective of
cybersecurity is to protect each of us, our economy, our critical infrastructure,
and our cou…