The Cybersecurity Control Playbook: From Fundamentals to Advanced Strategies (Edwards, Jason)

Author: Edwards, Jason

Other

No Description

📄 File Format: PDF
💾 File Size: 6.1 MB

📄 Text Preview (First 20 pages)


📄 Page 2
Table of Contents
Cover; Table of Contents; Title Page; Copyright; Preface; Acknowledgments
1 Understanding Cybersecurity Controls: Definition and Importance; Types of Controls; Mowing the Lawn: An Allegory for Cybersecurity Controls; The Lifecycle of a Control; Leadership Insight: Guiding Teams in Understanding and Valuing Controls; Chapter Recommendations; Chapter Conclusion; Questions
2 The Risk‐Based Approach: Identifying Cyber Risks; Prioritizing Risks; Developing a Risk Taxonomy; Leadership Insight: Leading Risk Assessment and Prioritization Efforts; Chapter Recommendations; Chapter Conclusion; Questions
📄 Page 3
3 Small Business Implementation: Unique Challenges and Solutions; Cost‐Effective Strategies; Leadership Insight: Leading Security Initiatives in Small Businesses; AI Recommendations: Leveraging AI for Cybersecurity in Small Businesses; Selecting the Right Managed Security Service Provider (MSSP) for Your Small Business; Chapter Recommendations; Chapter Conclusion; Questions
4 Medium‐Sized Enterprises: Balancing Resources and Security; Managing Limited IT and Security Budgets; Cost‐Effective Security Solutions; Maximizing Existing Resources; Allocating Human Resources; Outsourcing Cybersecurity Functions; Collaborating Across Teams; Maximizing Impact Through Strategic Planning; Sizing Security Teams for Medium‐Sized Enterprises; Leadership Insight: Managing Security Teams in Medium‐Sized Enterprises; AI Recommendations: Leveraging AI for Education on Cybersecurity and Medium Enterprise Risks and Controls; Chapter Recommendations; Chapter Conclusion
📄 Page 4
Questions
5 Large Enterprises: Advanced Control Strategies; Collaborating Across the Organization to Design Controls; Choosing the Right Cybersecurity Framework; Prioritizing Controls in a Large Enterprise Setting; Advanced Strategies for Large Organizations with Complex Environments; Managing Complexity and Scale; Leadership Insight: Leading Large‐Scale Security Operations; AI Recommendations: GRC AI Uses for Large Enterprises; Chapter Recommendations; Chapter Conclusion; Questions
6 Introduction to MITRE ATT&CK & DEFEND: What Is MITRE ATT&CK?; What Is MITRE DEFEND?; Benefits of Using ATT&CK and DEFEND Together; Leadership Insight: Encouraging Adoption of MITRE ATT&CK and DEFEND Within Teams; AI Recommendations: Learning MITRE ATT&CK and DEFEND; Chapter Recommendations; Chapter Conclusion; Questions
7 Mapping Threats to Controls Using MITRE ATT&CK: Practical Guide to Threat Mapping
📄 Page 5
Steps for Threat Mapping; Tools for Effective Threat Mapping; Mapping Specific Techniques to Controls; Leadership Insight: Leading Threat‐Mapping Exercises; Aligning Threat Mapping with Business Objectives; Driving Continuous Improvement; AI Recommendations: Leveraging AI for Threat Mapping and Analysis; Chapter Recommendations; Chapter Conclusion; Questions
8 Enhancing Defenses with MITRE DEFEND: Integrating MITRE DEFEND into Organizational Defense Strategies; Alignment with NIST Cybersecurity Framework (CSF); Alignment with ISO 27001: Establishing a Strong Information Security Management System (ISMS); Alignment with CIS Controls: Prioritizing Actions to Mitigate Common Threats; Embedding MITRE DEFEND into Risk Management; Tools and Techniques for Defensive Implementation; Leadership Strategies for MITRE DEFEND Integration; Enhancing Defense with AI and MITRE DEFEND; Chapter Recommendations; Chapter Conclusion; Questions
9 Cybersecurity Frameworks Overview
📄 Page 6
Why Cybersecurity Frameworks Are Critical; Leadership Insight: Choosing and Championing the Right Frameworks for Your Organization; Integrating AI with Cybersecurity Frameworks; Chapter Recommendations; Comparison of Popular Cybersecurity Control Frameworks; Chapter Conclusion; Questions
10 NIST 800‐53: Overview of NIST SP 800‐53; Control Families; Categorization of Information Systems (FIPS 199); Control Baselines; Implementation Strategies; Prioritizing Controls Based on Risk; Tailoring Controls to the Organization; Overcoming Challenges in Implementation; NIST 800‐171—Controls for Non‐federal Entities; Chapter Recommendations; Chapter Conclusion; Questions
11 Center for Internet Security (CIS) 18 Controls: Overview of CIS Controls; In‐Depth Exploration of the 18 CIS Controls; Leadership Insight: Driving the Application of CIS Controls; Overcoming Resistance to Change; Chapter Recommendations
📄 Page 7
Chapter Conclusion; Questions
12 Agile Implementation of Controls and Control Frameworks: Agile Implementation of Controls and Control Frameworks; Leadership Insight: Leading Agile Cybersecurity Teams; Chapter Recommendations; Chapter Conclusion; Questions
13 Adaptive Control Testing & Continuous Improvement: What Is Control Testing?; Using Metrics to Monitor and Evaluate Controls; Continuous Improvement and Adaptation; Leveraging AI in Control Testing: Enhancing Efficiency and Accuracy; Increased Testing Frequency Without Resource Drain; Chapter Recommendations; Chapter Conclusion; Questions
14 Testing Controls in Small and Medium Enterprises: Streamlined Control Testing for Small Businesses; Simplified Testing Methods for Medium‐Sized Enterprises; Managed Security Service Providers (MSSPs) for Small Businesses; MSSPs for Medium‐Sized Enterprises
📄 Page 8
Third‐Party Testing for Small Businesses; Advanced Testing for Medium‐Sized Enterprises; Leadership Insight: Managing Control Testing in Small Businesses; Leadership Insight: Managing Control Testing in Medium Enterprises; Integration of AI into Small and Medium Enterprise Control Testing; Chapter Recommendations; Chapter Conclusion; Questions
15 Control Testing in Larger and Complex Enterprises: Dealing with Organizational Complexity; Tailoring Tests to Specific Environments; Quantitative Testing Methods; Qualitative Testing Methods; Sampling Best Practices; Control Testing Frequency; Involvement of GRC Systems and Risk/Compliance Teams; Outside Testing Options, Including Penetration Testing; Leadership Insight: Managing Large‐Scale Control Testing Efforts; Chapter Recommendations; Chapter Conclusion; Questions
16 Control Failures: Identification, Management, and Reporting: Defining Control Failures
📄 Page 9
Handling Control Failures; Reporting Control Failures; Key vs. Non‐key Control Failures; Inherited or Common Control Failures; Reporting and Escalating Control Failures; Impact of Control Failures on Metrics and KPIs; Proactive Measures for Reducing Control Failures; Chapter Recommendations; Chapter Conclusion; Questions
17 Control Testing for Regulated Companies: Navigating Legal Requirements; Maintaining Awareness of Regulatory Changes; Integrating Compliance with Security Strategy; Technology Solutions for Managing Compliance; Compliance Testing and Audits; Leadership Insight: Leading Compliance Efforts; Chapter Recommendations; Chapter Conclusion; Questions
18 Emerging Threats and Technologies: Adapting Controls to New Attack Vectors; Control Flexibility and Scalability; Enhancing Control Development Through Threat Intelligence; Fostering Proactive Control Development; AI‐Powered Control Development; Chapter Recommendations
📄 Page 10
Chapter Conclusion; Questions
Appendix A: Glossary of Terms
Appendix B: Creating and Using a Cybersecurity Risk Register: How to Create a Cybersecurity Risk Register; Using the Sample Risk Register; Sample Cybersecurity Risk Register
Appendix C: Creating and Using a Cybersecurity Risk Taxonomy: How to Build a Risk Taxonomy; How to Use This Sample Risk Taxonomy
Appendix D: SME Security Team Structures: Small‐to‐Lower‐Medium Enterprise Security Team Structure; Mid‐Medium Enterprise Security Team Structure; Upper‐Medium Enterprise Security Team Structure
Appendix E: Developing Process Maps: Process Mapping and Risk Identification Guide; Control Identification and Implementation Guide; Control Testing and Continuous Monitoring Guide
Appendix F: Establishing a Regulatory Change Management Program: Establish a Regulatory Monitoring Process; Define Roles and Responsibilities; Create a Regulatory Impact Assessment Process; Update Policies, Procedures, and Controls; Implement a Training and Awareness Program; Establish a Reporting and Documentation System
📄 Page 11
Create a Review and Continuous Improvement Cycle; Integrate Regulatory Changes into Risk Management Processes; Communicate Changes to External Stakeholders; Implement Continuous Monitoring and Auditing
Appendix G: Recommended Metrics for MITRE ATT&CK Techniques
Answers: Chapter 1; Chapter 2; Chapter 3; Chapter 4; Chapter 5; Chapter 6; Chapter 7; Chapter 8; Chapter 9; Chapter 10; Chapter 11; Chapter 12; Chapter 13; Chapter 14; Chapter 15; Chapter 16; Chapter 17; Chapter 18
Index
End User License Agreement
📄 Page 12
List of Tables
Chapter 2
Table 2.1 Risk Categories and Examples.
Table 2.2 Risk Assessment Tools.
Table 2.3 Leadership Responsibilities.
Chapter 3
Table 3.1 Prioritizing Security Investments Based on Risk.
Chapter 4
Table 4.1 Scaling Cybersecurity Roles.
Table 4.2 Leadership Priorities for Cybersecurity.
Table 4.3 AI‐Powered Cybersecurity Solutions.
Chapter 5
Table 5.1 Risk Assessment and Control Mapping.
Table 5.2 Process Mapping and Control Identification Checklist.
Table 5.3 AI Tools for Cybersecurity Applications.
Chapter 6
Table 6.1 Example Enterprise Controls for Each of the ATT&CK Tactics.
Table 6.2 Example Enterprise Controls for Each of the DEFEND Tactics.
Table 6.3 Possible KRIs for ATT&CK and DEFEND.
Chapter 7
Table 7.1 Example Enterprise Assessment of Techniques to Controls.
📄 Page 13
Chapter 8
Table 8.1 Mapping NIST 800‐53 Control Families to MITRE DEFEND Techniques.
Table 8.2 Example Mapping of NIST CSF Functions to MITRE DEFEND Techniques....
Table 8.3 Example Mapping CIS 18 Controls to MITRE DEFEND Techniques.
Table 8.4 Example KPIs for Measuring the Effectiveness of MITRE DEFEND.
Chapter 9
Table 9.1 Comparison of Popular Control Frameworks.
Chapter 10
Table 10.1 Control Families to Risk‐Based Examples.
Table 10.2 Control Family Differences Between NIST 800‐171 and NIST 800‐53....
Chapter 11
Table 11.1 Examples of CIS Controls by Risk Level.
Chapter 12
Table 12.1 Integrating Security Controls with Agile Practices.
Chapter 13
Table 13.1 Steps for Continuous Improvement.
Table 13.2 Comparison of Traditional vs. AI‐Driven Control Testing.
Chapter 14
📄 Page 14
Table 14.1 Control Testing Priorities for Small and Medium‐Sized Enterprises...
Table 14.2 Cost‐Effective Security Testing Options for Small and Medium Busi...
Table 14.3 AI‐Powered Tools for Control Testing.
Chapter 15
Table 15.1 Testing Recommendations for Controls.
Table 15.2 Sampling Recommendations for Control Testing.
Chapter 16
Table 16.1 Example Categorization of Control Type Failures.
Table 16.2 Control Failure Remediation and Response.
Table 16.3 Control Failure Monitoring Metrics Table.
Chapter 17
Table 17.1 Roles and Responsibilities of the Regulatory Change Management Te...
Chapter 18
Table 18.1 Emerging Technologies and Associated Security Threats.
Table 18.2 Control Development Recommendations for Emerging Threats.
Table 18.3 AI‐Powered Control Features and Benefits.
📄 Page 15
List of Illustrations
Chapter 1
Figure 1.1 Timing‐Based Controls.
Figure 1.2 The Control Lifecycle.
Chapter 2
Figure 2.1 Risk‐Based Cybersecurity Process Flow.
Chapter 3
Figure 3.1 Cybersecurity Layers for Small Businesses.
Chapter 4
Figure 4.1 Leadership‐Driven Cybersecurity Culture.
Chapter 5
Figure 5.1 Risk‐Based Prioritization Workflow.
Chapter 6
Figure 6.1 AI‐Enhanced Threat Detection Workflow.
Chapter 7
Figure 7.1 Threat‐mapping Process Flowchart.
Chapter 8
Figure 8.1 AI‐Driven Incident Response Workflow.
Chapter 10
Figure 10.1 Continuous Monitoring Cycle.
Chapter 11
Figure 11.1 Implementation Groups with Example CIS 18 Controls.
Chapter 12
📄 Page 16
Figure 12.1 Example Agile Security Integration Flow.
Chapter 13
Figure 13.1 Continuous Improvement in Control Testing.
Chapter 15
Figure 15.1 Advanced Control Testing Lifecycle.
Chapter 16
Figure 16.1 The Control Failure Lifecycle.
Chapter 17
Figure 17.1 Compliance Testing Lifecycle.
Chapter 18
Figure 18.1 AI‐Driven Threat Detection and Response Process.
📄 Page 17
The Cybersecurity Control Playbook: From Fundamentals to Advanced Strategies
Jason Edwards, BareMetalCyber, New Braunfels, TX, USA
📄 Page 18
This edition first published 2025 © 2025 John Wiley & Sons Ltd. All rights reserved, including rights for text and data mining and training of artificial intelligence technologies or similar technologies. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, except as permitted by law. Advice on how to obtain permission to reuse material from this title is available at http://www.wiley.com/go/permissions. The right of Jason Edwards to be identified as the author of this work has been asserted in accordance with law.

Registered Offices: John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, USA; John Wiley & Sons Ltd, New Era House, 8 Oldlands Way, Bognor Regis, West Sussex, PO22 9NQ, UK. For details of our global editorial offices, customer services, and more information about Wiley products visit us at www.wiley.com. The manufacturer's authorized representative according to the EU General Product Safety Regulation is Wiley‐VCH GmbH, Boschstr. 12, 69469 Weinheim, Germany, e-mail: Product_Safety@wiley.com. Wiley also publishes its books in a variety of electronic formats and by print‐on‐demand. Some content that appears in standard print versions of this book may not be available in other formats.

Trademarks: Wiley and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.
Limit of Liability/Disclaimer of Warranty In view of ongoing research, equipment modifications, changes in governmental regulations, and the constant flow of information relating to the use of experimental reagents, equipment, and devices, the reader is urged to review and evaluate the information provided in the package insert or instructions for each chemical, piece of equipment, reagent, or device for, among other things, any changes in the instructions or indication of usage and for added warnings and precautions. While the publisher and authors have used their best efforts in preparing this work, they make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives, written sales materials or promotional statements for this work. The fact that an
📄 Page 19
organization, website, or product is referred to in this work as a citation and/or potential source of further information does not mean that the publisher and authors endorse the information or services the organization, website, or product may provide or recommendations it may make. This work is sold with the understanding that the publisher is not engaged in rendering professional services. The advice and strategies contained herein may not be suitable for your situation. You should consult with a specialist where appropriate. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages. Library of Congress Cataloging‐in‐Publication Data Applied for: Hardback ISBN: 9781394331857 Cover Design: Wiley Cover Image: © zf L/Getty Images
📄 Page 20
Preface

In today's digital world, cybersecurity is no longer just an IT concern—it has become a foundational element of every organization's overall strategy. The evolution of technology has brought us immense convenience and innovation, but with these advancements come new risks, complexities, and threats that challenge even the most seasoned professionals. From the smallest startups to the largest corporations, protecting digital infrastructure is now critical for success.

With this reality in mind, I present The Cybersecurity Control Playbook. This book emerged from years of experience working on the front lines of cybersecurity, navigating everything from day‐to‐day challenges to large‐scale remediations, including my time at USAA working through Consent Order Remediations with teams of dedicated professionals. These experiences reinforced the importance of understanding not just the technical elements of cybersecurity but also the strategic, organizational, and leadership dimensions that make all the difference in protecting critical systems.

As we move further into the age of digital transformation, organizations face increasingly sophisticated attacks, and the need for effective cybersecurity measures has never been more pressing. This book is designed for readers of all levels—from newcomers to seasoned veterans. It covers the essentials while providing advanced strategies for those managing large‐scale or complex environments. My goal is to offer practical, actionable insights that will empower you to take control of your organization's cybersecurity posture, regardless of its size or industry.