{"product_id":"cybersecurity-and-thirdparty-risk-9781119809555","title":"Cybersecurity and ThirdParty Risk","description":"\u003cb\u003eBook Synopsis\u003c\/b\u003e\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e\u003cb\u003eTable of Contents\u003c\/b\u003e\u003cbr\u003e\u003cp\u003eForeword xvi\u003c\/p\u003e \u003cp\u003eIntroduction xviii\u003c\/p\u003e \u003cp\u003e\u003cb\u003eSection 1 Cybersecurity Third-Party Risk\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 1 What is the Risk? 1\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eThe SolarWinds Supply-Chain Attack 4\u003c\/p\u003e \u003cp\u003eThe VGCA Supply-Chain Attack 6\u003c\/p\u003e \u003cp\u003eThe Zyxel Backdoor Attack 9\u003c\/p\u003e \u003cp\u003eOther Supply-Chain Attacks 10\u003c\/p\u003e \u003cp\u003eProblem Scope 12\u003c\/p\u003e \u003cp\u003eCompliance Does Not Equal Security 15\u003c\/p\u003e \u003cp\u003eThird-Party Breach Examples 17\u003c\/p\u003e \u003cp\u003eThird-Party Risk Management 24\u003c\/p\u003e \u003cp\u003eCybersecurity and Third-Party Risk 27\u003c\/p\u003e \u003cp\u003eCybersecurity Third-Party Risk as a Force Multiplier 32\u003c\/p\u003e \u003cp\u003eConclusion 33\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 2 Cybersecurity Basics 35\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eCybersecurity Basics for Third-Party Risk 38\u003c\/p\u003e \u003cp\u003eCybersecurity Frameworks 46\u003c\/p\u003e \u003cp\u003eDue Care and Due Diligence 53\u003c\/p\u003e \u003cp\u003eCybercrime and Cybersecurity 56\u003c\/p\u003e \u003cp\u003eTypes of Cyberattacks 59\u003c\/p\u003e \u003cp\u003eAnalysis of a Breach 63\u003c\/p\u003e \u003cp\u003eThe Third-Party Breach Timeline: Target 66\u003c\/p\u003e \u003cp\u003eInside Look: Home Depot Breach 68\u003c\/p\u003e \u003cp\u003eConclusion 72\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 3 What the COVID-19 Pandemic Did to Cybersecurity and Third-Party Risk 75\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eThe Pandemic Shutdown 77\u003c\/p\u003e \u003cp\u003eTimeline of the Pandemic Impact on Cybersecurity 80\u003c\/p\u003e \u003cp\u003ePost-Pandemic Changes and Trends 84\u003c\/p\u003e \u003cp\u003eRegulated Industries 98\u003c\/p\u003e \u003cp\u003eAn Inside Look: P\u0026amp;N Bank 100\u003c\/p\u003e \u003cp\u003eSolarWinds Attack Update 102\u003c\/p\u003e \u003cp\u003eConclusion 104\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 4 Third-Party Risk Management 107\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eThird-Party Risk Management Frameworks 113\u003c\/p\u003e \u003cp\u003eISO 27036:2013+ 114\u003c\/p\u003e \u003cp\u003eNIST 800-SP 116\u003c\/p\u003e \u003cp\u003eNIST 800-161 Revision 1: Upcoming Revision 125\u003c\/p\u003e \u003cp\u003eNISTIR 8272 Impact Analysis Tool for Interdependent Cyber Supply-Chain Risks 125\u003c\/p\u003e \u003cp\u003eThe Cybersecurity and Third-Party Risk Program Management 127\u003c\/p\u003e \u003cp\u003eKristina Conglomerate (KC) Enterprises 128\u003c\/p\u003e \u003cp\u003eKC Enterprises’ Cyber Third-Party Risk Program 131\u003c\/p\u003e \u003cp\u003eInside Look: Marriott 140\u003c\/p\u003e \u003cp\u003eConclusion 141\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 5 Onboarding Due Diligence 143\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eIntake 145\u003c\/p\u003e \u003cp\u003eData Privacy 146\u003c\/p\u003e \u003cp\u003eCybersecurity 147\u003c\/p\u003e \u003cp\u003eAmount of Data 149\u003c\/p\u003e \u003cp\u003eCountry Risk and Locations 149\u003c\/p\u003e \u003cp\u003eConnectivity 150\u003c\/p\u003e \u003cp\u003eData Transfer 150\u003c\/p\u003e \u003cp\u003eData Location 151\u003c\/p\u003e \u003cp\u003eService-Level Agreement or Recovery Time Objective 151\u003c\/p\u003e \u003cp\u003eFourth Parties 152\u003c\/p\u003e \u003cp\u003eSoftware Security 152\u003c\/p\u003e \u003cp\u003eKC Enterprises Intake\/Inherent Risk Cybersecurity Questionnaire 153\u003c\/p\u003e \u003cp\u003eCybersecurity in Request for Proposals 154\u003c\/p\u003e \u003cp\u003eData Location 155\u003c\/p\u003e \u003cp\u003eDevelopment 155\u003c\/p\u003e \u003cp\u003eIdentity and Access Management 156\u003c\/p\u003e \u003cp\u003eEncryption 156\u003c\/p\u003e \u003cp\u003eIntrusion Detection\/Prevention System 157\u003c\/p\u003e \u003cp\u003eAntivirus and Malware 157\u003c\/p\u003e \u003cp\u003eData Segregation 158\u003c\/p\u003e \u003cp\u003eData Loss Prevention 158\u003c\/p\u003e \u003cp\u003eNotification 158\u003c\/p\u003e \u003cp\u003eSecurity Audits 159\u003c\/p\u003e \u003cp\u003eCybersecurity Third-Party Intake 160\u003c\/p\u003e \u003cp\u003eData Security Intake Due Diligence 161\u003c\/p\u003e \u003cp\u003eNext Steps 167\u003c\/p\u003e \u003cp\u003eWays to Become More Efficient 173\u003c\/p\u003e \u003cp\u003eSystems and Organization Controls Reports 174\u003c\/p\u003e \u003cp\u003eChargebacks 177\u003c\/p\u003e \u003cp\u003eGo-Live Production Reviews 179\u003c\/p\u003e \u003cp\u003eConnectivity Cyber Reviews 179\u003c\/p\u003e \u003cp\u003eInside Look: Ticketmaster and Fourth Parties 182\u003c\/p\u003e \u003cp\u003eConclusion 183\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 6 Ongoing Due Diligence 185\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eLow-Risk Vendor Ongoing Due Diligence 189\u003c\/p\u003e \u003cp\u003eModerate-Risk Vendor Ongoing Due Diligence 193\u003c\/p\u003e \u003cp\u003eHigh-Risk Vendor Ongoing Due Diligence 196\u003c\/p\u003e \u003cp\u003e“Too Big to Care” 197\u003c\/p\u003e \u003cp\u003eA Note on Phishing 200\u003c\/p\u003e \u003cp\u003eIntake and Ongoing Cybersecurity Personnel 203\u003c\/p\u003e \u003cp\u003eRansomware: A History and Future 203\u003c\/p\u003e \u003cp\u003eAsset Management 205\u003c\/p\u003e \u003cp\u003eVulnerability and Patch Management 206\u003c\/p\u003e \u003cp\u003e802.1x or Network Access Control (NAC) 206\u003c\/p\u003e \u003cp\u003eInside Look: GE Breach 207\u003c\/p\u003e \u003cp\u003eConclusion 208\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 7 On-site Due Diligence 211\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eOn-site Security Assessment 213\u003c\/p\u003e \u003cp\u003eScheduling Phase 214\u003c\/p\u003e \u003cp\u003eInvestigation Phase 215\u003c\/p\u003e \u003cp\u003eAssessment Phase 217\u003c\/p\u003e \u003cp\u003eOn-site Questionnaire 221\u003c\/p\u003e \u003cp\u003eReporting Phase 227\u003c\/p\u003e \u003cp\u003eRemediation Phase 227\u003c\/p\u003e \u003cp\u003eVirtual On-site Assessments 229\u003c\/p\u003e \u003cp\u003eOn-site Cybersecurity Personnel 231\u003c\/p\u003e \u003cp\u003eOn-site Due Diligence and the Intake Process 233\u003c\/p\u003e \u003cp\u003eVendors Are Partners 234\u003c\/p\u003e \u003cp\u003eConsortiums and Due Diligence 235\u003c\/p\u003e \u003cp\u003eConclusion 237\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 8 Continuous Monitoring 239\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eWhat is Continuous Monitoring? 241\u003c\/p\u003e \u003cp\u003eVendor Security-Rating Tools 241\u003c\/p\u003e \u003cp\u003eInside Look: Health Share of Oregon’s Breach 251\u003c\/p\u003e \u003cp\u003eEnhanced Continuous Monitoring 252\u003c\/p\u003e \u003cp\u003eSoftware Vulnerabilities\/Patching Cadence 253\u003c\/p\u003e \u003cp\u003eFourth-Party Risk 253\u003c\/p\u003e \u003cp\u003eData Location 254\u003c\/p\u003e \u003cp\u003eConnectivity Security 254\u003c\/p\u003e \u003cp\u003eProduction Deployment 255\u003c\/p\u003e \u003cp\u003eContinuous Monitoring Cybersecurity Personnel 258\u003c\/p\u003e \u003cp\u003eThird-Party Breaches and the Incident Process 258\u003c\/p\u003e \u003cp\u003eThird-Party Incident Management 259\u003c\/p\u003e \u003cp\u003eInside Look: Uber’s Delayed Data Breach Reporting 264\u003c\/p\u003e \u003cp\u003eInside Look: Nuance Breach 265\u003c\/p\u003e \u003cp\u003eConclusion 266\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 9 Offboarding 267\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eAccess to Systems, Data, and Facilities 270\u003c\/p\u003e \u003cp\u003ePhysical Access 274\u003c\/p\u003e \u003cp\u003eReturn of Equipment 275\u003c\/p\u003e \u003cp\u003eContract Deliverables and Ongoing Security 275\u003c\/p\u003e \u003cp\u003eUpdate the Vendor Profile 276\u003c\/p\u003e \u003cp\u003eLog Retention 276\u003c\/p\u003e \u003cp\u003eInside Look: Morgan Stanley\u003c\/p\u003e \u003cp\u003eDecommissioning Process Misses 277\u003c\/p\u003e \u003cp\u003eInside Look: Data Sanitization 279\u003c\/p\u003e \u003cp\u003eConclusion 283\u003c\/p\u003e \u003cp\u003e\u003cb\u003eSection 2 Next Steps \u003c\/b\u003e\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 10 Securing the Cloud 285\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eWhy is the Cloud So Risky? 287\u003c\/p\u003e \u003cp\u003eIntroduction to NIST Service Models 288\u003c\/p\u003e \u003cp\u003eVendor Cloud Security Reviews 289\u003c\/p\u003e \u003cp\u003eThe Shared Responsibility Model 290\u003c\/p\u003e \u003cp\u003eInside Look: Cloud Controls Matrix by the Cloud Security Alliance 295\u003c\/p\u003e \u003cp\u003eSecurity Advisor Reports as Patterns 298\u003c\/p\u003e \u003cp\u003eInside Look: The Capital One Breach 312\u003c\/p\u003e \u003cp\u003eConclusion 313\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 11 Cybersecurity and Legal Protections 315\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eLegal Terms and Protections 317\u003c\/p\u003e \u003cp\u003eCybersecurity Terms and Conditions 321\u003c\/p\u003e \u003cp\u003eOffshore Terms and Conditions 324\u003c\/p\u003e \u003cp\u003eHosted\/Cloud Terms and Conditions 327\u003c\/p\u003e \u003cp\u003ePrivacy Terms and Conditions 331\u003c\/p\u003e \u003cp\u003eInside Look: Heritage Valley Health vs. Nuance 334\u003c\/p\u003e \u003cp\u003eConclusion 335\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 12 Software Due Diligence 337\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eThe Secure Software Development Lifecycle 340\u003c\/p\u003e \u003cp\u003eLessons from SolarWinds and Critical Software 342\u003c\/p\u003e \u003cp\u003eInside Look: Juniper 344\u003c\/p\u003e \u003cp\u003eOn-Premises Software 346\u003c\/p\u003e \u003cp\u003eCloud Software 348\u003c\/p\u003e \u003cp\u003eOpen Web Application Security Project Explained 350\u003c\/p\u003e \u003cp\u003eOWASP Top 10 350\u003c\/p\u003e \u003cp\u003eOWASP Web Security Testing Guide 352\u003c\/p\u003e \u003cp\u003eOpen Source Software 353\u003c\/p\u003e \u003cp\u003eSoftware Composition Analysis 355\u003c\/p\u003e \u003cp\u003eInside Look: Heartbleed 355\u003c\/p\u003e \u003cp\u003eMobile Software 357\u003c\/p\u003e \u003cp\u003eTesting Mobile Applications 358\u003c\/p\u003e \u003cp\u003eCode Storage 360\u003c\/p\u003e \u003cp\u003eConclusion 362\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 13 Network Due Diligence 365\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eThird-Party Connections 368\u003c\/p\u003e \u003cp\u003ePersonnel Physical Security 368\u003c\/p\u003e \u003cp\u003eHardware Security 370\u003c\/p\u003e \u003cp\u003eSoftware Security 371\u003c\/p\u003e \u003cp\u003eOut-of-Band Security 372\u003c\/p\u003e \u003cp\u003eCloud Connections 374\u003c\/p\u003e \u003cp\u003eVendor Connectivity Lifecycle Management 375\u003c\/p\u003e \u003cp\u003eZero Trust for Third Parties 379\u003c\/p\u003e \u003cp\u003eInternet of Things and Third Parties 385\u003c\/p\u003e \u003cp\u003eTrusted Platform Module and Secure Boot 388\u003c\/p\u003e \u003cp\u003eInside Look: The Target Breach (2013) 390\u003c\/p\u003e \u003cp\u003eConclusion 391\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 14 Offshore Third-Party Cybersecurity Risk 393\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eOnboarding Offshore Vendors 397\u003c\/p\u003e \u003cp\u003eOngoing Due Diligence for Offshore Vendors 399\u003c\/p\u003e \u003cp\u003ePhysical Security 399\u003c\/p\u003e \u003cp\u003eOffboarding Due Diligence for Offshore Vendors 402\u003c\/p\u003e \u003cp\u003eInside Look: A Reminder on Country Risk 404\u003c\/p\u003e \u003cp\u003eCountry Risk 405\u003c\/p\u003e \u003cp\u003eKC’s Country Risk 406\u003c\/p\u003e \u003cp\u003eConclusion 409\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 15 Transform to Predictive 411\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eThe Data 414\u003c\/p\u003e \u003cp\u003eVendor Records 415\u003c\/p\u003e \u003cp\u003eDue Diligence Records 416\u003c\/p\u003e \u003cp\u003eContract Language 416\u003c\/p\u003e \u003cp\u003eRisk Acceptances 417\u003c\/p\u003e \u003cp\u003eContinuous Monitoring 417\u003c\/p\u003e \u003cp\u003eEnhanced Continuous Monitoring 417\u003c\/p\u003e \u003cp\u003eHow Data is Stored 418\u003c\/p\u003e \u003cp\u003eLevel Set 418\u003c\/p\u003e \u003cp\u003eA Mature to Predictive Approach 420\u003c\/p\u003e \u003cp\u003eThe Predictive Approach at KC Enterprises 420\u003c\/p\u003e \u003cp\u003eUse Case #1: Early Intervention 423\u003c\/p\u003e \u003cp\u003eUse Case #2: Red Vendors 425\u003c\/p\u003e \u003cp\u003eUse Case #3: Reporting 426\u003c\/p\u003e \u003cp\u003eConclusion 427\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 16 Conclusion 429\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eAdvanced Persistent Threats Are the New Danger 431\u003c\/p\u003e \u003cp\u003eCybersecurity Third-Party Risk 435\u003c\/p\u003e \u003cp\u003eIndex 445\u003c\/p\u003e","brand":"John Wiley \u0026 Sons Inc","offers":[{"title":"Default Title","offer_id":48866417049943,"sku":"9781119809555","price":26.4,"currency_code":"GBP","in_stock":true}],"thumbnail_url":"\/\/cdn.shopify.com\/s\/files\/1\/0817\/1739\/5799\/files\/9781119809555.jpg?v=1722278544","url":"https:\/\/bookcurl.com\/products\/cybersecurity-and-thirdparty-risk-9781119809555","provider":"Book Curl","version":"1.0","type":"link"}