This section discusses IT audit cybersecurity and privacy control activities from two focus areas. First is focus on some of the many cybersecurity and privacy concerns that auditors should consider in their reviews of IT-based systems and processes. Second focus area includes IT Audit internal procedures. IT audit functions sometimes fail to implement appropriate security and privacy protection controls over their own IT audit processes, such as audit evidence materials, IT audit workpapers, auditor laptop computer resources, and many others. Although every audit department is different, this section suggests best practices for an IT audit function and concludes with a discussion on the payment card industry data security standard data security standards (PCI-DSS), a guideline that has been developed by major credit card companies to help enterprises that process card payments prevent credit card fraud and to provide some protection from various credit security vulnerabilities and threats. IT auditors should understand the high-level key elements of this standard and incorporate it in their review where appropriate.

Computers at Risk presents a comprehensive agenda for developing nationwide policies and practices for computer security. Specific recommendations are provided for industry and for government agencies engaged in computer security activities. The volume also outlines problems and opportunities in computer security research, recommends ways to improve the research infrastructure, and suggests topics for investigators. The book explores the diversity of the field, the need to engineer countermeasures based on speculation of what experts think computer attackers may do next, why the technology community has failed to respond to the need for enhanced security systems, how innovators could be encouraged to bring more options to the marketplace, and balancing the importance of security against the right of privacy.

Cyber Security Management: A Governance, Risk and Compliance Framework by Peter Trim and Yang-Im Lee has been written for a wide audience. Derived from research, it places security management in a holistic context and outlines how the strategic marketing approach can be used to underpin cyber security in partnership arrangements. The book is unique because it integrates material that is of a highly specialized nature but which can be interpreted by those with a non-specialist background in the area. Indeed, those with a limited knowledge of cyber security will be able to develop a comprehensive understanding of the subject and will be guided into devising and implementing relevant policy, systems and procedures that make the organization better able to withstand the increasingly sophisticated forms of cyber attack. The book includes a sequence-of-events model; an organizational governance framework; a business continuity management planning framework; a multi-cultural communication model; a cyber security management model and strategic management framework; an integrated governance mechanism; an integrated resilience management model; an integrated management model and system; a communication risk management strategy; and recommendations for counteracting a range of cyber threats. Cyber Security Management: A Governance, Risk and Compliance Framework simplifies complex material and provides a multi-disciplinary perspective and an explanation and interpretation of how managers can manage cyber threats in a pro-active manner and work towards counteracting cyber threats both now and in the future.

This publication provides a catalog of security and privacycontrols for federal information systems and organizations and a process for selecting controls to protect organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation from a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors (both intentional and unintentional). The security andprivacy controls are customizable and implemented as part of anorganization-wide process that manages information security and privacy risk. The controls address a diverse set of security and privacy requirements across the federal government and critical infrastructure, derived from legislation, Executive Orders, policies, directives, regulations, standards, and/or mission/business needs. The publication also describes how to develop specialized sets of controls, or overlays, tailored for specific typesof missions/business functions, technologies, or environments of operation. Finally, the catalog of security controls addresses security from both a functionality perspective (the strength of security functions and mechanisms provided) and an assurance perspective (the measures of confidence in the implemented security capability). Addressing both security functionality and assurance helps to ensure that information technology component products and the information systems built fromthose products using sound system and security engineering principles are sufficiently trustworthy. [Supersedes NIST SP 800-53, Rev. 3 (Aug. 2009 w/May 1, 2010 updates): http://www.nist.gov/manuscript-publicationsearch.cfm?pub_id=903280]

The escalation of security breaches involving personally identifiable information (PII) has contributed to the loss of millions of records over the past few years. Breaches involving PII are hazardous to both individuals and org. Individual harms may include identity theft, embarrassment, or blackmail. Organ. harms may include a loss of public trust, legal liability, or remediation costs. To protect the confidentiality of PII, org. should use a risk-based approach. This report provides guidelines for a risk-based approach to protecting the confidentiality of PII. The recommend. here are intended primarily for U.S. Fed. gov¿t. agencies and those who conduct business on behalf of the agencies, but other org. may find portions of the publication useful.

Smart Cities Cybersecurity and Privacy examines the latest research developments and their outcomes for safe, secure, and trusting smart cities residents. Smart cities improve the quality of life of citizens in their energy and water usage, healthcare, environmental impact, transportation needs, and many other critical city services. Recent advances in hardware and software, have fueled the rapid growth and deployment of ubiquitous connectivity between a city’s physical and cyber components. This connectivity however also opens up many security vulnerabilities that must be mitigated. Smart Cities Cybersecurity and Privacy helps researchers, engineers, and city planners develop adaptive, robust, scalable, and reliable security and privacy smart city applications that can mitigate the negative implications associated with cyber-attacks and potential privacy invasion. It provides insights into networking and security architectures, designs, and models for the secure operation of smart city applications. Consolidates in one place state-of-the-art academic and industry research Provides a holistic and systematic framework for design, evaluating, and deploying the latest security solutions for smart cities Improves understanding and collaboration among all smart city stakeholders to develop more secure smart city architectures