Cybersecurity and Privacy Law Handbook

Book description

Get to grips with cybersecurity and privacy laws to protect your company's data and comply with international privacy standards

Key Features

  • Comply with cybersecurity standards and protect your data from hackers
  • Find the gaps in your company's security posture with gap analysis and business impact analysis
  • Understand what you need to do with security and privacy without needing to pay consultants

Book Description

Cybercriminals are incessantly coming up with new ways to compromise online systems and wreak havoc, creating an ever-growing need for cybersecurity practitioners in every organization across the globe who understand international security standards, such as the ISO27k family of standards.

If you're looking to ensure that your company's data conforms to these standards, Cybersecurity and Privacy Law Handbook has got you covered. It'll not only equip you with the rudiments of cybersecurity but also guide you through privacy laws and explain how you can ensure compliance to protect yourself from cybercrime and avoid the hefty fines imposed for non-compliance with standards.

Assuming that you're new to the field, this book starts by introducing cybersecurity frameworks and concepts used throughout the chapters. You'll understand why privacy is paramount and how to find the security gaps in your company's systems. There's a practical element to the book as well—you'll prepare policies and procedures to prevent your company from being breached. You'll complete your learning journey by exploring cloud security and the complex nature of privacy laws in the US.

By the end of this cybersecurity book, you'll be well-placed to protect your company's data and comply with the relevant standards.

What you will learn

  • Strengthen the cybersecurity posture throughout your organization
  • Use both ISO27001 and NIST to make a better security framework
  • Understand privacy laws and regulations such as GDPR, PCI DSS, HIPAA, and the FTC Act
  • Discover how to implement training to raise cybersecurity awareness
  • Find out how to comply with cloud privacy regulations
  • Examine the complex privacy laws in the US

Who this book is for

If you're a seasoned IT security or cybersecurity professional, this book isn't for you. It is aimed at novices, freshers, students, experts in other fields, and managers who are willing to learn, understand, and manage how a security function works, especially if they need to manage one themselves. Although reading this book will enable you to build and manage a security function on your own, it is highly recommended that you supervise a team devoted to implementing cybersecurity and privacy practices in the organization.

Table of contents

  1. Cybersecurity and Privacy Law Handbook
  2. Contributors
  3. About the author
  4. About the reviewer
  5. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
    4. Download the color images
    5. Conventions used
    6. Get in touch
    7. Share Your Thoughts
    8. Download a free PDF copy of this book
  6. Part 1: Start From the Basics
  7. Chapter 1: ISO27001 – Definitions and Security Concepts
    1. The 27k family of standards
    2. Confidentiality, integrity, and availability
    3. Information security concepts and definitions
    4. Governance, policies, and incident management
      1. Governance
      2. Policies and procedures
      3. Incident management
    5. Differences between ISO 27001 and NIST
      1. What’s NIST?
    6. Summary
  8. Part 2: Into the Wild
  9. Chapter 2: Mandatory Requirements
    1. iSMS, controls, commitment, context, scope policy, and objectives
      1. iSMS
      2. Statement of applicability, risk treatment plan, and action plan
      3. Controls
      4. Commitment and project management
    2. Identify, Protect, Detect, Respond, and Recover
      1. Identify
      2. Protect
      3. Detect
      4. Respond
      5. Recover
    3. Can ISO 27001 and NIST coexist?
    4. Summary
  10. Chapter 3: Data Protection
    1. What is privacy (and why do we desperately need it)?
    2. GDPR and his brothers
      1. Territorial scope
      2. The GDPR, CCPA, and LGPD each define personal data differently
      3. The importance of anonymous, pseudonymous, de-identified, and aggregated information
      4. Legal bases for data processing
      5. Data access privileges
      6. Fines and penalties
    3. Why deal with data protection?
    4. The six principles of the GDPR
    5. Summary
  11. Chapter 4: Data Processing
    1. The data controller
    2. The data processor
    3. Accountability
      1. Recommended documents
      2. The privacy dashboard
      3. Training materials
      4. Mandatory documents
      5. Data protection – the last warning
    4. EU–US Privacy Shield
      1. Brief summary
      2. Schrems II ruling
      3. The frequently asked questions issued by the EDPB
      4. What occurs next? Vade mecum for entities
      5. Conclusions
    5. Summary
  12. Chapter 5: Security Planning and Risk Management
    1. Security threats and challenges
      1. What are the different types of security threats?
      2. What is risk and what is a threat?
    2. Implementing a risk management program
      1. Why is risk management so important?
      2. Traditional risk management versus enterprise risk management
      3. What are the steps involved in risk management for information security?
      4. From the top-down to the bottom-up
      5. Benefits and challenges of risk management
      6. Building and implementing a risk management plan
      7. Qualitative risk analysis
      8. Quantitative risk analysis
      9. Difference between qualitative and quantitative risk analysis
      10. When to perform a qualitative and quantitative risk analysis
    3. Summary
  13. Part 3: Escape from Chaos
  14. Chapter 6: Define ISO 27001 Mandatory Requirements
    1. ISO 27001 operations
      1. The ISO 27001 standard – what it is and what requirements it establishes
      2. How to structure an iSMS
    2. ISO 27001 support requirements (or Clause 7)
      1. 7.1 – Resources required to establish and operate an iSMS
      2. 7.2 – Competency
      3. 7.3 – Awareness
      4. 7.4 – Communication
      5. 7.5 – Documented information
    3. Summary
  15. Chapter 7: Risk Management, Controls, and Policies
    1. Elements of project risk management
      1. The risk management plan
      2. Fundamental notions
      3. Risk evaluation
      4. Risk characteristics
      5. Risk heatmaps
      6. Risk mitigation
      7. Best risk mitigation strategies
      8. How to establish risk mitigation strategies
    2. Data classification
      1. Why is the classification of data important?
      2. What are the four levels of data classification?
      3. What are the various types of data classification?
      4. Difficulties with data classification
      5. Effects of compliance standards on data classification
      6. Data classification levels
      7. Developing a policy for data classification
      8. Data classification procedures
    3. ISO 27001 controls
      1. Control Category A.5 – Information Security Policies (1 objective and 2 controls)
      2. Control Category A.6 – Organization of Information Security (2 objectives and 7 controls)
      3. Control Category A.7 – Human Resource Security (3 objectives and 6 controls)
      4. Control Category A.8 – Asset Management (3 objectives and 10 controls)
      5. Control Category A.9 – Access Control (4 objectives and 14 controls)
      6. Control Category A.10 – Cryptography (1 objective and 2 controls)
      7. Control Category A.11 – Physical and Environmental Security (2 objectives and 15 controls)
      8. Control Category A.12 – Operations Security (7 objectives and 14 controls)
      9. Control Category A.13 – Communications Security (2 objectives and 7 controls)
      10. Control Category A.14 – System Acquisition, Development, and Maintenance (3 objectives and 13 controls)
      11. Control Category A.15 – Supplier relationships (2 objectives and 5 controls)
      12. Control Category A.16 – Information security incident management (1 objective and 7 controls)
      13. Control Category A.17 – Information security aspects of business continuity management (2 objectives and 4 controls)
      14. Control Category A.18 – Compliance (2 objectives and 8 controls)
      15. Who is charged for implementing Annex A controls?
      16. Using the ISO 27001 controls
      17. Identification of ISO 27001 controls to implement
    4. Summary
  16. Chapter 8: Preparing Policies and Procedures to Avoid Internal Risk
    1. Company policies
      1. How do you determine the appropriate policies for your business?
    2. Policy writing instructions
      1. What about procedures, then?
      2. The importance of policies and procedures versus their pain
      3. How to physically write a policy?
      4. Selecting a method for managing the process
      5. Establishing a policy management group
      6. Prioritizing a policy list
      7. Creating a preliminary draft
      8. Verifying the processes
      9. Sending a draft out for review
      10. Obtaining final approval and signatures
      11. Employee Code of Conduct example draft
      12. Template for the Employee Code of Conduct
      13. Cloud hosting policy
    3. Company procedures
      1. When is a procedure necessary?
      2. When a process requires a procedure
      3. How to write a procedure
      4. Step 1: gathering information
      5. Step 2: beginning to write
      6. Step 3: evaluating design elements
    4. Summary
  17. Chapter 9: Social Engineering, Password Guidance, and Policy
    1. The starting point
      1. OSINT
      2. Social scientist
    2. Common social engineering attack methods
      1. Pretexting
      2. Misdirection theft
      3. Phishing
      4. Targeted phishing
      5. Vishing
      6. Smishing
    3. Have you got a M.A.P.P.?
      1. Step 1 – learn how to recognize social engineering attacks
      2. Step 2 – develop realistic and implementable policies
      3. Step 3 – conduct periodic real-world audits
      4. Step 4 – implement applicable security awareness programs
    4. Summary
  18. Chapter 10: The Cloud
    1. How did the cloud emerge?
      1. What exactly is the cloud? How does it work?
      2. What is cloud security?
      3. Types of cloud services
      4. Distribution models
      5. Cloud security – examples of measures that can prevent risks
    2. The seven pain points of cloud computing
      1. Reduced visibility
      2. Compliance violations
      3. Absence of a strategy and architecture for cloud security
      4. Internal threats
      5. Contractual violations
      6. Unprotected user interface (API)
      7. Errors in the configuration of cloud services
    3. Cloud and GDPR concerns
      1. Security concerns specific to the cloud
      2. What effect is GDPR having on the cloud industry?
      3. Requirements for cloud service providers under GDPR
      4. Normative requirements
    4. The GDPR code of conduct for CSPs
    5. Summary
  19. Chapter 11: What about the US?
    1. The US status of privacy
      1. What the current national privacy laws (don’t) do
    2. The FTC
    3. An overview of Section 5 of the FTC Act
    4. NIST and FTC
    5. BYOD
      1. Benefits of BYOD
      2. Disadvantages of BYOD
      3. Managing mobile devices
      4. Criteria and recommendations
    6. Remote working
      1. Security issues
      2. Important ramifications
      3. Keeping a remote workforce secure
      4. A multifaceted strategy
      5. Assisting the transformation
      6. Computer safety
    7. What privacy rights are available to employees?
      1. What exemptions exist to worker monitoring?
      2. Do employees know what information employers can access?
      3. Should employees bring personal equipment to work?
    8. Summary
  20. Appendix
    1. ISO 27002
      1. What is different?
      2. Is it superior to the previous version?
      3. Is it a standard set of controls for information security?
      4. What must you do at this time?
    2. Privacy
    3. VA/PT
      1. VA
      2. PT
  21. Index
    1. Why subscribe?
  22. Other Books You May Enjoy
    1. Packt is searching for authors like you
    2. Share Your Thoughts
    3. Download a free PDF copy of this book

Product information

  • Title: Cybersecurity and Privacy Law Handbook
  • Author(s): Walter Rocchi
  • Release date: December 2022
  • Publisher(s): Packt Publishing
  • ISBN: 9781803242415