book

Cybersecurity and Privacy Law Handbook

Name: Cybersecurity and Privacy Law Handbook
Author: Walter Rocchi
ISBN: 9781803242415

by Walter Rocchi

December 2022

Beginner to intermediate

230 pages

6h 32m

English

Packt Publishing

Read now

Unlock full access

Cybersecurity and Privacy Law Handbook
ContributorsAbout the authorAbout the reviewer
Preface
Who this book is forWhat this book coversTo get the most out of this bookDownload the color imagesConventions usedGet in touchShare Your ThoughtsDownload a free PDF copy of this book
Part 1: Start From the Basics
Chapter 1: ISO27001 – Definitions and Security Concepts
The 27k family of standardsConfidentiality, integrity, and availabilityInformation security concepts and definitionsGovernance, policies, and incident managementGovernancePolicies and proceduresIncident managementDifferences between ISO 27001 and NISTWhat’s NIST?Summary
Part 2: Into the Wild
Chapter 2: Mandatory Requirements
iSMS, controls, commitment, context, scope policy, and objectivesiSMSStatement of applicability, risk treatment plan, and action planControlsCommitment and project managementIdentify, Protect, Detect, Respond, and RecoverIdentifyProtectDetectRespondRecoverCan ISO 27001 and NIST coexist?Summary
Chapter 3: Data Protection
What is privacy (and why do we desperately need it)?GDPR and his brothersTerritorial scopeThe GDPR, CCPA, and LGPD each define personal data differentlyThe importance of anonymous, pseudonymous, de-identified, and aggregated informationLegal bases for data processingData access privilegesFines and penaltiesWhy deal with data protection?The six principles of the GDPRSummary
Chapter 4: Data Processing
The data controllerThe data processorAccountabilityRecommended documentsThe privacy dashboardTraining materialsMandatory documentsData protection – the last warningEU–US Privacy ShieldBrief summarySchrems II rulingThe frequently asked questions issued by the EDPBWhat occurs next? Vade mecum for entitiesConclusionsSummary
Chapter 5: Security Planning and Risk Management
Security threats and challengesWhat are the different types of security threats?What is risk and what is a threat?Implementing a risk management programWhy is risk management so important?Traditional risk management versus enterprise risk managementWhat are the steps involved in risk management for information security?From the top-down to the bottom-upBenefits and challenges of risk managementBuilding and implementing a risk management planQualitative risk analysisQuantitative risk analysisDifference between qualitative and quantitative risk analysisWhen to perform a qualitative and quantitative risk analysisSummary
Part 3: Escape from Chaos

Chapter 6: Define ISO 27001 Mandatory Requirements
ISO 27001 operationsThe ISO 27001 standard – what it is and what requirements it establishesHow to structure an iSMSISO 27001 support requirements (or Clause 7)7.1 – Resources required to establish and operate an iSMS7.2 – Competency7.3 – Awareness7.4 – Communication7.5 – Documented informationSummary
Chapter 7: Risk Management, Controls, and Policies
Elements of project risk managementThe risk management planFundamental notionsRisk evaluationRisk characteristicsRisk heatmapsRisk mitigationBest risk mitigation strategiesHow to establish risk mitigation strategiesData classificationWhy is the classification of data important?What are the four levels of data classification?What are the various types of data classification?Difficulties with data classificationEffects of compliance standards on data classificationData classification levelsDeveloping a policy for data classificationData classification proceduresISO 27001 controlsControl Category A.5 – Information Security Policies (1 objective and 2 controls)Control Category A.6 – Organization of Information Security (2 objectives and 7 controls)Control Category A.7 – Human Resource Security (3 objectives and 6 controls)Control Category A.8 – Asset Management (3 objectives and 10 controls)Control Category A.9 – Access Control (4 objectives and 14 controls)Control Category A.10 – Cryptography (1 objective and 2 controls)Control Category A.11 – Physical and Environmental Security (2 objectives and 15 controls)Control Category A.12 – Operations Security (7 objectives and 14 controls)Control Category A.13 – Communications Security (2 objectives and 7 controls)Control Category A.14 – System Acquisition, Development, and Maintenance (3 objectives and 13 controls)Control Category A.15 – Supplier relationships (2 objectives and 5 controls)Control Category A.16 – Information security incident management (1 objective and 7 controls)Control Category A.17 – Information security aspects of business continuity management (2 objectives and 4 controls)Control Category A.18 – Compliance (2 objectives and 8 controls)Who is charged for implementing Annex A controls?Using the ISO 27001 controlsIdentification of ISO 27001 controls to implementSummary
Chapter 8: Preparing Policies and Procedures to Avoid Internal Risk
Company policiesHow do you determine the appropriate policies for your business?Policy writing instructionsWhat about procedures, then?The importance of policies and procedures versus their painHow to physically write a policy?Selecting a method for managing the processEstablishing a policy management groupPrioritizing a policy listCreating a preliminary draftVerifying the processesSending a draft out for reviewObtaining final approval and signaturesEmployee Code of Conduct example draftTemplate for the Employee Code of ConductCloud hosting policyCompany proceduresWhen is a procedure necessary?When a process requires a procedureHow to write a procedureStep 1: gathering informationStep 2: beginning to writeStep 3: evaluating design elementsSummary
Chapter 9: Social Engineering, Password Guidance, and Policy
The starting pointOSINTSocial scientistCommon social engineering attack methodsPretextingMisdirection theftPhishingTargeted phishingVishingSmishingHave you got a M.A.P.P.?Step 1 – learn how to recognize social engineering attacksStep 2 – develop realistic and implementable policiesStep 3 – conduct periodic real-world auditsStep 4 – implement applicable security awareness programsSummary
Chapter 10: The Cloud
How did the cloud emerge?What exactly is the cloud? How does it work?What is cloud security?Types of cloud servicesDistribution modelsCloud security – examples of measures that can prevent risksThe seven pain points of cloud computingReduced visibilityCompliance violationsAbsence of a strategy and architecture for cloud securityInternal threatsContractual violationsUnprotected user interface (API)Errors in the configuration of cloud servicesCloud and GDPR concernsSecurity concerns specific to the cloudWhat effect is GDPR having on the cloud industry?Requirements for cloud service providers under GDPRNormative requirementsThe GDPR code of conduct for CSPsSummary
Chapter 11: What about the US?
The US status of privacyWhat the current national privacy laws (don’t) doThe FTCAn overview of Section 5 of the FTC ActNIST and FTCBYODBenefits of BYODDisadvantages of BYODManaging mobile devicesCriteria and recommendationsRemote workingSecurity issuesImportant ramificationsKeeping a remote workforce secureA multifaceted strategyAssisting the transformationComputer safetyWhat privacy rights are available to employees?What exemptions exist to worker monitoring?Do employees know what information employers can access?Should employees bring personal equipment to work?Summary
Appendix
ISO 27002What is different?Is it superior to the previous version?Is it a standard set of controls for information security?What must you do at this time?PrivacyVA/PTVAPT
Index
Why subscribe?
Other Books You May EnjoyPackt is searching for authors like youShare Your ThoughtsDownload a free PDF copy of this book

Content preview from Cybersecurity and Privacy Law Handbook

8 Preparing Policies and Procedures to Avoid Internal Risk

In the previous chapter, we’ve been through the main principles for deciding what to use and how to use it in terms of controls and risk management related to our entity. As already explained, if we buy off-the-shelf software, there is no need to implement controls related to software (just remember to keep them beside our Statement of Applicability) and so on. However, once we decide to use some controls, we will need to prepare (or update) our policy and procedures accordingly.

In this chapter, we will go through all this, with a hands-on flavor: in fact, my aim is to also give you a good amount of practical tips on how to write down policies (and procedures).

We’ll have a (one-way, ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781803242415

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Cybersecurity and Privacy Law Handbook

by Walter Rocchi

8

Preparing Policies and Procedures to Avoid Internal Risk

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.