Information Security Law: The Emerging Standard for Corporate Compliance

Book Description

Information Security Law: The Emerging Standard for Corporate Compliance is designed to help companies understand the developing law of information security, the obligations it imposes on them, and the standard for corporate compliance that appears to be emerging worldwide. ISO/IEC 27001, the international information security standard, should be read alongside this book.

Table of Contents

  1. Copyright
  2. Preface
  3. About the Author
  4. Introduction
  5. 1. Security Basics: The Legal Perspective
    1. 1.1. Definition of information security
    2. 1.2. Objectives of information security
      1. 1.2.1. Confidentiality
      2. 1.2.2. Access control
      3. 1.2.3. Authentication
      4. 1.2.4. Integrity
      5. 1.2.5. Availability
    3. 1.3. Threats addressed by information security
    4. 1.4. Information security controls
      1. 1.4.1. Types of security control
      2. 1.4.2. Categories of security control
  6. 2. Legal Response to Security
    1. 2.1. Declaring conduct illegal
    2. 2.2. Requiring the protection of data
  7. 3. The General Duty to Provide Security
    1. 3.1. The basic obligation
    2. 3.2. Where does the obligation come from?
    3. 3.3. Who does the obligation apply to?
    4. 3.4. What is covered?
      1. 3.4.1. Personal data
      2. 3.4.2. Most other corporate data
      3. 3.4.3. All digital records
    5. 3.5. Who is responsible for security?
  8. 4. The Legal Standard for Compliance
    1. 4.1. Recognition that security is relative
    2. 4.2. Legal definition of “reasonable security”
    3. 4.3. Adoption of the legal definition
  9. 5. Developing a Compliant Security Program
    1. 5.1. Identify information assets
    2. 5.2. Conduct a risk assessment
    3. 5.3. Select and implement security controls
      1. 5.3.1. Categories of security controls to consider
      2. 5.3.2. Key role of the risk assessment
    4. 5.4. Monitor and test the controls
    5. 5.5. Review and adjust the program
    6. 5.6. Oversee third party service providers
  10. 6. Security Controls to Consider
    1. 6.1. Physical security controls
      1. 6.1.1. Facility and equipment
      2. 6.1.2. Media
    2. 6.2. Technical security controls
      1. 6.2.1. Access controls
      2. 6.2.2. Identification and authentication
      3. 6.2.3. System and services acquisition controls
      4. 6.2.4. System configuration and change management controls
      5. 6.2.5. System and information integrity
      6. 6.2.6. Data communications protection
      7. 6.2.7. Maintenance
      8. 6.2.8. System activity monitoring and audit records
    3. 6.3. Administrative security controls
      1. 6.3.1. Personnel security
      2. 6.3.2. Employee awareness and training
      3. 6.3.3. Contingency planning – backup and disaster recovery
      4. 6.3.4. Incident response plan
    4. 6.4. Special rules for specific data elements
      1. 6.4.1. Sensitive data
      2. 6.4.2. Social Security numbers (SSNs)
      3. 6.4.3. Credit card data
  11. 7. The Role of Standards
    1. 7.1. Standards and industry customs
      1. 7.1.1. ISO/IEC 27000 series standards
      2. 7.1.2. NIST standards and guidelines
      3. 7.1.3. COBIT framework
      4. 7.1.4. Payment Card Industry Data Security Standard
      5. 7.1.5. ISF Standard of Good Practice for Information Security
    2. 7.2. The legal impact of standards
      1. 7.2.1. The relevance of industry custom
      2. 7.2.2. The relevance of standards
    3. 7.3. ISO27001: Road to global legal compliance?
  12. 8. Security Breach Notification
    1. 8.1. Objectives of the breach notification laws
    2. 8.2. Viewing the laws in perspective
    3. 8.3. The breach notification obligation
      1. 8.3.1. Covered information
      2. 8.3.2. Triggering event
      3. 8.3.3. Who must be notified
      4. 8.3.4. What must be included in the notice
      5. 8.3.5. Timing of the notice
      6. 8.3.6. Form of notice
      7. 8.3.7. Penalties
    4. 8.4. International adoption
    5. 8.5. What companies need to do
      1. 8.5.1. Information review
      2. 8.5.2. Implement security measures
      3. 8.5.3. Incident response planning
      4. 8.5.4. Third party issues
  13. Appendix
    1. A. US federal statutes
    2. B. US state statutes
    3. C. US federal regulations
    4. D. US state regulations
    5. E. US court decisions
    6. F. US FTC decisions and consent decrees
    7. G. US state Attorneys General consent decrees
    8. H. Country laws
  14. ITG Resources
    1. Best Practice Reports
    2. Pocket Guides
      1. Practical Information Security Pocket Guides
    3. Toolkits
    4. Newsletter