
Cybersecurity and Privacy Law Handbook: A beginner’s guide to dealing with privacy and security while keeping hackers at bay PDF

230 Pages·2022·8.37 MB·English

Preview Cybersecurity and Privacy Law Handbook: A beginner’s guide to dealing with privacy and security while keeping hackers at bay

Cybersecurity and Privacy Law Handbook
A beginner’s guide to dealing with privacy and security while keeping hackers at bay
Walter Rocchi
BIRMINGHAM—MUMBAI

Cybersecurity and Privacy Law Handbook
Copyright © 2022 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Mohd Riyan Khan
Publishing Product Manager: Khushboo Samkaria
Content Development Editor: Nihar Kapadia
Technical Editor: Arjun Varma
Copy Editor: Safis Editing
Project Coordinator: Deeksha Thakkar
Proofreader: Safis Editing
Indexer: Manju Arasan
Production Designer: Prashant Ghare
Marketing Coordinator: Ankita Bhonsle

First published: December 2022
Production reference: 1241122

Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.

ISBN 978-1-80324-241-5
www.packt.com

To my children, Bianca, Maria, and Enrico, and to those who supported and believed in me.
– Walter Rocchi

Contributors

About the author

Walter Rocchi, with 24 years of activity and ISO 27001 Lead Implementer, ISO 27001 Lead Auditor, CISA, CEH, and IAPP CIPP/E – CIPT certifications, is a seasoned freelancer and has acted as CISO and in similar roles for several companies, mostly in finance, retail, telecoms, utilities, Big Pharma, and government agencies. He has consulted with big corporations and funded start-ups and he’s always looking for new challenges. He spends his free time reading, hiking, and enjoying his time with his two children. He’s also an avid blues listener and is addicted to TV series (especially Marvel and horror series).

I want to thank the people who have been close to me and supported me, especially Roberta Carolina Ainara Bermúdez, for her invaluable help in simplifying the GDPR for mere mortals. Moreover, thanks to Francesco Tonin, who always reminded me of the frameworks that needed to be mentioned. Finally, all the guys at Packt, who gave me the opportunity to write a book, especially my editor Nihar Kapadia, and Safis, for their patience in dealing with my poor examples.

About the reviewer

Francesco Tonin is a senior information technology professional and expert in IT audit, risk, and compliance with over 14 years of working in highly regulated markets such as financial services, insurance, and healthcare. He is broadly skilled in relation to cyber security, IT auditing, IT risk, and governance but also in relation to business process design, SAP FI, CO, and MM and data warehousing, and data analytics for audit and process improvement. He’s a certified professional (with CISA, CISM, ISO 27001LA, and CIPP/E for GDPR and Data Privacy certifications) and took part in a part-time master’s program focused on planning and control in corporate finance.
Table of Contents

Preface xiii

Part 1: Start From the Basics

1 ISO27001 – Definitions and Security Concepts 3
    The 27k family of standards 3
    Confidentiality, integrity, and availability 6
    Information security concepts and definitions 8
    Governance, policies, and incident management 11
        Governance 11
        Policies and procedures 12
        Incident management 14
    Differences between ISO 27001 and NIST 14
        What’s NIST? 14
    Summary 17

Part 2: Into the Wild

2 Mandatory Requirements 21
    iSMS, controls, commitment, context, scope policy, and objectives 21
        iSMS 21
        Statement of applicability, risk treatment plan, and action plan 23
        Controls 25
        Commitment and project management 25
    Identify, Protect, Detect, Respond, and Recover 26
        Identify 26
        Protect 27
        Detect 28
        Respond 28
        Recover 29
    Can ISO 27001 and NIST coexist? 29
    Summary 35

3 Data Protection 37
    What is privacy (and why do we desperately need it)? 38
    GDPR and his brothers 40
        Territorial scope 41
        The GDPR, CCPA, and LGPD each define personal data differently 42
        The importance of anonymous, pseudonymous, de-identified, and aggregated information 43
    Legal bases for data processing 44
    Data access privileges 45
    Fines and penalties 46
    Why deal with data protection? 46
    The six principles of the GDPR 48
    Summary 51

4 Data Processing 53
    The data controller 53
    The data processor 54
    Accountability 54
        Recommended documents 55
        The privacy dashboard 55
        Training materials 56
        Mandatory documents 56
    Data protection – the last warning 61
    EU–US Privacy Shield 61
        Brief summary 62
        Schrems II ruling 62
        The frequently asked questions issued by the EDPB 63
        What occurs next? Vade mecum for entities 64
        Conclusions 66
    Summary 67

5 Security Planning and Risk Management 69
    Security threats and challenges 69
        What are the different types of security threats? 70
        What is risk and what is a threat? 70
    Implementing a risk management program 72
        Why is risk management so important? 73
        Traditional risk management versus enterprise risk management 73
        What are the steps involved in risk management for information security? 75
        From the top-down to the bottom-up 76
        Benefits and challenges of risk management 76
    Building and implementing a risk management plan 77
        Qualitative risk analysis 79
        Quantitative risk analysis 79
        Difference between qualitative and quantitative risk analysis 80
        When to perform a qualitative and quantitative risk analysis 80
    Summary 80

Part 3: Escape from Chaos

6 Define ISO 27001 Mandatory Requirements 83
    ISO 27001 operations 83
        The ISO 27001 standard – what it is and what requirements it establishes 84
        How to structure an iSMS 85
    ISO 27001 support requirements (or Clause 7) 88
        7.1 – Resources required to establish and operate an iSMS 89
        7.2 – Competency 90
        7.3 – Awareness 93
        7.4 – Communication 94
        7.5 – Documented information 97
    Summary 102

7 Risk Management, Controls, and Policies 103
    Elements of project risk management 104
        The risk management plan 104
        Fundamental notions 104
        Risk evaluation 105
        Risk characteristics 105
        Risk heatmaps 107
        Risk mitigation 108
        Best risk mitigation strategies 108
        How to establish risk mitigation strategies 110
    Data classification 110
        Why is the classification of data important? 111
        What are the four levels of data classification? 111
        What are the various types of data classification? 111
        Difficulties with data classification 112
        Effects of compliance standards on data classification 112
        Data classification levels 113
        Developing a policy for data classification 114
        Data classification procedures 115
    ISO 27001 controls 116
        Control Category A.5 – Information Security Policies (1 objective and 2 controls) 116
