Edition: 1
Authors: Tara Kissoon
Series:
ISBN: 1032805838, 9781032805832
Publisher: CRC Press
Year of publication: 2024
Number of pages: 0
Language: English
File format: RAR (converted to PDF, EPUB or AZW3 at the user's request)
File size: 19 MB
If you need the file of the book Optimal Spending on Cybersecurity Measures: Digital Privacy and Data Protection converted to PDF, EPUB, AZW3, MOBI or DJVU, you can let support know so that they convert the file.
Note that the book Optimal Spending on Cybersecurity Measures: Digital Privacy and Data Protection is the original-language edition and has not been translated into Persian. The International Library website provides original-language books and does not offer any books translated into or written in Persian.
Cover Half Title Title Page Copyright Page Table of Contents Preface Note
1 Introduction Why Should Organizations Implement Secure Measures to Meet Privacy Laws? Countering Identity Takeover Incidents Digital Privacy Data Protection
2 Digital Privacy: Privacy By Design Privacy By Design Data Governance Privacy as Code Minimization of PII Shared Management of PII Appendix: Privacy Checklists The Personal Information Protection and Electronic Documents Act (PIPEDA) Self-Assessment Tool Accountability Identifying Purpose Consent Limiting Collection Limiting Use, Disclosure, Retention Accuracy Safeguards Openness Individual Access Challenging Compliance
3 Data Protection E-Commerce Types of Reported Breaches Privacy Laws The Personal Information Protection and Electronic Documents Act (PIPEDA) The Personal Health Information Protection Act (PHIPA) The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Data Protection Scope, Penalties and Key Definitions Legal Terms Data Protection Principles Accountability Data Security Data Protection By Design and By Default Processing Data Consent Data Protection Officers (DPOs) An Individual’s Privacy Rights Regional Impacts as Documented in the 2023 ForgeRock Identity Breach Report United Kingdom Germany Australia Singapore GDPR Data Compliancy Checklist
4 Data Protection Impact Assessment European Data Protection Impact Assessment Privacy Impact Assessment Contents of a PIA PIA Process Preliminary Analysis What Is Personal Information? Project Analysis Define Scope Relevant Background Information Define Supporting Technology Define Roles and Responsibilities Define Relevant Information Document Personal Information Flows Privacy Analysis Privacy Impact Identify Gaps and Potential Privacy Impacts Analyse Findings Identify Privacy Solutions Identify Action Items 4 PIA Report Obtain Approval Update Findings and Analysis, as Required Concluding the PIA Process Preliminary Analysis Questionnaire Project and Organization PIA Lead Project Description Collection, Use and Disclosure Privacy Legislation Conclusion Project Analysis Questionnaire Scope of PIA Project Authority Project Characteristics Technology Roles and Responsibilities Relevant Information Personal Information Flows Privacy Analysis Checklist Collection Key Requirements Use Key Requirements Disclosure Key Requirements Accuracy and Correction Key Requirements Security Key Requirements Requesting Access to Personal Information Key Requirements Retention Key Requirements Disposal and Destruction Key Requirements Privacy Management Key Requirements Notes
5 Governance Guiding Principles of Corporate Governance Enterprise Risk Management Framework Internal Environment Common Language Around Risk Risk Management Steering Committee Objective Setting ERM Methodology Risk Appetite Risk Tolerance Event Identification Risk Assessment Quantitative Risk Assessment Risk Calculation Qualitative Risk Assessment Risk Response Control Activities Risk Identification Risk Prioritization Risk Mitigation Plans Information and Communication Monitoring Risk Monitoring and Reporting Scenario Planning and Stress Testing Step 1: Brainstorm Future Scenarios Step 2: Identify Trends and Driving Forces Step 3: Create a Scenario Planning Template Step 4: Develop a Scenario Step 5: Evaluate a Scenario Scenario Analysis Scenario Examples Step 6: Update Strategies and Policies Accordingly Operational Risk Management Information Security Aspects of Operational Risk Cybersecurity Risk Assessment Process Risk Identification Identification of Assets Identification of Threats Identification of Existing Controls Identification of Vulnerabilities Identification of Consequences Expressing and Measuring Risk Risk Analysis Risk Evaluation and Quantification Risk Mitigation Planning and Verification Risk Treatment Risk Remediation Risk Communication Risk Monitoring and Review Loss Event Management Security Metrics Key Performance Indicators Key Risk Indicators KRI Examples Risk Culture and Risk Behaviours
6 Cybersecurity Risk Management Framework Cyber Risk Investment Model Technology Landscape Data Classification Risk Management Practices Cost–Benefit Analysis for Cybersecurity Measures Business Objectives Cybersecurity Risk Management Framework Risk Assessment Process Threat Modelling Risk Prioritization: Assess the Inherent Risk Impact Rating Scale Likelihood Rating Scale Qualitative Inherent Risk Rating Assess the Internal Controls Internal Control Environment Cybersecurity and Privacy Risk Framework Privacy Framework Functions Privacy Risk Assessments Cybersecurity Framework Vendor Assurance Reports Determine the Organizational Risk Appetite Risk Mitigation Strategy
7 Case Study #1: Course Registration System Current State Future State Questions Case Study: Course Registration System – Sample Report With Answers to Discussion Questions Summary Business Impact and Risk Objective and Scope Objective Scope Results Recommendations Risk Assessment Impact and Likelihood Inherent Risk PII Self-Assessment Questionnaire Analysis of Personal Information Elements for the Program Or Activity Flow of Personal Information for the Program Or Activity Privacy Compliance Analysis Accountability Identifying Purpose Consent Limiting Collection Limiting Use, Disclosure, Retention Accuracy Safeguards Openness Individual Access Challenging Compliance Internal Control Environment SOC for Service Organizations: Trust Services Criteria Organization’s Risk Appetite Risk Mitigation Strategy Supplier Chain Risk Management Identity Management, Authentication and Access Control Information Protection Processes and Procedures Awareness and Training Security Monitoring Note
8 Case Study #2: AWS Rapid Cloud Migration Programme Current State Future State Questions Case Study: Course Registration System – Sample Report With Answers to Discussion Questions Summary Financial Reporting Personally, Identifiable Information Cardholder Data and Sensitive Authentication Data Business Impact and Risk Objective and Scope Objective Scope Results Recommendations General Identity and Access Management Infrastructure Security Data Protection Detective Controls Incident Response Security Hub Report and Findings Logs – High Risk Security Groups – High Risk Firewall Manager – High Risk Root User – Moderate Risk Elevated Privileges – Moderate Risk S3 Buckets – Moderate Risk Key Management – Low Risk Risk Assessment ABC University’s Data and Information Security Classification SoP Financial Reporting Cardholder Data and Sensitive Authentication Data PII Self-Assessment Questionnaire Analysis of Personal Information Elements for the Program Or Activity Flow of Personal Information for the Program Or Activity Privacy Compliance Analysis Accountability Identifying Purpose Consent Limiting Collection Limiting Use, Disclosure, Retention Accuracy Safeguards Openness Individual Access Challenging Compliance Impact and Likelihood Inherent Risk Internal Control Environment Security Risk Compliance Assessment V 3.0 Results of the CSA CAIQ Residual Risk
References Index