Cybersecurity and Privacy Law Handbook - Walter Rocchi - E-Book

Walter Rocchi

Description

Cybercriminals are incessantly coming up with new ways to compromise online systems and wreak havoc, creating an ever-growing need for cybersecurity practitioners in every organization across the globe who understand international security standards, such as the ISO27k family of standards.
If you’re looking to ensure that your company's data conforms to these standards, Cybersecurity and Privacy Law Handbook has got you covered. It'll not only equip you with the rudiments of cybersecurity but also guide you through privacy laws and explain how you can ensure compliance to protect yourself from cybercrime and avoid the hefty fines imposed for non-compliance with standards.
Assuming that you're new to the field, this book starts by introducing cybersecurity frameworks and concepts used throughout the chapters. You'll understand why privacy is paramount and how to find the security gaps in your company's systems. There's a practical element to the book as well—you'll prepare policies and procedures to prevent your company from being breached. You’ll complete your learning journey by exploring cloud security and the complex nature of privacy laws in the US.
By the end of this cybersecurity book, you'll be well-placed to protect your company's data and comply with the relevant standards.


Page count: 373

Year of publication: 2022




Cybersecurity and Privacy Law Handbook

A beginner’s guide to dealing with privacy and security while keeping hackers at bay

Walter Rocchi

BIRMINGHAM—MUMBAI

Cybersecurity and Privacy Law Handbook

Copyright © 2022 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Mohd Riyan Khan

Publishing Product Manager: Khushboo Samkaria

Content Development Editor: Nihar Kapadia

Technical Editor: Arjun Varma

Copy Editor: Safis Editing

Project Coordinator: Deeksha Thakkar

Proofreader: Safis Editing

Indexer: Manju Arasan

Production Designer: Prashant Ghare

Marketing Coordinator: Ankita Bhonsle

First published: December 2022

Production reference: 1241122

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham

B3 2PB, UK.

ISBN 978-1-80324-241-5

www.packt.com

To my children, Bianca, Maria, and Enrico, and to those who supported and believed in me.

– Walter Rocchi

Contributors

About the author

Walter Rocchi, with 24 years of activity and ISO 27001 Lead Implementer, ISO 27001 Lead Auditor, CISA, CEH, and IAPP CIPP/E – CIPT certifications, is a seasoned freelancer and has acted as CISO and in similar roles for several companies, mostly in finance, retail, telecoms, utilities, Big Pharma, and government agencies. He has consulted with big corporations and funded start-ups and he’s always looking for new challenges.

He spends his free time reading, hiking, and enjoying his time with his two children. He’s also an avid blues listener and is addicted to TV series (especially Marvel and horror series).

I want to thank the people who have been close to me and supported me, especially Roberta Carolina Ainara Bermúdez, for her invaluable help in simplifying the GDPR for mere mortals. Moreover, thanks to Francesco Tonin, who always reminded me of the frameworks that needed to be mentioned. Finally, all the guys at Packt, who gave me the opportunity to write a book, especially my editor Nihar Kapadia, and Safis, for their patience in dealing with my poor examples.

About the reviewer

Francesco Tonin is a senior information technology professional and expert in IT audit, risk, and compliance with over 14 years of working in highly regulated markets such as financial services, insurance, and healthcare. He is broadly skilled in relation to cyber security, IT auditing, IT risk, and governance but also in relation to business process design, SAP FI, CO, and MM and data warehousing, and data analytics for audit and process improvement. He’s a certified professional (with CISA, CISM, ISO 27001LA, and CIPP/E for GDPR and Data Privacy certifications) and took part in a part-time master’s program focused on planning and control in corporate finance.

Table of Contents

Preface

Part 1: Start From the Basics

1

ISO27001 – Definitions and Security Concepts

The 27k family of standards

Confidentiality, integrity, and availability

Information security concepts and definitions

Governance, policies, and incident management

Governance

Policies and procedures

Incident management

Differences between ISO 27001 and NIST

What’s NIST?

Summary

Part 2: Into the Wild

2

Mandatory Requirements

iSMS, controls, commitment, context, scope policy, and objectives

iSMS

Statement of applicability, risk treatment plan, and action plan

Controls

Commitment and project management

Identify, Protect, Detect, Respond, and Recover

Identify

Protect

Detect

Respond

Recover

Can ISO 27001 and NIST coexist?

Summary

3

Data Protection

What is privacy (and why do we desperately need it)?

GDPR and his brothers

Territorial scope

The GDPR, CCPA, and LGPD each define personal data differently

The importance of anonymous, pseudonymous, de-identified, and aggregated information

Legal bases for data processing

Data access privileges

Fines and penalties

Why deal with data protection?

The six principles of the GDPR

Summary

4

Data Processing

The data controller

The data processor

Accountability

Recommended documents

The privacy dashboard

Training materials

Mandatory documents

Data protection – the last warning

EU–US Privacy Shield

Brief summary

Schrems II ruling

The frequently asked questions issued by the EDPB

What occurs next? Vade mecum for entities

Conclusions

Summary

5

Security Planning and Risk Management

Security threats and challenges

What are the different types of security threats?

What is risk and what is a threat?

Implementing a risk management program

Why is risk management so important?

Traditional risk management versus enterprise risk management

What are the steps involved in risk management for information security?

From the top-down to the bottom-up

Benefits and challenges of risk management

Building and implementing a risk management plan

Qualitative risk analysis

Quantitative risk analysis

Difference between qualitative and quantitative risk analysis

When to perform a qualitative and quantitative risk analysis

Summary

Part 3: Escape from Chaos

6

Define ISO 27001 Mandatory Requirements

ISO 27001 operations

The ISO 27001 standard – what it is and what requirements it establishes

How to structure an iSMS

ISO 27001 support requirements (or Clause 7)

7.1 – Resources required to establish and operate an iSMS

7.2 – Competency

7.3 – Awareness

7.4 – Communication

7.5 – Documented information

Summary

7

Risk Management, Controls, and Policies

Elements of project risk management

The risk management plan

Fundamental notions

Risk evaluation

Risk characteristics

Risk heatmaps

Risk mitigation

Best risk mitigation strategies

How to establish risk mitigation strategies

Data classification

Why is the classification of data important?

What are the four levels of data classification?

What are the various types of data classification?

Difficulties with data classification

Effects of compliance standards on data classification

Data classification levels

Developing a policy for data classification

Data classification procedures

ISO 27001 controls

Control Category A.5 – Information Security Policies (1 objective and 2 controls)

Control Category A.6 – Organization of Information Security (2 objectives and 7 controls)

Control Category A.7 – Human Resource Security (3 objectives and 6 controls)

Control Category A.8 – Asset Management (3 objectives and 10 controls)

Control Category A.9 – Access Control (4 objectives and 14 controls)

Control Category A.10 – Cryptography (1 objective and 2 controls)

Control Category A.11 – Physical and Environmental Security (2 objectives and 15 controls)

Control Category A.12 – Operations Security (7 objectives and 14 controls)

Control Category A.13 – Communications Security (2 objectives and 7 controls)

Control Category A.14 – System Acquisition, Development, and Maintenance (3 objectives and 13 controls)

Control Category A.15 – Supplier relationships (2 objectives and 5 controls)

Control Category A.16 – Information security incident management (1 objective and 7 controls)

Control Category A.17 – Information security aspects of business continuity management (2 objectives and 4 controls)

Control Category A.18 – Compliance (2 objectives and 8 controls)

Who is charged for implementing Annex A controls?

Using the ISO 27001 controls

Identification of ISO 27001 controls to implement

Summary

8

Preparing Policies and Procedures to Avoid Internal Risk

Company policies

How do you determine the appropriate policies for your business?

Policy writing instructions

What about procedures, then?

The importance of policies and procedures versus their pain

How to physically write a policy?

Selecting a method for managing the process

Establishing a policy management group

Prioritizing a policy list

Creating a preliminary draft

Verifying the processes

Sending a draft out for review

Obtaining final approval and signatures

Employee Code of Conduct example draft

Template for the Employee Code of Conduct

Cloud hosting policy

Company procedures

When is a procedure necessary?

When a process requires a procedure

How to write a procedure

Step 1: gathering information

Step 2: beginning to write

Step 3: evaluating design elements

Summary

9

Social Engineering, Password Guidance, and Policy

The starting point

OSINT

Social scientist

Common social engineering attack methods

Pretexting

Misdirection theft

Phishing

Targeted phishing

Vishing

Smishing

Have you got a M.A.P.P.?

Step 1 – learn how to recognize social engineering attacks

Step 2 – develop realistic and implementable policies

Step 3 – conduct periodic real-world audits

Step 4 – implement applicable security awareness programs

Summary

10

The Cloud

How did the cloud emerge?

What exactly is the cloud? How does it work?

What is cloud security?

Types of cloud services

Distribution models

Cloud security – examples of measures that can prevent risks

The seven pain points of cloud computing

Reduced visibility

Compliance violations

Absence of a strategy and architecture for cloud security

Internal threats

Contractual violations

Unprotected user interface (API)

Errors in the configuration of cloud services

Cloud and GDPR concerns

Security concerns specific to the cloud

What effect is GDPR having on the cloud industry?

Requirements for cloud service providers under GDPR

Normative requirements

The GDPR code of conduct for CSPs

Summary

11

What about the US?

The US status of privacy

What the current national privacy laws (don’t) do

The FTC

An overview of Section 5 of the FTC Act

NIST and FTC

BYOD

Benefits of BYOD

Disadvantages of BYOD

Managing mobile devices

Criteria and recommendations

Remote working

Security issues

Important ramifications

Keeping a remote workforce secure

A multifaceted strategy

Assisting the transformation

Computer safety

What privacy rights are available to employees?

What exemptions exist to worker monitoring?

Do employees know what information employers can access?

Should employees bring personal equipment to work?

Summary

Appendix

ISO 27002

What is different?

Is it superior to the previous version?

Is it a standard set of controls for information security?

What must you do at this time?

Privacy

VA/PT

VA

PT

Index

Other Books You May Enjoy

Preface

Focusing on evolving frameworks? This book helps you to implement a fully working cybersecurity and privacy program to safeguard your company from hackers and malicious attacks.

Who this book is for

If you are a seasoned manager who wants to see how external cybersecurity consulting impacts your company’s profits, or a novice willing to learn how to deal with cybersecurity and privacy smoothly, this book’s for you.

What this book covers

Chapter 1, ISO27001 – Definitions and Security Concepts, describes in a clear and understandable way the 27k family of standards, confidentiality, integrity and availability, information security concepts and definitions, governance, policies, incident management, and the differences from NIST, the National Institute of Standards and Technology, framework.

Chapter 2, Mandatory Requirements, explores iSMS, information security management system, controls, commitment, context, scope policy, and objectives of the ISO 27001 and NIST framework.

Chapter 3, Data Protection, delves into the history of privacy, General Data Protection Regulation (GDPR), and other privacy laws, territorial scope, anonymous, pseudonymous, de-identified, and aggregated data, legal basis (or justification) for data processing, data access privileges, and fines, the six principles of GDPR, and, finally, why we have to deal with data protection.

Chapter 4, Data Processing, discusses the roles involved in data processing, looking at data controllers, data processors, accountability, privacy dashboards, a Data Protection Impact Analysis (DPIA), treatment register, the EU-US Privacy Shield, and Schrems II.

Chapter 5, Security Planning and Risk Management, focuses on risk management. We will understand what the security threats and challenges are, the various security threats, how to implement a risk management program, the differences between traditional risk management and enterprise risk management, and why risk management is so important.

Chapter 6, Define ISO 27001 Mandatory Requirements, dives deep into the ISO 27001 framework and its Annex A controls, with all the clauses within the ISO program.

Chapter 7, Risk Management, Controls, and Policies, looks at how risk management interacts with controls and policies. We will be focusing on risk heat maps and risk mitigation techniques. Then, we’ll deep dive into data classification and policies.

Chapter 8, Preparing Policies and Procedures to Avoid Internal Risk, discusses how to write policies and procedures in a corporate way.

Chapter 9, Social Engineering, Password Guidance, and Policy, reveals the most important social engineering attempts to steal your credentials and how to avoid them by using complex password management.

Chapter 10, The Cloud, deals with the cloud, from the basics to how it works now, in our quest for frameworks and privacy processes.

Chapter 11, What About the US?, discusses social engineering, password guidance, and privacy policies in the US, including local and national laws and bills. We’ll also be taking a glance at the privacy side of phenomena such as Bring Your Own Device (BYOD) and remote working.

Appendix, explains how security, privacy, and the pandemic are changing our lives.

To get the most out of this book

I recommend obtaining a copy of the following standards/frameworks/privacy laws:

ISO 27001 standard: https://www.iso.org/standard/54534.html
NIST Framework: https://www.nist.gov/cyberframework
GDPR: https://gdpr.eu/
Lei Geral de Proteção de Dados (LGPD), the Brazilian data protection law: https://www.gov.br/cidadania/pt-br/acesso-a-informacao/lgpd
CCPA: https://oag.ca.gov/privacy/ccpa
CPRA: https://thecpra.org/

Download the color images

We also provide a PDF file that has color images of the screenshots and diagrams used in this book. You can download it here: https://packt.link/elBjz.

Conventions used

There are a number of text conventions used throughout this book.

Tips or important notes

Appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.

Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Share Your Thoughts

Once you’ve read Cybersecurity and Privacy Law Handbook, we’d love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.

Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.

Download a free PDF copy of this book

Thanks for purchasing this book!

Do you like to read on the go but are unable to carry your print books everywhere? Is your eBook purchase not compatible with the device of your choice?

Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.

Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application.

The perks don’t stop there, you can get exclusive access to discounts, newsletters, and great free content in your inbox daily

Follow these simple steps to get the benefits:

Scan the QR code or visit the link below

https://packt.link/free-ebook/9781803242415

Submit your proof of purchase

That’s it! We’ll send your free PDF and other benefits to your email directly

Part 1: Start From the Basics

In this section of the book, you will come to understand how the company perimeter has changed and how it is important that security and privacy reflect those changes.

This part of the book comprises the following chapter:

Chapter 1, ISO27001 – Definitions and Security Concepts

1

ISO27001 – Definitions and Security Concepts

My aim in writing this book is to provide you with a comfortable way to understand and enhance the cybersecurity and privacy within your entity. Of course, this book is not targeted at seasoned experts in ISO27001 implementation; when I planned it, my targets were managers who know almost nothing about cybersecurity and privacy but want to improve company security, even using third-party consulting (and therefore want to know whether the external service is wasting internal budget), or novices who, for some reason, have to deal with IT security in a smooth way.

It’s a long trip, although I will try my best to help you digest an enormous amount of information in a short, agile book. I hope you find it interesting and forgive those mistakes that, unfortunately, will appear no matter how many corrections I make.

Since it’s a long trip, I suggest you prepare by putting on a pair of comfortable slippers and making a huge cup of coffee (or tea, as you wish), and sit down and relax.

In this chapter, we will cover the following topics:

The 27k family of standards
Confidentiality, integrity, and availability
Information security concepts and definitions
Governance, policies, and incident management
Differences between ISO 27001 and NIST

The 27k family of standards

There’s more than walls and fences, if any, to protect in your company. Let’s suppose your company has developed a new product. This product can guarantee a nine-figure income for at least the next decade. So, what’s the most important asset of your company?

One of your company’s most significant assets is information.

As you continue to read this book, this sentence will soon become your mantra. Ensuring the confidentiality, integrity, and availability of information is the goal of information security. These fundamental information security factors aid in ensuring that an entity’s data is secure. So, getting back to your product, what does your company need to defend itself from?

The main pain points are the following:

The leakage or disclosure of sensitive or confidential information, exposed either by accident or by design
The compromise of personally identifiable information
Critical information being tampered with, either by mistake or on purpose, without the knowledge of the entity
Critical corporate data disappearing without a trace or the possibility of recovery
The unavailability of critical business information when it is required

The preceding statements lead us to a couple of valuable mantras about information:

Everyone within the company should be responsible for the information system, and they must do their best to ensure that their information is secure.

A human being is always the weakest link of the security chain.

Let’s put it simply: everyone within the company needs to understand and help out to improve the security posture, and often, just following the company policies and procedures (or even using common sense) will vastly improve the standard security. For instance, just adopting and respecting a clean desk policy may prevent the cleaning staff from viewing unauthorized documents (and we don’t know whether the cleaning staff is somehow ready to sell our company and/or private information – insiders can wear any kind of hat).

Let’s see another example: your company spends thousands of dollars on implementing privacy screens (privacy filters designed for computer users to keep their private and confidential information safe). But if you leave your laptop unattended, then they are completely useless.

Information is adequately maintained and safeguarded against several threats.

Every entity is at risk of data leakage by different means, and a company that wants to improve its security standards needs to address each of them. The vast majority of companies (at least in Europe) use so-called frameworks (such as ISO 27001/27002, NIST, etc.) simply because they’re ready to apply and use. More specifically, in regard to European entities, by implementing ISO 27001, you are also covering much of what the General Data Protection Regulation (GDPR, aka the European privacy law) requires, as well as security over the cloud. Basically, you’re killing three birds with one stone.

The following ISOs give us a foundation to establish an effective information management system:

Information security management systems – Requirements – ISO/IEC 27001:2017
Security approaches – ISO/IEC 27002:2022

While ISO 27001 has been prepared to provide requirements for establishing, implementing, maintaining, and continually improving an information security management system, ISO 27002 is designed for organizations of all types and sizes. It is to be used as a reference for determining and implementing controls for information security risk treatment in an information security management system (ISMS) based on ISO/IEC 27001.

Born as an independent, non-governmental entity, the International Organization for Standardization (ISO) comprises the national standards bodies from the 165 countries that make up its membership. There are more than 1,500 voluntary international standards developed by ISO.

According to Wikipedia:

More than 20,000 standards have been established, encompassing everything from manufactured goods and technology to food safety, agriculture, and healthcare services. ISO is a voluntary entity whose members are recognized authorities on standards, each one representing one country. Members meet annually at a General Assembly to discuss the strategic objectives of ISO. The entity is coordinated by a central secretariat based in Geneva.

A council with a rotating membership of 20 member bodies provides guidance and governance, including setting the annual budget of the central secretariat.

The technical management board is responsible for more than 250 technical committees, who develop the ISO standards.

Products and services of high quality can be produced by adhering to the standards. Using the standards, businesses can boost productivity while reducing waste and errors. Comparing products from different markets makes it easier for businesses to expand into new markets and helps global trade develop on an equal footing. The standards also protect consumers and end users of products and services by ensuring that certified products meet international minimum standards.

Since we are interested in the information security side of ISO, let’s set aside what’s irrelevant to our scope.

The ISO/IEC 27001 requirements for approved third-party Information Security Management System (ISMS) certifications can be applied to third-party accreditations of ISMSs. ISMS audits are conducted by accredited certification bodies as part of the accreditation process. With the help of ISO/IEC 27001, certified entities can be confident that their management systems and procedures comply with the standard.

ISO/IEC 27002, a guidance document, provides information security best practices and implementation guidance. As part of the risk management process, ISO/IEC 27001-compliant entities can use these controls to protect their information assets.

Confidentiality, integrity, and availability

One of the main components of ISO 27k is something called the CIA triad (of course, this has nothing to do with either the Mafia or the US Central Intelligence Agency).

In information security, the CIA triad is widely accepted as a model. It’s not a single doctrine, and there is no single author of it either. On the contrary, the model seems to have evolved over time, with roots that go back as far as modern computing. It appears that Ben Miller, vice president of Dragos, is the only one who has done any research into the triad’s origins. When he went looking for the origins of this model, more than a decade ago, he couldn’t find anything. Concepts appear to have been pulled from a variety of sources, including a 1976 Air Force report and a paper from the 1980s comparing commercial and military computer systems.

It’s mostly based on a triangle made of confidentiality, integrity, and availability, which are the main pillars of IT security.

Figure 1.1 – CIA triad

Whatever the case may be, the CIA triad includes the following three elements:

A company’s data must be kept private to maintain confidentiality. This usually means that data should only be accessed or modified by processes and users who have been granted permission to do so.
Integrity is the quality of being able to have confidence in one’s data. An accurate and authentic record should be kept in a safe place where it cannot be changed or tampered with.
Authorized users should be able to access data at any time (availability), just as it is critical to keep unauthorized users out of an entity’s data in the first place. Maintaining a stable network of computers, servers, and other devices is to be considered an integral part of availability.

Let’s see an example to better understand these concepts.

You are sending an email to me because you’d like me to clarify some concepts you don’t understand (probably because they were badly explained by me – who knows). While preparing the email, you also attach a document in which there’s the part you don’t understand. Finally, you send the email.

In this case, confidentiality means that you sent this email to me and to me only. Unless a third party was involved in our email exchange, this email is sent exclusively to me.

If you send me a message with a few words, including Dear Mr., some sort of body text, some salutation at the end, and an attachment, I will receive exactly that message body and that attachment (this is integrity; if we want, we can measure the number of kilobytes used to send that message and you can bet that the body text and attachment are the same size).

Finally, we can log in to an email server at any time, 24/7, using our email client, and check whether there are new messages: that’s availability.

But, of course, this is just an example of how to adopt the CIA triad.

Access control methods such as two-factor authentication and passwordless sign-on are examples of confidentiality. However, it’s not just about allowing authorized users access; it’s also about preventing certain files from being accessed. Both accidental disclosure and malicious attacks can be prevented by using encryption.

Access control and encryption can help maintain data integrity, but there are many other ways to protect data integrity, both from attacks and corruption. It can be as simple as making a file read-only at times. In some cases, data can be audited using hashing or data checksums, which ensure the integrity of the data. In some cases, the integrity of a system may be shielded from external influences.

Availability refers to the ability of your systems to remain operational in the event of an attack. Distributed Denial of Service (DDoS) attacks, for example, work by exhausting the resources a system needs to serve legitimate users. You can ensure uptime by building redundancy into your systems to combat DDoS attacks. In the absence of an attack, systems can still fail and become unavailable, so load balancing and fault tolerance can be used to prevent systems from failing.

It is important for security professionals of all kinds to understand these concepts. For information security professionals, the triad of these three concepts makes it easier to think about the interrelationships, overlaps, and conflicts between them. Security professionals can use the tension between the triad’s three legs to determine their information security priorities and procedures.

Information security concepts and definitions

Other best practices to remember are as follows:

Know thy system.

Knowing the system is perhaps the most critical factor when attempting to defend it. It makes no difference whether you’re protecting a castle or a Linux server if you don’t understand the intricacies of what you’re defending.

Knowledge of what software is running on your systems is an excellent illustration of this in the area of information security. What daemons do you have running? What kind of exposure do they generate? A decent self-test for someone in a small- to medium-sized environment would be to choose an IP address at random from a list of your systems and see whether you can recall the precise list of ports that are open on the computers.

“It’s a web server, therefore everything’s just running on ports 80, 443, and 22 for remote management; that’s it,” a skilled administrator should be able to say—and so on for each sort of server in the ecosystem. When seeing port scan findings, there should be no surprises.

In this kind of test, you don’t want to hear, “Wow, what’s that port?” Having to ask that question indicates that the system administrator is not entirely aware of everything operating on the computer in question, which is exactly what we want to prevent.
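The self-test described above can be automated as a baseline comparison. The following is an added example, not code from the book: the server roles, their documented port lists and the `ss -ltn` output are all constructed for illustration.

```python
"""Port-inventory self-test for the "know thy system" check.

Added example, not code from the book. The server roles, their documented
port baselines and the `ss -ltn` output below are constructed for illustration.
"""
import re

# Documented baseline per server role (constructed; adapt to your own estate).
ROLE_BASELINE = {
    "web": {22, 80, 443},
    "mail": {22, 25, 587, 993},
}

# Constructed text in the shape of `ss -ltn` output (listening TCP sockets).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128           0.0.0.0:22         0.0.0.0:*
LISTEN  0       511           0.0.0.0:80         0.0.0.0:*
LISTEN  0       511              [::]:443            [::]:*
LISTEN  0       128         127.0.0.1:3306       0.0.0.0:*
LISTEN  0       50            0.0.0.0:6379       0.0.0.0:*
"""

# State, Recv-Q, Send-Q, then the "address:port" of the local socket.
LISTEN_LINE = re.compile(r"^\s*LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def parse_listening(ss_output: str) -> dict[int, str]:
    """Map each listening TCP port to the address it is bound to."""
    ports = {}
    for line in ss_output.splitlines():
        m = LISTEN_LINE.match(line)
        if m:
            ports[int(m.group(2))] = m.group(1)
    return ports


def audit_host(role: str, ss_output: str) -> dict[str, set[int]]:
    """Compare what is actually listening with the role's documented baseline.
    'unexpected'    : reachable from the network but undocumented, the
                      "wow, what's that port?" case the text warns about
    'missing'       : documented but not listening (a service is down)
    'loopback_only' : bound to 127.x only, so not exposed, but it still
                      belongs in the inventory
    """
    listening = parse_listening(ss_output)
    expected = ROLE_BASELINE[role]
    exposed = {p for p, addr in listening.items() if not addr.startswith("127.")}
    return {
        "unexpected": exposed - expected,
        "missing": expected - set(listening),
        "loopback_only": set(listening) - exposed,
    }


if __name__ == "__main__":
    for finding, ports in audit_host("web", SAMPLE_SS_OUTPUT).items():
        print(f"{finding:14s} {sorted(ports)}")
```

Run against the sample, the web role reports port 6379 as the unexpected listener and 3306 as loopback-only; on a real host, feed it the output of `ss -ltn` instead of the constructed text.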

The least privilege

The next crucial principle is that of least privilege. Least privilege simply states that people and objects should be able to do only what they need to do to perform their tasks. I include this kind of example because administrators frequently configure automated processes that must be able to perform specific activities, such as backups. What usually happens is that the administrator adds the user performing the backup to the domain admins group, even though they could get it to work another way. Why? Because it is less difficult.

Ultimately, this is a principle that runs directly against human nature, namely laziness. It is always more difficult to grant granular access that allows only specified tasks than it is to grant a higher level of access that covers everything that needs to be done.

This rule of least privilege just reminds us not to succumb to this temptation. Don’t back down. Take the time to make all access as granular and as minimal as feasible.

Defense in depth

Defense in depth is likely the least understood of the four concepts. Many people believe that it is as simple as stacking three firewalls instead of one or running two antivirus applications instead of one. This is technically correct, but it is not the fundamental nature of defense in depth.

The true concept is to build various types of protection between an attacker and an asset. These layers don’t even have to be products; they might be applications of other notions, such as least privilege.

Consider an attacker on the internet attempting to breach a web server in the Demilitarized Zone (DMZ; basically a physical or logical subnetwork that contains and exposes an entity’s external-facing services). Given a huge vulnerability, this may be quite simple, but with an infrastructure utilizing defense in depth, it may be substantially more difficult.

We need to take into consideration activities such as hardening (appliances such as routers, firewalls, IPSs/IDSs, and target hosts) and widely deploying antivirus and antimalware; any of these measures can potentially stop an attack from being totally or partially successful. The idea is that instead of thinking about what has to be put in place to stop an attack, we should think about what needs to happen for it to succeed. An attack might have to traverse the network infrastructure to reach the host, execute, establish an outbound connection to an external host, download further code, run it, and so on.

What if any of those steps were to fail? The key to defense in depth is to place barriers at as many points as possible. Our aim is to make it hard for potential intruders to get into our network at all. With this kind of approach, you make it difficult for hostile code to run on your systems, you run your daemons and services as the least-privileged user, and so forth.

The advantage is straightforward: you have more chances to prevent an attack from succeeding. Someone may go all the way in, all the way to the box in question, and be stopped by the fact that the malicious code would not run on the host. However, once that code is modified so that it may run, it may be detected by an upgraded IPS or a more stringent firewall ACL. The goal is to secure whatever you can at every stage. Secure everything—file permissions, stack protection, ACLs, host IPSs, limiting admin access, running as limited users; the list is endless.

The core premise is also straightforward: don’t rely on a single solution to protect your assets. Consider each layer of your defense as though it were the only one. When you follow this method, you have a better chance of stopping attacks before they reach their aim.

Also, in IT security (and ISO 27001 itself, which is a framework that is continuously improving), new concepts are arising on almost a yearly basis, and one of the most interesting concepts around is called zero trust.

Conventional security models are based on perimeter security. In practice, the protection of the corporate ecosystem trusts all traffic and action flowing within the perimeter.

The zero trust approach, on the other hand, is designed to address even the so-called lateral threats that move through networks. How? By applying microsegmentation and defining granular perimeters based on users, data, and their location.

Prevention is preferable, but detection is required.

This is a basic concept, yet it is incredibly significant. The idea is that while it is preferable to stop an attack before it succeeds, if an attack does succeed, it is critical that you know it happened. For example, you may have safeguards in place to prevent code from being executed on your system, but if code is executed and something is done, it is vital that you are notified and can act immediately.

The difference between learning about a successful attack within 5 or 10 minutes and learning about it weeks later is enormous. Having the knowledge early enough can often result in the attack not being successful at all; for example, the attacker may get on your box and add a user account, but you get to the machine and take it offline before they can do anything with it.

Regardless of the situation, detection is critical because there is no guarantee that your prevention actions will be effective.
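The "attacker adds a user account, you take the box offline first" scenario above comes down to how quickly the event is noticed. The following is an added example, not code from the book: it parses constructed auth-log lines in the shape of Linux useradd/usermod syslog messages, raises an alert for account creation and privileged-group grants, and reports the lag between each event and the moment someone looked; the year (2024), host name and address are assumptions.

```python
"""Detect account additions and privilege grants in auth-log lines and
report how long each went unnoticed.

Added example, not code from the book. The log lines are constructed in the
shape of Linux useradd/usermod syslog messages; the year is assumed to be
2024 because syslog timestamps carry none; host and address are fictitious.
"""
import re
from datetime import datetime

SAMPLE_AUTH_LOG = """\
Mar 03 02:14:07 web01 sshd[2211]: Accepted publickey for deploy from 203.0.113.9 port 51022 ssh2
Mar 03 02:14:40 web01 useradd[2290]: new user: name=svc_tmp, UID=1007, GID=1007, home=/home/svc_tmp, shell=/bin/bash
Mar 03 02:14:52 web01 usermod[2301]: add 'svc_tmp' to group 'sudo'
Mar 03 02:15:10 web01 sshd[2311]: Accepted password for svc_tmp from 203.0.113.9 port 51030 ssh2
"""

ASSUMED_YEAR = 2024  # assumption: syslog lines carry no year
PRIVILEGED_GROUPS = {"sudo", "wheel", "root", "adm"}

TS = r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) (\S+) "
USERADD = re.compile(TS + r"useradd\[\d+\]: new user: name=([^,]+)")
USERMOD = re.compile(TS + r"usermod\[\d+\]: add '([^']+)' to group '([^']+)'")


def parse_ts(stamp: str) -> datetime:
    """Turn a syslog 'Mon DD HH:MM:SS' stamp into a datetime (assumed year)."""
    return datetime.strptime(f"{ASSUMED_YEAR} {stamp}", "%Y %b %d %H:%M:%S")


def detect(log_text: str, reviewed_at: datetime) -> list[dict]:
    """Return one alert per account creation or privileged-group grant,
    with the lag between the event and the moment someone looked."""
    alerts = []
    for line in log_text.splitlines():
        if m := USERADD.match(line):
            kind, user, group = "new_account", m.group(3), None
        elif (m := USERMOD.match(line)) and m.group(4) in PRIVILEGED_GROUPS:
            kind, user, group = "privileged_group", m.group(3), m.group(4)
        else:
            continue  # ordinary activity, no alert
        ts = parse_ts(m.group(1))
        alerts.append({"kind": kind, "host": m.group(2), "user": user,
                       "group": group, "ts": ts,
                       "lag_s": (reviewed_at - ts).total_seconds()})
    return alerts


def within_window(alerts: list[dict], max_lag_s: float = 600) -> bool:
    """True when every alert was seen within the window (default 10 minutes),
    the case in which taking the box offline can still defeat the attack."""
    return all(a["lag_s"] <= max_lag_s for a in alerts)


if __name__ == "__main__":
    for a in detect(SAMPLE_AUTH_LOG, parse_ts("Mar 03 02:20:00")):
        print(f"{a['kind']:17s} {a['user']:8s} seen after {a['lag_s']:.0f}s")
```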

Other remarkable best practices are as follows:

Protection and utility must be balanced.

Computers in a workplace could be entirely safeguarded if all networks were destroyed and everyone was thrown out—but then they would be of no use to anyone.

Determine your vulnerabilities and make a plan.

Not all of your resources are equally valuable. Some data is more vital than others, such as a database holding all accounting information on your clients, such as bank IDs, social security numbers, addresses, and other personal information (we’ll talk about privacy later). Identifying what data is more sensitive and/or significant will assist you in determining the level of protection required to safeguard it and designing your security tactics accordingly.

Use uncorrelated defenses.

Using a single strong protection mechanism, such as authentication protocols, is only effective until it is breached. When numerous layers of separate defenses are used, an attacker must apply a variety of tactics to get past them.

Because the causes of breaches aren’t always obvious after the fact, it’s critical to have data to track backward. Even if it doesn’t make sense at first, data from breaches will eventually help to improve the system and prevent future attacks.

Run frequent tests.

Hackers are constantly honing their skills, so information security must evolve to keep up. IT professionals should run tests, conduct risk assessments, reread the disaster recovery plan, double-check the business continuity plan in the event of an attack, and then repeat the process.

The bottom line.

IT security is a difficult job that requires both attention to detail and a high level of awareness. However, like many seemingly complex tasks, IT security can be broken down into basic steps that can simplify the process. That’s not to say it’s easy, but it keeps IT professionals on their toes.

So, while we have seen some ways to improve your security posture, I am afraid to tell you that we have only scratched the surface of a huge iceberg. Although hardening is a very important topic and everyone dealing with security should at least understand these basic concepts, an entity is a bit more than a document with a plethora of how-tos.

An entity is the sum of many elements: core values, community, respect, and many more, but also ethics, risk management, compliance, and administration, which together form the governance of a company.

Governance, policies, and incident management

We are going to talk about what makes an entity (or company, association, or whatever you want to call it).

Governance

We can define corporate governance as “a toolkit that enables management and the board to deal more effectively with the challenges of running a company. Corporate governance ensures that businesses have appropriate decision-making processes and controls in place so that the interests of all stakeholders are balanced.” (This definition is taken from https://www.itgovernance.co.uk/.)

A strong corporate governance framework can assist you in meeting the requirements of laws and regulations such as GDPR, the European privacy law.

GDPR, for example, requires data controllers and processors to verify compliance with its standards through specific documentation, such as applicable logs, rules, and procedures.

Throughout this book, I will use examples from GDPR, although there are several other privacy laws around, such as LGPD (the Brazilian privacy law) or CCPA from California, and many more about to come. But GDPR, together with its UK variant, is an umbrella for roughly 400 million people in 28 countries and is therefore the most widely known.

Using IT governance aspects will assist you in creating and maintaining proper policies and procedures to help satisfy your data privacy obligations.

IT governance is a component of corporate governance that aims to improve overall IT management and get more value from investments in information and technology.

IT governance frameworks have the following functions:

Assisting entities in efficiently managing their IT risks and ensuring that information and technology operations are aligned with their overall business objectives
Showing demonstrable achievements in relation to broader business plans and goals
Complying with applicable legal and regulatory duties, such as those outlined in GDPR
Assuring stakeholders that your entity’s IT services are trustworthy
Facilitating a higher return on IT investment
Following any business governance or public listing guidelines or procedures

According to ISACA (https://www.isaca.org), we can break IT governance (ISO 38500) into five different domains:

Value delivery
Strategic alignment
Performance management
Resource management
Risk management

Consider that there are several frameworks and methodologies to comply with IT governance, such as ISO 27001, NIST, ISO 27000 (aka ITIL), COBIT, ISO 31000, ISO 38500, and ISO 22301. Since we are dealing with a security compliance framework, it would be better to stick to the most popular, that is, ISO 27001 and NIST, alongside ISO 27701 (privacy framework).

Policies and procedures

Policies and procedures are the documents that describe how your business is run in the information security industry.

A policy is a set of rules or guidelines that your entity and its employees must follow in order to comply:

Policies provide answers to the questions of what employees do and why they do it
A procedure is a set of instructions for implementing a policy

So, what exactly is a policy?

A policy is defined as a set of rules or guidelines that your entity and employees must follow in order to achieve a specific goal (i.e., compliance).

What is the function of a policy?

An effective policy should outline what employees must and must not do, as well as directions, principles, and decision-making guidance. It should answer the questions “What?” and “Why?”. Both relate to the meaning of a policy, and it’s important to understand what a policy is and why it is needed.

What exactly is a procedure?

A procedure is the inverse of a policy; it is the instructions on how to implement a policy:

It is the step-by-step guide for implementing policies, outlined previously
A policy defines a rule and a procedure defines who is expected to do what and how
Procedures provide answers to questions such as how, when, and where

What is the importance of documented policies, procedures, and protocols?

Too many businesses regard policies and procedures as a necessary evil, failing to consider their purpose. It’s not about following best practices or becoming a soulless corporate entity; the goal of policies and procedures is to explain what management wants to happen and how it will happen.

I’ve come to believe that the primary difference between a small and medium business is not found in quantifying a company’s maturity by revenue or employee count, but rather in whether or not management has taken the time to develop, implement, and maintain policies and procedures.

So far, this definition has not disappointed me; companies with mature policies, procedures, and systems are easier to audit, have a better understanding of their security posture and risk, and appear to be operating far more sustainably than those that haven’t paid much attention to governance.

Objections about policies and procedures

Once management understands the definitions of policies and procedures, they will no longer ask, “What are policies and procedures?” or “What is the purpose of a policy?” and instead proceed to ask, “Why do I have to write policies and procedures?”

Management in small businesses generally has the same set of objections to writing down a set of policies and procedures, all of which are related to difficulty, company culture, and time constraints. But keep in mind that the benefits outweigh the inconvenience of policies and procedures. The goal of policies and procedures is much more than simply writing down some rules.

It’s difficult to create policies and procedures.

But it’s extremely difficult! Yes, but also no. Most businesses that do not have mature policies and procedures are doing fairly well; otherwise, they would not be in business. It’s certainly easier to define security from the start, but that doesn’t mean it can’t be simple to start with what you’re doing now and refine it later.

Sometimes, the real objection isn’t how difficult it is to write down policies and procedures, but how afraid most people are of writing down how they’re doing things incorrectly. Begin with where you are, and then be realistic about where you want to go. You may not be keeping up with best practices in some areas, but if you let embarrassment keep you from putting policies in writing, you’re missing the point. Knowing exactly what you’re doing now allows you to determine what you should be doing tomorrow. It’s how you can create a real budget, identify real enterprise risks, and respond effectively when something goes wrong.

But no worries, we’ll deep dive into these things later.

Incident management

The goal of the incident management procedure is to restore normal service operation as soon as possible and to minimize the negative effect on business activities while maintaining agreed-upon standards of service quality. The incident management process’s goals are to do the following:

Ensure that standardized processes and procedures are utilized for effective and timely incident response, analysis, recording, continuous improvement, and reporting
Increase incident visibility and communication to business and IT support personnel
Improve the business view of IT by taking a professional approach to addressing and communicating problems as they might arise
Align incident management efforts and priorities with business priorities
Maintain satisfaction among users with IT service quality

So, we conclude a very rapid journey through the essential topics concerning governance. Let’s move on to an interesting topic: the differences between ISO 27001 and NIST.

Differences between ISO 27001 and NIST

As it has fewer controls to implement, and since there’s no control over it (NIST doesn’t have a certification scheme), NIST is considered somewhat less mature; also, as it is backed by the US government and not an international committee, it is not considered much outside the US. But if you like plain instructions and don’t want to spend a fortune, at least in the beginning, it can be a good idea to use NIST. Finally, it is possible to get the best of both worlds by implementing both at the same time.

What’s NIST?

The National Institute of Standards and Technology (NIST) is a non-regulatory US government agency founded in 1901 that develops technology, standards, and metrics to drive innovation in the US science and technology sectors. NIST is headquartered in Gaithersburg, Maryland.

NIST publishes the Special Publication 800 series, which contains guidance documents and recommendations. As part of this series, it released Special Publication 800-53, which catalogs 20 security and privacy control groups. NIST recommends that entities implement these security and privacy controls as part of their risk management strategies. These controls cover access control, security awareness training, incident response plans, risk assessments, and continuous monitoring.

The NIST compliance framework was developed to provide a customizable guide for entities on how to manage and reduce cybersecurity-related risks. In its guide, NIST combines existing standards, guidelines, and best practices. However, it is critical to understand that simply adhering to NIST guidelines will not make your entity 100% secure, which is why the NIST guidelines begin by instructing entities to use a value-based approach to protect their assets.

The NIST Cybersecurity Framework (CSF) is a voluntary (recommended by the Department of Commerce) cybersecurity framework that allows businesses to develop information security, risk management, and control programs. NIST standards are now used in fields ranging from nanotechnology to cybersecurity. Through an executive order in 2013, NIST was tasked with developing a cybersecurity framework, and in February 2014, it published version 1.0 of the Framework for Improving Critical Infrastructure Cybersecurity. Version 1.1 was released to the public in April 2018.