Managing Catastrophic Loss of Sensitive Data: A Guide for IT and Security Professionals

Overview

Offering a structured approach to handling and recovering from a catastrophic data loss, this book will help both technical and non-technical professionals put effective processes in place to secure their business-critical information and provide a roadmap of the appropriate recovery and notification steps when calamity strikes.

• Addresses a very topical subject of great concern to security, general IT and business management
• Provides a step-by-step approach to managing the consequences of and recovering from the loss of sensitive data.
• Gathers in a single place all information about this critical issue, including legal, public relations and regulatory issues


Product Details

  • ISBN-13: 9781597492393
  • Publisher: Elsevier Science
  • Publication date: 4/4/2008
  • Pages: 400
  • Product dimensions: 9.60 (w) x 12.30 (h) x 4.30 (d)

Meet the Author

Constantine Photopoulos is a consultant with extensive security and regulatory compliance experience. He is a partner at the SOX Group (www.soxgroup.com), an IT security consultancy firm in New York City. He is a graduate of the Massachusetts Institute of Technology, with a degree in electrical engineering and computer science.


Read an Excerpt

Managing Catastrophic Loss of Sensitive Data


By Constantine Photopoulos

Syngress Publishing, Inc.

Copyright © 2008 Elsevier, Inc.
All rights reserved.

ISBN: 978-0-08-055871-4


Chapter One

Introduction

Solutions in this chapter:

* What Is Sensitive Data?

* Data Security Breach

* Data Loss Consequences

* Prevention and Safeguards

* Response

* Notification

* Recovering from a Data Breach

* Organization of the Book

Overview

The loss of sensitive data continues to be a significant concern for both organizations as well as individuals whose information may be at risk of a breach. Organizations that experience a data breach can suffer reputational damage, loss of customer and constituent confidence, legal and regulatory scrutiny, and the direct costs of managing an incident and complying with the legal requirements to notify customers that their private information has been breached.

If a data breach involves internal business information, the competitive damage to the organization can be severe. In the case of leakage of private customer information, this damage will be compounded by eroded customer trust and brand equity.

Data breaches represent a major category of organizational failures in the eyes of many individuals. Customers, constituents, and employees demand to have their personal information well protected and, in the event that sensitive data may have been exposed, require that they be notified of such incidents. As a result, lawmakers and regulators have responded by passing laws to help identity theft victims and to require organizations to protect the security and confidentiality of their customers' and employees' personal information.

Both organizations and individuals are acutely aware of the risk from the loss of sensitive information. One of the most nefarious consequences of a data breach is identity theft, a rapidly growing crime with devastating consequences to its victims. It still poses a major risk to the public as well as to the organization that mishandles private information with which it has been entrusted.

Since the consequences of identity theft are severe, a real concern arises even if only a small percentage of parties whose information was breached end up becoming victims. Moreover, any notification of a data breach, even if it does not result in identity theft, will influence consumers' behavior and confidence and may lead to the termination of their relationship with the organization that mishandled their private and confidential information. The consequence may be damage to an organization's reputation as well as the opportunity cost of lost business. This loss of confidence can also arise within the organization itself, since the loss of confidence in the security of a particular system or data store can render it hesitant or unwilling to engage in new initiatives or ventures.

Since organizations collect and store vast amounts of personal information about their customers, constituents, and employees, they must play an important role in protecting privacy and curbing the growth of identity theft through the implementation of effective safeguards and controls and through a response plan that will provide the ability to make informed decisions during an incident in order to protect the organization and its customers. This requires the development and implementation of response mechanisms for such a crisis before one occurs.

What Is Sensitive Data?

On a general level, sensitive data can be defined as information concerning the organization's or an affiliate's prospective, current, or former customers, clients, vendors, employees, or any other nonpublic business information. Sensitive data is information whose disclosure is protected by law or regulation as well as that protected by organizational policy. This includes confidential information and Personally Identifiable Information (PII), which is an individual's name in conjunction with an identifier or account number and whose compromise could lead to identity theft or fraud.

Sensitive data can be organized into the following general categories:

* Legislatively protected data subject to legal or regulatory oversight. This includes data such as medical records and financial records.
* Personally Identifiable Information, which can reasonably identify individuals and which, if disclosed, could violate the privacy of individuals and lead to identity theft or fraud.
* Any data whose unauthorized disclosure could lead to a financial or reputational loss. This includes nonpublic intellectual property and trade secrets as well as business-related data such as payroll and benefits information, work history, and budget information.
* Any combination of components of customer information that could allow unauthorized access to the customer's account, such as username and password or password and account number.
* Data whose unauthorized release would constitute a violation of confidentiality agreed to as a condition of possessing the data.
* System or user credentials whose unauthorized release could provide access to sensitive systems or resources.
* Any data protected by organizational policy.

Personally Identifiable Information

An important class of sensitive information is notice-triggering Personally Identifiable Information (PII). This type of data is tightly associated with identity theft or fraud and is subject to legislation requiring both reporting and notification of unauthorized access.

Personally Identifiable Information is any information that permits the identity of an individual to be directly or indirectly inferred, including the first name or first initial and last name, address, or telephone number, in conjunction with any one or more of the following elements, when either the name or the data element is not encrypted:

* A social security number or national identification number.
* A driver's license number or other officially recognized form of identification.
* A credit card number, debit card number, financial account number, or any required security code, access code, or password that would permit access to financial information relating to that party.
* Any additional, specific factor that adds to the personally identifying profile of a specific individual, such as a relationship with a specific financial institution or membership in a club.
* Medical information.

This general definition of PII applies in most cases unless local jurisdiction law or regulatory guidance is stricter, in which case the organization must abide by the local laws or regulations.
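As an added illustration (not code from the book), the following Python turns the notice-triggering PII definition above into a check that a data-inventory or DLP tool could run against a record's field schema. The field labels, the sample schemas and the extra_elements hook for stricter local rules are constructed for this example.

```python
from dataclasses import dataclass
from typing import Iterable

# Identifying elements from the definition: a name (or first initial and last
# name), address, or telephone number. Labels are constructed for this example.
IDENTIFIERS = {"full_name", "initial_and_last_name", "address", "telephone"}

# Elements that, combined with an identifier, make a record notice-triggering.
# Each label maps to one of the five bullets in the definition above.
TRIGGER_ELEMENTS = {
    "ssn", "national_id",                        # SSN or national identification number
    "drivers_license", "government_id",          # officially recognized form of ID
    "credit_card", "debit_card", "account_number",
    "security_code", "access_code", "password",  # codes permitting financial access
    "profile_factor",                            # e.g. bank relationship, club membership
    "medical_info",
}


@dataclass(frozen=True)
class Field:
    """One stored column of a record and whether it is stored encrypted."""
    name: str
    encrypted: bool = False


def triggering_pairs(fields: Iterable[Field],
                     extra_elements: Iterable[str] = ()) -> list[tuple[str, str]]:
    """Return the (identifier, element) pairs that make the record notice-triggering.

    A pair counts when either side is stored unencrypted, as the definition states;
    only a schema where both the identifier and the element are encrypted escapes.
    extra_elements lets a stricter local rule add element types (hypothetical hook).
    """
    elements = TRIGGER_ELEMENTS | set(extra_elements)
    fields = list(fields)
    ids = [f for f in fields if f.name in IDENTIFIERS]
    elems = [f for f in fields if f.name in elements]
    return sorted({(i.name, e.name) for i in ids for e in elems
                   if not (i.encrypted and e.encrypted)})


def is_notice_triggering(fields: Iterable[Field],
                         extra_elements: Iterable[str] = ()) -> bool:
    return bool(triggering_pairs(fields, extra_elements))


# Constructed sample schemas (no real data).
CUSTOMER_TABLE = [Field("full_name"), Field("email"), Field("ssn")]
ENCRYPTED_TABLE = [Field("full_name", encrypted=True), Field("ssn", encrypted=True)]
MARKETING_TABLE = [Field("full_name"), Field("email"), Field("purchase_history")]

if __name__ == "__main__":
    for label, table in [("customer", CUSTOMER_TABLE), ("encrypted", ENCRYPTED_TABLE),
                         ("marketing", MARKETING_TABLE)]:
        print(f"{label}: notice-triggering pairs = {triggering_pairs(table)}")
```

A schema that stores only the name encrypted is still flagged, because the SSN column itself remains readable.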

In addition to PII, other high risk personal information includes health information, student records, employee salary and benefits data, financial information, or other personal information the disclosure of which would violate the privacy of individuals.

Confidential Business Information

In addition to customer, constituent, and employee information, sensitive data encompasses business and operational information whose disclosure would violate a legal agreement or would either deny the organization a competitive advantage or provide an advantage to its competitors. This includes trade secrets and intellectual property, operational details, organizational strategies, certain client relationships, and sensitive third-party information subject to a nondisclosure agreement.

Legally protected business information includes pending mergers and acquisitions. The premature disclosure of this information to or its use by certain parties can result in regulatory and legal penalties since it can provide the potential for insider gains in security trading.

Data Categories

Not all sensitive information requires the same level of safeguards or poses the same risk of harm in case of a breach. Categorization or classification schemes are used to identify various levels of data sensitivity. The most common schemes generally classify data into three or four categories, such as Confidential, Internal, and Public. Guidelines used to classify data include:

* Monetary, reputational, contractual, or regulatory impact if the data is compromised.
* Statutes, regulations, or policies requiring certain information types to receive special consideration with respect to unauthorized disclosure or dissemination.
* Confidentiality and accuracy of the data with respect to business functions and needs.

Data Security Breach

Despite efforts at identifying and correcting security vulnerabilities, weaknesses will remain given the difficulty in sustaining a fully secured posture. The intentional or accidental exploitation of such weaknesses to obtain unauthorized access to information can result in a data security incident or breach. More specifically, a breach can be defined as any known or suspected circumstance that results in an actual or possible unauthorized release of information deemed sensitive by the organization or subject to regulation or legislation. This can include the unauthorized acquisition, use, alteration, disclosure, retention, and destruction of data that compromises the confidentiality, integrity, or availability of sensitive information maintained by the organization or by a third-party provider under contract to the organization.

An incident can include events that do not constitute an actual compromise or breach but nonetheless pose a security risk to the organization, such as the violation of an explicit or implicit information security policy that can increase the risk of a compromise, or any adverse event whereby the confidentiality, integrity, or availability of organizational information could be threatened accidentally or intentionally.

Specific regulations and laws can also have very specific definitions of incidents, particularly of breaches that warrant notification and reporting to regulators and the affected parties.

An incident can be the result of accidental or intentional actions, by internal or external parties. However, good faith acquisition of sensitive information by an employee for business purposes is not a breach provided that the information is not used or subject to further unauthorized disclosure.

Incidents can have one or more root causes, including negligent employees, negligent third parties, malicious internal or external parties, and unaddressed process or technical vulnerabilities.

There are several ways in which data breach incidents can lead to the compromise of sensitive information. Some common ways include:

* Lost or stolen laptops or storage devices.
* Theft of intellectual property.
* Attempted or actual unauthorized access to systems or information.
* Unauthorized sharing of data.
* Improper handling or disposal of data.
* Compromised user accounts.
* Inappropriate use or sharing of passwords.
* Intentional or unintentional noncompliance with organizational security policies and processes.
* Noncompliance by a party with contractual obligations regarding the safeguarding of sensitive information.

Data Loss Consequences

The consequences of a loss of sensitive information can affect both the organization and any external party whose information was compromised. The principal issue is the threat of misuse of the breached information, especially if this misuse leads to identity theft or fraud.

Impact

For the organization, a loss of sensitive information at a minimum will entail the cost of responding to and managing the incident along with the associated productivity loss. Beyond that, it can include one or more of the following:

* Regulatory or legal impact if the incident will likely result in regulatory attention, legal penalties, civil action, or governmental prosecution.
* Customer impact if the incident resulted in a disruption of customer service or in a loss of customer accounts.
* Reputational impact if the incident resulted in negative publicity and/or negatively impacted the reputation of the organization.
* Financial impact if the incident resulted in or is likely to result in a financial loss or expense.

Identity Theft

Identity theft and identity fraud refer to all types of crime in which someone wrongfully obtains and uses another person's personal data in some way that involves fraud or deception, typically for economic gain. A baseline definition can be found in the US Identity Theft and Assumption Deterrence Act of 1998, in which identity theft is described as a range of illegal activities that use a person's personal information to perpetrate a crime. The act identifies offenders as anyone who "... knowingly transfers or uses, without lawful authority, any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual with the intent to commit, or to aid or abet, any unlawful activity ...".

(Continues...)



Excerpted from Managing Catastrophic Loss of Sensitive Data by Constantine Photopoulos. Copyright © 2008 by Elsevier, Inc. Excerpted by permission of Syngress Publishing, Inc. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.


Table of Contents

Overview; Data Loss Consequences; Prevention and Protection; Data Loss Response Team; Detection; Analysis; Response; Notification; Legal Issues and Requirements; Lessons Learned; Appendix—Relevant Legislation
