Enterprise Information Security and Privacy.
Title:
Enterprise Information Security and Privacy.
Author:
Axelrod, C. Warren.
ISBN:
9781596931916
Physical Description:
1 online resource (258 pages)
Contents:
Enterprise Information Security and Privacy -- Contents -- Foreword -- Preface -- Acknowledgments -- Part I: Trends -- Chapter 1 Privacy Roles and Responsibilities -- 1.1 Background -- 1.2 Observations -- 1.3 Recommendations -- 1.3.1 Roles and Responsibilities of Information Security -- 1.3.2 The Impact of Outsourcing: Privacy, Security, and Enforcing Controls -- 1.3.3 Privacy and New Roles for Information Security -- 1.4 Future Trends -- Chapter 2 Data Protection -- 2.1 Background -- 2.2 Observations -- 2.3 Recommendations -- 2.3.1 Formalize a Trust Model -- 2.3.2 Utilize an Integrated and Holistic Approach to Security and Governance -- 2.3.3 Implement a Risk-Based Systemic Security Architecture -- 2.3.4 Support an Adaptive Security Approach to Security -- 2.3.5 Build Systems, Applications, Networks, Protocols, and Others Using Accepted Standards -- 2.4 Future Trends -- Chapter 3 IT Operational Pressures on Information Security -- 3.1 Background -- 3.1.1 IT Operations and IT Service Development Impede Information Security Goals -- 3.1.2 Information Security Impedes IT Operations and IT Service Development Goals -- 3.1.3 Information Security Using a Technology-Centric, Bottom-Up Risk Model -- 3.2 Observations -- 3.3 Recommendations -- 3.3.1 Stabilize the Patient and Get Plugged into Production -- 3.3.2 Find Business Risks, Identify Controls, and Fix Fragile Artifacts -- 3.3.3 Implement Development and Release Controls -- 3.3.4 Continually Improve -- 3.4 Future Trends -- Chapter 4 Information Classification -- 4.1 Background -- 4.2 Observations -- 4.3 Recommendations -- 4.4 Future Trends -- Chapter 5 Human Factors -- 5.1 Background -- 5.1.1 Historical Perspective on Privacy -- 5.1.2 Impact of Technology on Privacy -- 5.1.3 Privacy in a Corporate Setting -- 5.1.4 Evolution of Personal Information -- 5.2 Observations.

5.2.1 Privacy Trade-offs-Human Behavioral Impact on Privacy -- 5.2.2 What is Risk? -- 5.3 Recommendations -- 5.4 Future Trends -- Acknowledgments -- Part II: Risks -- Chapter 6 Making the Case for Replacing Risk-Based Security -- 6.1 Introduction -- 6.1.1 Understanding Security Risk -- 6.2 Why Risk Assessment and Risk Management Fail -- 6.2.1 Misplaced Support for Risk-Based Security in Practice -- 6.2.2 Alternatives to Security Risk Assessment -- 6.3 Conclusion -- Chapter 7 The Economics of Loss -- 7.1 Security as the Prevention of Loss -- 7.2 Quantifying the Risk of Loss -- 7.3 Refining the Basic Risk Equation -- 7.4 The Problem of Quantifying Loss Itself -- 7.5 Confronting the Reality of Hypothetical Actions -- 7.6 Overcoming the Fixation on Assets -- 7.7 Overcoming the Fixation on Market Value -- 7.8 Overcoming the Fixation on Productivity -- 7.9 Overcoming the Neglect of Substitutes -- 7.10 Taking Account of the Duration and Extent of the Effects -- 7.11 Distinguishing Between the Different Business Categories of Attacks -- 7.12 Putting the Proper Risk Estimates Back into the ROI Calculation -- Chapter 8 Legal and Regulatory Obligations -- 8.1 The Expanding Duty to Provide Security -- 8.1.1 Where Does It Come From? -- 8.1.2 What Is Covered? -- 8.2 The Emergence of a Legal Standard for Compliance -- 8.2.1 The Developing Legal Definition of "Reasonable Security" -- 8.2.2 An Increasing Focus on Specific Data Elements and Controls -- 8.3 The Imposition of a Duty to Warn of Security Breaches -- 8.3.1 The Basic Obligation -- 8.3.2 International Adoption -- 8.4 Conclusion -- Chapter 9 Telecommunications -- 9.1 Security Issues in Mobile Telecommunications -- 9.1.1 Pressure on the Perimeter Model -- 9.1.2 Computer Security Threats for Portable Devices -- 9.2 Security Issues in Global Telecommunications -- 9.2.1 Global Cooperation on Cyber Attack.

9.2.2 Global Attention to Software Piracy -- 9.3 Security Issues in Internet Protocol-Based Telecommunications -- 9.3.1 Reduced Technological Diversity -- 9.3.2 Increased Reliance on Shared, Decentralized Internet-Based Systems -- 9.4 Security Issues in Bandwidth-Increasing Telecommunications -- 9.4.1 Residential Users Have Greater Security Responsibility -- 9.4.2 Botnets Become a Huge Threat to the Global Economy -- References -- Part III: Experience -- Chapter 10 Financial Services -- 10.1 Laws, Regulations, and Supervisory Requirements -- 10.1.1 Gramm-Leach-Bliley Act of 1999 -- 10.1.2 The Sarbanes-Oxley Act of 2002 -- 10.1.3 The Fair and Accurate Credit Transactions Act of 2003 -- 10.1.4 Breach Notification Requirements -- 10.1.5 Supervisory Guidance -- 10.2 Future Focus -- 10.2.1 Identity Theft Prevention -- 10.2.2 Outsourcing and Offshoring -- 10.2.3 Cross-Border Data Flows -- 10.2.4 Encryption -- 10.2.5 Online Behavioral Advertising -- 10.2.6 Internet Governance -- 10.2.7 Wireless Security -- 10.2.8 Capital Requirements for Operational Risk -- 10.2.9 Security of Web-Based Business Applications -- 10.2.10 Other Future Focuses in Financial Sector Security -- 10.3 Compliance Challenges -- Chapter 11 Energy -- 11.1 Overview of Sector -- 11.2 Risks Related to Security and Privacy -- 11.3 How Risks Are Addressed -- 11.4 Documentation and Its Relation to Information Security -- 11.5 Conclusion -- Acknowledgments -- Selected Bibliography -- Chapter 12 Transportation Security -- 12.1 Overview -- 12.2 Technology's Role in Transportation Security -- 12.3 Security in Transit -- 12.4 Best Practices Applied -- Chapter 13 Academia -- 13.1 Overview -- 13.1.1 Age and Demographics -- 13.1.2 You Cannot Fire Me -- 13.1.3 Hard to Educate Users -- 13.1.4 Lax Controls -- 13.1.5 How Everything Is Connected -- 13.2 Case Studies.

13.2.1 Case Study: Social Networking and Crimeware -- 13.2.2 Case Study: Social Phishing -- 13.2.3 Case Study: Infected Access Points -- 13.3 Protection -- References -- Appendix A Key Information Security Law References -- A.1 Federal Statutes -- A.2 State Statutes -- A.3 Federal Regulations -- A.4 State Regulations -- A.5 Court Decisions -- A.6 FTC Decisions and Consent Decrees -- A.7 State Attorneys General Consent Decrees -- A.8 European Union-Directives -- A.9 European Union-Security Provisions in Country Implementations of Data Protection Directive -- A.10 Other Countries -- About the Authors -- Index.
Abstract:
Here's a unique and practical book that addresses the rapidly growing problem of information security, privacy, and secrecy threats and vulnerabilities. The book examines the effectiveness and weaknesses of current approaches and guides you towards practical methods and doable processes that can bring about real improvement in the overall security environment.
Local Note:
Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2017. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.