Data Risk Governance

Exploring the intersection between information security, privacy, technology and the law.

Categories
Copyright 2009-2012, Matt Sorensen, All Rights Reserved

Site Launched March 2009

Nothing in this site should be construed as legal advice, nor be used in lieu of the advice of your attorney. This information is intended for personal enlightenment and educational purposes only.
Major Works

Information Security & Privacy Law
May 2012

M T W T F S S

« Nov

1 2 3 4 5 6

7 8 9 10 11 12 13

14 15 16 17 18 19 20

21 22 23 24 25 26 27

28 29 30 31
Archives
Meta

May 2012
M	T	W	T	F	S	S
« Nov
	1	2	3	4	5	6
7	8	9	10	11	12	13
14	15	16	17	18	19	20
21	22	23	24	25	26	27
28	29	30	31

Blogroll
My Other Links
- CMS Law, PLLC
Email Subscription

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 2 other followers
Subscribe
- Entries (RSS)
- Comments (RSS)
Contact Me

matt@mattsorensenlaw.com
Recommended Books

Matt's bookshelf: professional

Information Privacy Law

by Daniel J. Solove

IT Risk: Turning Business Threats into Competitive Advantage

by George Westerman

Re-reading this one.

This is a good overview of the topic supplemented by data gathered from research conducted by the authors. The data is particularly enlightening. I would have liked a more thorough discussion of integrating ...

Fighting Computer Crime: A New Framework for Protecting Information

by Donn B. Parker

I think this is no longer a "new" framework but still a valid insight into information security. One pause I took with this book is the author's complete aversion to information security risk assessment. Unfortunately, there are f...

The Mormon Way of Doing Business: Leadership and Success Through Faith and Family

by Jeff Benedict

This book is great for people curious about Mormons or who may know one in the workplace (hopefully a good one!) The drawback for me is that nothing in this book was really that new to me as the author spends much effort to educate the read...

Risk Intelligence: Learning to Manage What We Don't Know

by David Apgar

So far only OK - it didn't hold my attention for very long. Perhaps the reason is because the author doesn't really provide anything very practical to base the theories on. The topic seems to be just "risk" in whatever form you ch...

1000 Days to the Bar - But the Practice of Law Begins Now: How to achieve your personal best in Law School

by Dennis J. Tonsing

This should be required reading for every first year law student, during the summer before entering law school. You should only buy this one book. Feel free to modify the techniques to fit your style, including the use of newer technologies...

The CISSP Prep Guide: Mastering the Ten Domains of Computer Security

by Ronald L. Krutz

A basic tome on ISC2's ten domains. There are better guides out there, particularly Shon Harris material.

Official (ISC)2 Guide to the CISSP Exam

by Susan Hansche

I say "read" but I really only browsed it. The authors seem to have tried to put forward the most academically acceptable treatise on the ISC2 ten domains. This is not helpful for test preparation. We called this book the "ye...

The Nine: Inside the Secret World of the Supreme Court

by Jeffrey Toobin

Great insight to the people (yes they are people, not demi-gods) who sit on the Supreme Court. The book covers is pre-Chief Justice Roberts and Justice Alito.

Well written and the chapters vary in topic and context enough to make it a...

Cybercrime: The Investigation, Prosecution and Defense of a Computer-Related Crime

by Darlene Demelo Moreau

International Guide to Privacy

by Jody R. Westby

Global Perspectives In Information Security: Legal, Social, and International Issues

by Hossein Bidgoli

Current info sec issues in the legal, social and international context. I read it for the legal insights. As far as a collection of essays goes it is pretty good. I recommend other titles for folks new to information security, this book is ...

Privacy at Risk: The New Government Surveillance and the Fourth Amendment

by Christopher Slobogin

Secrets and Lies: Digital Security in a Networked World

by Bruce Schneier

"The starting point for anyone interested in computer security. The book is a classic and has many imitations. Schneier is brilliant and is still a leading luminary in the world of security."

What Should I Do with My Life?: The True Story of People Who Answered the Ultimate Question

by Po Bronson

"This book has short vignettes about 50 people who pondered their work life and wondered if there was something else out there. Some just up and quit their jobs for a radical career change. Some didn't. Some found success and hapiness,...

Who Moved My Cheese?

by Spencer Johnson

"Want to change your life but don't know how? This short story using mice as an analogy for modern human corporate shmucks, offers a new way to embrace change. Several rules are laid out to guide one away from complacency, complaining ...

The New School of Information Security

by Adam Shostack

Enterprise Information Security and Privacy

by Warren C. Axelrod

Information Privacy Official Reference for the Certified Information Privacy Professional

by Peter P. Swire

Having earned the CISSP credential, most of this book was review for me except for the legal chapter, which was very informative. This book gets the job done, I passed the exam just fine with this as my only preparation.

A Practical Guide for Policy Analysis: The Eightfold Path to More Effective Problem Solving

by Eugene Bardach

Boring. Public policy is just not my thing. I had to read this for school. I'm sure to a public policy devotee the book would be great.

How to Achieve 27001 Certification: An Example of Applied Compliance Management

by Sigurjon Thor Arnason

The book is pretty straight-forward and demystifies some of the quirks of ISO 27001. The book is most helpful to those companies seeking certification and does a nice job of using visual aides to see the required documentation.

Information Technology Risk Management in Enterprise Environments: A Review of Industry Practices and a Practical Guide to Risk Management Teams

by Jake Kouns

Foundations of Banking Risk: An Overview of Banking, Banking Risks, and Risk-Based Banking Regulation

by GARP (Global Association of Risk Professionals)

slide:ology: The Art and Science of Creating Great Presentations

by Nancy Duarte

This book was slightly disappointing. Any learner has to walk the line between theory and application. Theory is essential or one often won't understand the nuances of implementation and application. I had hoped this book would help me make...

Black Swan

by Nassim Nicholas Taleb

Information Security Law

by Mark G. Milone

I read the first edition which felt rushed to market. Very little commentary offered beyond the actual statutory text. It is valuable in collecting the references in one place but lacks any professional insight to the content.

The Failure of Risk Management: Why It's Broken and How to Fix It

by Douglas W. Hubbard

Great insights. There has been a raging battle for years between different camps over the "right" way to do risk analysis in fields other than insurance and finance. This book takes the quantitative risk assessment view and does a...

Share book reviews and ratings with Matt, and even join a book club on Goodreads.

SANS Legal 523: Law of Data Security and Investigations

I recently attended the SANS Legal 523 course during SANS Fire 2010, in Washington DC. The course instructor is Benjamin Wright, an attorney with deep experience in technology and security.

Based on a little inquiry, I gathered that this course is rarely attended by lawyers, and is most often attended by IT professionals. This makes sense as it is hard to imagine attorneys being drawn to an organization like SANS. However, the best professionals today are those with relevant training in multiple disciplines. If you are an attorney and want to learn about information security from the best, I highly recommend taking this course after taking SANS Security 301 as a pre-requisite.

The Legal 523 course is broken out as follows:

Day 1: Fundamentals of IT Security Law and Policy

Security Policy
Privacy Notice & Privacy Laws
Computer Crime Laws
Intellectual Property
Non-Disclosure Agreements and Terms of Use
Honeypots & Entrapment
Active Defenses, Hacking Back

Day 2: E-Records, E-Discovery, and Business Law

Vicarious Liability
E-Discovery
Records Retention, Destruction
Email Retention
Forensics
Privacy Policies
Evidence Law
Signatures

Day 3: Contracting for Data Security and Other Technology

Click Through Agreements
Contract Formation
Battle of the Forms
Liability
Breach
Bonds
Assent
Warranty
Remedies
Liens
Ownership Issues
Subpoenas, Documentation, Audits
Exceptions
Maintenance
Termination
Escrow
Investigations
Competition
Disputes
Non-Disclosure

Day 4: The Law of IT Compliance: How to Conduct Investigations

Cooperation with investigations
Numerous Examples of Fraud (Post-Mordems)
SOX; (See also here and here.)
Securities Fraud
Federal Sentencing Guidelines
Codes of Ethics
Hotlines, Reporting, Whistleblowing
Employee Monitoring, Entrapment
Raids & Seizures

Day 5: Applying Law to Emerging Dangers: Cyber Defense

Sony Root Kit Case Study
Crisis Communications
Choicepoint Case Study
Relationship with Law Enforcement
TJX Case Study
Publicity
Safely Monitoring Threats w/o Incurring Liability
Factors Mitigating Legal Risk
Public Accountability
Political Diplomacy
Strategic Legal Procedures
Competitive Boundaries

Like this:

Be the first to like this page.

Data Risk Governance

Exploring the intersection between information security, privacy, technology and the law.

Categories

Copyright 2009-2012, Matt Sorensen, All Rights Reserved

Major Works

Archives

Meta

Blogroll

My Other Links

Email Subscription

Subscribe

Contact Me

Recommended Books

Matt's bookshelf: professional

SANS Legal 523: Law of Data Security and Investigations

Like this:

Leave a Reply Cancel reply

Follow “Data Risk Governance”