JOnline: Book Review—Information Security and Privacy 


Information Security and Privacy is recommended for professionals who are responsible for protecting customer information and corporate, employee and personnel data; who advise clients or management in information security and compliance with privacy laws; and whose scope includes not only North America and Europe, but also Asia.

This book is written in a readable format for lawyers, C-level managers, auditors and security professionals. Most of the more than 60 coauthors are practicing privacy lawyers with extensive experience in advising clients on a global scale and are from the information security committee of the American Bar Association.

As can be expected, Information Security and Privacy is presented from the perspective of a legal advisory, which creates an interesting and unique view of the topic—one that differs from other information security and privacy publications. The book presents complicated matters in a structured, simple and clear way, which demonstrates that the authors have a firm grasp of the topic.

Activities aimed at gaining illegal access to information and personal data have become more attractive as the value of this information has increased and as the amount of information and functionality stored and offered in online applications has grown. Applying the content and message of this book adds a piece to the mosaic of methods and measures that improve corporate defense in cyberspace, information security and data privacy on a global scale. Additionally, Information Security and Privacy presents important aspects of privacy controls, best practice and liability.

Information Security and Privacy’s 395 pages are structured into eight chapters, four appendices and a rich collection of references to other resources. The first chapter of the book explains the complex term “information security” and lays out an agenda that is applied to all subsequent chapters.

The strength of Information Security and Privacy is its combination of information risk management with the legal aspects of privacy regulations and privacy liability. Readers are instructed in the need for privacy risk management, the consequences to expect if something goes wrong and the types of claims that exist. The core strength of the book is the chapter on privacy laws and regulations, which provides a comprehensive framework covering:

  • International laws
  • Nonregulatory obligations
  • US federal and state laws

The section on international law provides a high-level overview of the status of privacy regulations in Europe, Canada, 15 countries of the Asia-Pacific region and four Latin American countries. Although a detailed description of the privacy legislation in those countries exceeds the scope of one book, Information Security and Privacy delivers a valuable entry point for readers looking to obtain a better understanding of what privacy legislation exists in the selected countries, and also underlines that more understanding must be acquired when doing business in any country.

It is critical for businesses to understand legal implications and compliance and to have appropriate safeguards and risk management efforts in place to protect the information and private data of customers and the organization. Information Security and Privacy is a great contribution to achieve that and deals with technical aspects, legal considerations and security standards, and even gives examples for best-practice documents. It is a must read and “must understand” for executives, security professionals, international accountants, auditors and management consultants.

Editor’s Note

Information Security and Privacy is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in this Journal, visit, e-mail or telephone +1.847.660.5650.

Reviewed by Horst Karin, Ph.D., CISA, CRISC, CISSP, president of DELTA Information Security Consulting Inc., which provides consulting services in information security and risk management. Karin’s advisory services focus on SAP security; governance, risk and compliance; public key infrastructure; WebTrust; and sustainable regulatory compliance. He is the coauthor of SAP Security and Risk Management and chair of the ISACA Publications Subcommittee.

The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

© 2012 ISACA. All rights reserved.