Information Security and Privacy 


By Thomas J. Shaw Esq.
Reviewed by Horst Karin, Ph.d., CISA, CRISC, CISSP

Bookstore Purchase the Book

Information Security and PrivacyInformation Security and Privacy is recommended for professionals who are responsible for protecting customer information and corporate, employee and personnel data; who advise clients or management in information security and compliance with privacy laws; and whose scope includes not only North America and Europe, but also Asia.

This book is written in a readable format for lawyers, C-level managers, auditors and security professionals. Most of the more than 60 coauthors are practicing privacy lawyers with extensive experience in advising clients on a global scale and are from the information security committee of the American Bar Association.

As can be expected, Information Security and Privacy is presented from the perspective of a legal advisory, which creates an interesting and unique view of the topic—one that differs from other information security and privacy publications. The book presents complicated matters in a structured, simple and clear way, which demonstrates that the authors have a firm grasp of the topic.

Activities to gain illegal access to information and personal data have become more attractive as the value of this information and data has increased and as the amount of information and functionality stored and offered in online applications has grown. Utilizing the content and message of this book will add a piece in the mosaic of methods and measures to improve corporate defense in cyberspace, information security and data privacy on a global scale. Additionally, Information Security and Privacy presents important aspects for privacy controls, best practice and liability.

Information Security and Privacy’s 395 pages are structured into eight chapters, four appendices and a rich collection of references to other resources. The first chapter of the book explains the complex term “information security” and lays out an agenda that is applied to all subsequent chapters.

The strength of Information Security and Privacy is its combination of information risk management and aspects of privacy regulations and privacy liability. Readers are instructed in the need for privacy risk management, the expected consequences if something goes wrong and the type of claims that exist. The core strength of the book is the chapter about privacy laws and regulations, which provides a comprehensive framework in:

  • International laws
  • Nonregulatory obligations
  • US federal and state laws

The section on international law provides a high-level overview of the status of privacy regulations in Europe, Canada, 15 countries of the Asia-Pacific region and four Latin American countries. Although a detailed description of the privacy legislation in those countries exceeds the scope of one book, Information Security and Privacy delivers a valuable entry point for readers looking to obtain a better understanding of what privacy legislation exists in the selected countries, and also underlines that more understanding must be acquired when doing business in any country.

It is critical for businesses to understand legal implications and compliance and to have appropriate safeguards and risk management efforts in place to protect the information and private data of customers and the organization. Information Security and Privacy is a great contribution to achieve that and deals with technical aspects, legal considerations and security standards, and even gives examples for best-practice documents. It is a must read and “must understand” for executives, security professionals, international accountants, auditors and management consultants.

Editor’s Note

Information Security and Privacy is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in this Journal, visit, e-mail or telephone +1.847.660.5650.

Reviewed by Horst Karin, Ph.d., CISA, CRISC, CISSP, president of DELTA Information Security Consulting Inc., which provides consulting services in information security and risk management. Karin’s advisory services focus on SAP security; governance, risk and compliance; public key infrastructure; WebTrust; and sustainable regulatory compliance. He is the coauthor of SAP Security and Risk Management and chair of the ISACA Publications Subcommittee.