TOTAL SECURITY

Guide to the Protection of Company Assets

by Giancarlo Butti

>> table of contents, foreword, presentation and contents of the book

Giancarlo Butti, whom I have known as a Clusit member for several years, has always shown himself to be very attentive and sensitive to information security issues and has produced numerous publications on these topics since 2003.

With this book, which focuses on the protection of company assets, understood as physical goods, information and people, the author intends to promote a correct perception of risks among entrepreneurs and professionals, proposing a self-assessment and giving some simple tips to raise the level of security immediately.

I can only be grateful to Giancarlo for this effort to disseminate a correct information security culture, which is one of the activities promoted and carried out by Clusit.

Paolo Giudice
General Secretary
CLUSIT - Italian Association for Information Security
www.clusit.it

At last, a text that deals with computer security with a different slant from the usual, and which is addressed not to the usual insiders, but to those who are not in the trade and have only a smattering of these issues and must for their fortune identify the tangible and intangible assets to be protected, pragmatically identify the threats that may affect those assets, provide adequate protection so that they remain as far away from their structure as possible and, since resources are a non-infinite entity, at least manage the residual risk.

Simple perhaps to say, but by no means trivial to achieve if you do not have a guide who can be a good companion on the bench.

In my opinion, the book also has the great ability to open a wide window on the rules of conduct that should be the vademecum of the people who have to live with IT and security, whether as operators in the sector or as end users.

I found the reported case studies very appreciable, as they offer a wide-angle view of some positive examples of small to medium-sized companies where security has received acceptable attention. These cases are emblematic because in those types of companies it is usually difficult to find an employee with adequate knowledge/awareness of the subject, but above all, very often the entrepreneur/owner is little inclined to invest in IT security unless forced to by the law (remember that some also have criminal implications), so he often relies on the substantial support of the local patron saint. The message that becomes clear is that even in situations where often nothing is done about security, it is possible instead to take substantial steps by relying on a correct approach.

The last chapter of the book deals with safety law, which in Italy in recent years has received a great deal of attention from the institutions Extracting the most relevant articles I found it meritorious especially for the didactic approach aimed at bringing even people who are normally reluctant to venture into the legal world closer to the dictate.

This is rounded off by a valuable appendix of operational sheets to inventory assets, documents, measures that can be taken...

A detail I like to emphasise is that except for a few terms now in current use and a solitary DMZ, the absence of pure computer language and even of the English type-prezzemolo, so favoured by so many authors in almost contempt of the beautiful equivalents in our language, shines through.

A final consideration on a few points that I would dare to call small pearls - Giancarlo insists among others on the need for training at all levels and periodic audits - two of the most important secrets for achieving and maintaining a good level of security.

Silvano Ongetta
President
AIEA - Italian Association of Information Systems Auditors
www.aiea.it

THE BOOK IS DISCUSSED

ABI LAB
Download pdf

STRONG BANK
www.bancaforte.it/articolo/un-vademecum-per-la-sicurezza-in-azienda-RB47169k

TOOLNEWS
Download pdf

IGED.IT
Download pdf

BANCO&NOI June/July 2011
Download pdf

ASSIOM FOREX LETTER (Courtesy of Lettera Assiom Forex, previously published in Lettera Assiom Forex October/2011)
Download pdf

TOTAL SECURITY OF YOUR DATA: Disaster Recovery and High Availability
www.lineacom.it/1/nt/news/109/

THE AUTHOR

Giancarlo Butti

(LA BS7799), (LA ISO IEC 27001), CRISC, ISM

Master's degree in Business Management and Organisational Development at MIP-Politecnico di Milano.

He has been involved in ICT, organisation and regulation since the early 1980s in various roles: organisation analyst, security manager and auditor at banking groups.
Consultant in document, security, privacy... at companies of different sectors and sizes.

He has to his credit more than 600 articles in 20 different publications (for years he was a member of the Technical Committee of the magazine iged.it) and 17 books and white papers, some of which are used as university texts; he holds courses and seminars and is a lecturer at ITER and ABI Formazione on privacy, ICT audit and regulatory audit.

Among the document-related publications: Working with hypertexts '91, Guide to document management '97, Discourse on multimedia '98, Guide to workflow '99, Internet in the company '00, The IT protocol for public administration '03, IT protocol according to AIPA standards - Guide to solutions based on Microsoft technology '03, Portals for public administration '04, Intranet for public administration '04, Information at hand. Always. Everywhere '12.

He is a member and pro-bassador of AIEA (www.aiea.it) and a member of CLUSIT (www.clusit.it).

He participates in the working groups of ABI LAB on Business Continuity, of ISACA-AIEA on Privacy EU and is a member of the OMAT360 Expert Committee on Innovation.

LinkedIn profile

REGULATORY UPDATES

Since the publication of the book TOTAL SAFETY, important changes have been made to Legislative Decree 196/03.

For the reader's convenience, those that have a significant impact on information systems and security measures (as well as on formal aspects) are listed, referring for the official text to www.garanteprivacy.it where the updated version of the regulatory text is always available.

Variations occurring after the publication of the book and subsequently repealed are omitted.

Art. 4. Definitions
...
(b) 'personal data' means any information relating to a natural person who is identified or identifiable, even indirectly, by reference to any other information, including a personal identification number;(1)
...
(i) 'data subject' means the natural person to whom personal data relate; (2)
...

(1) Paragraph amended by Article 40(2)(a) of Decree-Law No 201 of 6 December 2011, converted, with amendments, into Law No 214 of 22 December 2011.
(2) Paragraph amended by Article 40(2)(b) of Decree-Law No 201 of 6 December 2011, converted, with amendments, into Law No 214 of 22 December 2011.

Article 34. Processing by electronic means
...
1-bis.(1) For entities which process only non-sensitive personal data and which process as the only sensitive and judicial data those relating to their employees and collaborators, including those relating to their spouses and relatives, the keeping of an updated security policy document shall be replaced by the obligation of self-certification, issued by the data controller pursuant to Article 47 of the Consolidated Act referred to in Presidential Decree no. 445 of 28 December 2000, to process only such data in compliance with the minimum security measures provided for in this Code and the technical specifications contained in Annex B). 445 of 28 December 2000, to process only such data in compliance with the minimum security measures laid down in this Code and in the technical specifications contained in Annex B). In relation to such processing, as well as to processing operations carried out in any event for current administrative-accounting purposes, in particular at small and medium-sized enterprises, freelance professionals and artisans, the Garante, having consulted the Minister for Regulatory Simplification and the Minister for Public Administration and Innovation, shall identify by its own provision, to be updated periodically, simplified procedures for applying the technical specification contained in the aforementioned Schedule B) with regard to the adoption of the minimum measures referred to in paragraph 1.

1-ter.(1) For the purposes of applying the provisions on the protection of personal data, processing operations carried out for administrative-accounting purposes are those connected with the performance of activities of an organisational, administrative, financial and accounting nature, regardless of the nature of the data processed. In particular, these purposes include internal organisational activities, those functional to the fulfilment of contractual and pre-contractual obligations, the management of the employment relationship in all its phases, the keeping of accounts and the application of regulations on tax, trade union, social security, health, hygiene and safety at work.
...

(1) Paragraphs added by Article 6, paragraph 2, letter a), number 5), of Decree-Law No 70 of 13 May 2011, converted, with amendments, by Law No 106 of 12 July 2011. They replace the preceding paragraph 1-bis added by Article 29(1) of Decree-Law No 112 of 25 June 2008, converted, with amendments, by Law No 133 of 6 August 2008.

Decree-Law No. 5 of 09 February 2012 - Urgent provisions on simplification and development
(OJ No. 33 of 9-2-2012 - Ordinary Supplement No. 27)

Introducing in Article 45 the following Simplifications in the field of personal data

1. Legislative Decree No 196 of 30 June 2003 is amended as follows:

(d) Paragraphs 19 to 19.8 and 26 are deleted from the technical specifications on minimum security measures in Annex B.

Some of the content reproduced on this page is available directly on the website of the respective owners.

Cookie	Durata	Descrizione
consent	2 years	Used to detect whether the visitor has accepted the marketing category in the cookie banner. This cookie is required for GDPR compliance of the website.
cookielawinfo-checkbox-advertisement	1 year	Used to detect whether the visitor has accepted the marketing category in the cookie banner. This cookie is required for GDPR compliance of the website
cookielawinfo-checkbox-analytics	1 year	Used to detect whether the visitor has accepted the statistics category in the cookie banner. This cookie is required for GDPR compliance of the website
cookielawinfo-checkbox-functional	1 year	Determines whether the user has accepted the cookie consent box
cookielawinfo-checkbox-necessary	1 year	Determines whether the user has accepted the cookie consent box
cookielawinfo-checkbox-others	1 year	Stores the user's cookie consent status for the current domain
cookielawinfo-checkbox-performance	1 year	Stores the user's cookie consent status for the current domain
language	session	Save the user's preferred language on the website
SameSite	1 day	It ensures the security of visitors' browsing by preventing the falsification of requests between sites. This cookie is essential for the security of the website and the visitor
wc_cart_hash_#	persistent
wc_fragments_#	session

Cookie	Durata	Descrizione
ld:#:$diagnostics	persistent	This GoToWebinar cookie is used for the technical implementation of the webinar
machineId	persistent	This GoToWebinar cookie is used for the technical implementation of the webinar.
OREO	session	This GoToWebinar cookie is used for the technical implementation of the webinar

Cookie	Durata	Descrizione
ADRUM_BT1	1 day	This cookie is used to detect errors on the site; this information is sent to support staff to optimise the visitor experience on the site
ADRUM_BTa	1 day	This cookie is used to detect errors on the site; this information is sent to support staff to optimise the visitor experience on the site.
browser_id	5 years	Used to recognise the user's browser when returning to the website

Cookie	Durata	Descrizione
_ga	2 years	Registers a unique ID used to generate statistical data on how the visitor uses the website
_gat	1 day	Used by Google Analytics to limit the frequency of requests
_gid	1 day	Registers a unique ID used to generate statistical data on how the visitor uses the website
collect	session	Used to send data to Google Analytics about the device and user behaviour. Tracks the user across devices and marketing channels
vuid	2 years	It collects data on user visits to the site, such as which pages were consulted

Cookie	Durata	Descrizione
ads/ga-audiences	session	Used by Google AdWords to re-engage visitors who might become customers based on their online behaviour on all websites
VISITOR_INFO1_LIVE	179 days	Try to estimate the speed of the user's connection on pages with embedded YouTube videos
YSC	session	Registers a unique ID for statistics related to which YouTube videos have been viewed by the user
yt-remote-cast-available	session	Stores user's video player preferences using embedded YouTube video
yt-remote-cast-installed	session	Stores user's video player preferences using embedded YouTube video
yt-remote-connected-devices	persistent	Stores user's video player preferences using embedded YouTube video
yt-remote-device-id	persistent	Stores user's video player preferences using embedded YouTube video
yt-remote-fast-check-period	session	Stores user's video player preferences using embedded YouTube video
yt-remote-session-app	session	Stores user's video player preferences using embedded YouTube video
yt-remote-session-name	session	Stores user's video player preferences using embedded YouTube video
yt.innertube::nextId	persistent	Registers a unique ID for statistics related to which YouTube videos have been viewed by the user
yt.innertube::requests	persistent	Registers a unique ID for statistics related to which YouTube videos have been viewed by the user

Total security

TOTAL SECURITY

Guide to the Protection of Company Assets

THE BOOK IS DISCUSSED

THE AUTHOR

REGULATORY UPDATES

Upcoming courses - see all

see all scheduled courses

BE ITER

ITER protects its computers with NOD32 antivirus system

Social

Search

Disclaimer

Company data

Contact