Sicurezza totale 4.0

For the purchase of several titles, please contact the secretariat:

3484161819 | it**@it*********.it

This book is aimed at those who do not have a specific competence in the field of security and are called upon, in various capacities, to protect:

  • personal data and the rights and freedoms of natural persons (as Data Controller, DPO, Data Processor, etc.), in accordance with privacy legislation
  • the assets of one's organisation (business assets, as an entrepreneur, professional, PA executive, etc.)
  • company know-how.

The book is also useful for those who are entrusted with supporting them in risk assessment and in choosing and implementing the most suitable security measures, allowing them to share a common language as free of jargon as possible.

All the main aspects relating to the security and protection of tangible and intangible assets, including personal data, which constitute an organisation's assets, are described in simple, discursive language, as far as possible free of technical terms.

The didactic approach can also help security professionals in their work: they will find in this text a tool for presenting topics that are not always easy to explain.

The perspective of the book is to give guidance on the management of business risks and the related countermeasures from a synergetic viewpoint, aimed at protecting:

  • corporate assets
  • personal data
  • the rights and freedoms of natural persons
  • corporate know-how
  • in order to protect the company against:
    • losses: economic, image, clientele, know-how
    • legal disputes
    • sanctions: economic, criminal, blocking of processing.

THE CONTENTS OF THE BOOK

The book consists of two parts.

Part One

The first part includes a series of descriptive and didactic chapters describing the risk assessment process both from the point of view of corporate assets and from the point of view of privacy legislation (protection of the fundamental rights and freedoms of natural persons).

Since this is not a technical book, the way in which the information is presented is intended to be simple and schematic, almost like a presentation, a sequence of slides and tables that briefly express the most important concepts.

It is then up to the reader to go deeper into the notions presented in the descriptive part of the text; further investigation is possible by consulting the available documentation:

  • in the second part of the book and in the appendices
  • free of charge on the sites selected at the end of the text.

The first part of the book consists of several chapters, corresponding to as many stages of a risk analysis.

In the chapter "Assets to be protected" the focus is on the identification of corporate assets, their valuation, and their interactions. The identification of tangible assets to be protected is relatively simple. As far as information (intangible assets) is concerned, the investigation makes it possible to identify where it is present within the company: documents, information system, company practices, knowledge and skills of employees, prototypes...; information is thus held within material assets or constitutes someone's knowledge and skills.

Information includes personal data, the subject of particular protection as it is covered by a substantial body of legislation, the violation of which could have consequences on the fundamental rights and freedoms of natural persons (the true object of protection under privacy legislation).

In the chapter "Risk management" we go on to analyse what risks, threats, vulnerabilities... are.

A tangible asset can be stolen, damaged, destroyed; information can also be stolen or deleted, but it can also be copied or intercepted without altering the original and thus without the owner being aware of it.

The threats to information are therefore more extensive and numerous than those to the physical goods that contain it.

The destruction of a server has an impact on both the intrinsic value of the asset and the data it contains. If that server provides an important service for the company (or its customers), there may be further consequences, such as service interruption, with economic, legal and image repercussions.

If the compromised data included personal data, there could also be consequences for the rights and freedoms of natural persons.

The analysis of the risks associated with, for example, the loss of an asset cannot be limited to the mere monetary valuation of the asset, but must also assess the real impact on the company's business, as well as on the rights and freedoms of individuals.

This assessment is indispensable in order to allow a proper evaluation of the costs and benefits of possible countermeasures, bearing in mind that risks to the rights and freedoms of natural persons are not business risks (and are therefore not at the company's disposal) and that their management therefore has specific implications.

For instance, in the case of high risk, the legislation provides for a specific set of requirements, such as the execution of a DPIA.

In the chapter "Security Measures" numerous organisational, physical and logical countermeasures and their management processes are presented. There is also a collection of "Rules of Conduct", which readers can distribute to their employees. However, we do not go into the technical details of the solutions, as this activity requires specific expertise.

Technical countermeasures need to be implemented by specialists, whereas organisational and behavioural countermeasures that can significantly reduce risks can be implemented immediately.

For example, for an accountant, the very simple rule of keeping only photocopies of documents useful for filing his clients' tax returns in his office significantly limits the risk of their destruction or loss (and the related legal, image, and economic consequences).

The chapter "Security regulations" illustrates the numerous regulations that affect security in the company: the GDPR, Legislative Decree 196/03, the numerous provisions of the Guarantor for the protection of personal data, the legislation on computer crimes, the legislation on the administrative liability of companies, the legislation on digital signatures...

Part Two and Appendices: Operational Tools

The second part of the book collects a series of operational sheets useful for the inventory of corporate assets and for the valuation of risk. In this way the reader can immediately carry out a first analysis of their own situation, assessing their exposure to risk and identifying the appropriate countermeasures.

Giancarlo Butti (gi*************@pr***.it)

(LA BS 7799, LA ISO IEC 27001:2005/2013/2022, LA ISO 20000-1, LA ISO 22301, LA ISO IEC 42001), CRISC, CDPSE, ISM, DPO, DPO UNI 11697:2017, DPO UNI CEI EN 17740:2024, CBCI, AMBCI

Master in Business Management and Organisational Development (MIP - Politecnico di Milano).

ESG (Environmental, Social and Governance) and Inclusion contact person(*) of the CLUSIT Scientific Committee.

He has been involved in ICT, organisation and regulation since the early 1980s:

  • organisation analyst, project manager, security manager and auditor in banking groups
  • document, security, privacy... consultant in companies of different sectors and sizes.

As a populariser he has to his credit:

  • over 800 articles in 40 different publications
  • 26 books and white papers, some of which are used as university texts
  • 27 collective works as part of ABI LAB, Oracle/CLUSIT Community for Security, CLUSIT Report on ICT Security in Italy
  • speaker at over 170 events at ABI, ISACA/AIEA, AIIA, ORACLE, CLUSIT, ITER, INFORMA BANCA, CONVENIA, CETIF, IKN, TECNA, UNISEF, PARADIGMA...
  • former teacher of the ABI professional training course - Privacy Expert and Data Protection Officer
  • lecturer in masters and postgraduate courses at several universities:
    • Master's Degree in "Data Protection Officer and Privacy Law" at the University Suor Orsola Benincasa - Naples
    • Postgraduate Course in Data Protection and Data Governance at the University of Milan
    • Cefriel Data Protection Officer Advanced Training Course
    • UNISEF Master's Degree for Personal Data Protection Officers
    • DPO Pathway and the Information Security & Privacy Observatory of the Politecnico di Milano
    • Risk analysis and management at the State University of Milan
  • Master in Risk management, internal audit & fraud at Ca' Foscari Challenge School.

Member and former proboviro of AIEA/ISACA (www.aiea.it - Italian Association of Information Systems Auditors), of CLUSIT (www.clusit.it - Italian Association for Information Security), of DFA (www.perfezionisti.it - Digital Forensics Alumni), of ACFE (https://www.acfecentral.it/ - Association of Certified Fraud Examiners) and of BCI (www.thebci.org - Business Continuity Institute).

Participates in various working groups of ABI LAB, ISACA-AIEA, the CLUSIT...

(*) Former researcher in the field of renewable energy (UNESCO - International directory of new and renewable energy information sources and research centres, 1986)

TABLE OF CONTENTS

  • PRESENTATION OF THE SECOND EDITION
  • PRESENTATION OF THE FIRST EDITION
  • PRESENTATION BY PAOLO GIUDICE
  • REVIEW BY SILVANO ONGETTA
  • INTRODUCTION
  • THE CONTENTS OF THE BOOK
  • PART ONE
  • THE ASSETS TO BE PROTECTED
  • ASSETS FROM THE COMPANY'S POINT OF VIEW
  • TANGIBLE ASSETS
  • INTANGIBLE ASSETS
  • KNOWLEDGE
  • INTELLECTUAL CAPITAL
  • THE CLASSIFICATION OF INFORMATION
  • DOCUMENTS
  • ELECTRONIC DOCUMENTS
  • THE INFORMATION SYSTEM
  • THE INFORMATION LIFE CYCLE
  • HUMAN CAPITAL
  • OTHER ASSETS
  • ENISA METHODOLOGY FOR SMEs
  • THE LOCATION OF CORPORATE ASSETS
  • DOCUMENTARY VERIFICATION
  • ASSETS FROM THE POINT OF VIEW OF PRIVACY LEGISLATION
  • THE SCOPE OF PROTECTION
  • THE PROTECTED SUBJECTS
  • RISK MANAGEMENT
  • RISK ANALYSIS
  • RISKS
  • CORRELATION BETWEEN ASSETS
  • THREATS TO TANGIBLE ASSETS
  • THREATS TO INTANGIBLE ASSETS
  • PERSONNEL-RELATED EVENTS
  • SECURITY REQUIREMENTS
  • ENISA METHODOLOGY FOR SMEs
  • IMPACTS FOR THE COMPANY
  • CORRELATION BETWEEN IMPACTS
  • THREATS
  • ENVIRONMENTAL THREATS
  • INDUSTRIAL THREATS
  • THREATS – FAILURES
  • BEHAVIOURAL THREATS
  • VULNERABILITIES
  • RISK ANALYSIS FROM THE COMPANY'S POINT OF VIEW
  • PHASES OF RISK ANALYSIS
  • RISK ANALYSIS FROM THE GDPR POINT OF VIEW
  • COMPARISON BETWEEN RISK ANALYSIS FROM THE COMPANY'S AND THE GDPR POINT OF VIEW
  • RISK TREATMENT
  • RECOVERY COSTS
  • TREATMENT OF BUSINESS RISK
  • RISK TREATMENT FROM THE GDPR POINT OF VIEW
  • SURVEY OF THE SECURITY MEASURES IN PLACE
  • ACTIVATION OF COUNTERMEASURES
  • RISK TRANSFER
  • THE RISK ANALYSIS CYCLE
  • SECURITY MEASURES
  • CLASSIFICATION OF SECURITY MEASURES
  • LIFE CYCLE OF SECURITY MEASURES
  • CONSISTENCY IN COUNTERMEASURES
  • DIFFERENCES IN COUNTERMEASURES
  • EXAMPLES OF SECURITY MEASURES
  • GENERAL MEASURES
  • RELATIONS WITH PERSONNEL
  • MANAGEMENT OF PHYSICAL/LOGICAL ACCESS TO ASSETS
  • RELATIONS WITH EXTERNAL PARTIES (SUPPLIERS/OUTSOURCERS)
  • SECURITY MANAGEMENT
  • CONTROLS
  • PHYSICAL SECURITY
  • VIDEO SURVEILLANCE
  • LOGICAL SECURITY
  • DOCUMENT MANAGEMENT
  • BUSINESS CONTINUITY
  • COMMUNICATIONS
  • CRYPTOGRAPHY
  • PSEUDONYMISATION
  • ELECTRONIC SIGNATURES
  • IMPLEMENTING SECURITY MEASURES
  • SUMMARY OF BASIC SECURITY MEASURES
  • OPERATIONAL CONTINUITY
  • PHYSICAL SECURITY
  • OPERATIONAL SCENARIOS
  • MOBILE TELEPHONY
  • END USER COMPUTING APPLICATIONS
  • SOCIAL MEDIA
  • MANAGEMENT OF ELECTRONIC WASTE
  • BIG DATA
  • BLOCKCHAIN AND DLT
  • ARTIFICIAL INTELLIGENCE
  • CLOUD
  • IOT (INTERNET OF THINGS)
  • SECURITY REGULATIONS
  • THE PROTECTION OF PERSONAL DATA AND OF THE RIGHTS AND FREEDOMS OF NATURAL PERSONS
  • SECURITY MEASURES IN LEGISLATIVE DECREE 196/03 PRE-GDPR
  • SIMPLIFICATIONS
  • SECURITY MEASURES IN THE GDPR
  • PROVISIONS AFFECTING SECURITY
  • HEALTH AND SAFETY IN THE WORKPLACE
  • SAFETY OF INSTALLATIONS
  • COMPUTER CRIME
  • COPYRIGHT
  • ADMINISTRATIVE LIABILITY
  • CONTROLS AND LIMITS ON CONTROLS
  • CONSTRAINTS
  • SOLUTIONS
  • PRIVACY AND WORK VADEMECUM – APRIL 2015
  • TOOLS USED BY THE WORKER TO PERFORM THE WORK
  • THE PROTECTION OF KNOW-HOW
  • PART TWO – OPERATIONAL TOOLS
  • FORMS FOR COLLECTING INFORMATION
  • SECURITY MEASURES FOR THE SITE
  • SECURITY MEASURES FOR THE ROOMS
  • SECURITY MEASURES FOR THE DATA CENTRE
  • PAPER ARCHIVES (DOCUMENTS / MEDIA)
  • SURVEY OF SKILLS/KNOWLEDGE
  • TOOLS FOR MAPPING PROCESSES AND PROCESSING OPERATIONS
  • THE SURVEY OF BUSINESS PROCESSES
  • PROCESS SURVEY SHEETS
  • THE SURVEY OF DOCUMENT FLOWS
  • THE DPS AS A MAPPING TOOL
  • THE RECORD OF PROCESSING ACTIVITIES (AUTORITÀ GARANTE PER LA PROTEZIONE DEI DATI PERSONALI)
  • EXAMPLES OF POLICIES AND PROCEDURES
  • EXAMPLE 1 – CLASSIFICATION OF PERSONAL DATA/INFORMATION
  • EXAMPLE 2 – RULES OF CONDUCT
  • EXAMPLE 3 – RULES FOR CORPORATE COMMUNICATIONS TO AND FROM OUTSIDE THE COMPANY
  • EXAMPLE 4 – POLICY FOR THE USE OF CORPORATE E-MAIL
  • EXAMPLE 5 – MANAGEMENT OF DATA BREACHES
  • ANNEXES
  • ANNEX A – PURPOSES OF PROCESSING
  • ANNEX B – DATA SUBJECTS
  • ANNEX C – CATEGORIES OF DATA PROCESSED
  • ANNEX D – RISK SCENARIOS – EXTERNAL RESOURCES
  • IT-GRUNDSCHUTZ CATALOGUES
  • ENISA – THREAT TAXONOMY
  • ANNEX E – SECURITY MEASURES – EXTERNAL RESOURCES
  • ENISA – HANDBOOK ON SECURITY OF PERSONAL DATA PROCESSING
  • NATIONAL CYBERSECURITY FRAMEWORK
  • IT-GRUNDSCHUTZ CATALOGUES
  • NIST SPECIAL PUBLICATION 800-53 (REV. 4)
  • ANNEX F – POLICIES AND PROCEDURES – EXTERNAL RESOURCES
  • AUSTRALIAN GOVERNMENT INFORMATION SECURITY MANUAL
  • SANS INSTITUTE
  • ANNEX G – RISK ANALYSIS AND DPIA – EXTERNAL RESOURCES
  • AEPD
  • CNIL
  • ANNEX H – RISK ANALYSIS – LISTADO DE CUMPLIMIENTO NORMATIVO
  • ANNEX I – RISK ANALYSIS – EXTERNAL RESOURCES
  • ANNEX J – TRANSLATION OF THE ENISA TABLES
  • ANNEX K – QUALITATIVE AND QUANTITATIVE RISK ANALYSIS
  • A COMPARISON BETWEEN THE TWO APPROACHES
  • DATA COLLECTION
  • SOURCES OF INFORMATION
  • ASSIGNING VALUES
  • QUALITATIVE SCALES
  • QUANTITATIVE SCALES
  • THE PROBLEM OF REPRESENTING ESTIMATED VALUES
  • CALCULATING QUANTITATIVE RISK
  • SUM OR MULTIPLICATION?
  • CONCLUSIONS
  • ANNEX L – CONTRACTUAL ASPECTS IN RELATIONS WITH OUTSOURCERS/SUPPLIERS
  • SUBJECT
  • CONTRACT MANAGEMENT
  • METHODS
  • COMPLIANCE WITH REGULATIONS
  • LIABILITY
  • FEES
  • QUALITY OF SERVICE
  • DESIGNATION OF THE EXTERNAL PARTY AS DATA PROCESSOR
  • ANNEX M – EXTERNAL RESOURCES
  • ANNEX N – GLOSSARY
