Chapter 12 Short Summary:
1. Documented Operating Procedures:
○ Establish and maintain documented procedures for operational activities, including system start-up/close-down, backup, maintenance, and security monitoring
○ Ensure procedures are authorized and managed as formal documents
2. Change Management:
○ Implement controls to manage changes to the organization, business processes, and information systems to mitigate security risks
○ Include identification, planning, testing, approval, and communication of changes
3. Capacity Management:
○ Monitor resource usage, tune systems for performance, and project future capacity needs to ensure system availability and efficiency
○ Address potential bottlenecks and dependencies on key personnel
4. Separation of Environments:
○ Separate development, testing, and operational environments to prevent unauthorized access or changes to operational systems
○ Define rules for transferring software from development to operational status
5. Protection from Malware:
○ Implement detection, prevention, and recovery controls against malware, supported by user awareness and system access controls
○ Regularly update malware protection software and conduct reviews of system content
6. Backup:
○ Establish a backup policy to define requirements for backing up information, software, and systems
○ Ensure backups are tested, stored securely, and can be restored when needed
7. Logging and Monitoring:
○ Maintain event logs to record user activities, exceptions, and security events
○ Protect log information from tampering and unauthorized access
○ Synchronize system clocks to ensure accurate logging
8. Control of Operational Software:
○ Control the installation of software on operational systems through authorized procedures
○ Maintain an inventory of installed software and ensure it is supported by the vendor
9. Technical Vulnerability Management:
○ Monitor and manage technical vulnerabilities in information systems
○ Evaluate risks and apply patches or other controls to address vulnerabilities
10. Information Systems Audit Considerations:
○ Plan and agree on audit activities to minimize disruptions to business processes
○ Ensure audits are conducted with read-only access to systems and data unless otherwise authorized
Possible questions based on the chapter:
● Could you describe the documented procedures for routine operations - such as system start-up, shutdown, error handling, and change management - and how these procedures are communicated to the team? (Operational Procedures and Responsibilities)
● Can you explain your approach to logging and monitoring? How do you ensure that logs (including user activities and system events) are regularly reviewed and protected against tampering? (Logging and Monitoring)
● What anti-malware measures are currently in place? For example, which tools or software do you use, and how often are these defenses updated? (Protection from Malware)
Chapter 15 Short Summary:
1. Information Security Policy for Supplier Relationships:
○ Establish and document information security requirements to mitigate risks associated with supplier access to the organization’s assets
○ Define controls for managing supplier relationships, including identifying types of suppliers, access levels, and monitoring adherence to security requirements
○ Implement processes for handling incidents, ensuring resilience, and training personnel involved in supplier interactions
2. Addressing Security within Supplier Agreements:
○ Establish agreements with suppliers that detail information security requirements, including data handling, access controls, and legal obligations
○ Include terms for incident management, training, sub-contracting, auditing, and conflict resolution
○ Ensure that agreements cover the entire supply chain, especially for critical components and services
3. Information and Communication Technology Supply Chain:
○ Incorporate security requirements in agreements to manage risks associated with the ICT supply chain
○ Ensure suppliers propagate security practices throughout the supply chain and provide assurance of component integrity and traceability
○ Implement processes for monitoring and validating security compliance and managing component life cycles
4. Monitoring and Review of Supplier Services:
○ Regularly monitor and review supplier service delivery to ensure adherence to security terms and manage incidents effectively
○ Conduct audits, review service reports, and manage any identified problems to maintain agreed service levels
5. Managing Changes to Supplier Services:
○ Manage changes to supplier services, considering the criticality of business information and systems involved
○ Reassess risks when implementing changes to services, networks, technologies, or physical locations, and ensure security controls are updated accordingly
Possible questions based on the chapter:
● How do you currently determine which types of suppliers (IT, logistics, etc.) are allowed to access sensitive information, and what controls are in place to manage that access? (Supplier Access Control)
● What steps are you taking to ensure that the ICT supply chain, including any subcontracted suppliers, meets your security requirements and that you can trace critical components back to their source? (ICT Supply Chain Security)
● What procedures do you have in place to manage changes in supplier services (whether due to new technology, policy updates, or supplier transitions) to ensure continuous security and service quality? (Managing Changes)
GDPR Summary
Key Points of GDPR:
1. Scope & Applicability:
○ Applies to all organizations handling EU citizens' personal data, regardless of location.
○ Covers data controllers (decision-makers) and processors (service providers).
2. Key Principles:
○ Lawfulness, Fairness, and Transparency – Data must be collected and used in a lawful and clear manner.
○ Purpose Limitation – Data must only be collected for specific, legitimate purposes.
○ Data Minimization – Only the necessary data should be collected.
○ Accuracy – Data must be kept up to date.
○ Storage Limitation – Data should only be retained for as long as necessary.
○ Integrity and Confidentiality – Data must be protected against unauthorized access and breaches.
3. Legal Bases for Processing:
○ Consent from the data subject.
○ Performance of a contract.
○ Compliance with legal obligations.
○ Protection of vital interests.
○ Legitimate interests of the data controller (balanced against user rights).
4. Data Subject Rights:
○ Right to access, rectify, erase, and restrict processing of personal data.
○ Right to data portability (transfer data to another service).
○ Right to object to processing (including automated decision-making).
○ Right to be informed about data collection and processing.
5. Obligations for Organizations:
○ Implement security measures to protect data.
○ Conduct Data Protection Impact Assessments (DPIAs) for high-risk activities.
○ Appoint a Data Protection Officer (DPO) for certain cases.
○ Report data breaches within 72 hours to authorities.
6. Enforcement & Penalties:
○ Supervisory authorities (e.g., national data protection agencies) enforce GDPR.
○ Fines can reach €20 million or 4% of annual global turnover, whichever is higher.
How can GDPR regulations affect the company?
1. Data Collection & Customer Interaction
● Consent and Transparency: The company must obtain explicit, informed consent from customers, authors, employees, or any individuals whose personal data is collected. This may require revising subscription forms, online registration processes, and marketing campaigns to ensure that consent is clear and documented.
● Enhanced Privacy Notices: GDPR mandates detailed privacy policies that explain data usage. GVT Book Publishing will need to update its notices on websites, apps, and print materials to communicate what data is collected, why it’s collected, and how long it will be stored.
2. Marketing and Communication
● Email and Direct Marketing: If the company uses email newsletters or promotional campaigns, it must ensure that all communications comply with GDPR. This means:
○ Collecting explicit consent before sending marketing emails.
○ Providing easy opt-out mechanisms.
○ Clearly explaining the purpose of data collection and usage.
● Data Minimization: Only necessary customer data should be collected for specific purposes, reducing potential liability.
3. Internal Policies and Data Governance
● Data Protection Measures: GVT Book Publishing must implement robust security protocols to protect personal data from breaches. This includes:
○ Regular security assessments.
○ Implementing encryption and access controls.
○ Establishing protocols for data breach notifications (reporting breaches within 72 hours).
● Record-Keeping: The company needs to maintain records of data processing activities, which is essential for accountability under GDPR.
● Employee Training: Staff must be trained on GDPR compliance, ensuring that everyone understands their role in protecting personal data.
4. Contracts and Third-Party Relationships
● Vendor Management: If the company outsources any data processing (such as cloud storage, email marketing services, or printing services), it must ensure that these vendors comply with GDPR requirements. This involves updating contracts to include data protection clauses.
● Data Processor Agreements: Clear agreements with third parties are needed to delineate responsibilities and liabilities in case of a data breach or non-compliance.
5. Risk Management and Potential Penalties
● Compliance Costs: There may be upfront investments in technology, legal advice, and staff training to meet GDPR standards.
● Fines and Reputational Damage: Non-compliance can result in significant fines (up to €20 million or 4% of annual global turnover) and damage to the company’s reputation, making robust compliance a critical business priority.
● Operational Adjustments: The company might need to revise its operational procedures, from how customer data is stored to how marketing lists are maintained, to minimize risk and ensure compliance.
6. Opportunities for Competitive Advantage
● Building Trust: By proactively complying with GDPR, GVT Book Publishing can position itself as a trustworthy brand that respects customer privacy, potentially enhancing customer loyalty and differentiating itself in the market.
● Streamlined Data Management: Revising data processes can lead to more efficient data handling, which can improve overall operational effectiveness.