Hello, everybody. And welcome to the Hyatt security experts. At number 33 I take compliance program.
My name is Alejandro Pena, and I'll be instructor for today's session.
Really, objectives is to understand and be able to identify the main concept supply. A 90 compliance program.
The security industry, calm prices are extremely bored, are broad set of communities of rich Ingles capabilities and day to day activities.
Compliance represents a necessary aspect to security and safety, but everybody hated
because the auditors come to see if you're actually compliant and they are not the best people of telling. You have to fix things. They just they. For some reason that you have to find something in your system, they cannot just say I You know what? You're doing a great job
to prove your job. You've made do this. So people had
I got a reason for this. Most people see the term complains at the complete, you know, endurance
to the set of requirements are Taylor to mitigate a broad set of starting threats.
Let me tell you a little trick of people on, and one that I have too far, you know, one that I had to learn the hard way. Compliance by itself does not actually secure systems. It does not just simply not.
However, if you use that regulation as an invalid, you create the wrong policies and procedures. Then your complaints problem will should have a big impact on traditional risk.
For example, P. C I. D. S s, you know, payment, car industry and data security. Thunder requests that data encryption. But you also want to play additional crypto controls like encryption case, and you create your policy that we cover
all the PC idea says part. But it will also cover a tailor control
you want to put in place to reduce risk, and I set the level.
Also, lack of compliance at your regulation could throw some fines, lawsuits and ever present negative impacts of the great public perception within the cart. Our public opinion. So there's that, too. I mean, pain finds that's something you can calculate.
But you know, the more dangerous thing or result from from from a bridge is to losing thrust after customers and maybe his customers telling you to, uh
that they will leave. You are maybe the image of your business. That's a huge deal, too.
Another fact that is crucial to understand on identifying what compliance regulation You miss our one to be complaining with. For example, if you're handling credit card information to want to be complained with P C I B S s. But if you were handling medical records, then you want to wrinkle die. We're hip, for example.
selecting the right appropriate regulation, you must comply. That's difficult because weight control names here hipaa pcr j d p. R. But you know, when dealing you, you also have to taking place. Take into consideration
the regular regular you know them
local loss or regulations. For example, If you're planning to up in business in Costa Rica or Panama, they have some strong regulations off there. And maybe yeah, DPR will cover must most of the topics for their there since tricked to retain topics,
you also have to check in. Those laws or regulations are selecting the one that will apply to you. It's hard, it's a hard task, and it's not walking apart. I'll so, uh, in order to help you put together eight points, that might help you too, you know,
to Grey your piety complaints program again. This is this program is not only just okay, I wanna be your DPR I will follow all their truck instructions, but it means also that, uh,
you have to select all of the regulations. And best practices are good practices. I don't like it Were best practices, by the way. Good practices a better war. Um, so good practices and regulations that you can put it together into a policy.
This is some kind of life. Cycle it together for you. And first, Now you know the regulations. You have to know the regulation, and you have to know that if you're dealing with credit card, you want to be P C I, for example, and if you're dealing with medical records, you want to deal. You want to be complying with Hibbert
management support. I mean, if they don't get on board with the program, I can assure you folks your program or will die differently.
Then comes the policy processes and procedures. Uh uh, with that and, you know, knowing what regulations you have three complaint with and the ones who want to be compliant with because maybe you have to be complaining with PC High. But for some reason you also want to be complained with on regulations
that not affecting you directly But you know you want to put together
are really good policy
training on awareness If you don't train your employees. Uh,
and I mean, everyone from the CEO are the board of directors. True that, you know, people help you with
maintains and stuff. We all have to be insane boat folks. So you have to train everyone. Maybe the skills you will take fish them in this train. Stations will be different. And it's not the same training session for a pen tester. For example,
I will be to a CEO or something. Marketing person
testing. You have to test your systems and to see if you're actually complained or being complained with some parts off. The system's already
then comes in journal article. Someone comes from a different department, Uh uh. To see to see what points are you being compliant with And what points what points? You're still Mason,
and you can through their gap analysis so you can close the guy
with additional controls.
Then comes the risk management. Uh, because at the end, a continuous risk assessment is needed. Maybe you put in place controls, but at the end of the week enabled inability came out. Or maybe that control is no longer reducing the risk to an acceptable level,
and you have to continuously measure
that. For that, you can use a K A rise just stands for key risk indicators. It's kind of the brother of the sister. Keep performance indicators. The thing is, that key performance gives you an ecstatic
graphic. Oh, our information. I mean, how many times did Billy went down? How many times did you suffer a ransom world last year? But the key risk indicators gives you up a broader solution and information. For example,
what's the risk that something in the future will happen to you because you don't have the controls in place?
Okay, for 55% for example. So you can you can measure your risk management process and continuously performed the risk assessment by having those pure risk indicators.
And, of course, finally, the remediation. Uh, whatever came out in the journal art, whatever risk management told you to decrease the risk level,
whatever you're destined reveal. It'll go down to a re mediation. You have to put in place a remediation program for every aspect of internal audit. And this and this cycle both cell but goes again because again, it may be your
trying to enter in a new market. So you have to again around regulations and management's pour A policies, procedures training, testing an internal audit for these new relation.
What is he? Well, ah, is the certification. You have the standard A regulation have to put in place if you're dealing with medical records.
If you're complaining with regulations, does it mean that your infrastructure is secure? Well, no. It doesn't mean that you have to put in place a compliance program that will take regulations, a synonym put to great policies. And then you can, you know,
put more points in that policy to actually,
um, security system.
What is busy? Idea says what is payment car payment card, industry data, security, thunder.
Um, and this used to actually measure. How well are you protecting the credit card information or this? Take all our you know, with everything around that trick information, stakeholder information
What is the very first step in every compliance program. We'll know your regulation if you don't know your revelation,
Um, you will be applying maybe a religion that it's not affecting to you directly,
and I will. I will put that at the same level off getting management support because you came now your regulation. But you don't get management support. Your program is you know it will not walk anywhere
in today's re lecture with this, because the main concepts you need to know establish an anti compliance program
supplements materials again at the book For a Practical Internet of Things Security by Brian Russell It's a great book I haven't recommended to go to.
In the next video. We'll review some concepts that will help you establish good Internet response process for your lunch infrastructure.
Well, that's it for today, folks, I hope in your video in such vision