Welcome back, Cybrary friends, to the HCISPP certification course with Cybrary.
My name is Charlene Hutchins, and I'll be your instructor today for compliance frameworks.
Today we're going to touch on a few frameworks that you may see during the exam and you'll definitely see during your career as a security and privacy professional.
ISO is the International Standards Organisation.
It is billed as the world's largest standards organization and is headquartered in Geneva, Switzerland.
Currently, they offer over 19,500 standards for sale individually or through group memberships.
There are more than 30 standards addressing information security practices and audit.
And each of the standards is constantly reviewed and updated, which requires consistent attention for keeping up with the latest standard changes.
As an information security professional, you should be familiar with the ISO security standards.
NIST is part of the U.S. Department of Commerce and addresses the measurement infrastructure within the science and technology efforts of the U.S. government.
It sets standards in a number of areas, including information security.
NIST has developed sets of publications through the CSD over recent decades, and all of these publications are submitted as drafts for public review.
This encourages comments and suggestions that are taken into consideration in the final version of the documents.
Just recently, there was a shift in the password requirements recommended by NIST.
NIST SP 800-63B now recommends that passwords should only be changed if there's been a known compromise,
and it recommends that longer passwords are better than more complex passwords with special characters, numbers, et cetera.
What's been found over the years is that it's really challenging for the average computer user
to remember a password, let alone one with special characters and one that has to be changed every 90 days. With so many systems requiring a unique password,
people began to use a single password across all their systems to meet requirements, and were using easy-to-remember or easy-to-guess passwords such as Winter2020
or Winter2020!.
This defeated the purpose of what a password is supposed to do.
So making passwords longer, such as setting the minimum character length to 15 and using passphrases such as "I am your favorite instructor," makes it easier for users to accomplish the goal of hard-to-guess passwords, thereby strengthening security.
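As an added illustration that is not part of the course material, here is a small Python comparison of a legacy composition-and-rotation policy with an SP 800-63B-style policy as described above; the blocklist entries, the 15-character minimum and the 90-day window are constructed assumptions following the lecture's examples.

```python
"""Contrast a legacy complexity-and-rotation password policy with a NIST SP 800-63B
style policy: length over complexity, a blocklist of guessable values, and a change
required only on known compromise. Added illustration; numbers are constructed."""
import re
from datetime import date, timedelta
from typing import Tuple

# Constructed blocklist of guessable, seasonal-style values (compared after stripping
# punctuation and case, so "Winter2020!" still matches "winter2020").
BLOCKLIST = {"winter2020", "summer2020", "password", "password1", "qwerty123"}

LEGACY_SPECIAL = re.compile(r"[^A-Za-z0-9]")
ROTATION_WINDOW = timedelta(days=90)  # the 90-day rotation the lecture describes


def legacy_policy_accepts(password: str, last_changed: date, today: date) -> bool:
    """Old-style rule: 8+ chars, upper, lower, digit, special, rotated every 90 days.
    Note that it happily accepts "Winter2020!" while rejecting a long passphrase."""
    complexity = (
        len(password) >= 8
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and LEGACY_SPECIAL.search(password) is not None
    )
    not_expired = (today - last_changed) <= ROTATION_WINDOW
    return complexity and not_expired


def nist_policy_accepts(password: str, compromised: bool,
                        min_length: int = 15) -> Tuple[bool, str]:
    """SP 800-63B style: no composition rules, spaces allowed (passphrases), reject
    blocklisted values, enforce a minimum length (15 here, per the lecture's example),
    and require a change only when the credential is known to be compromised."""
    if compromised:
        return False, "known compromise: password must be changed"
    normalised = re.sub(r"[^a-z0-9]", "", password.lower())
    if normalised in BLOCKLIST:
        return False, "on blocklist of commonly used or guessable passwords"
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    return True, "ok"


if __name__ == "__main__":
    # "Winter2020!" satisfies every legacy checkbox yet is trivially guessable.
    print(legacy_policy_accepts("Winter2020!", date(2020, 1, 1), date(2020, 2, 1)))
    print(nist_policy_accepts("Winter2020!", compromised=False))
    print(nist_policy_accepts("I am your favorite instructor", compromised=False))
```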
A little bit more about special publications: there are nearly 200 documents within the 800 series of the special publications.
These are the set of standards aimed at the general information security audience within or outside of the federal government.
These are the most public set of standard documents and represent outreach and collaborative efforts with information technology specialists and government, private organizations and higher education.
There is a NIST standard for interpreting and applying HIPAA for healthcare organizations: SP 800-66 Revision 1, which was published in October of 2008.
This would be a great reference as you review new organizations who are looking to hit the security requirements for strong security standards.
NIST Interagency Reports are technical research reports targeting specialized audiences,
including interim and final reports.
These are for information technology security specialists who wish to keep abreast of the latest research within the CSD.
The CSD has provided a report on the secure exchange of health information that offers a perspective on how to establish an exchange of information between different organizations.
That is NIST IR 7497, Security Architecture Design Process for Health Information Exchanges (HIEs). Check it out in your spare time.
Next, let's talk about common criteria.
The Common Criteria for Information Technology Security Evaluation, or CC,
along with the Common Methodology for Information Technology Security Evaluation, the CEM, are the technical basis for an international agreement among member countries.
The criteria are the targets of the standards, and the methodology is how the standards are achieved,
all according to the arrangement among the members.
The CC includes three sets of documentation describing the general model, the security functional requirements, and the security assurance requirements.
The CEM describes activities performed by an evaluator assessing the efforts to implement the functional requirements and the assurance requirements.
More than likely, public and private healthcare organizations will not require this level of rigor or detail.
Assurance and compliance to other standards can satisfy the requirements of protecting PHI.
Now, GAPP is a set of principles determined jointly by the American Institute of Certified Public Accountants, or the AICPA,
and the Canadian Institute of Chartered Accountants, the CICA.
These principles, as stated in the name, are based on the commonly accepted privacy standards for protecting personal information.
They include providing initial evaluations, gap risk and control assessments, benchmarking and performance evaluations, and the documentation to support the efforts.
The efforts target the private personal information of clients, customers and workforce members.
There will certainly be similarities between GAPP and healthcare privacy standards, but the GAPP principles offer no new concepts to most healthcare organizations.
APEC is the Asia-Pacific Economic Cooperation, with a goal to provide sustainable economic growth and prosperity
in the Asia-Pacific region.
The idea began in 1989, and by 1998
it reached full membership with 21 member countries.
The APEC Data Privacy Pathfinder was established by ministers in 2007 to achieve accountable cross border flow of personal information within the APEC region.
This goal was to be achieved by developing and implementing the Cross-Border Privacy Rules, or CBPR, system, consistent with the APEC Privacy Framework, which was first endorsed by APEC ministers in 2004.
Progress on the implementation of the APEC Privacy Framework includes the application of Information Privacy Individual Action Plans,
or IAPs, by 14 economies, and the creation of a study group within the Data Privacy Subgroup to analyze and identify best practices and the role of trust marks in promoting the cross-border flow of information.
The updated APEC Privacy Framework of 2015 addresses gaps in policies and regulatory frameworks on e-commerce to ensure that the free flow of information and data across borders is balanced with the effective protection of personal information, which is essential to trust and confidence
in the online marketplace.
The update of the privacy framework was endorsed by ministers in November 2016.
The OECD is the Organization for Economic Cooperation and Development, which works to build better policies for better lives.
They provide a unique forum and knowledge hub for data and analysis, exchange of experiences, best-practice sharing, and advice on public policies and international standard-setting.
For several decades, the OECD has been playing an important role in promoting respect for privacy as a fundamental value and the condition for the free flow of personal data across borders.
The Guidelines on the Protection of Privacy and Transborder Flows of Personal Data constitute the first update of the original 1980 version, which served as the first internationally agreed-upon set of principles.
A number of new concepts were introduced, including national privacy strategies,
data security breach notification, and privacy management programs.
In summary, we reviewed several different compliance frameworks. Please use the supplemental study material, such as the flashcards, to test your knowledge of specific points surrounding these frameworks.
Thank you for joining me today, and I'll see you in the next video.