Compliance Frameworks
Video Transcription
>> Welcome back Cybrary friends, to the HCISPP Certification course with Cybrary. My name is Schlaine Hutchins, and I'll be your instructor today for Compliance Frameworks. Today, we're going to touch on a few frameworks that you may see during the exam. You'll definitely see them during your career as a security and privacy professional. We'll discuss ISO, NIST, Common Criteria, GAPP, APEC, and OECD. Let's begin.

ISO is the International Standards Organization. It is billed as the world's largest standards organization, and it's headquartered in Geneva, Switzerland. Currently, they offer over 19,500 standards for sale individually or through paid memberships. There are more than 30 standards addressing information security practices and audit. Each of the standards is constantly reviewed and updated, which requires consistent attention for keeping up with the latest standard changes. As an information security professional, you should be familiar with the ISO security standards.

NIST is part of the US Department of Commerce and addresses the measurement infrastructure within science and technology efforts of the US government. NIST sets standards in a number of areas, including information security. NIST has developed sets of publications through the CSD over recent decades. All of these publications are submitted as drafts for public review. NIST encourages comments and suggestions that are taken into consideration within the final version of the documents.

Just recently, there was a shift in password requirements recommended by NIST. NIST SP 800-63B now recommends that passwords should only be changed if there has been a known compromise. It recommends that longer passwords are better than more complex passwords with the special characters, the numbers, etc. What's been found over the years is that it's really challenging for the average computer user to remember a password, let alone one with special characters and one that has to be changed every 90 days, with so many systems requiring a unique password. People began to use a single password across all their systems to meet requirements and were using easy-to-remember or easy-to-guess passwords such as Winter2020 or Winter2020!. This defeated the purpose of what a password is supposed to do. Making passwords longer, such as setting the minimum character length to 15 and using passphrases such as "I am your favorite instructor," makes it easier for users to accomplish the goal of hard-to-guess passwords and thereby strengthens security.

A little bit more about Special Publications. There are nearly 200 documents within the 800 series of the Special Publications. These are the set of standards aimed at the general information security audience within or outside of the federal government. These are the most public set of standard documents and represent outreach and collaborative efforts with information technology specialists in government, private organizations, and higher education. There's a NIST standard for interpreting and applying HIPAA. For healthcare organizations, it's SP 800-66 Revision 1, which was published in October of 2008. This would be a great reference as you review new organizations who are looking to HIPAA security requirements for a strong security standard.

NIST Interagency Reports are technical research reports targeting specialized audiences, including interim and final reports. These are for information technology security specialists who wish to keep abreast of the latest research within the CSD. The CSD has provided a report on the secure exchange of health information that offers a perspective about how to establish and exchange information between different organizations: NISTIR 7497, Security Architecture Design Process for Health Information Exchanges (HIEs). Check it out in your spare time.

Next, let's talk about Common Criteria. The Common Criteria for Information Technology Security Evaluation, or CC, along with the Common Methodology for Information Technology Security Evaluation, the CEM, are the technical basis for an international agreement among member countries. The criteria are the targets of the standards. The methodology is how the standards are achieved, all according to the arrangement among the members. The CC includes three sets of documentation describing the general model, the security functional requirements, and the security assurance requirements. The CEM describes activities performed by an evaluator assessing the efforts to implement the functional requirements and the assurance requirements. More than likely, public and private healthcare organizations would not require this level of rigor or detail. Assurance and compliance with other standards can satisfy the requirements of protecting PHI.

Now, GAPP is a set of principles determined jointly by the American Institute of Certified Public Accountants, or the AICPA, and the Canadian Institute of Chartered Accountants, the CICA. These principles, as stated in the name, are based on the commonly accepted privacy standards for protecting personal information. They include providing initial evaluations, GAPP risk and control assessments, benchmarking and performance evaluations, and the documentation to support the efforts. The efforts target the private personal information of clients, customers, and workforce members. There will certainly be similarities between GAPP and healthcare privacy standards, but the GAPP principles offer no new concepts to most healthcare organizations.

APEC is the Asia-Pacific Economic Cooperation, with the goal to provide sustainable economic growth and prosperity in the Asia-Pacific region. The idea began in 1989, and by 1998 it reached full membership with 21 member countries. The APEC Data Privacy Pathfinder was established by ministers in 2007 to achieve accountable cross-border flow of personal information within the APEC region. This goal was to be achieved by developing and implementing the Cross-Border Privacy Rules, or CBPR, system, consistent with the APEC Privacy Framework, which was first endorsed by APEC ministers in 2004. Progress on the implementation of the APEC Privacy Framework includes the application of information privacy individual action plans, or IAPs, by 14 economies, and the creation of a study group within a data privacy subgroup to analyze and identify best practices and the role of trust marks in promoting the cross-border flow of information. The updated APEC Privacy Framework of 2015 addresses gaps in policies and regulatory frameworks on e-commerce to ensure that the free flow of information and data across borders is balanced with the effective protection of personal information essential to trust and confidence in the online marketplace. The update of the privacy framework was endorsed by ministers in November 2016.

Lastly, the OECD is the Organization for Economic Cooperation and Development, which works to build better policies for better lives. They provide a unique forum and knowledge hub for data and analysis, exchange of experiences, best practice sharing, and advice on public policies and international standard-setting. For several decades, the OECD has been playing an important role in promoting respect for privacy as a fundamental value and the condition for the free flow of personal data across borders. The Guidelines on the Protection of Privacy and Transborder Flows of Personal Data constitute the first update of the original 1980 version that served as the first internationally agreed-upon set of principles. A number of new concepts were introduced, including national privacy strategies, data security breach notification, and privacy management programs.

In summary, we've reviewed several different compliance frameworks. Please use the supplemental study material, such as the flashcards, to test your knowledge of specific points surrounding these frameworks. Thank you for joining me today, and I'll see you in the next video.