Governance and Compliance Part 1


Time: 8 hours 20 minutes
Difficulty: Advanced
CEU/CPE: 9
Video Transcription
>> Governance and compliance Part 1. The learning objectives for this lesson are to define the different types of data, to explain data ownership and classification, and to explore legal considerations of data. Let's get started.

Organizations are constantly collecting data from the individuals that they do business with. This is normal in the course of doing business, but not all data is equal. Some data has to have additional levels of protection on it based on the type of data that it is. We're going to go over some of those. We've created data types to help us better differentiate the types of information that need additional levels of protection on them.

We'll begin with personally identifiable information, or PII. This is data that can be used to directly or even indirectly identify a specific person. Examples of this would be name, address, social security number, and phone number. Any of that type of information would need to have higher levels of protection placed on it because it is of a sensitive nature.

Next, we have protected health information, or PHI. This is data that can be used to identify an individual concerning their health care. It also includes their past, present, or future health needs. In the United States, this is governed by HIPAA. HIPAA has 18 different unique identifiers of what is considered PHI under HIPAA laws. Something that might surprise you is that the IP address that they use to visit your website would be included in this. It's not just their individual health record; it could also be a voiceprint, a fingerprint, or a photo of the patient. All of that would be considered PHI and, therefore, is required to be protected. The entities that are under HIPAA regulations have to go through fairly complex steps to ensure that that data is not disclosed.

Next, we have financial. This covers financial information, including payment histories, credit ratings, and financial statements. A subset of this is personally identifiable financial information. This is information provided to a financial institution about a specific consumer. It's generally used to gain access to financial services or products. Your credit history will be judged and will help to verify your creditworthiness so a bank could either give you a credit card or a bank account, that type of thing.

Then we have intellectual property. These are the intangible products created by human thought and ingenuity. They are protected by trademarks, copyrights, patents, and trade secrets.

Data ownership is who is responsible for the data, and what are they responsible to do with the data that's under their control? The entity that is responsible for this has to determine: what are the levels of restrictions based on the laws and legal frameworks that I am subject to? Based on those, what levels of protection do I need to place on the data that I have in my possession?

Data classification. We went over this briefly in our previous lesson, but I'm going to hit it again because the way the data is classified determines the type of protections and controls that must be placed on it. With public, this is information that, if it were disclosed, is not going to harm anyone, including your organization. Sensitive data, however, if it were disclosed, would cause harm to the organization as well as the individuals the information is about. Then lastly, we have confidential. This is information that, if it were disclosed, would cause considerable harm to the organization or the individuals that it might be about. Because of that, the highest levels of protection must be put in place to ensure that it is not released.

Data destruction. When we have data that has gone through the entire data life cycle and we've reached the stage where we need to get rid of the data, we have to find the appropriate way to do that. Based on the type of data that we have, there may be different ways of doing that. The more sensitive data might need more stringent requirements to ensure that it is not recoverable.

Sanitization is where we remove all the data from the media using methods such as clear, purge, damage, and removing all labels, markings, and logs.

Clear is multiple block-level overwriting of data that protects against recovery, except maybe in the sense of a cleanroom. Clear would be overwriting the data on the drive with random data over and over again with multiple passes. This makes it very difficult to recover. Bringing it into a cleanroom, they can dissect the drive and use things like an electron microscope to go through and really try to piece together items that may be recoverable.

However, if we need to ensure that even that is not possible, we want to use purge. This will protect against all recovery methods, including cleanrooms.

We also can use damage, where we physically break the storage medium to make it useless. This may be putting it into an industrial shredder or a degausser, or you may want to just totally melt the device. If you want to ensure that your data is completely unrecoverable, damage is the way you want to go.

Then finally, we have crypto erase. This is where we'll remove the key that was used to encrypt the data on the device. If there's no way for that key to be recovered, then that data is totally useless.

Instructor side note. There have been numerous stories in the news over the years of people who purchase used drives from eBay or other such places, only to find that those drives contain sensitive information on them. In 2009, British Telecom performed research where they purchased drives, and they even found US THAAD missile system data on some of the drives that they purchased. It wasn't deleted and hard to recover; it was just on the drive right there.

When you're disposing of old drives and devices, it's very important that you go through the process to destroy them properly based on the classification level of that data. Usually, wiping them with programs like DBAN, which will do the overwriting of the data with multiple passes, is sufficient. If you want to donate a computer or resell a computer, you run it through DBAN, ensure that everything on the drive is destroyed, and it's good to go. However, for more sensitive types of data, you need to go through the destruction process. I would consider using a reputable service to handle this because they know the proper ways to do it, and they'll ensure it's done for you. But if you don't want to go that route, thermite is always an option.

Data sovereignty. This is based on the laws in the country where the data is stored. That governs how the data can be collected and how it's used in the global economy. Regulations will vary widely, and these can impact how the data is stored, how it is transmitted to another country, and what types of encryption must be used to protect the data. Cloud computing has demonstrated this complexity, as legal risks in different jurisdictions can limit how resources can be used.

>> Attestation of compliance. The set of policies, contracts, and standards between two entities that have been designated as essential is your attestation of compliance. It will identify how the relationship will be governed, including how incidents will be reported and then addressed, the use of independent auditors, and data protection requirements in violation agreements. You're proving to another entity that you are compliant, and you're doing a mutual agreement on what that level of compliance means between the two of you.

Legal considerations. Due to how rapidly technology is being used in every area of our lives, the laws are changing to keep pace. Now, they usually change at a lot slower level, but when they change, they really make big changes. This can lead to additional complexities due to these fast changes.

Legal jurisdictions is the first one. The legal framework that will be used based on the location of the data would be your jurisdiction. This can include federal laws, federal regulations, state laws, international laws, and laws in individual countries.

Due care and due diligence. Due care is using the prudent man rule. What is considered to be reasonable and expected? What type of protection, based on a given asset? This is the baseline, and it will vary widely based on what is being protected. Due diligence is the ongoing and documented processes to continuously evaluate and improve the ways we protect data.

Legal hold and e-Discovery. Legal hold is also called litigation hold, and it is a notification received by an entity that requires the preservation of electronically stored information, ESI, and paper records that may be relevant to pending legal proceedings. It's usually handled by your legal team, but cybersecurity teams are involved to place the hold on the data. e-Discovery is identifying, collecting, and providing the ESI identified in a legal hold. This is becoming very common because more and more important information is on the digital side.

An opposing attorney will submit a demand to hold all data related to an impending lawsuit, say. That could include email, it could include documents, it could include timestamps on various things. As a cybersecurity professional, your job is to go in there and freeze all of that information so that it can be collected and then given to your legal department, for them in turn to give to their attorneys, and then their attorneys to give to the attorney that originally requested it. It's a very serious process, and you need to make sure that you're documenting each step of the way and giving to the request exactly what is being asked for, because that opens up other issues. Typically, cybersecurity people won't just be handed this; they'll be given guidance by your own internal legal team.

We've had to do this on two separate occasions, and we never dealt with opposing counsel. It was always with the attorney for the people that we were working for, and they provided us with the details of what we needed to do. We did the search, froze everything, and then copied it all for them, and then they took it from there.

Export controls. National export controls. Many countries may place restrictions on different exports, especially the ones that pose a national security risk. These may include software, commodities, and technology.

The Wassenaar Agreement. This was established in 1996 to define export controls for conventional arms and dual-use goods and technologies. Forty-two participating states got together to create this to help prevent sensitive technology from getting to terrorist groups and rogue nations.

Also, we have encryption laws. These will vary between countries. In some countries you may have no restrictions at all, while others are very serious and may not even allow encryption to be used. This is a big deal. In fact, simply using a VPN in some countries can get you into a lot of trouble. If you're going to be using any level of encryption in the international setting, you're going to want to make sure that you understand those laws very well ahead of time. I've actually done some international travel and found a few places that I visited that frown heavily upon using a VPN. Then you have nations such as China, where the locals are heavily cracked down on but tourists aren't targeted quite as much, but VPNs are one of those things there that are heavily regulated.

Contract and agreement types. These are legally enforceable documents that are used to govern the relationship between parties.

The first one is the master service agreement, or MSA. This is an umbrella contract establishing an agreement between parties to conduct business during a specific period of time. It is defined by scopes of work, expectations, and deliverables.

A memorandum of understanding, or MOU, is a non-binding document that's critical, that formally defines roles and the expectations of the two parties. It's very important to remember that it is non-binding.

A non-disclosure agreement, or NDA. This defines how an entity can use data and what must be kept confidential. It also contains the legal ramifications that serve as a deterrent to disclosure, similar to those used when hiring new employees. These govern the relationship between the two companies working together. For example, when hiring a third-party security service, they will have access to the company's sensitive information; that's normal in the course of doing business. The NDA aims to ensure that the data remains confidential and that the third-party service will not do things that allow that information to be disclosed.

We also have the interconnection security agreement, or ISA. This is used when two parties need to share data via an interface. It will describe the expectations, the roles, and the operating parameters of that connection.

We also have the service level agreement, or SLA. This is how a service will be provided, and it will contain measurable and repeatable levels of service and penalties. You're guaranteeing a certain level of uptime, for example. If you don't deliver, what would be the penalties for not delivering that level of service?

Operational level agreement, or OLA. This is an internal document that defines the essential operational needs so that an entity can maintain an SLA. This is what an organization would use internally to ensure that they are delivering that level of uptime, because they don't want to suffer that penalty if they do not deliver that level of service.

We also have a privacy level agreement, or PLA. This is commonly used when we're working with a CSP, and it details how data will be kept private and protected.

Let's summarize. We went over data types and classifications. We also went over data destruction. Then we went over third-party compliance and contracts and agreements. We went over export controls and e-Discovery.

Let's do some example questions. Question 1: this is a non-binding document that establishes how two organizations will work together. Memorandum of understanding, or an MOU. Question 2: this agreement was created to prevent weapons and dual-use technology from getting to terror groups and rogue nations. The Wassenaar Agreement. Question 3: this is the term for any health information that can uniquely identify a patient. Protected Health Information, or PHI. Finally, Question 4: this type of data, if it were disclosed, would bring considerable harm to an organization. Confidential data. Hope this lesson was helpful for you, and I'll see you in the next one.