Governance and Compliance Part 2


Time: 8 hours 20 minutes
Difficulty: Advanced
CEU/CPE: 9
Video Transcription
>> Governance and compliance Part 2. The learning objectives for this lesson are to explore industry standards, to define privacy data, and to define certification and accreditation. Let's get started.
Regulations and standards are tightly integrated together. The regulations are the legal requirements, and standards define the details of compliance. It's critical to understand what jurisdiction you're operating under as it pertains to regulations. It might be you have one set of laws at the national level, but state and local regulations could differ from that. It gets more complicated when you start involving international law because you may be operating in multiple countries. You need to identify what regulations apply to you so that you can make sure that you are putting the proper protections in place for the data that you're responsible for.

But sometimes we need a little help with this, because coming up with all the possible ways to protect data can be very complicated. That's where industry standard publishers come in. The National Institute of Standards, or NIST, is a really good example of this. They're a non-regulatory agency of the United States government, and they create best practices and standards across all technology and science fields. Included in this is the Special Publication 800 series for cybersecurity, but also the Risk Management Framework and the Cybersecurity Framework. The International Organization for Standards, or ISO, also publishes the cybersecurity framework ISO 27000. It includes over a dozen standards for various parts of cybersecurity. You can use these to apply to your own organization, to make sure that you're matching what is considered best practices to ensure that the data is being protected within your organization.

The NIST 800 series is very good. It's got a lot of areas to look at, all the way from how to set proper password policies up to encryption. You can find the ones that apply to your organization in that 800 series and use those. Again, they're all free of charge. They are freely published. You can get all that information and then build your own policies to help match that, using this as a base.
The General Data Protection Regulation, or GDPR. This was created by the European Union to enforce rules on organizations that offer services to entities within the EU, or that collect and analyze data on subjects in the EU. The key point to remember here is it doesn't matter where the requesting organization is or where the data is stored. You could be an organization that's only in the United States. Your server and all the data is located in the United States, but you're selling services to individuals in the EU. You fall under the GDPR and must protect the EU customers that you have to higher levels of privacy than what is common in the United States at this time.

The GDPR has seven principles. These are lawfulness, fairness, and transparency. Purpose limitation means that you cannot use that information for anything other than the very specific purposes for which you're collecting it. Data minimization means that you're only collecting the minimal amount of data necessary to conduct business with this person or entity. Accuracy is to ensure that the information is kept accurate. You have storage limitations, and then you also have to ensure the integrity and confidentiality of the data. Then the whole process must have accountability. GDPR is one of the strictest regulations in place now to ensure that the privacy of entities or individuals is maintained by an organization that's collecting the data.
We also have the Capability Maturity Model Integration, or CMMI. This was created for Department of Defense contractors primarily, and it has five levels. The purpose of this was to ensure that the organization had a spelled-out, specified level of maturity in their operational or software capabilities. Level 1 is the initial process, and this means that there are no processes in place within the organization and all work is reactive. Level 2 steps it up: now many work activities are defined in processes, but the work is still reactive in nature. Level 3 moves up to the defined level. This is where the majority of the work is well-defined in processes and proactive measures are now in place. Level 4 is the quantitatively managed level. This is where well-defined processes are now in place, proactive measures are in place, and the work output is being analyzed. Finally, we have Level 5, or optimizing, where well-defined processes are in place, and work is proactive, measured, analyzed, and continuously improved. This is a very complex process, and if you go look at it to see all the items that are covered, it is very thorough and it's very difficult to get up to Level 5. But it's a good guide to help ensure that an organization can prove their level of maturity.
Let's talk about some other regulations and standards. The Children's Online Privacy Protection Act, or COPPA. This is a US federal law and it's designed to protect the privacy of children under the age of 13 in and outside of the United States. It requires notice of when consent is needed, and you must protect the child's data from marketing purposes.

The Payment Card Industry Data Security Standard, or PCI DSS, the global data protection standard, was created by the credit card industry. They didn't want government regulation coming into their parts. They wanted to handle this themselves. They didn't want regulation on them. They created this set of regulations to help identify controls that are necessary to prevent credit card fraud, but also to protect the data of the credit and debit cards being used. Again, they didn't want any government stepping in, so they created this global standard. It's pretty thorough. It mirrors a lot of the NIST special publication documents. You'll see a lot of things in there that are very detailed, and it's a good system even to be using for other things in your organization. But any organization that processes payment card information of any kind falls under PCI. Then again, it's not a government regulation, and you're not going to go to jail for this, you're not going to have fines from the government, but PCI does fine. They do have the capability to fine you if you're not compliant with this, and sometimes these fines can be very expensive.

We also have the Cloud Security Alliance STAR certification. This measures the security capabilities and privacy controls of a cloud service provider against the CSA Cloud Controls Matrix.
Let's talk about privacy data. This is the type of data that can uniquely identify an individual. It can be personally identifiable information, financial information, and protected health information. The Health Insurance Portability and Accountability Act in the United States, called HIPAA, is a US federal law that is designed to protect PHI. One of the things to keep in mind is it's H-I-P-A-A, not H-I-P-P-A. You see this all the time on Twitter where people are claiming that certain information is protected under HIPAA, but they always misspell it. And when they misspell it, that immediately lets me know that they really don't have any idea of what they're talking about, or what is covered or not covered by HIPAA. But when you have privacy data, additional controls have to be in place to ensure that that data remains private and secure.
Certification and accreditation. Certification is the formal process by which a system owner can be assured that a complicated technology solution is configured in a secure manner. It's a process that will go through to make sure that, first, it's going to do what you want it to do, and that it will do what the vendor, or mostly the vendor, says it's going to do. The vendor goes through and creates the certification for this. Accreditation, however, is when the system owner agrees, and then they accept the claim that the system has certified. The key to remember is certification is the process that is gone through by the vendor to show that their system is certified and set up in a secured manner, whereas accreditation is you accepting that and taking over that system, and accepting that the system is going to perform the way the vendor says it is and it is configured in the specified way.

However, within the US government, this process has a different meaning because of the extremely strict and complex measures that are in place to ensure that systems are compliant. The certification and accreditation process has four phases. The first is initiation and planning. This is where the system owner and the Information System Security Officer identify and acknowledge that a certification and accreditation are needed for a specific system. Then we move to the certification process. An independent audit will review the system to identify the controls that are needed, and this is based on NIST 800-53. Then after that, we go to the accreditation. The certifying authority will verify that the system meets all the standards that were found in the audit, and an authority to operate, or ATO, will then be issued. After that, we close it out with continuous monitoring. This ensures that the system continues to operate in a compliant manner.
Let's summarize. We went over regulations and standards. We discussed the National Institute of Standards and Technology, NIST, and the International Organization for Standardization. We also went over standards such as the GDPR, COPPA, PCI DSS, CMMI, and STAR. We also went over privacy data and certification and accreditation.

Let's do some example questions. Question 1: the formal process of accepting a certified system from a system builder is accreditation. Question 2: this standard was created by the global payment card industry to prevent fraud and to protect credit card and debit card information. Payment Card Industry Data Security Standard, PCI DSS. Question 3: this US government regulation is for protecting PHI. Health Information Portability and Accountability Act, HIPAA. Question 4: the non-regulatory agency of the US government that creates standards and best practices across science and technology. The National Institute of Standards and Technology, or NIST. I hope this lesson was helpful for you. I'll see you in the next one.