Introduction to Security Laws and Standards

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
or

Already have an account? Sign In »

Time
7 hours 6 minutes
Difficulty
Intermediate
CEU/CPE
7
Video Transcription
00:00
Hey, everyone, welcome back to the course in this video. We're gonna take a high level view of some security laws and standards that you want to know in particular laws and standards. You'll want to know if you're gonna be taking the easy council certified ethical hacker exam. So we're gonna identify what p. C I D S S is.
00:15
We're also gonna identify what ISO 27 001 is. We'll talk about HIPPA, we'll talk about socks.
00:22
We'll also talk about the M. C. A. We'll talk about fisma as well. A C C p A. Which is a little newer law in place.
00:30
So let's talk about PC I d. S s first. This is a standard in this stands for payment card industry data security standard, and basically it applies to anyone that's involved in processing payment cards. So think of your credit cards and what it does is it basically just sets minimum security requirements. Hey, if you're gonna process credit cards, you need to do these basic things.
00:50
So it helps organizations
00:51
secure their networks a little better, so it actually requires them that they must build to maintain a secure network to protect our cardholder data a lot better, and they also may need to maintain a vulnerability management program. So again, thinking through when we define cybersecurity earlier,
01:07
it's always evolving right. There's always new vulnerabilities, and so they need to have a program in place. So once they identify
01:11
vulnerabilities, they fixed the issue or they accept the vulnerability and the risk associated with it. And then they continuously monitor and test the networks. I saw 27 001 This specifies requirements for establishing maintaining in implementing an information security management standard
01:30
so you can actually get certified in this. Now there's ISO 27 002
01:34
which helps you actually implement. The control specified in 27 001 but is a 27 001 is the only one you can get certified in. That's important to know if you do take the CH exam, so keep that in mind if they ask a question around what is so can you be certified in or which one is around? Certification? That's 27 001
01:53
Think of 27 02 as the one
01:57
around implementation of those security controls
02:00
next we have HIPPA. So HIPPA stands for the Health Insurance Portability and Accountability Act, and it's spelled H I. P. A. Is how they act on them is you'll see a lot of people, including, like physicians and nurses spelling it as H. I P P. A. But that's incorrect. If you see that out there, you know that spelled incorrect. So that's a fun fact for you to know. And you can correct the individual
02:19
on the proper spelling.
02:21
So HIPPA has a couple of main components of security role, which, really the focus is around. Elektronik protected health information. So most organizations are
02:31
health care organizations are doing things electronically so that electronic charting, Elektronik lab results and a lot of cases as well and other test results. So the security role is all around the e. P h. I. So making sure that there are administrative safeguards in place so things like policies and procedures
02:49
technical, uh, safeguards in place as well as physical safeguards. So making sure that I can't run off with a laptop, and if I do, there's a technical safeguard in place of full disk encryption. So that way, if I steal the laptop. I still can't get the data,
03:02
I will say. As an example, I worked for a health care organization as a nurse, and one of the other nurses left the laptop in the car. They didn't have good security practices, and they didn't have full disk encryption in place on the device. So laptop was lost while it was stolen,
03:19
and whoever got it was able to access anything they wanted to on the device. That's why it's very important to
03:24
do these fundamental security things, especially in the health care arena. And we're still seeing these days that people are sharing passwords. Eso again. That's an administrative thing as well as, well, mostly administrative and a training thing of saying, Hey, don't share passwords with each other, but you have to also think through the flipside, right? The other side of the things. The nurses side.
03:44
I don't
03:45
You're a temporary nurse or a staff nurse, a agency nurse. Excuse me and
03:53
you're working the night shift.
03:54
And through the charge nurse doesn't have admin credentials to reset your password. All of a sudden, your password doesn't work. You call the help desk 1000 times. Nobody is picking up,
04:03
they're telling you or they're telling you, Hey, we got authenticate who you are. So then you have the charge nurse. They're trying to authenticate you. It's just a big fiasco, right? And meanwhile, your patient needs medicine and all these things. I'm telling you that because I've been there, done that right. I've been the nurse that's been an agency nurse
04:20
that's having trouble getting their access or getting their password reset just to get in
04:25
to do their charting. All these things were going on. I can't even look up labs on a patient. And fortunately for me, I was an agency nurse at ah place where the Charge nurse was able to reset passwords, right? They were super users, so they were ableto reset the password in the m r. For me.
04:42
But I have heard a lot of horror stories of people that couldn't do that. So that's why it's very challenging, especially in health care, to have all the security stuff in place and having people actually use it, because
04:55
sometimes it's just difficult to actually use the security
04:58
because organizations make it difficult, right? Like give super user access to certain people that are trusted. That air vetted
05:05
So the privacy rules the other main component of hip we need to worry about from a security standpoint. So this one goes back to the legitimate need to know right
05:15
Onley. The right people should be able to access a protected health information
05:19
at the right time
05:21
socks or some Barney's Oxley Act. This one specified I t control requirements around around security on DSA specifically around auditing. So that's the main area of interest. Socks itself came out after the Enron stuff, so it was designed to help protect investors from fraudulent accounting practices.
05:42
D. M. C. A of the Digital Millennium Copyright Act. This one helps you protect your copyrighted work. A lot of times we see this, uh, like DMC a takedown requests or name change request coming about around online courses. So somebody might steal an image or steal parts of a course. Or
06:00
they might even
06:01
use terminology in the course or as part of advertising in the course that's protected under trademark laws. So that's where you can send things like a D M. C. A. Request. Some people also just copy your course right and put it on different websites. And that's another way you could do that. In fact, I've had to do that in the past
06:18
with some of my online courses. I've had to fill out the DMC a request
06:23
on. I just decided at a certain point, it wasn't worth all my time and effort. If someone's gonna steal it, they're gonna find a way to steal it, right? A notable case was via converses, YouTube where it was ruled that even though there was content posted on YouTube that was under, you know, registered under Viacom,
06:41
YouTube wasn't really responsible, right? Because they had done measures in place. And at the end of the day, they can't control every user uploading every type of video
06:50
and then medical device data. Right? Um, you can, actually, depending on what information harvested from, like your pacemaker, you could actually send a D m. C. A request. Like your doctor, right? Or an insurance company. Um, of course, I'm not giving you legal advice here, but there are options there for you. So D m c. A also applies to medical device data
07:10
fisma or the Federal Information Security Management Act. This one required federal agencies to implement information security plans to help protect sensitive data better.
07:19
And then finally, we have C, C P. A or the California Consumer Privacy Act. This one actually enhance privacy rights and consumer protection for residents of California. Why do you care about that? Well, if you're selling anything in the state of California to California residents, you should care. Keeping in mind, though, that it applies to organizations with
07:39
and no gross revenue of 25 million or more. So unless you're at that level,
07:43
you probably don't need to worry about it or anyone that buys, receives or sells personal information of 50,000 or more consumers or households in the state of California again, if you're not at that level, probably don't need to worry about C. C. P. A. And earning more off or earning basically like half year revenue
08:01
from selling consumer data again. If that's not applicable, you probably don't need to worry about it. However,
08:05
it's probably smart to just reach out to your counsel. If you have a business and asked them or if you work in an organization, ask your your legal team there. If CCP A applies to you. In most cases, they've already figured that out, so they should be able to tell you yes or no.
08:20
So that's a quick quiz question here. This'll helps protect your digital intellectual property. Is that gonna be hip? A. C C p a or D M C A.
08:30
Alright, this one was pretty easy. It's gonna be the digital millennial Copyright act.
08:35
So in this video, we just talked briefly about some of the laws and regulations and standards that you want to be mindful of. P. C. I. D. S s iso 27 001 HIPPA Socks DMC a fisma and also the California California Consumer Privacy Act.
Up Next
Penetration Testing and Ethical Hacking

The Penetration Testing and Ethical Hacking course prepares students for certifications, like CEH. This course walks students through the process of gaining intelligence, scanning and enumerating and hacking the target.

Instructed By