Security Policies & Procedures (part 2.2)

Video Description

This lesson covers industry regulations. Industry regulations are written to mitigate threats specific to an industry. The lesson gives the following examples:

  • PCI-DSS: Payment Card Industry Data Security Standard
  • State data breach bills: different laws and regulations in each state
  • Healthcare (HIPAA and HITECH): protection of medical records
  • Sarbanes-Oxley (SOX): accountability of senior executives
  • Gramm-Leach-Bliley Act (GLBA): banking and financial industries. Banks cannot share your financial information.
  • International regulations: depends on where a company does business

This lesson also discusses common business documents:

  • Interconnection Security Agreement (ISA)
  • Memorandum of Understanding (MOU)
  • Service Level Agreement (SLA)
  • Operating Level Agreement (OLA)
  • Non-Disclosure Agreement (NDA)
  • Business Partnership Agreement (BPA)

Video Transcription
Now, industry regulations. Like we said, this is a huge input into what our policies will say. That's why risk management has to come before policy development. I don't know how to write policy until I've looked at risks. If I run a grocery store, my risks are very, very different from your company that manages credit cards, and from your company that manages health care information for patients. So we do risk management, and as part of risk management we look at what our surroundings are, what the value of our data is, and what the threats are. Industry regulations are generally written to mitigate the threats specific to each individual industry.

So when you look at PCI, that's Payment Card Industry, and a lot of times you'll see PCI-DSS, Payment Card Industry Data Security Standard. That's a set of regulations on how I must protect customer information if I operate with payment cards, you know, if I accept Visa or Master Charge. They are self-regulated as an industry, and it's within their best interest to stay self-regulated, so they take compliance with those standards very, very seriously. They conduct regular audits.

Data breach bills: from state to state there are different laws and regulations, so you have to be knowledgeable about the specifics of your individual state. There are also laws like HIPAA, the Health Insurance Portability and Accountability Act, and it was all about protecting the confidentiality of medical records, being very restrictive as to how that information must be stored and how that information would be shared. And then the HITECH Act sort of added to HIPAA, because many companies find that they can't meet HIPAA requirements on their own, so they decide to outsource. Maybe they let another company process these medical forms because that company is better able to maintain HIPAA compliance. Well, traditionally, even if I'd outsourced, I was the only one to have liability. I'm the doctor's office, the medical provider, and I outsourced these records to another agency. Well, if that other agency didn't meet HIPAA requirements, I was held liable, and I'm still held liable even today. But what the HITECH Act did is it said, okay, that company that you've partnered with, that you've outsourced the forms to, they're also liable. So essentially HITECH expanded liability not just to the company providing the health care services but to any company processing forms that contain health care information.

Sarbanes-Oxley, often referred to as SOX. This is a law that was designed to address some of the shenanigans that we saw back in the nineties with companies like Enron and WorldCom, and essentially what it addresses is accountability of senior executives within an organization. We saw a lot of companies where the senior management were cooking the books, essentially, and they weren't being held accountable to any sort of auditing standards. So Sarbanes-Oxley goes in and specifies corporate accountability.

GLBA, the Gramm-Leach-Bliley Act. This was named for the senators that proposed and pushed this law through. This deals with the banking and financial industries, and although GLBA covers a lot in that realm, the piece that's specifically important to us for the CASP exam is that Gramm-Leach-Bliley makes it illegal for a bank, and for financial institutions, to share your financial information. So, for instance, my bank can't make it publicly available what my bank balances are or how much money I deposit on a monthly basis.

Also, international regulations. It depends on where my company does business. What you'll find, the longer you're in this field, is that the U.S. has a fairly lax approach when it comes to protecting the privacy of its citizens. For instance, if you go to the European Union, they take a much more stringent stance on privacy. So if I'm a U.S. company doing business in the European Union, I have to follow what are called the Safe Harbor laws, and the Safe Harbor laws require that I protect EU citizens' data with much stronger security mechanisms in place. And that's just one example. Then there's Basel, Basel II; it deals with international banking. There are all sorts of international laws, but the bottom line here is that policy is often driven by laws. Why do we protect customer information? Because we have to, to maintain legal compliance. So that's always an important understanding, an important consideration.

Okay, some common business documents. And yeah, I think these would be very testable: knowing the significance of these documents and when they might be appropriate. So we start out with an Interconnection Security Agreement. On this exam they love to use acronyms, so make sure you know what the acronyms are. They will not spell them out for you, so take a little bit of time and learn your acronyms. So when we talk about an ISA, the idea is you and I are sharing a network for whatever purpose. Maybe we have an extranet; we have some sort of set of shared resources that your company needs to access and my company needs to access. So how we protect their data, the requirements for connecting to the shared network, how the network is managed and how oversight happens would all be specified in an ISA. It's an Interconnection Security Agreement.

Now, an MOU, and also along the same lines we have an MOA. So an MOU is a Memorandum of Understanding and an MOA is a Memorandum of Agreement. And although the documents are different, they're for the same purpose, and I don't think they will differentiate between them on the exam. So when you see these memorandums, MOA or MOU, the purpose is to list individuals and their expected responsibilities. A lot of times you'll see this with a business continuity plan. Maybe I have an operator who's going to be responsible for restoring data from backup in the event that we've had some sort of disaster. Well, if that operator doesn't show up because he didn't know that was his role, we've got a problem. So often these documents, Memorandum of Understanding, Memorandum of Agreement, are there to list out the expectations, and they get signed. As a matter of fact, the big difference between an MOU and an MOA: a Memorandum of Agreement is a legally binding document, and a lot of times that's for our external vendors, whereas an MOU might be used in-house. But like I said, I don't really think that they're going to specify that. I would just certainly know that these are necessary documents to make sure that our expectations are met.

All right, Service Level Agreement. We've talked about this. With service level agreements, this is a commitment, often from a vendor, that guarantees us a certain degree of uptime or a certain performance threshold that they're committing to us. A service level agreement is legally binding, as are all of these agreements. These are signed agreements that we have that guarantee this, in this case a guarantee from a vendor.

Operating Level Agreement, an OLA. So the idea is the degree of resources that would be available so that we'll meet a specific level of operations. We have a specific set of resources that are provided; that's going to be in an OLA, and that's our guarantee of what we'll provide. A lot of times this is really important when you look at things like dependencies: I've got to provide you with a certain level of operations so that you can meet your goals.

Non-Disclosure Agreements. These are important for your employees. If they're dealing with company-sensitive, proprietary information, you want to make sure that you have an NDA from them, a Non-Disclosure Agreement. So that's where your employees acknowledge the fact that this is proprietary company information, and they sign a commitment not to disclose that information to your competitors or to entities outside of the organization. It's very important to get NDAs signed.

And then Business Partnership Agreements. Obviously, organizations come together to pursue a common goal. How that partnership is going to work, how it's going to look, what the constraints are, what the expectations are, that would be documented in a partnership agreement.