WEBVTT

1
00:00:00.000 --> 00:00:01.740
In this section of the course,

2
00:00:01.740 --> 00:00:03.900
we are going to discuss Compliance.

3
00:00:03.900 --> 00:00:05.610
The Compliance section of the course

4
00:00:05.610 --> 00:00:09.270
focuses on Domain 1: Governance, Risk, and Compliance,

5
00:00:09.270 --> 00:00:12.150
specifically objective 1.3

6
00:00:12.150 --> 00:00:14.640
which states you must be able to explain

7
00:00:14.640 --> 00:00:17.970
how compliance affects information security strategies.

8
00:00:17.970 --> 00:00:20.130
In today's enterprise landscape,

9
00:00:20.130 --> 00:00:22.650
adhering to industry compliance and standards

10
00:00:22.650 --> 00:00:25.770
is not just about meeting regulatory requirements;

11
00:00:25.770 --> 00:00:28.380
it's also about fostering trust,

12
00:00:28.380 --> 00:00:31.320
ensuring security practices are in place,

13
00:00:31.320 --> 00:00:33.510
and safeguarding sensitive data.

14
00:00:33.510 --> 00:00:36.810
Industry-recognized frameworks provide essential guidelines

15
00:00:36.810 --> 00:00:39.690
for establishing robust security controls,

16
00:00:39.690 --> 00:00:41.760
helping organizations manage risk

17
00:00:41.760 --> 00:00:44.400
effectively across multiple internal

18
00:00:44.400 --> 00:00:46.050
and external environments,

19
00:00:46.050 --> 00:00:47.790
while privacy regulations,

20
00:00:47.790 --> 00:00:50.310
both local and cross-jurisdictional,

21
00:00:50.310 --> 00:00:52.860
add another layer of compliance complexity,

22
00:00:52.860 --> 00:00:56.010
requiring organizations to navigate and align

23
00:00:56.010 --> 00:00:58.200
with diverse legal frameworks.

24
00:00:58.200 --> 00:01:00.930
Finally, regular security reviews

25
00:01:00.930 --> 00:01:03.360
ensure that organizations remain resilient

26
00:01:03.360 --> 00:01:05.340
in the face of evolving threats

27
00:01:05.340 --> 00:01:07.980
and changing regulatory demands.

28
00:01:07.980 --> 00:01:09.690
As we go through this section,

29
00:01:09.690 --> 00:01:12.720
we will cover many topics related to Compliance

30
00:01:12.720 --> 00:01:16.020
including industry standards and industry compliance,

31
00:01:16.020 --> 00:01:17.910
security and reporting frameworks

32
00:01:17.910 --> 00:01:22.140
such as the Systems and Organization Controls or SOC2,

33
00:01:22.140 --> 00:01:24.870
the National Institute of Standards and Technology

34
00:01:24.870 --> 00:01:28.680
Cybersecurity Framework or NIST CSF,

35
00:01:28.680 --> 00:01:32.190
and the Cloud Security Alliance or CSA framework.

36
00:01:32.190 --> 00:01:36.240
We will also discuss privacy regulations, security reviews,

37
00:01:36.240 --> 00:01:38.460
and cross-jurisdictional compliance.

38
00:01:38.460 --> 00:01:41.460
First, we will look at Industry Compliance.

39
00:01:41.460 --> 00:01:43.920
Industry compliance requires that organizations

40
00:01:43.920 --> 00:01:47.520
meet established laws, regulations, guidelines,

41
00:01:47.520 --> 00:01:50.670
and specifications to protect sensitive data,

42
00:01:50.670 --> 00:01:52.470
maintain customer trust,

43
00:01:52.470 --> 00:01:54.900
and avoid regulatory penalties.

44
00:01:54.900 --> 00:01:57.090
Industry compliance includes an awareness

45
00:01:57.090 --> 00:01:59.550
of industry-specific compliance requirements.

46
00:01:59.550 --> 00:02:02.160
For example, government agencies

47
00:02:02.160 --> 00:02:05.310
must comply with data security and privacy regulations

48
00:02:05.310 --> 00:02:09.090
to protect sensitive national and citizen information.

49
00:02:09.090 --> 00:02:11.040
In healthcare, compliance focuses

50
00:02:11.040 --> 00:02:12.840
on safeguarding patient data.

51
00:02:12.840 --> 00:02:15.660
In the financial sector, financial institutions

52
00:02:15.660 --> 00:02:18.390
are required to implement compliance measures

53
00:02:18.390 --> 00:02:21.210
to protect customer financial information

54
00:02:21.210 --> 00:02:22.650
and prevent fraud.

55
00:02:22.650 --> 00:02:24.751
Finally, in the utilities industry,

56
00:02:24.751 --> 00:02:28.380
organizations must ensure the security and resilience

57
00:02:28.380 --> 00:02:30.030
of critical infrastructure,

58
00:02:30.030 --> 00:02:32.700
protecting against disruptions and cyber attacks

59
00:02:32.700 --> 00:02:36.480
that could impact public safety and service continuity.

60
00:02:36.480 --> 00:02:39.510
Then, we will explore industry standards.

61
00:02:39.510 --> 00:02:42.660
Industry standards are established guidelines and practices

62
00:02:42.660 --> 00:02:45.630
that organizations within a specific industry

63
00:02:45.630 --> 00:02:47.160
are expected to follow.

64
00:02:47.160 --> 00:02:48.960
These standards are often developed

65
00:02:48.960 --> 00:02:52.110
by industry bodies or regulatory organizations

66
00:02:52.110 --> 00:02:55.680
and serve as benchmarks for compliance and best practices.

67
00:02:55.680 --> 00:02:58.290
For example, the Payment Card Industry

68
00:02:58.290 --> 00:03:01.320
Data Security Standard or PCI DSS

69
00:03:01.320 --> 00:03:03.090
mandates security measures

70
00:03:03.090 --> 00:03:06.660
for organizations that process credit card transactions

71
00:03:06.660 --> 00:03:08.700
to protect cardholder data.

72
00:03:08.700 --> 00:03:10.887
Additionally, the International Organization

73
00:03:10.887 --> 00:03:15.810
for Standardization or ISO 27000 series framework

74
00:03:15.810 --> 00:03:18.870
is used for managing information security risks

75
00:03:18.870 --> 00:03:20.190
and offers guidelines

76
00:03:20.190 --> 00:03:23.580
for establishing, implementing, maintaining,

77
00:03:23.580 --> 00:03:25.050
and continually improving

78
00:03:25.050 --> 00:03:27.720
an information security management system.

79
00:03:27.720 --> 00:03:30.210
Lastly, the Digital Markets Act,

80
00:03:30.210 --> 00:03:33.690
although primarily focused on regulating digital platforms

81
00:03:33.690 --> 00:03:36.750
to ensure fair competition in the European Union,

82
00:03:36.750 --> 00:03:38.700
intersects with industry standards

83
00:03:38.700 --> 00:03:42.630
like PCI DSS and ISO 27000

84
00:03:42.630 --> 00:03:46.140
by imposing obligations on large digital platforms

85
00:03:46.140 --> 00:03:49.590
to maintain high levels of data protection and security.

86
00:03:49.590 --> 00:03:52.620
After that, we will look at Security Frameworks.

87
00:03:52.620 --> 00:03:55.470
Security frameworks are sets of guidelines,

88
00:03:55.470 --> 00:03:57.960
best practices, and standards

89
00:03:57.960 --> 00:03:59.385
designed to help organizations

90
00:03:59.385 --> 00:04:03.000
manage and reduce cybersecurity risks.

91
00:04:03.000 --> 00:04:05.130
Security frameworks include:

92
00:04:05.130 --> 00:04:07.050
foundational best practices,

93
00:04:07.050 --> 00:04:08.970
which form the core principles

94
00:04:08.970 --> 00:04:11.580
that guide the implementation of security measures;

95
00:04:11.580 --> 00:04:14.638
benchmarks, which are specific measurable standards

96
00:04:14.638 --> 00:04:17.640
derived from foundational best practices;

97
00:04:17.640 --> 00:04:21.630
and the Center for Internet Security or CIS benchmarks,

98
00:04:21.630 --> 00:04:24.240
which offer actionable and detailed guidance

99
00:04:24.240 --> 00:04:26.370
on securing systems and data.

100
00:04:26.370 --> 00:04:31.320
Next, we will explore the Systems and Organization Controls

101
00:04:31.320 --> 00:04:33.180
or SOC2 framework.

102
00:04:33.180 --> 00:04:35.744
The SOC2 framework is an auditing process

103
00:04:35.744 --> 00:04:37.407
that assesses the effectiveness

104
00:04:37.407 --> 00:04:41.280
of an organization's information security controls,

105
00:04:41.280 --> 00:04:43.200
either at a point in time

106
00:04:43.200 --> 00:04:46.650
or over approximately a 6 to 12-month period.

107
00:04:46.650 --> 00:04:50.700
SOC2 focuses on five key trust service principles:

108
00:04:50.700 --> 00:04:54.150
security, availability, processing integrity,

109
00:04:54.150 --> 00:04:56.580
confidentiality, and privacy.

110
00:04:56.580 --> 00:04:58.170
Its reports are crucial

111
00:04:58.170 --> 00:05:00.060
for demonstrating that an organization

112
00:05:00.060 --> 00:05:02.850
is effectively managing and protecting data

113
00:05:02.850 --> 00:05:05.040
according to industry standards.

114
00:05:05.040 --> 00:05:08.010
Following that, we will look at the National Institute

115
00:05:08.010 --> 00:05:11.520
of Standards and Technology Cybersecurity Framework

116
00:05:11.520 --> 00:05:13.350
or NIST CSF.

117
00:05:13.350 --> 00:05:15.780
The NIST Cybersecurity Framework was developed

118
00:05:15.780 --> 00:05:18.630
by the National Institute of Standards and Technology

119
00:05:18.630 --> 00:05:22.590
to help organizations manage and reduce cybersecurity risk.

120
00:05:22.590 --> 00:05:23.760
The framework is designed

121
00:05:23.760 --> 00:05:26.340
to be flexible across various industries,

122
00:05:26.340 --> 00:05:28.170
providing a structured approach

123
00:05:28.170 --> 00:05:31.170
to managing and recovering from cyber events.

124
00:05:31.170 --> 00:05:33.480
The NIST Cybersecurity Framework

125
00:05:33.480 --> 00:05:35.820
organizes cybersecurity activities

126
00:05:35.820 --> 00:05:37.800
into five core functions:

127
00:05:37.800 --> 00:05:40.980
identify, protect, detect,

128
00:05:40.980 --> 00:05:43.050
respond, and recover,

129
00:05:43.050 --> 00:05:45.090
providing a comprehensive approach

130
00:05:45.090 --> 00:05:47.820
to managing and responding to cyber risk.

131
00:05:47.820 --> 00:05:52.290
Then, we will explore the Cloud Security Alliance Framework.

132
00:05:52.290 --> 00:05:55.170
The Cloud Security Alliance or CSA framework

133
00:05:55.170 --> 00:05:57.750
is a set of guidelines and best practices

134
00:05:57.750 --> 00:05:59.910
designed to help organizations

135
00:05:59.910 --> 00:06:02.430
secure cloud computing environments.

136
00:06:02.430 --> 00:06:04.650
It provides a comprehensive approach

137
00:06:04.650 --> 00:06:06.480
to manage and mitigate risks

138
00:06:06.480 --> 00:06:08.520
associated with cloud services,

139
00:06:08.520 --> 00:06:11.250
addressing areas such as data protection,

140
00:06:11.250 --> 00:06:13.890
security management, and compliance.

141
00:06:13.890 --> 00:06:16.680
Within the Cloud Security Alliance framework,

142
00:06:16.680 --> 00:06:18.270
the Cloud Security Alliance

143
00:06:18.270 --> 00:06:23.130
Security Trust Assurance and Risk or STAR program

144
00:06:23.130 --> 00:06:25.500
offers a certification process

145
00:06:25.500 --> 00:06:28.620
that assesses and validates the security practices

146
00:06:28.620 --> 00:06:30.330
of cloud service providers,

147
00:06:30.330 --> 00:06:32.700
ensuring transparency, trust,

148
00:06:32.700 --> 00:06:35.490
and compliance in their cloud environments.

149
00:06:35.490 --> 00:06:38.850
After that, we will look at privacy regulations.

150
00:06:38.850 --> 00:06:41.550
Privacy regulations are designed to protect

151
00:06:41.550 --> 00:06:45.210
individuals' personal information and privacy rights

152
00:06:45.210 --> 00:06:47.730
by setting requirements for how organizations

153
00:06:47.730 --> 00:06:51.300
collect, store, use, and share data.

154
00:06:51.300 --> 00:06:55.200
For example, the Children's Online Privacy Protection Act

155
00:06:55.200 --> 00:07:00.200
or COPPA focuses on protecting children's data in the US.

156
00:07:00.420 --> 00:07:04.020
The General Data Protection Law or LGPD

157
00:07:04.020 --> 00:07:06.660
sets data protection standards in Brazil.

158
00:07:06.660 --> 00:07:10.350
The California Consumer Privacy Act or CCPA

159
00:07:10.350 --> 00:07:13.680
addresses privacy rights in the state of California

160
00:07:13.680 --> 00:07:17.730
and the General Data Protection Regulation or GDPR

161
00:07:17.730 --> 00:07:21.060
enforces data protection across the European Union.

162
00:07:21.060 --> 00:07:23.628
Organizations must adapt their security strategies

163
00:07:23.628 --> 00:07:26.460
to comply with these diverse regulations,

164
00:07:26.460 --> 00:07:30.210
ensuring robust data protection and privacy measures

165
00:07:30.210 --> 00:07:32.400
tailored to different legal requirements

166
00:07:32.400 --> 00:07:34.770
in different geographical regions.

167
00:07:34.770 --> 00:07:37.590
Then, we will explore Security Reviews.

168
00:07:37.590 --> 00:07:41.220
Security reviews involve dedicated evaluations

169
00:07:41.220 --> 00:07:43.950
of an organization's security policies,

170
00:07:43.950 --> 00:07:46.110
controls, and practices

171
00:07:46.110 --> 00:07:48.510
to ensure they are effective and aligned

172
00:07:48.510 --> 00:07:51.420
with regulatory requirements and best practices.

173
00:07:51.420 --> 00:07:54.780
These reviews can be internal or external.

174
00:07:54.780 --> 00:07:57.300
Internal reviews are conducted locally

175
00:07:57.300 --> 00:08:00.870
and focus on internal processes and practices.

176
00:08:00.870 --> 00:08:04.590
They help identify weaknesses and areas for improvement.

177
00:08:04.590 --> 00:08:08.400
External reviews are conducted by independent third parties

178
00:08:08.400 --> 00:08:10.890
and provide an objective evaluation

179
00:08:10.890 --> 00:08:13.530
of compliance and security effectiveness.

180
00:08:13.530 --> 00:08:15.240
Security review types

181
00:08:15.240 --> 00:08:18.990
include audits, assessments, and certifications.

182
00:08:18.990 --> 00:08:21.300
Audits are formal evaluations

183
00:08:21.300 --> 00:08:23.490
typically conducted externally,

184
00:08:23.490 --> 00:08:27.150
but they may also be conducted by internal security teams.

185
00:08:27.150 --> 00:08:28.980
Assessments, on the other hand,

186
00:08:28.980 --> 00:08:31.560
are internal or external reviews

187
00:08:31.560 --> 00:08:34.440
which identify vulnerabilities, risks,

188
00:08:34.440 --> 00:08:36.570
and gaps in security controls.

189
00:08:36.570 --> 00:08:39.600
Certifications serve as formal validation

190
00:08:39.600 --> 00:08:41.190
that an organization meets

191
00:08:41.190 --> 00:08:44.190
specific security standards or regulations

192
00:08:44.190 --> 00:08:45.720
and are often the result

193
00:08:45.720 --> 00:08:48.060
of successful assessments or audits.

194
00:08:48.060 --> 00:08:50.347
So while assessments help organizations

195
00:08:50.347 --> 00:08:52.620
understand their security posture

196
00:08:52.620 --> 00:08:54.330
and enhance their controls,

197
00:08:54.330 --> 00:08:57.090
certifications offer official recognition

198
00:08:57.090 --> 00:08:59.760
of their adherence to established standards.

199
00:08:59.760 --> 00:09:03.870
Finally, we will explore Cross-jurisdictional Compliance.

200
00:09:03.870 --> 00:09:07.410
Cross-jurisdictional compliance requirements establish

201
00:09:07.410 --> 00:09:10.350
the standards that ensure an organization's practices

202
00:09:10.350 --> 00:09:14.190
are compliant with all applicable local, national,

203
00:09:14.190 --> 00:09:16.080
and international laws.

204
00:09:16.080 --> 00:09:19.080
Compliance may involve items such as due diligence,

205
00:09:19.080 --> 00:09:21.900
due care, contractual obligations,

206
00:09:21.900 --> 00:09:23.460
and export controls.

207
00:09:23.460 --> 00:09:26.370
Due diligence refers to the proactive investigation

208
00:09:26.370 --> 00:09:28.590
and assessment of compliance risks

209
00:09:28.590 --> 00:09:32.160
before entering into agreements or business activities.

210
00:09:32.160 --> 00:09:34.935
Due care refers to the ongoing responsibility

211
00:09:34.935 --> 00:09:36.900
of an organization

212
00:09:36.900 --> 00:09:39.600
to maintain and manage compliance effectively.

213
00:09:39.600 --> 00:09:41.752
Contractual obligations ensure compliance

214
00:09:41.752 --> 00:09:44.550
with both legal and business standards

215
00:09:44.550 --> 00:09:46.080
which may include provisions

216
00:09:46.080 --> 00:09:48.630
for legal holds and e-discovery.

217
00:09:48.630 --> 00:09:52.170
Legal holds are procedures to preserve relevant data

218
00:09:52.170 --> 00:09:54.479
for potential future legal proceedings.

219
00:09:54.479 --> 00:09:58.230
E-discovery is the process of identifying, collecting,

220
00:09:58.230 --> 00:10:01.950
and analyzing electronic data for legal purposes.

221
00:10:01.950 --> 00:10:04.350
Finally, we have Export Controls

222
00:10:04.350 --> 00:10:07.440
which cover the transfer of sensitive technology

223
00:10:07.440 --> 00:10:09.510
and data across borders.

224
00:10:09.510 --> 00:10:11.610
Export controls often intersect

225
00:10:11.610 --> 00:10:14.220
with due diligence and contractual obligations

226
00:10:14.220 --> 00:10:16.830
by imposing additional compliance requirements

227
00:10:16.830 --> 00:10:18.960
on international transactions.

228
00:10:18.960 --> 00:10:21.270
To finish things off, we'll take a short quiz

229
00:10:21.270 --> 00:10:24.180
to see what you learned during this section of the course.

230
00:10:24.180 --> 00:10:27.660
And we will review each of those quiz questions fully

231
00:10:27.660 --> 00:10:30.930
to ensure you can explain why the right answers were right

232
00:10:30.930 --> 00:10:32.880
and the wrong answers were wrong.

233
00:10:32.880 --> 00:10:35.370
So let's get ready to dive into Compliance

234
00:10:35.370 --> 00:10:37.443
in this section of the course!

