WEBVTT

1
00:00:00.000 --> 00:00:01.080
In this lesson,

2
00:00:01.080 --> 00:00:03.810
we will learn about industry compliance.

3
00:00:03.810 --> 00:00:05.610
Industry compliance requires

4
00:00:05.610 --> 00:00:09.450
that organizations meet established laws, regulations,

5
00:00:09.450 --> 00:00:13.560
guidelines, and specifications to protect sensitive data,

6
00:00:13.560 --> 00:00:17.670
maintain customer trust, and avoid regulatory penalties.

7
00:00:17.670 --> 00:00:18.990
Specific industries

8
00:00:18.990 --> 00:00:22.020
that have notable compliance requirements include

9
00:00:22.020 --> 00:00:25.740
government, healthcare, financial, and utilities.

10
00:00:25.740 --> 00:00:28.770
When looking at compliance requirements across industries

11
00:00:28.770 --> 00:00:32.190
like government, healthcare, financial, and utilities,

12
00:00:32.190 --> 00:00:34.800
it is clear that each has its own focus,

13
00:00:34.800 --> 00:00:38.430
but they all aim to protect sensitive data and systems.

14
00:00:38.430 --> 00:00:39.480
In government,

15
00:00:39.480 --> 00:00:42.480
regulations like the Federal Information Security

16
00:00:42.480 --> 00:00:44.520
Management Act, or FISMA,

17
00:00:44.520 --> 00:00:47.070
the National Institute of Standards and Technology

18
00:00:47.070 --> 00:00:50.220
Risk Management Framework, or NIST RMF,

19
00:00:50.220 --> 00:00:55.020
and the Cybersecurity Maturity Model Certification, or CMMC,

20
00:00:55.020 --> 00:00:58.230
emphasize securing federal information and systems

21
00:00:58.230 --> 00:01:00.660
to meet national security needs.

22
00:01:00.660 --> 00:01:03.720
This level of security is especially critical

23
00:01:03.720 --> 00:01:07.320
for contractors handling government-classified data.

24
00:01:07.320 --> 00:01:08.760
Next, in healthcare,

25
00:01:08.760 --> 00:01:10.560
laws like the Health Insurance

26
00:01:10.560 --> 00:01:13.710
Portability and Accountability Act, or HIPAA,

27
00:01:13.710 --> 00:01:16.050
and the Health Information Technology

28
00:01:16.050 --> 00:01:19.650
for Economic and Clinical Health Act, or HITECH,

29
00:01:19.650 --> 00:01:22.260
focus on safeguarding patient information

30
00:01:22.260 --> 00:01:26.700
such as Electronic Protected Health Information, or ePHI.

31
00:01:26.700 --> 00:01:28.530
Healthcare regulations are designed

32
00:01:28.530 --> 00:01:31.020
to ensure privacy and include strict rules

33
00:01:31.020 --> 00:01:34.200
around how medical data is stored and shared.

34
00:01:34.200 --> 00:01:36.240
Next, the financial industry,

35
00:01:36.240 --> 00:01:39.240
through regulations like the Gramm-Leach-Bliley Act,

36
00:01:39.240 --> 00:01:40.740
or GLBA,

37
00:01:40.740 --> 00:01:43.500
the Sarbanes-Oxley Act, or SOX,

38
00:01:43.500 --> 00:01:46.320
and the Payment Card Industry Data Security Standard,

39
00:01:46.320 --> 00:01:48.150
or PCI-DSS,

40
00:01:48.150 --> 00:01:51.420
is centered on protecting customer financial information,

41
00:01:51.420 --> 00:01:53.100
maintaining data integrity,

42
00:01:53.100 --> 00:01:56.490
and securing payment card data to prevent fraud.

43
00:01:56.490 --> 00:01:58.320
Finally, for utilities,

44
00:01:58.320 --> 00:02:01.500
the North American Electric Reliability Corporation

45
00:02:01.500 --> 00:02:06.090
Critical Infrastructure Protection, or NERC-CIP,

46
00:02:06.090 --> 00:02:10.020
and the Federal Energy Regulatory Commission, or FERC,

47
00:02:10.020 --> 00:02:12.450
focus on protecting critical infrastructure

48
00:02:12.450 --> 00:02:14.970
like power grids and water systems.

49
00:02:14.970 --> 00:02:18.330
While all these industries prioritize cybersecurity,

50
00:02:18.330 --> 00:02:20.070
the nature of what they protect,

51
00:02:20.070 --> 00:02:23.370
ranging from patient data to financial transactions,

52
00:02:23.370 --> 00:02:24.660
to national security

53
00:02:24.660 --> 00:02:27.330
drives their unique compliance requirements.

54
00:02:27.330 --> 00:02:29.040
Now let's take a quick look

55
00:02:29.040 --> 00:02:31.980
at the compliance drivers in each industry.

56
00:02:31.980 --> 00:02:33.870
First, we have government.

57
00:02:33.870 --> 00:02:36.840
Government compliance involves several key frameworks

58
00:02:36.840 --> 00:02:40.290
to ensure the security of sensitive data and systems.

59
00:02:40.290 --> 00:02:43.860
The Federal Information Security Management Act, or FISMA,

60
00:02:43.860 --> 00:02:46.170
requires federal agencies to develop

61
00:02:46.170 --> 00:02:48.570
and implement robust security programs

62
00:02:48.570 --> 00:02:50.520
to protect their information.

63
00:02:50.520 --> 00:02:51.720
To support FISMA,

64
00:02:51.720 --> 00:02:54.450
the National Institute of Standards and Technology

65
00:02:54.450 --> 00:02:57.540
Risk Management Framework, or NIST RMF,

66
00:02:57.540 --> 00:02:59.790
provides a method of managing risk,

67
00:02:59.790 --> 00:03:02.700
which includes categorizing information systems,

68
00:03:02.700 --> 00:03:05.250
selecting the appropriate security controls,

69
00:03:05.250 --> 00:03:08.190
and continuously monitoring their effectiveness.

70
00:03:08.190 --> 00:03:10.140
Next, for government contractors,

71
00:03:10.140 --> 00:03:12.450
particularly those in the defense sector,

72
00:03:12.450 --> 00:03:16.950
the Cybersecurity Maturity Model Certification, or CMMC,

73
00:03:16.950 --> 00:03:18.300
is used for safeguarding

74
00:03:18.300 --> 00:03:22.118
Controlled Unclassified Information, or CUI.

75
00:03:22.118 --> 00:03:24.270
CUI is sensitive information

76
00:03:24.270 --> 00:03:26.310
that is not government-classified,

77
00:03:26.310 --> 00:03:29.670
but still requires protection as it is regulated by laws

78
00:03:29.670 --> 00:03:32.820
and regulations to safeguard national security.

79
00:03:32.820 --> 00:03:36.600
Contractors who fail to comply with a CMMC requirement

80
00:03:36.600 --> 00:03:38.340
may be barred from participating

81
00:03:38.340 --> 00:03:40.260
in future government projects.

82
00:03:40.260 --> 00:03:44.370
The CMMC is divided into five levels of certification.

83
00:03:44.370 --> 00:03:48.210
Level 1 focuses on basic cybersecurity hygiene,

84
00:03:48.210 --> 00:03:51.300
like password protection, backups, and logging.

85
00:03:51.300 --> 00:03:54.330
Level 2 introduces immediate practices

86
00:03:54.330 --> 00:03:57.450
such as access control, configuration management,

87
00:03:57.450 --> 00:03:59.310
and incident response.

88
00:03:59.310 --> 00:04:02.640
Level 3 fully implements the NIST SP

89
00:04:02.640 --> 00:04:06.750
or special publication 800-171 guidelines

90
00:04:06.750 --> 00:04:09.210
to protect CUI information

91
00:04:09.210 --> 00:04:12.720
and includes advanced threat detection and response.

92
00:04:12.720 --> 00:04:16.320
Level 4 emphasizes proactive security by measuring

93
00:04:16.320 --> 00:04:19.890
and refining security practices such as threat hunting

94
00:04:19.890 --> 00:04:23.610
and proactive risk management to counter advanced threats.

95
00:04:23.610 --> 00:04:27.450
And level 5 represents the highest level of maturity

96
00:04:27.450 --> 00:04:30.150
where organizations optimize their defenses

97
00:04:30.150 --> 00:04:33.540
through adaptive security controls, supply chain security,

98
00:04:33.540 --> 00:04:35.100
and cyber threat intelligence

99
00:04:35.100 --> 00:04:38.340
to combat the most sophisticated threat actors.

100
00:04:38.340 --> 00:04:41.100
Now, let's take a look at healthcare compliance.

101
00:04:41.100 --> 00:04:45.150
Healthcare organizations must maintain privacy, security,

102
00:04:45.150 --> 00:04:48.090
and ethical practices in handling patient data

103
00:04:48.090 --> 00:04:49.560
and delivering care.

104
00:04:49.560 --> 00:04:52.530
The Health Insurance Portability and Accountability Act,

105
00:04:52.530 --> 00:04:53.430
or HIPAA,

106
00:04:53.430 --> 00:04:55.260
focuses on protecting patients'

107
00:04:55.260 --> 00:04:57.960
sensitive health information and privacy.

108
00:04:57.960 --> 00:05:01.380
HIPAA sets strict rules on how hospitals, doctors,

109
00:05:01.380 --> 00:05:03.480
and insurance companies store,

110
00:05:03.480 --> 00:05:05.940
share and access medical data

111
00:05:05.940 --> 00:05:09.300
to prevent unauthorized access or breaches.

112
00:05:09.300 --> 00:05:11.820
Failure to comply with HIPAA can result

113
00:05:11.820 --> 00:05:14.970
in heavy fines, civil or criminal charges,

114
00:05:14.970 --> 00:05:18.240
and significant reputational damage due to breaches

115
00:05:18.240 --> 00:05:20.790
of patient privacy or data leaks.

116
00:05:20.790 --> 00:05:23.790
Next, we have the Health Information Technology

117
00:05:23.790 --> 00:05:26.970
for Economic and Clinical Health Act, or HITECH,

118
00:05:26.970 --> 00:05:28.380
which builds on HIPAA

119
00:05:28.380 --> 00:05:30.450
by encouraging healthcare providers

120
00:05:30.450 --> 00:05:33.090
to adopt electronic health records.

121
00:05:33.090 --> 00:05:35.910
HITECH not only pushes for the digitization

122
00:05:35.910 --> 00:05:36.840
of health records,

123
00:05:36.840 --> 00:05:38.550
but also strengthens security

124
00:05:38.550 --> 00:05:41.220
and privacy measures for electronic data.

125
00:05:41.220 --> 00:05:44.850
It even enforces tougher penalties for healthcare providers

126
00:05:44.850 --> 00:05:48.210
that fail to properly safeguard patient information.

127
00:05:48.210 --> 00:05:51.180
Next, let's consider financial compliance.

128
00:05:51.180 --> 00:05:55.080
Financial industry standards are designed to prevent fraud,

129
00:05:55.080 --> 00:05:58.260
protect customer data, and ensure transparency,

130
00:05:58.260 --> 00:06:00.450
security, and ethical conduct

131
00:06:00.450 --> 00:06:02.970
in financial transactions and reporting.

132
00:06:02.970 --> 00:06:06.780
First, there's the Gramm-Leach-Bliley Act, or GLBA.

133
00:06:06.780 --> 00:06:10.740
GLBA ensures that banks and financial institutions protect

134
00:06:10.740 --> 00:06:13.410
customers' personal financial information.

135
00:06:13.410 --> 00:06:16.080
GLBA also requires these institutions

136
00:06:16.080 --> 00:06:19.320
to ensure their third-party service providers maintain

137
00:06:19.320 --> 00:06:22.860
adequate security measures to protect customer data.

138
00:06:22.860 --> 00:06:26.430
Then we have the Sarbanes-Oxley Act, or SOX.

139
00:06:26.430 --> 00:06:29.910
SOX focuses on making sure public companies maintain

140
00:06:29.910 --> 00:06:31.590
accurate financial records

141
00:06:31.590 --> 00:06:34.380
and implement controls to prevent fraud.

142
00:06:34.380 --> 00:06:37.650
In short, GLBA targets data privacy

143
00:06:37.650 --> 00:06:39.930
and protection in the financial sector,

144
00:06:39.930 --> 00:06:42.000
while SOX ensures the integrity

145
00:06:42.000 --> 00:06:44.760
of financial reporting in public companies.

146
00:06:44.760 --> 00:06:45.593
Last,

147
00:06:45.593 --> 00:06:48.750
we have the Payment Card Industry Data Security Standard,

148
00:06:48.750 --> 00:06:50.307
or PCI-DSS.

149
00:06:50.307 --> 00:06:53.670
PCI-DSS applies to any business

150
00:06:53.670 --> 00:06:55.770
handling credit card transactions.

151
00:06:55.770 --> 00:06:59.580
Compliance with PCI-DSS protects cardholder data

152
00:06:59.580 --> 00:07:03.030
and avoids serious consequences such as data breaches,

153
00:07:03.030 --> 00:07:07.410
hefty fines, legal liabilities, and loss of customer trust.

154
00:07:07.410 --> 00:07:11.340
PCI-DSS enforces six key security goals,

155
00:07:11.340 --> 00:07:13.920
including maintaining a secure network,

156
00:07:13.920 --> 00:07:17.700
encrypting cardholder data, managing vulnerabilities,

157
00:07:17.700 --> 00:07:19.980
enforcing strict access controls,

158
00:07:19.980 --> 00:07:22.350
continuously monitoring systems,

159
00:07:22.350 --> 00:07:25.950
and having a robust information security policy.

160
00:07:25.950 --> 00:07:28.680
Finally, we have utility compliance.

161
00:07:28.680 --> 00:07:32.400
Utility regulations and standards ensure the security,

162
00:07:32.400 --> 00:07:35.790
reliability and safety of critical infrastructure

163
00:07:35.790 --> 00:07:38.280
such as power grids and water systems.

164
00:07:38.280 --> 00:07:39.240
For example,

165
00:07:39.240 --> 00:07:42.480
the North American Electric Reliability Corporation

166
00:07:42.480 --> 00:07:47.130
Critical Infrastructure Protection, or NERC-CIP standards,

167
00:07:47.130 --> 00:07:50.580
focus on securing the systems that keep the lights on.

168
00:07:50.580 --> 00:07:53.640
The NERC-CIP ensures power companies

169
00:07:53.640 --> 00:07:56.550
have strong security practices in place

170
00:07:56.550 --> 00:07:58.410
to prevent hackers from shutting down

171
00:07:58.410 --> 00:07:59.940
parts of the power grid.

172
00:07:59.940 --> 00:08:04.440
Failure to comply with the NERC-CIP can result in fines

173
00:08:04.440 --> 00:08:08.070
of up to $1 million per day per violation.

174
00:08:08.070 --> 00:08:11.520
Next, there's the Federal Energy Regulatory Commission,

175
00:08:11.520 --> 00:08:12.900
or FERC.

176
00:08:12.900 --> 00:08:14.640
The FERC oversees

177
00:08:14.640 --> 00:08:17.970
and enforces compliance in the energy industry.

178
00:08:17.970 --> 00:08:20.610
FERC makes sure that utility companies

179
00:08:20.610 --> 00:08:23.010
are conducting regular risk assessments

180
00:08:23.010 --> 00:08:25.320
and implementing cybersecurity measures

181
00:08:25.320 --> 00:08:28.830
to safeguard against physical and cyber threats.

182
00:08:28.830 --> 00:08:30.240
So remember,

183
00:08:30.240 --> 00:08:32.730
industry compliance involves adhering

184
00:08:32.730 --> 00:08:35.070
to specific laws, regulations,

185
00:08:35.070 --> 00:08:37.800
and standards that protect sensitive data

186
00:08:37.800 --> 00:08:39.600
and maintain trust.

187
00:08:39.600 --> 00:08:42.330
Each sector, from government to healthcare,

188
00:08:42.330 --> 00:08:45.930
financial and utilities has its own regulations

189
00:08:45.930 --> 00:08:48.660
focused on data protection and security.

190
00:08:48.660 --> 00:08:51.330
Government compliance emphasizes securing

191
00:08:51.330 --> 00:08:53.310
sensitive federal information

192
00:08:53.310 --> 00:08:56.880
through frameworks like FISMA and CMMC.

193
00:08:56.880 --> 00:09:00.270
Healthcare regulations such as HIPAA and HITECH

194
00:09:00.270 --> 00:09:03.660
ensure the privacy and security of patient data.

195
00:09:03.660 --> 00:09:07.320
Financial regulations like GLBA, SOX,

196
00:09:07.320 --> 00:09:12.320
and PCI-DSS prevent fraud and protect financial information.

197
00:09:12.390 --> 00:09:13.320
And finally,

198
00:09:13.320 --> 00:09:16.950
utility compliance secures critical infrastructure

199
00:09:16.950 --> 00:09:18.330
such as power grids

200
00:09:18.330 --> 00:09:23.330
through standards like NERC-CIP and oversight by the FERC.

