WEBVTT

1
00:00:00.330 --> 00:00:01.200
In this lesson,

2
00:00:01.200 --> 00:00:03.840
we will learn about industry standards.

3
00:00:03.840 --> 00:00:06.540
Industry standards are established guidelines

4
00:00:06.540 --> 00:00:08.610
and practices that organizations

5
00:00:08.610 --> 00:00:12.210
within a specific industry are expected to follow.

6
00:00:12.210 --> 00:00:15.570
These standards are often developed by industry bodies

7
00:00:15.570 --> 00:00:17.610
or regulatory organizations

8
00:00:17.610 --> 00:00:21.780
and serve as benchmarks for compliance and best practices.

9
00:00:21.780 --> 00:00:25.020
The industry standards that we will be discussing today are

10
00:00:25.020 --> 00:00:28.260
the Payment Card Industry Data Security Standard,

11
00:00:28.260 --> 00:00:30.150
or PCI-DSS,

12
00:00:30.150 --> 00:00:33.600
the International Organization for Standardization/

13
00:00:33.600 --> 00:00:36.845
International Electrotechnical Commission,

14
00:00:36.845 --> 00:00:40.740
or ISO/IEC 27000 Series,

15
00:00:40.740 --> 00:00:42.660
which during this lesson,

16
00:00:42.660 --> 00:00:46.980
we will just refer to as the ISO 27000 Series,

17
00:00:46.980 --> 00:00:50.430
and the Digital Markets Act, or DMA.

18
00:00:50.430 --> 00:00:52.710
In order to understand them each,

19
00:00:52.710 --> 00:00:56.280
let's imagine a city where different safety measures ensure

20
00:00:56.280 --> 00:00:58.110
everything runs smoothly.

21
00:00:58.110 --> 00:01:02.130
PCI-DSS is like the security guards at the bank.

22
00:01:02.130 --> 00:01:03.540
The security guards ensure

23
00:01:03.540 --> 00:01:05.850
that every transaction is protected

24
00:01:05.850 --> 00:01:09.690
and your financial details remain secure during purchases.

25
00:01:09.690 --> 00:01:14.370
The ISO 27000 Series acts like the city's building codes,

26
00:01:14.370 --> 00:01:16.470
setting the standards and guidelines

27
00:01:16.470 --> 00:01:17.940
that businesses must follow

28
00:01:17.940 --> 00:01:20.310
to ensure their data infrastructure is

29
00:01:20.310 --> 00:01:22.860
safe and resilient against threats.

30
00:01:22.860 --> 00:01:25.590
Meanwhile, the Digital Markets Act functions

31
00:01:25.590 --> 00:01:27.960
like the city's anti-monopoly laws,

32
00:01:27.960 --> 00:01:31.500
preventing any single company from dominating the market

33
00:01:31.500 --> 00:01:33.570
and ensuring fair competition.

34
00:01:33.570 --> 00:01:36.810
Now, let's explore each of these industry standards

35
00:01:36.810 --> 00:01:38.070
in more detail.

36
00:01:38.070 --> 00:01:39.180
First, we have

37
00:01:39.180 --> 00:01:41.940
the Payment Card Industry Data Security Standard,

38
00:01:41.940 --> 00:01:43.497
or PCI-DSS.

39
00:01:43.497 --> 00:01:46.590
PCI-DSS applies to any business

40
00:01:46.590 --> 00:01:48.780
that handles credit card transactions,

41
00:01:48.780 --> 00:01:53.010
whether it's a small online store or a very large retailer.

42
00:01:53.010 --> 00:01:57.870
The main goal of PCI-DSS is to keep credit card data safe.

43
00:01:57.870 --> 00:02:00.900
And it's built around six key security goals.

44
00:02:00.900 --> 00:02:03.000
These goals include building

45
00:02:03.000 --> 00:02:05.280
and maintaining a secure network,

46
00:02:05.280 --> 00:02:08.220
protecting cardholder data through encryption,

47
00:02:08.220 --> 00:02:11.190
maintaining a vulnerability management program,

48
00:02:11.190 --> 00:02:13.980
enforcing strong access control measures,

49
00:02:13.980 --> 00:02:16.800
regularly monitoring and testing networks,

50
00:02:16.800 --> 00:02:20.460
and establishing an information security policy.

51
00:02:20.460 --> 00:02:23.130
Within the PCI-DSS standard,

52
00:02:23.130 --> 00:02:26.640
credit card merchants are divided into four levels

53
00:02:26.640 --> 00:02:29.310
based on how many credit card transactions

54
00:02:29.310 --> 00:02:31.230
they process each year.

55
00:02:31.230 --> 00:02:34.650
For example, level one merchants are the biggest

56
00:02:34.650 --> 00:02:38.010
processing over six million transactions a year.

57
00:02:38.010 --> 00:02:41.400
And they need to undergo an annual on-site audit

58
00:02:41.400 --> 00:02:43.800
by a qualified security assessor

59
00:02:43.800 --> 00:02:46.170
to make sure they're following all the rules.

60
00:02:46.170 --> 00:02:50.130
They also have to submit an annual report on compliance.

61
00:02:50.130 --> 00:02:52.950
Level two merchants process one million

62
00:02:52.950 --> 00:02:55.470
to six million transactions per year.

63
00:02:55.470 --> 00:02:58.860
Level three merchants process between 20,000

64
00:02:58.860 --> 00:03:01.380
and 1 million transactions per year.

65
00:03:01.380 --> 00:03:03.420
And level four merchants process

66
00:03:03.420 --> 00:03:07.050
fewer than 20,000 e-commerce transactions,

67
00:03:07.050 --> 00:03:10.800
or fewer than 1 million overall transactions per year.

68
00:03:10.800 --> 00:03:14.460
Level two, three, and four merchants generally complete

69
00:03:14.460 --> 00:03:17.580
a Self-Assessment Questionnaire, or SAQ,

70
00:03:17.580 --> 00:03:20.160
instead of an on-site audit.

71
00:03:20.160 --> 00:03:23.730
Some of them might also need to run quarterly network scans

72
00:03:23.730 --> 00:03:25.830
by an Approved Scanning Vendor

73
00:03:25.830 --> 00:03:27.510
depending on how they're set up

74
00:03:27.510 --> 00:03:29.820
and how they handle cardholder data.

75
00:03:29.820 --> 00:03:33.720
Second, we have the ISO 27000 Series.

76
00:03:33.720 --> 00:03:36.930
The International Organization for Standardization/

77
00:03:36.930 --> 00:03:41.280
International Electrotechnical Commission, or ISO/IEC,

78
00:03:41.280 --> 00:03:45.660
which, again, we will just refer to as ISO in this lesson,

79
00:03:45.660 --> 00:03:47.370
is a group of standards created

80
00:03:47.370 --> 00:03:51.330
as a series of best practices across multiple industries.

81
00:03:51.330 --> 00:03:56.070
Each set of standards is labeled as ISO and a series number.

82
00:03:56.070 --> 00:04:01.070
The entire ISO 27000 Series has about 60 different standards

83
00:04:01.590 --> 00:04:04.980
for different parts of an organization's IT network,

84
00:04:04.980 --> 00:04:07.410
its policies and its controls.

85
00:04:07.410 --> 00:04:12.090
The ISO 27000 series is a set of international standards

86
00:04:12.090 --> 00:04:14.400
designed to help organizations manage

87
00:04:14.400 --> 00:04:16.170
their information security.

88
00:04:16.170 --> 00:04:18.210
These standards offer guidelines

89
00:04:18.210 --> 00:04:21.510
to protect sensitive data from breaches, cyber attacks,

90
00:04:21.510 --> 00:04:23.880
and other cybersecurity threats.

91
00:04:23.880 --> 00:04:26.910
One of the most important standards in this series is

92
00:04:26.910 --> 00:04:29.790
the ISO 27001.

93
00:04:29.790 --> 00:04:34.790
ISO 27001 focuses on establishing, implementing,

94
00:04:34.920 --> 00:04:38.460
maintaining, and continually improving an organization's

95
00:04:38.460 --> 00:04:42.690
Information Security Management System, or ISMS.

96
00:04:42.690 --> 00:04:46.650
This is crucial for industries like healthcare or finance

97
00:04:46.650 --> 00:04:49.320
where protecting data is vital.

98
00:04:49.320 --> 00:04:52.980
Another key standard is the ISO 27002.

99
00:04:52.980 --> 00:04:56.940
ISO 27002 provides best practices

100
00:04:56.940 --> 00:04:58.860
for implementing the security controls

101
00:04:58.860 --> 00:05:02.280
defined in the ISO 27001.

102
00:05:02.280 --> 00:05:06.840
Next, ISO 27005 specifically addresses

103
00:05:06.840 --> 00:05:09.000
information security risk management,

104
00:05:09.000 --> 00:05:12.420
offering guidance on identifying and assessing risks

105
00:05:12.420 --> 00:05:14.940
to better protect sensitive information.

106
00:05:14.940 --> 00:05:18.387
Next, we have ISO 27017.

107
00:05:18.387 --> 00:05:23.387
ISO 27017 focuses on security in cloud services.

108
00:05:24.270 --> 00:05:27.030
Next, ISO 27018 deals

109
00:05:27.030 --> 00:05:29.790
with protecting personal data in the cloud.

110
00:05:29.790 --> 00:05:31.890
Although compliance with these standards

111
00:05:31.890 --> 00:05:33.600
isn't legally enforced,

112
00:05:33.600 --> 00:05:35.580
many organizations adopt them

113
00:05:35.580 --> 00:05:38.580
to follow globally recognized best practices,

114
00:05:38.580 --> 00:05:40.980
demonstrating to clients and regulators

115
00:05:40.980 --> 00:05:44.100
that their data protection strategies are solid.

116
00:05:44.100 --> 00:05:48.510
Third and last, we have the Digital Markets Act, or DMA.

117
00:05:48.510 --> 00:05:50.760
The Digital Markets Act is a regulation

118
00:05:50.760 --> 00:05:53.040
introduced by the European Union

119
00:05:53.040 --> 00:05:56.370
to ensure fair competition in the digital market,

120
00:05:56.370 --> 00:05:58.650
particularly by curbing the dominance

121
00:05:58.650 --> 00:06:01.890
of large tech companies known as gatekeepers.

122
00:06:01.890 --> 00:06:05.820
Gatekeepers are companies that control key digital services

123
00:06:05.820 --> 00:06:09.030
like online search engines, social networking,

124
00:06:09.030 --> 00:06:10.440
and app stores.

125
00:06:10.440 --> 00:06:13.890
They are companies like Google, Apple, and Meta.

126
00:06:13.890 --> 00:06:16.590
The DMA sets strict rules for these companies,

127
00:06:16.590 --> 00:06:19.020
requiring them to allow fair access

128
00:06:19.020 --> 00:06:21.000
to their platforms and data.

129
00:06:21.000 --> 00:06:24.270
For example, DMA ensures that messaging apps

130
00:06:24.270 --> 00:06:26.700
from smaller providers can interoperate

131
00:06:26.700 --> 00:06:28.860
with major platforms like WhatsApp,

132
00:06:28.860 --> 00:06:31.800
so users aren't locked into one service.

133
00:06:31.800 --> 00:06:34.680
Furthermore, the DMA prevents gatekeepers

134
00:06:34.680 --> 00:06:38.160
from favoring their own products over those of competitors

135
00:06:38.160 --> 00:06:40.200
in search results or app stores.

136
00:06:40.200 --> 00:06:43.020
This law is enforced by the European Commission,

137
00:06:43.020 --> 00:06:45.960
and non-compliance can result in hefty fines

138
00:06:45.960 --> 00:06:49.140
of up to 10% of the company's global revenue

139
00:06:49.140 --> 00:06:51.300
or even breakup orders.

140
00:06:51.300 --> 00:06:55.290
The DMA's goal is to promote competition and innovation,

141
00:06:55.290 --> 00:06:58.800
giving smaller companies a fair chance to compete.

142
00:06:58.800 --> 00:07:02.400
So remember, industry standards are guidelines

143
00:07:02.400 --> 00:07:04.320
that organizations follow

144
00:07:04.320 --> 00:07:08.400
to ensure security, compliance, and ethical practices.

145
00:07:08.400 --> 00:07:11.700
These standards are typically set by regulatory bodies

146
00:07:11.700 --> 00:07:13.140
or industry groups,

147
00:07:13.140 --> 00:07:16.920
and help businesses manage risks to protect sensitive data.

148
00:07:16.920 --> 00:07:20.310
For example, the PCI-DSS focuses

149
00:07:20.310 --> 00:07:23.040
on securing credit card transactions,

150
00:07:23.040 --> 00:07:28.040
while the ISO 27000 Series provides comprehensive guidelines

151
00:07:28.200 --> 00:07:32.280
for managing information security across various industries.

152
00:07:32.280 --> 00:07:34.680
Additionally, the Digital Markets Act aims

153
00:07:34.680 --> 00:07:37.980
to promote fair competition in the digital economy

154
00:07:37.980 --> 00:07:40.110
by regulating large tech companies.

155
00:07:40.110 --> 00:07:42.900
Adhering to these standards not only enhances

156
00:07:42.900 --> 00:07:44.370
security and trust,

157
00:07:44.370 --> 00:07:48.813
but also helps organizations avoid non-compliance penalties.

