- [Instructor] While we typically develop security programs for the purpose of safeguarding the confidentiality, integrity, and availability of our information, we also often face external requirements to build security controls. Compliance programs ensure that an organization's security controls are consistent with a variety of laws, regulations, and standards that govern organizations. There are a wide variety of compliance obligations facing modern enterprises, and these obligations differ depending upon the geographic location of the organization and its industry. A university in the United States has far different compliance requirements, for example, than a retail merchant in Europe. Both organizations may face a significant compliance burden, but the details will vary. Security training programs should include coverage of the specific compliance obligations facing an organization as well as the responsibilities of individual employees to ensure continued compliance.

For example, if a law requires that employees never write down credit card numbers, the organization's security awareness program should educate them about this requirement. There are three different types of compliance obligations that should be covered in an organization's security awareness and training program. Laws are requirements passed by a governmental authority at the national or local level. They come with civil and criminal penalties for failure to comply. For example, the Gramm-Leach-Bliley Act, or GLBA, affects security practices of financial institutions. The Gramm-Leach-Bliley Act requires that financial institutions designate an information security officer and build a formal information security program to protect customer information. Regulations are mandatory requirements that an organization must follow but are not embodied in law. Some regulations come from government agencies carrying out other laws, such as this HIPAA Security Rule that describes how the U.S. government expects health care providers will comply with the Health Insurance Portability and Accountability Act, or HIPAA.

While HIPAA is a law, this Security Rule is a government regulation. Other regulations come from non-governmental authorities. For example, a contract between two organizations might include detailed security requirements and include financial penalties for non-compliance. Standards are detailed, technical specifications for security and other controls. Organizations may be required to comply with standards by contract or regulation. For example, the Payment Card Industry Data Security Standard, or PCI DSS, is a standard that merchants handling credit card information must follow due to language in their contract with credit card merchant banks. The good news is that these laws, regulations, and standards often just formalize security best practices that an organization should already be following. The best way to begin a compliance effort is conducting a gap analysis that determines the areas where an organization may need to beef up controls to become compliant.