1
00:00:00,000 --> 00:00:02,280
In this lesson, we're going to discuss audits

2
00:00:02,280 --> 00:00:03,600
and compliance.

3
00:00:03,600 --> 00:00:06,390
Now, audits and regulatory compliance are critical aspects

4
00:00:06,390 --> 00:00:09,360
that organizations must navigate to ensure data integrity,

5
00:00:09,360 --> 00:00:11,730
confidentiality, and availability.

6
00:00:11,730 --> 00:00:14,340
These days, our enterprise networks are not just confined

7
00:00:14,340 --> 00:00:16,170
to a single location or region,

8
00:00:16,170 --> 00:00:19,170
and instead they span across various geographical borders,

9
00:00:19,170 --> 00:00:21,300
and this makes them subject to many different laws

10
00:00:21,300 --> 00:00:23,250
and regulations that you may need to be aware

11
00:00:23,250 --> 00:00:25,110
of when you're working in the field.

12
00:00:25,110 --> 00:00:27,840
So in this lesson, let's take a quick look at the concept

13
00:00:27,840 --> 00:00:30,270
of data locality and how it relates to audits

14
00:00:30,270 --> 00:00:32,460
and compliance due to contractual requirements

15
00:00:32,460 --> 00:00:35,010
like the Payment Card Industry Data Security Standard

16
00:00:35,010 --> 00:00:36,720
known as PCI DSS,

17
00:00:36,720 --> 00:00:39,450
and regulations like the General Data Protection Regulation

18
00:00:39,450 --> 00:00:41,130
known as GDPR.

19
00:00:41,130 --> 00:00:43,800
First, let's take a look at data locality.

20
00:00:43,800 --> 00:00:46,530
Data locality refers to the geographic location

21
00:00:46,530 --> 00:00:48,450
where data is stored and processed.

22
00:00:48,450 --> 00:00:50,160
The significance of data locality

23
00:00:50,160 --> 00:00:51,780
really arises from the various legal

24
00:00:51,780 --> 00:00:53,580
and regulatory requirements that dictate

25
00:00:53,580 --> 00:00:55,800
how data is going to be handled in different regions

26
00:00:55,800 --> 00:00:56,880
of the world.
27
00:00:56,880 --> 00:00:58,770
It's important for you to realize that every country

28
00:00:58,770 --> 00:01:01,770
has its own laws that govern data protection, data privacy,

29
00:01:01,770 --> 00:01:03,330
and data sovereignty.

30
00:01:03,330 --> 00:01:05,910
For example, some countries mandate that certain types

31
00:01:05,910 --> 00:01:07,020
of data must be stored

32
00:01:07,020 --> 00:01:09,360
and processed within their own country's borders,

33
00:01:09,360 --> 00:01:11,730
and that their citizens' data cannot be stored on servers

34
00:01:11,730 --> 00:01:13,950
outside of their national boundaries.

35
00:01:13,950 --> 00:01:15,840
I actually ran into this myself when working

36
00:01:15,840 --> 00:01:18,690
as an IT director a few years ago over in Europe.

37
00:01:18,690 --> 00:01:20,640
When I was working for a large organization,

38
00:01:20,640 --> 00:01:22,140
we had one small email server

39
00:01:22,140 --> 00:01:23,700
that was running locally in Greece

40
00:01:23,700 --> 00:01:26,130
to support a few hundred employees who worked there.

41
00:01:26,130 --> 00:01:28,950
In my role, I was responsible for all the network access

42
00:01:28,950 --> 00:01:30,840
across Europe for my organization,

43
00:01:30,840 --> 00:01:32,580
and we had recently gone through the process

44
00:01:32,580 --> 00:01:34,680
of migrating most of our company's email servers

45
00:01:34,680 --> 00:01:37,830
into the cloud and consolidating them into one region.

46
00:01:37,830 --> 00:01:39,780
But this one little Exchange server

47
00:01:39,780 --> 00:01:41,850
was still required to remain inside of Greece

48
00:01:41,850 --> 00:01:43,740
because of their own data sovereignty laws

49
00:01:43,740 --> 00:01:45,810
in regard to the storage of personally identifiable

50
00:01:45,810 --> 00:01:48,060
information for their citizens.
51
00:01:48,060 --> 00:01:50,610
So even though I was able to migrate the other 10

52
00:01:50,610 --> 00:01:53,130
or 20 countries into our cloud-based environment,

53
00:01:53,130 --> 00:01:55,710
I was still required to maintain a small on-premise network

54
00:01:55,710 --> 00:01:58,500
solution to support this single email server in our Greek

55
00:01:58,500 --> 00:02:00,510
office to meet the regulatory requirements

56
00:02:00,510 --> 00:02:02,340
under their national laws.

57
00:02:02,340 --> 00:02:04,740
Now, another concern with data locality is determining

58
00:02:04,740 --> 00:02:06,990
where the data should be stored, since storing data

59
00:02:06,990 --> 00:02:09,479
closer to where it will be used could reduce latency

60
00:02:09,479 --> 00:02:11,039
and improve your performance.

61
00:02:11,039 --> 00:02:12,180
This is particularly important

62
00:02:12,180 --> 00:02:14,220
for real-time applications and services.

63
00:02:14,220 --> 00:02:15,870
So in those cases, you may opt

64
00:02:15,870 --> 00:02:17,370
to use a cloud-based data center

65
00:02:17,370 --> 00:02:19,500
that's closer to your end users.

66
00:02:19,500 --> 00:02:21,930
In the example of this European network I used to run,

67
00:02:21,930 --> 00:02:24,630
we actually did this when we migrated into the cloud.

68
00:02:24,630 --> 00:02:26,760
We could have put our servers into the AWS cloud

69
00:02:26,760 --> 00:02:28,770
over in the United States where our organization's

70
00:02:28,770 --> 00:02:31,350
headquarters was located, but we found that using

71
00:02:31,350 --> 00:02:33,210
the European data centers was actually a better

72
00:02:33,210 --> 00:02:36,600
option for us because about 95% of our users were located

73
00:02:36,600 --> 00:02:38,640
inside of Europe, and this increased our speed

74
00:02:38,640 --> 00:02:40,860
and performance by using data centers that were closer

75
00:02:40,860 --> 00:02:42,510
to our end users.
76
00:02:42,510 --> 00:02:43,520
Another important aspect

77
00:02:43,520 --> 00:02:46,110
of data locality is focused on risk assessments

78
00:02:46,110 --> 00:02:48,360
and risk management, because we have to understand

79
00:02:48,360 --> 00:02:50,100
and identify any potential legal

80
00:02:50,100 --> 00:02:52,770
and compliance risks that are associated with data storage

81
00:02:52,770 --> 00:02:55,290
and transfer, which is then going to be determined mostly

82
00:02:55,290 --> 00:02:57,510
by the location of where the data is being created,

83
00:02:57,510 --> 00:02:58,830
where the data is processed,

84
00:02:58,830 --> 00:03:00,930
and where the data is being stored.

85
00:03:00,930 --> 00:03:03,540
Second, let's take a look at the Payment Card Industry

86
00:03:03,540 --> 00:03:05,130
Data Security Standard.

87
00:03:05,130 --> 00:03:07,590
Now, the Payment Card Industry Data Security Standard,

88
00:03:07,590 --> 00:03:11,040
more commonly referred to simply as PCI DSS, is a set

89
00:03:11,040 --> 00:03:13,470
of security standards designed to ensure that all companies

90
00:03:13,470 --> 00:03:15,330
that accept, process, store,

91
00:03:15,330 --> 00:03:17,040
or transmit credit card information

92
00:03:17,040 --> 00:03:19,410
maintain a secure environment to do so.

93
00:03:19,410 --> 00:03:22,470
Well, you'll hear many people call PCI DSS a regulation.

94
00:03:22,470 --> 00:03:24,900
This is technically not a true statement.

95
00:03:24,900 --> 00:03:27,690
Now, a regulation is a law that must be followed,

96
00:03:27,690 --> 00:03:29,610
but PCI DSS isn't a law

97
00:03:29,610 --> 00:03:32,340
because it wasn't created by a governmental organization.

98
00:03:32,340 --> 00:03:36,210
Instead, PCI DSS is considered a contractual requirement

99
00:03:36,210 --> 00:03:37,920
that's being imposed on any companies

100
00:03:37,920 --> 00:03:39,780
that want to accept, process, store,

101
00:03:39,780 --> 00:03:42,060
or transmit credit card information.
102
00:03:42,060 --> 00:03:44,070
Now, due to this contractual requirement,

103
00:03:44,070 --> 00:03:47,070
any organization dealing with cardholder data must comply

104
00:03:47,070 --> 00:03:48,450
with the requirements set forth

105
00:03:48,450 --> 00:03:51,390
in the Payment Card Industry Data Security Standard.

106
00:03:51,390 --> 00:03:53,490
This includes measures for network architecture,

107
00:03:53,490 --> 00:03:56,280
software design, and other protective measures.

108
00:03:56,280 --> 00:03:57,930
To validate that organizations are meeting

109
00:03:57,930 --> 00:04:00,300
these requirements, audits and compliance checks

110
00:04:00,300 --> 00:04:02,340
are routinely performed to ensure a secure network

111
00:04:02,340 --> 00:04:03,450
is being maintained,

112
00:04:03,450 --> 00:04:05,400
that cardholder data is being protected,

113
00:04:05,400 --> 00:04:07,350
that a vulnerability management program exists,

114
00:04:07,350 --> 00:04:09,780
that strong access control measures have been implemented,

115
00:04:09,780 --> 00:04:11,070
that regular monitoring and testing

116
00:04:11,070 --> 00:04:12,270
of your networks is occurring,

117
00:04:12,270 --> 00:04:13,950
and that your information security policies

118
00:04:13,950 --> 00:04:15,930
are being properly followed.

119
00:04:15,930 --> 00:04:17,940
Whenever you're designing an enterprise network,

120
00:04:17,940 --> 00:04:19,709
you should ensure that it's designed to segment

121
00:04:19,709 --> 00:04:22,200
and protect cardholder data environments through the use

122
00:04:22,200 --> 00:04:24,900
of firewalls, intrusion detection and prevention systems,

123
00:04:24,900 --> 00:04:27,030
and robust access controls.

124
00:04:27,030 --> 00:04:29,010
Third, let's take a look at the General Data

125
00:04:29,010 --> 00:04:30,480
Protection Regulation.
126
00:04:30,480 --> 00:04:32,400
The General Data Protection Regulation,

127
00:04:32,400 --> 00:04:35,610
more commonly referred to simply as GDPR, is a regulation

128
00:04:35,610 --> 00:04:37,740
or law created by the European Union

129
00:04:37,740 --> 00:04:39,960
that is focused on data protection and privacy

130
00:04:39,960 --> 00:04:43,500
in the European Union and the European Economic Area.

131
00:04:43,500 --> 00:04:46,560
GDPR is used to address the transfer of personal data

132
00:04:46,560 --> 00:04:50,130
outside the European Union and the European Economic Area.

133
00:04:50,130 --> 00:04:52,470
Now, just because this is a European Union law

134
00:04:52,470 --> 00:04:54,150
doesn't mean that those of us working outside

135
00:04:54,150 --> 00:04:55,950
of Europe can simply ignore it.

136
00:04:55,950 --> 00:04:58,560
In fact, GDPR applies to all organizations

137
00:04:58,560 --> 00:05:00,690
that are operating within the European Union,

138
00:05:00,690 --> 00:05:02,730
and for those outside the European Union

139
00:05:02,730 --> 00:05:04,650
that are offering goods or services to individuals

140
00:05:04,650 --> 00:05:07,110
inside of the European Union as well.

141
00:05:07,110 --> 00:05:09,660
The General Data Protection Regulation provides individuals

142
00:05:09,660 --> 00:05:11,820
with greater control over their personal data,

143
00:05:11,820 --> 00:05:14,670
including the right to be informed, the right of access,

144
00:05:14,670 --> 00:05:17,340
the right to rectification, the right to erasure,

145
00:05:17,340 --> 00:05:19,380
and the right to restrict processing.

146
00:05:19,380 --> 00:05:21,630
Your organization has to implement measures that comply

147
00:05:21,630 --> 00:05:24,000
with the General Data Protection Regulation principles

148
00:05:24,000 --> 00:05:27,390
like data minimization, accuracy, storage limitations,

149
00:05:27,390 --> 00:05:29,520
integrity, and confidentiality.
150
00:05:29,520 --> 00:05:32,220
This includes conducting data protection impact assessments,

151
00:05:32,220 --> 00:05:33,780
appointing data protection officers,

152
00:05:33,780 --> 00:05:36,810
and implementing effective data breach response plans.

153
00:05:36,810 --> 00:05:38,010
Now, when it comes to auditing

154
00:05:38,010 --> 00:05:40,110
and compliance, it's really important that you realize

155
00:05:40,110 --> 00:05:42,480
that compliance is not just a one-time activity,

156
00:05:42,480 --> 00:05:44,610
but it's more of an ongoing process.

157
00:05:44,610 --> 00:05:47,250
Your organization needs to implement a continuous monitoring

158
00:05:47,250 --> 00:05:49,560
and auditing program that implements the proper tools

159
00:05:49,560 --> 00:05:52,080
and processes to continuously monitor data flows

160
00:05:52,080 --> 00:05:53,820
and access within your networks.

161
00:05:53,820 --> 00:05:56,310
Additionally, you should consider regular audits to ensure

162
00:05:56,310 --> 00:05:58,650
compliance with relevant standards and regulations

163
00:05:58,650 --> 00:06:01,950
like PCI DSS and GDPR.

164
00:06:01,950 --> 00:06:04,350
Your employees will also require training on the auditing

165
00:06:04,350 --> 00:06:07,260
and compliance process, including the specific requirements

166
00:06:07,260 --> 00:06:08,850
for those standards and regulations

167
00:06:08,850 --> 00:06:10,920
that may apply to your organization.

168
00:06:10,920 --> 00:06:12,630
Part of this training should also be focused

169
00:06:12,630 --> 00:06:14,640
on the implications of non-compliance,

170
00:06:14,640 --> 00:06:15,750
including the potential legal

171
00:06:15,750 --> 00:06:18,480
and financial penalties that could apply to the organization

172
00:06:18,480 --> 00:06:21,120
and its employees if compliance is not fully achieved

173
00:06:21,120 --> 00:06:23,250
within these standards and regulations.
174
00:06:23,250 --> 00:06:25,470
Finally, it's important that your organization takes

175
00:06:25,470 --> 00:06:26,880
the time to develop clear policies

176
00:06:26,880 --> 00:06:29,400
and procedures for data handling, access control,

177
00:06:29,400 --> 00:06:30,840
and incident response.

178
00:06:30,840 --> 00:06:33,090
These policies should be consistently enforced

179
00:06:33,090 --> 00:06:34,620
across your organization to ensure

180
00:06:34,620 --> 00:06:37,320
that you can pass any future compliance audits too.

181
00:06:37,320 --> 00:06:40,200
So remember, our organizations span across geographic

182
00:06:40,200 --> 00:06:42,510
boundaries, and this means our organizations are now

183
00:06:42,510 --> 00:06:44,400
required to follow new and different standards

184
00:06:44,400 --> 00:06:47,490
and regulations based on the locality of your data.

185
00:06:47,490 --> 00:06:50,070
Data locality refers to the geographic location

186
00:06:50,070 --> 00:06:51,930
where data is stored and processed.

187
00:06:51,930 --> 00:06:53,490
Depending on your organization's industry

188
00:06:53,490 --> 00:06:55,200
and location, you may be required

189
00:06:55,200 --> 00:06:59,190
to follow things like PCI DSS and GDPR pretty closely.

190
00:06:59,190 --> 00:07:01,320
The Payment Card Industry Data Security Standard,

191
00:07:01,320 --> 00:07:04,410
or PCI DSS, is a set of security standards designed

192
00:07:04,410 --> 00:07:07,410
to ensure that all companies that accept, process, store,

193
00:07:07,410 --> 00:07:09,060
and transmit credit card data

194
00:07:09,060 --> 00:07:11,220
are going to maintain a secure environment.
195
00:07:11,220 --> 00:07:12,840
The General Data Protection Regulation,

196
00:07:12,840 --> 00:07:16,560
or GDPR, is a regulation or law created by the European Union

197
00:07:16,560 --> 00:07:17,910
that is focused on data protection

198
00:07:17,910 --> 00:07:20,340
and privacy inside the European Union

199
00:07:20,340 --> 00:07:22,560
and the European Economic Area.

200
00:07:22,560 --> 00:07:24,240
It's important to understand the requirements

201
00:07:24,240 --> 00:07:27,360
of data locality, PCI DSS, and GDPR,

202
00:07:27,360 --> 00:07:29,160
so you can maintain data integrity,

203
00:07:29,160 --> 00:07:30,720
protect your customers' information,

204
00:07:30,720 --> 00:07:33,620
and avoid potential legal and financial penalties as well.