WEBVTT

00:00.049 --> 00:03.705
>> Governance and
compliance Part 2.

00:03.705 --> 00:06.255
The learning objectives
for this lesson

00:06.255 --> 00:08.100
are to explore
industry standards,

00:08.100 --> 00:10.440
to define privacy data,

00:10.440 --> 00:12.060
and to define certification and

00:12.060 --> 00:14.980
accreditation.
Let's get started.

00:14.980 --> 00:17.420
Regulations and standards are

00:17.420 --> 00:19.550
tightly integrated together.

00:19.550 --> 00:22.580
The regulations are the
legal requirements,

00:22.580 --> 00:25.355
and standards define the
details of compliance.

00:25.355 --> 00:28.100
It's critical to understand
what jurisdiction you're

00:28.100 --> 00:31.115
operating under as it
pertains to regulations.

00:31.115 --> 00:33.110
It might be you have one set of

00:33.110 --> 00:34.910
laws at the national level,

00:34.910 --> 00:38.750
but state and local regulations
could differ from that.

00:38.750 --> 00:42.005
It gets more complicated
when you start involving

00:42.005 --> 00:43.850
international law because you

00:43.850 --> 00:45.815
may be operating in
multiple countries.

00:45.815 --> 00:47.390
You need to identify what

00:47.390 --> 00:49.640
regulations apply to
you so that you can

00:49.640 --> 00:51.560
make sure that you are putting

00:51.560 --> 00:53.090
the proper protections in place

00:53.090 --> 00:55.465
for the data that
you're responsible for.

00:55.465 --> 00:58.820
But, sometimes we need a
little help with this,

00:58.820 --> 01:00.455
because coming up with

01:00.455 --> 01:02.060
all the possible ways to protect

01:02.060 --> 01:03.920
data can be very complicated.

01:03.920 --> 01:06.545
That's where industry
standard publishers come in.

01:06.545 --> 01:08.450
The National Institute
of Standards or

01:08.450 --> 01:10.910
NIST is a really good
example of this.

01:10.910 --> 01:12.995
They're a non-regulatory agency

01:12.995 --> 01:14.440
of the United States government,

01:14.440 --> 01:16.550
and they create best
practices and standards

01:16.550 --> 01:19.055
across all technology
and science fields.

01:19.055 --> 01:20.450
Included in this is

01:20.450 --> 01:23.765
the special publication 800
series for cybersecurity,

01:23.765 --> 01:25.220
but also the risk management

01:25.220 --> 01:27.665
framework and the
Cybersecurity Framework.

01:27.665 --> 01:30.635
The International Organization
for Standards, or ISO,

01:30.635 --> 01:35.015
also publishes the Cybersecurity
Framework, ISO 27000.

01:35.015 --> 01:37.130
It includes over
a dozen standards

01:37.130 --> 01:39.130
for various parts
of cybersecurity.

01:39.130 --> 01:42.080
You can use these to apply
to your own organization,

01:42.080 --> 01:44.480
to make sure that you're
matching what is considered

01:44.480 --> 01:46.880
best practices to ensure that

01:46.880 --> 01:49.730
the data is being protected
within your organization.

01:49.730 --> 01:52.160
NIST 800 series is very good.

01:52.160 --> 01:54.170
It's got a lot of
areas to look at,

01:54.170 --> 01:56.120
all the way from how to set

01:56.120 --> 01:58.385
proper password policies and

01:58.385 --> 01:59.750
all the way up to encryption.

01:59.750 --> 02:01.910
You can find the
ones that apply to

02:01.910 --> 02:05.120
your organization in that
800 series and use those.

02:05.120 --> 02:06.455
Again, they're all
free of charge.

02:06.455 --> 02:07.460
They are freely published.

02:07.460 --> 02:09.680
You can get all that
information and then build

02:09.680 --> 02:11.090
your own policies to help match

02:11.090 --> 02:13.620
that using this as a base.

02:14.470 --> 02:18.500
The General Data Protection
Regulation, or GDPR.

02:18.500 --> 02:22.010
This was created by the
European Union to enforce

02:22.010 --> 02:23.735
rules on organizations that

02:23.735 --> 02:26.270
offer service to
entities within the EU,

02:26.270 --> 02:30.590
or that collect and analyze
data on subjects in the EU.

02:30.590 --> 02:33.680
The key point to remember here
is it doesn't matter where

02:33.680 --> 02:35.270
the requesting organization is

02:35.270 --> 02:36.600
or where the data is stored.

02:36.600 --> 02:38.090
You could be an
organization that's

02:38.090 --> 02:39.935
only in the United States.

02:39.935 --> 02:41.690
Your server and all the data

02:41.690 --> 02:43.330
is located in the United States,

02:43.330 --> 02:46.940
but you're selling services
to individuals in the EU.

02:46.940 --> 02:49.400
You fall under the GDPR and

02:49.400 --> 02:52.280
must protect the EU
customers that you

02:52.280 --> 02:54.830
have to higher levels of privacy

02:54.830 --> 02:58.330
than what is common in the
United States at this time.

02:58.330 --> 03:00.730
The GDPR has seven principles.

03:00.730 --> 03:03.665
These are lawfulness,
fairness, and transparency.

03:03.665 --> 03:05.630
Purpose limitation
means that you

03:05.630 --> 03:07.670
cannot use that information

03:07.670 --> 03:08.945
for anything other than

03:08.945 --> 03:11.650
the very specific purposes
that you're collecting it.

03:11.650 --> 03:13.640
Data minimization
means that you're

03:13.640 --> 03:15.710
only collecting the
least minimal amount of

03:15.710 --> 03:17.375
data necessary to conduct

03:17.375 --> 03:19.955
business with this
person or entity.

03:19.955 --> 03:21.770
Accuracy is to ensure that

03:21.770 --> 03:23.675
the information
is kept accurate.

03:23.675 --> 03:25.610
You have storage limitations,

03:25.610 --> 03:27.080
and then you also have to ensure

03:27.080 --> 03:29.540
the integrity and
confidentiality of the data.

03:29.540 --> 03:32.725
Then the whole process
must have accountability.

03:32.725 --> 03:35.300
GDPR is one of

03:35.300 --> 03:39.620
the most strict regulations
in place now to ensure

03:39.620 --> 03:42.680
that the privacy of entities or

03:42.680 --> 03:44.870
individuals is maintained by

03:44.870 --> 03:47.490
an organization that's
collecting the data.

03:48.430 --> 03:50.780
We also have the Capability

03:50.780 --> 03:53.495
Maturity Model
Integration or CMMI.

03:53.495 --> 03:55.130
This was created for Department

03:55.130 --> 03:57.155
of Defense contractors
primarily,

03:57.155 --> 03:59.075
and it has five levels.

03:59.075 --> 04:01.340
The purpose of
this was to ensure

04:01.340 --> 04:04.630
that the organization had

04:04.630 --> 04:07.670
a spelled out specified level

04:07.670 --> 04:08.750
of maturity in their

04:08.750 --> 04:10.850
operational or
software capabilities.

04:10.850 --> 04:12.755
Level 1 is the initial process,

04:12.755 --> 04:15.470
and this means that there
are no processes in

04:15.470 --> 04:18.875
place within the organization
and all work is reactive.

04:18.875 --> 04:20.510
Level 2 steps it up now,

04:20.510 --> 04:23.840
where many work activities
are defined in processes,

04:23.840 --> 04:26.055
but the work is still
reactive in nature.

04:26.055 --> 04:28.900
Level 3 moves up to
the defined level.

04:28.900 --> 04:31.450
This is where the majority of
the work is well-defined in

04:31.450 --> 04:34.670
processes and proactive
measures are now in place.

04:34.670 --> 04:38.605
Level 4 is the quantitatively
managed level.

04:38.605 --> 04:42.805
This is where well-defined
processes are now in place,

04:42.805 --> 04:44.440
proactive measures are in

04:44.440 --> 04:47.900
place and the work output
is being analyzed.

04:47.900 --> 04:50.710
Finally, we have Level
5 or optimizing,

04:50.710 --> 04:53.335
where well-defined
processes are in place,

04:53.335 --> 04:55.675
work is proactive,
it's also measured,

04:55.675 --> 04:58.330
analyzed, and
continuously improved.

04:58.330 --> 05:00.440
This is a very complex process,

05:00.440 --> 05:01.750
and if you go look at it to

05:01.750 --> 05:03.490
see all the items
that are covered,

05:03.490 --> 05:05.350
it is very thorough and

05:05.350 --> 05:07.615
it's very difficult
to get up to Level 5.

05:07.615 --> 05:10.700
But it's a good guide
to help ensure that

05:10.700 --> 05:16.660
an organization can prove
their level of maturity.

05:18.200 --> 05:21.950
Let's talk about some other
regulations and standards.

05:21.950 --> 05:25.670
The Children's Online Privacy
Protection Act, or COPPA.

05:25.670 --> 05:27.215
This is a US federal law

05:27.215 --> 05:29.075
and it's designed to
protect the privacy of

05:29.075 --> 05:30.995
children under the age of 13

05:30.995 --> 05:33.695
in and outside of
the United States.

05:33.695 --> 05:36.740
It requires notice of
when consent is needed,

05:36.740 --> 05:38.195
and you must protect

05:38.195 --> 05:41.420
the child's data from
marketing purposes.

05:41.420 --> 05:44.240
The Payment Card Industry
Data Security Standard

05:44.240 --> 05:45.785
or PCIDSS,

05:45.785 --> 05:48.860
the global data
protection standard,

05:48.860 --> 05:51.620
was created by the
credit card industry.

05:51.620 --> 05:53.960
They didn't want government
regulation coming

05:53.960 --> 05:57.265
into their parts.

05:57.265 --> 05:58.730
They wanted to handle
this themselves.

05:58.730 --> 06:00.545
They didn't want
regulation on them.

06:00.545 --> 06:04.520
They created this set
of regulations to help

06:04.520 --> 06:06.230
identify controls that are

06:06.230 --> 06:08.495
necessary to prevent
credit card fraud,

06:08.495 --> 06:10.340
but also to protect the data

06:10.340 --> 06:13.450
of the credit card and
debit cards being used.

06:13.450 --> 06:16.790
Again, they didn't want any
government stepping in,

06:16.790 --> 06:19.205
so they created this
global standard.

06:19.205 --> 06:21.235
It's pretty thorough.

06:21.235 --> 06:27.235
It mirrors a lot of the NIST
special publication documents.

06:27.235 --> 06:28.720
You'll see a lot of
things in there that

06:28.720 --> 06:30.460
are very detailed,

06:30.460 --> 06:32.710
and it's a good system even to

06:32.710 --> 06:34.960
be using it for other things
in your organization.

06:34.960 --> 06:37.990
But any organization
that processes

06:37.990 --> 06:41.905
payment card information of
any kind falls under PCI.

06:41.905 --> 06:43.810
Then again, it's not a
government regulation

06:43.810 --> 06:45.020
and you're not going to
go to jail for this,

06:45.020 --> 06:47.080
you're not going to have
fines from the government,

06:47.080 --> 06:49.580
but PCI does fine.

06:49.580 --> 06:51.640
They do have the capability to

06:51.640 --> 06:53.770
fine you if you're not
compliant with this,

06:53.770 --> 06:57.020
and sometimes these fines
can be very expensive.

06:59.460 --> 07:01.990
We also have the Cloud

07:01.990 --> 07:04.584
Security Alliance
STAR certification.

07:04.584 --> 07:06.850
This measures the
security capabilities

07:06.850 --> 07:08.185
and privacy controls of

07:08.185 --> 07:10.360
a Cloud service
provider against the

07:10.360 --> 07:14.090
CSA Cloud Controls Matrix.

07:16.200 --> 07:19.100
Let's talk about privacy data.

07:19.100 --> 07:21.250
This is the type
of data that can

07:21.250 --> 07:23.350
uniquely identify an individual.

07:23.350 --> 07:25.840
It can be personally
identifiable information,

07:25.840 --> 07:30.820
financial information, and
protected health information.

07:30.820 --> 07:33.790
The Health Insurance Portability

07:33.790 --> 07:35.650
and Accountability Act
in the United States,

07:35.650 --> 07:37.030
called HIPAA,

07:37.030 --> 07:41.095
is a US federal law that is
designed to protect PHI.

07:41.095 --> 07:46.795
One of the things to mind is
H-I-P-A-A, not H-I-P-P-A.

07:46.795 --> 07:48.290
You see this all
the time on Twitter

07:48.290 --> 07:49.700
where people are claiming

07:49.700 --> 07:50.990
that certain information is

07:50.990 --> 07:53.165
protected under HIPAA but
they always misspell it.

07:53.165 --> 07:54.200
And when they misspell it,

07:54.200 --> 07:55.310
that immediately
lets me know that

07:55.310 --> 07:56.540
they really don't have any idea

07:56.540 --> 07:57.695
of what they're talking about,

07:57.695 --> 07:59.750
what is covered or
not covered by HIPAA.

07:59.750 --> 08:02.675
But when you have privacy data,

08:02.675 --> 08:05.960
additional controls have to
be in place to ensure that

08:05.960 --> 08:09.810
that data remains
private and secure.

08:11.240 --> 08:14.155
Certification and accreditation.

08:14.155 --> 08:16.505
Certification is
the formal process

08:16.505 --> 08:17.960
that a system owner can be

08:17.960 --> 08:21.650
assured that a complicated
technology solution

08:21.650 --> 08:23.660
is configured in
a secure manner.

08:23.660 --> 08:26.885
It's a process that
will go through to

08:26.885 --> 08:28.790
make sure that first it's going

08:28.790 --> 08:30.740
to do what you want it to do,

08:30.740 --> 08:33.185
and that it will
do what the vendor

08:33.185 --> 08:37.040
or what mostly the vendor
says it's going to do.

08:37.040 --> 08:39.110
The vendor goes through and

08:39.110 --> 08:41.530
creates the
certification for this.

08:41.530 --> 08:43.430
Accreditation, however, is when

08:43.430 --> 08:45.350
the system owner agrees,

08:45.350 --> 08:46.550
and then they accept

08:46.550 --> 08:48.605
the claim that the
system has certified.

08:48.605 --> 08:51.170
The key to remember
is certification is

08:51.170 --> 08:53.570
the process that goes through by

08:53.570 --> 08:56.045
the vendor to show
that their system

08:56.045 --> 08:59.280
is certified and setup
in a secured manner,

08:59.280 --> 09:01.430
whereas accreditation
is you accepting

09:01.430 --> 09:03.590
that and taking
over that system,

09:03.590 --> 09:06.635
and accepting that the system
is going to perform the way

09:06.635 --> 09:08.270
the vendor says it is and it is

09:08.270 --> 09:10.890
configured in the specified way.

09:10.930 --> 09:13.610
However, within
the US government,

09:13.610 --> 09:16.040
this process has a different
meaning because of

09:16.040 --> 09:18.650
the extremely strict
and complex measures

09:18.650 --> 09:21.635
that are in place to ensure
that systems are compliant.

09:21.635 --> 09:23.900
The certification and
accreditation process

09:23.900 --> 09:25.295
has four phases.

09:25.295 --> 09:27.725
The first is the
initiation and planning.

09:27.725 --> 09:29.300
This is where the
system owner and

09:29.300 --> 09:32.060
the Information Security
System Security Officer

09:32.060 --> 09:34.115
identify and acknowledge that

09:34.115 --> 09:35.990
a certification
and accreditation

09:35.990 --> 09:38.180
are needed for a
specific system.

09:38.180 --> 09:41.030
Then we move to the
certification process.

09:41.030 --> 09:42.830
An independent audit will

09:42.830 --> 09:44.330
review the system to

09:44.330 --> 09:46.070
identify the controls
that are needed,

09:46.070 --> 09:49.390
and this is based
on NIST 800-53.

09:49.390 --> 09:51.810
Then after that, we go
to the accreditation.

09:51.810 --> 09:54.740
The certifying authority
will verify that

09:54.740 --> 09:56.420
the system meets
all the standards

09:56.420 --> 09:58.100
that were found in the audit,

09:58.100 --> 10:01.835
and an authority to operate
or ATO will then be issued.

10:01.835 --> 10:04.760
After that, we close it out
with continuous monitoring.

10:04.760 --> 10:06.275
This ensures that the system

10:06.275 --> 10:09.450
continues to operate
in a compliant manner.

10:10.700 --> 10:15.040
Let's summarize. We went over
regulations and standards.

10:15.040 --> 10:16.450
We discussed the National

10:16.450 --> 10:18.400
Institute of Standards
and Technology,

10:18.400 --> 10:19.690
NIST and the International

10:19.690 --> 10:21.370
Organization for
Standardization.

10:21.370 --> 10:24.225
We also went over standards
such as the GDPR,

10:24.225 --> 10:27.975
COPPA, PCIDSS, CMMI, and STAR.

10:27.975 --> 10:29.980
We also went over privacy data

10:29.980 --> 10:32.150
and certification
and accreditation.

10:32.150 --> 10:34.590
Let's do some example questions.

10:34.590 --> 10:37.600
Question 1, the formal process

10:37.600 --> 10:39.280
of accepting a certified system

10:39.280 --> 10:44.275
from a system builder
is accreditation.

10:44.275 --> 10:48.410
Question 2, this
standard was created by

10:48.410 --> 10:51.220
the global payment card
industry to prevent

10:51.220 --> 10:52.270
fraud and to protect

10:52.270 --> 10:55.560
credit card and debit
card information.

10:55.960 --> 11:01.170
Payment Card Industry Data
Security Standard, PCIDSS.

11:01.900 --> 11:05.780
Question 3, this US
government regulation

11:05.780 --> 11:08.340
is for protecting PHI.

11:08.770 --> 11:11.210
Health Information Portability

11:11.210 --> 11:13.830
and Accountability Act, HIPAA.

11:15.020 --> 11:19.100
The non-regulatory agency
of the US government that

11:19.100 --> 11:21.034
creates standards
and best practices

11:21.034 --> 11:23.580
across science and technology.

11:24.370 --> 11:26.570
The National Institute
of Standards

11:26.570 --> 11:27.620
and Technology, or NIST.

11:27.620 --> 11:29.180
I hope this lesson was

11:29.180 --> 11:31.890
helpful for you. I'll
see you in the next one.

