Regulatory Compliance Transcription

Welcome to our information security compliance fundamentals module. This module will discuss regulatory compliance. As a computer security professional, you may have to deal with three different types of law. Administrative law provides standards or regulations that companies and federal agencies are required to follow.

Examples of administrative law are the regulations put in place by the Food and Drug Administration, or by the Environmental Protection Agency for dealing with hazardous materials. Civil law, also known as tort law, deals with lawsuits between companies or individuals for some type of wrongdoing that results in damage or loss.

These cases are typically brought by private parties, not the government. In these cases the defendant is either found liable for the damages and required to pay those damages and court costs, or found not liable and not required to pay any damages.

Criminal law deals with crimes against society. These laws are typically enforced by government agencies; police departments and other law enforcement agencies are responsible for bringing charges against individual offenders. In criminal cases, individuals found guilty may be required to pay fines or may face imprisonment. You may see a question on the CISSP examination asking which type of law violation would most likely result in imprisonment.

Criminal law is the type of law that, when violated, will most likely cause an individual to be imprisoned. In order to protect our business, it is important that we understand the laws and regulations facing our industry, and make sure that we comply with these requirements to reduce our risk.

We must be familiar with statutory laws. We should be familiar with the contracts that we have with other individuals and how they can be enforced, and with the type of regulations that we're required to comply with based on our industry. It is also important to protect individuals' personal privacy, or Personally Identifiable Information (PII).

It is important to be aware that laws differ based on the jurisdiction in which your company is operating, so you should be familiar with the laws in those specific areas. It's important to apply administrative and technical controls in order to comply with laws and regulations.

It's also important to continuously audit your systems and your controls to make sure that they are functioning properly and giving you the desired result. It is also important to maintain written documentation to prove that you're compliant with laws and regulations; this helps to show due care and due diligence, and may be important if you end up dealing with a lawsuit or some type of criminal investigation. It is very important to comply with all laws in your country, and with any regulations that your industry requires you to follow. Management is ultimately responsible for making sure that laws are being followed, and also for proving compliance with the laws. One example of a regulation that you may be required to comply with is the Sarbanes-Oxley Act, or SOX.

This act requires accurate financial record keeping for publicly traded companies. The Gramm-Leach-Bliley Act, or GLB, pertains to the banking industry and requires maintaining the privacy of consumers' information. Finally, Basel II pertains to international banking. For the CISSP examination you should be familiar with SOX and GLB, remembering that SOX relates to publicly traded companies and accurate financial recordkeeping.

GLB relates to banks and consumer privacy. As a computer security professional there are some other laws that you should be familiar with. The Federal Privacy Act of 1974 requires that government agencies obtain permission before disclosing any private information. It is important to remember this act because it is the first time that action was taken in the area of technology and privacy.

The Computer Security Act of 1987 requires government agencies to identify sensitive systems, provide security training, and develop computer security plans for any computers that contain sensitive information. ECPA, the Electronic Communications Privacy Act of 1986, makes it illegal to monitor, eavesdrop on, or intercept oral communications, wire communications, or electronic communications without the permission of the parties involved.

It is important to maintain an Acceptable Use Policy and notify your employees that you will be monitoring their activities; otherwise you may be violating the Electronic Communications Privacy Act. HIPAA, the Health Insurance Portability and Accountability Act, requires those in the health care industry to maintain the security of consumers' data and protected health information.

HIPAA is one of the laws that you may see on the CISSP examination, and you should be familiar with the fact that it relates to health care data. The Computer Fraud and Abuse Act prohibits individuals from accessing federal government computers without authorization.

The Federal Information Resources Management Regulation provides a set of regulations for using, managing, and acquiring computer resources in the federal government. The Office of Management and Budget Circular A-130 requires that federal agencies have security programs in place. The 1991 Federal Sentencing Guidelines provide sentencing for white-collar crimes, with enhancements for using technology in those crimes.

The Economic Espionage Act of 1996 prohibits individuals from stealing or misusing trade secrets. The Payment Card Industry Data Security Standard, or PCI DSS, requires organizations that handle payment cards, such as credit cards, to take certain steps to ensure the safe handling of this very sensitive information. It provides a framework so that companies can develop account data security processes in order to detect fraud, prevent fraud, and react to any security incidents that may occur. The Payment Card Industry Security Standards Council encourages all businesses to comply with these standards in order to lower the risks associated with a data compromise. It is very important to remember for the CISSP examination that PCI DSS is not a United States law; it is an international standard that is a recommendation.

If you were to see a question with several choices asking which is not a United States law, PCI DSS would be the best choice in that particular situation. Typically, organizations will conduct audits to make sure that they are compliant with these suggestions and regulations. And instead of storing credit card numbers, merchants will typically store tokens instead.

This way, if a hacker is able to obtain a copy of their data, they will not have users' credit card numbers. However, when external PCI compliance audits are conducted, many companies fail these tests. It is often required that organizations report data breaches, or disclose the fact that a data breach occurred, to the proper authorities.

It is very important for the CISSP exam to know the difference between a breach and a data disclosure. A breach is when an individual gains access to your system and may have had access to private or confidential information. We are seeing an increase not only in the number of data security breaches each year, but also in the diversity and sophistication of these breaches.

A data disclosure is when you have a confirmed loss of data, where there is some proof that an individual actually stole the data, and not just that it was exposed and could have been stolen. Obviously it is important to be able to tell the difference if this occurs in your organization, but you should also be familiar with the difference for the CISSP examination.

It is important that you conduct audits regularly, because many laws require that you complete audits to show compliance. You can either have internal auditors who work for your company conduct the audits, or you can have external auditors verify that your company is in compliance.

Auditors are responsible for checking certain elements to make sure that you are in compliance with the regulations. Financial audits are used to review your financial statements and ensure that they are accurate. Auditors will typically have long checklists of items that correspond to the different legal, regulatory, and policy requirements that your organization must meet.

They will go through these checklists to verify compliance. You can also use audits to verify that your organization is following best practices and meeting its key performance indicators, or KPIs. You should be familiar with the term key performance indicators for the CISSP examination. This concludes our Information Security Compliance Fundamentals module. Thank you for watching.
