It’s important for security professionals to be aware of any compliance regulations. In this video, you’ll learn about GDPR and PCI DSS.
Along with all the other tasks associated with an IT security professional, you will also be asked to follow certain compliance guidelines. These are guidelines based on a series of regulations, laws, or policies in your particular geography, or for your particular line of work. This can also cover many aspects of an organization’s business, you may find that there are regulations regarding the type of data that you save. Other regulations may be based around the finances of the organization, and yet others are based around keeping credit card transactions private. As you can see, these are varied in their scope and it will be up to you as the security team to make sure that the organization is following all of these compliance regulations.
One of the reasons you’re going to track this so closely, is that there could be significant penalties associated with not following these regulations. For example, your organization can be fined, and in some cases, those fines can go into the millions of dollars. There could be incarceration or jail time associated with not following these regulations, and worst case for you certainly, is the loss of employment. If you’re responsible for any of this compliance in your organization it’s important to understand the scope. It may be based on your local geography. There may be national laws, it may be based on a particular territory your organization works in, or may be based on a single city or state. Some of these rules and regulations are specific to a single country, and others may be international laws that everyone in the world must follow.
As you’ve probably seen, your private information is available on many different websites across the internet. To address this, the European Union created a policy called the GDPR. This is the General Data Protection Regulation. The GDPR is a set of rules and regulations that allows someone in the EU to control what happens with their private information. This private information could be a name and address, it might be your phone number, it could be related to medical information, or anything else that would be specific to you.
This regulation allows you to understand where your information is stored and it prevents this information from being exported outside of the European Union. It also puts the control of this data back into your hands. You can contact any of the websites in the EU, ask to have your information removed, and they will remove it because that’s part of the requirements of the GDPR. Another requirement of the GDPR is that every website provides detailed information about their privacy policy. So you should be able to visit any of these websites, look at their privacy policy, and understand exactly what information they’re gathering and what they’re doing with that information.
If you’re part of an organization that collects and stores credit card details, then you may be subject to the PCI DSS. This is the Payment Card Industry Data Security Standard, and the focus of these rules is to provide protection for credit card transactions. PCI DSS is a series of guidelines that’s administered by the payment card industry. This is not a national set of laws, or an international series of regulations. It’s instead managed by these private organizations and there are a series of objectives that these rules are based on. The first is that you need to be able to build and maintain a secure network and systems. If someone is sending credit card information, we want to be sure that nobody can look into your network or your systems and be able to see that credit card detail.
The cardholder data as part of that transaction needs to be protected, and there needs to be some type of management of vulnerabilities so that all of your systems are always up to date, and always patched. We also want to manage who would have access to this credit card information, so every organization that stores credit cards, also needs to have a strong access control measure in place. To be sure that all of these policies are in place, there should be ongoing testing and we want to be sure there are existing security policies to address all of these controls around credit card numbers. To be sure that all of these controls are in place and working, there should be periodic audits and tests. And we need to be sure that our existing security policies include all of these controls for credit card information.