From the course: CISSP Cert Prep (2021): 1 Security and Risk Management

Legal and compliance risks

- [Narrator] Whenever we work with sensitive information, we encounter laws and regulations that govern the ways that we store, process, and transmit that information. One of the first things that we need to figure out when working with sensitive data is what specific laws and regulations apply to us. Well, that might sound straightforward at first glance. The question of which jurisdictions have the authority to regulate data is actually quite complicated, and compliance risks can impact an organization's risk posture.

Let's take a look at a simple example. Imagine that we have a company with all of their operations located in the state of California. It's clear in this case that California state law applies to them, and so does federal law written at the national level in the United States. But what if the company has a customer located in New York? Does New York law now apply as well? And if they're using a cloud provider located in Texas, does Texas law govern the data? If that cloud provider outsources to a data center provider in Florida, then what?

Now the issue becomes even more complicated when we expand internationally. The European Union says that their General Data Protection Regulation, GDPR, applies to the personal information of all EU residents, wherever they might be located. Now, of course, GDPR isn't the only law that you'll need to follow. Security professionals should be aware of the different national, territory, and state laws that apply to their operations. And some regulations come from sources other than the law. For example, the Payment Card Industry Data Security Standard, PCI DSS, is a self-regulatory scheme that applies to credit card transactions worldwide. Compliance with PCI DSS is enforced by the banks that provide access to the payment card system.

There's no easy answer to these jurisdictional questions. You'll need to sort through these sometimes conflicting regulations with the help of your attorneys, and develop a path that helps you evaluate legal risks that's appropriate for your operating environment.
