Security Considerations - CompTIA Security+ SY0-701 - 5.1

00:02

IT security professionals have to be

00:04

aware of regulations associated with the organization

00:07

that they work for and the type of data

00:09

that they're collecting.

00:10

This may not only include information

00:12

stored by an application but also

00:14

log files that are created by that application.

00:17

There may also be a requirement to retain

00:19

certain types of information over an extended period

00:22

of time.

00:22

For example, some organizations are

00:24

mandated to store email for a certain number of years

00:28

and be able to access that data at any time.

00:31

One regulation that many organizations are mandated

00:34

to follow is Sarbanes-Oxley.

00:36

You may see this abbreviated as SOX.

00:39

This is officially the Public Company Accounting Reform

00:43

and Investor Protection Act of 2002.

00:46

And it focuses on the finances associated

00:49

with an organization.

00:50

Sarbanes-Oxley is relatively broad

00:52

and it can affect many different parts of the organization.

00:55

From an IT perspective, we want to be sure

00:57

that all of our financial data is protected

01:00

and all of that information is available

01:02

to the proper individuals within our organization.

01:05

And if you're in health care, you're

01:07

certainly familiar with HIPAA.

01:09

This is the Health Insurance Portability

01:11

and Accountability Act.

01:13

And it's abbreviated H-I-P-A-A or HIPAA.

01:16

This mandate ensures that our health care information

01:20

is protected.

01:20

This covers not only the data that's

01:22

being stored by our health care professionals,

01:24

but it also covers how that information is transferred

01:27

and how that information is disclosed to a third party.

01:31

If you're working in IT security,

01:33

there's certainly going to be legal requirements associated

01:35

with part of your job.

01:37

This means there needs to be a set of formal processes

01:40

and procedures for the IT team to be able to report

01:43

any illegal activities.

01:44

The IT security team is also responsible for responding

01:48

to a legal hold.

01:49

This ensures that data will be available for any future legal

01:53

proceedings.

01:54

Many jurisdictions also have rules

01:56

in the books regarding the disclosure of security

01:59

breaches.

01:59

This means, if your organization discovers a security breach,

02:03

they are legally mandated to disclose that breach

02:06

in an appropriate time frame.

02:08

The rules and regulations around disclosures

02:10

are different depending on the geography,

02:12

so you'll need to make sure that you

02:14

follow the legal requirements in your particular area.

02:17

And although cloud computing is a significant advantage

02:20

to the technologist, it does create a number of challenges

02:23

from a legal perspective.

02:24

With cloud computing, we can create application instances

02:28

anywhere in the world.

02:29

And the data associated with those applications

02:32

may also be stored anywhere in the world.

02:35

However, there might be legal guidelines as to where

02:38

information can be stored.

02:39

For example, some countries require

02:41

that if any data is collected from their citizens,

02:44

that data must stay within that country's borders.

02:48

We might also have different security considerations

02:50

for different industries.

02:52

Different organizations certainly

02:54

work in different ways, and there

02:55

will be differences in how IT security is handled

02:58

between different environments.

03:00

For example, if we're dealing with public utilities

03:02

or electrical power generation, there

03:05

may be a set of very strict requirements on how someone

03:08

can access that information.

03:10

This often means that our power-generating technologies

03:13

are often air-gapped from any other part of the network.

03:16

This might be very different than someone

03:18

who works in medicine where the information needs

03:21

to be available to everyone, but it needs to be highly secure.

03:25

This is why, in a medical environment,

03:26

you may find extensive data encryption and other protection

03:30

technologies.

03:31

This allows the medical professionals to have access

03:33

to our private medical information

03:35

but keeps all of that information private

03:37

from anyone else.

03:39

We also have different security considerations

03:41

depending on the scope of the organization.

03:44

If there's a local or a regional focus for an organization,

03:48

all of the data tends to be associated

03:50

with what's happening in that specific area.

03:53

For example, a city or state government

03:55

may collect records and other information

03:57

that they can use to help manage a city or county.

04:00

As the geography increases to more of a national level,

04:03

we're now dealing with issues associated

04:05

with a much larger federal government and things

04:08

like national defense.

04:10

This might also include communication

04:12

between multiple states who make up that national organization.

04:16

And since the need for confidentiality

04:18

is a much larger scope at the national level,

04:20

we may introduce new technologies

04:22

for encryption and data protection.

04:24

A global company has additional security concerns,

04:28

since they have offices that are located in different countries.

04:31

This can be a relatively complex endeavor, especially

04:34

since there are different laws for data protection and data

04:37

security, depending on where you happen to go in the world.