From the course: Cert Prep: ISC2 Certified in Cybersecurity (CC)

Regulations and laws

Whenever we work with sensitive information we encounter laws and regulations that govern the way that we store, process, and transmit that information. One of the first things that we need to figure out when working with sensitive data is what specific laws and regulations apply to us. Now, while that might sound straightforward at first glance, the question of which jurisdictions have authority to regulate data is actually quite complicated, and compliance risks can impact an organization's risk posture.

Let's look at a simple example. Imagine that we have a company with all of their operations located in the state of California. It's clear in this case that California state law applies to them, as does federal law written at the national level in the United States. But what if they have a customer located in New York? Does New York law now apply as well? And if you're using a cloud provider located in Texas, does Texas law govern that data? If that cloud provider outsources to a data center provider in Florida, then what?

And the issue becomes even more complicated when we expand internationally. The European Union says that their General Data Protection Regulation, GDPR, applies to the personal information of all EU residents wherever they may be located. Now of course, GDPR isn't the only law that you'll need to follow. Security professionals should be aware of the different national, territory, and state laws that apply to their operations. And some regulations come from sources other than the law. For example, the Payment Card Industry Data Security Standard, PCI DSS, is a self-regulatory scheme that applies to credit card transactions worldwide. Compliance is enforced by the banks that provide access to the payment card system.

Now, there's no easy answer to all of these jurisdictional questions. You'll need to sort through these sometimes conflicting regulations with the help of your attorneys and develop a path that helps you evaluate legal risks that's appropriate for your operating environment.
