From the course: ISC2 Certified Information Systems Security Professional (CISSP) (2024) Cert Prep

Legal and compliance risks

- [Instructor] Whenever we work with sensitive information, we encounter laws and regulations that govern the ways that we store, process, and transmit that data. One of the first things that we need to figure out when working with sensitive information is what specific laws and regulations apply to us. Now, while that might sound straightforward at first, the question of which jurisdictions have the authority to regulate data is really very complicated, and compliance risks can impact an organization's risk posture. Let's look at a simple example. Imagine that we have a company with all of their operations located in the State of California. It's clear in this case that California state law applies to them, and so does federal law written at the national level in the United States, but what if they have a customer located in New York? Does New York law now apply as well? And if we're using a cloud provider located in Texas, does Texas law govern the data? If that cloud provider then outsources to a data center provider in Florida, then what? The issue becomes even more complicated when we expand internationally. The European Union says that their General Data Protection Regulation applies to the personal information of all EU residents, wherever they might be located. This can become very complicated because GDPR includes complex data subject rights, including the right to be forgotten, which allows data subjects to request that companies holding their data purge their personal information from their records, and that can be very technically complicated to do. Now, of course, GDPR isn't the only law that you'll need to follow. Security professionals should be aware of the different global standards, as well as national, local, and regional laws that apply to their operations, and some regulations come from sources other than the law.
For example, the Payment Card Industry Data Security Standard, PCI DSS, is a self-regulatory scheme that applies to credit card transactions worldwide. Compliance is enforced by the banks that provide access to the payment card system. There's no easy answer to these jurisdictional questions. You'll need to sort through these sometimes-conflicting regulations with the help of your attorneys and develop a path that helps you evaluate legal risks that's appropriate for your operating environment. This is very important work because the consequences of noncompliance can be significant. They may include fines and other sanctions, reputational damage, the loss of licenses for intellectual property use, and other contractual impacts.