All language subtitles for 008 Security Governance GDPR, HIPAA, PCI-DSS and Intellectual Property_en
1
00:00:00,300 --> 00:00:05,640
In this lecture, we are going to discuss some popular compliance laws and regulations. The compliance
2
00:00:05,640 --> 00:00:12,480
landscape has evolved significantly in recent years, and now companies are obligated to protect
3
00:00:12,480 --> 00:00:16,590
the integrity and confidentiality of information that they gather.
4
00:00:17,160 --> 00:00:20,660
We are also going to have a look at some intellectual property instruments.
5
00:00:21,900 --> 00:00:27,210
Before we delve into the details of compliance, there are some key terms which you must understand. The
6
00:00:27,210 --> 00:00:31,440
first of these is PII or personally identifiable information.
7
00:00:32,040 --> 00:00:37,110
Now, this is information that can be used to identify, contact or locate someone.
8
00:00:37,590 --> 00:00:43,680
And this includes things like full name, driver's license number, Social Security number, home address and
9
00:00:43,680 --> 00:00:44,640
contact numbers.
10
00:00:46,420 --> 00:00:53,080
Any organisation that collects, stores and processes this information must protect it, and it is
11
00:00:53,080 --> 00:00:57,290
also obligated to announce breaches that pass a certain threshold.
12
00:00:58,090 --> 00:01:02,610
There are also penalties that apply to organisations that do not comply.
13
00:01:04,330 --> 00:01:10,220
The next important term that we need to understand is PHI, which is Protected Health Information.
14
00:01:10,930 --> 00:01:16,930
Now, this refers to health information, including health care plans, payment and history that can
15
00:01:16,930 --> 00:01:18,470
be linked to an individual.
16
00:01:18,910 --> 00:01:24,400
This includes things like names and addresses, health records such as medical or dental, full face
17
00:01:24,400 --> 00:01:27,970
scans and biometric data and health insurance numbers.
18
00:01:28,180 --> 00:01:35,020
The primary difference between PII and PHI is that PHI caters specifically to health related information.
19
00:01:35,590 --> 00:01:40,390
Similar to PII, every organisation that collects, stores and processes
20
00:01:40,390 --> 00:01:42,590
this kind of information must protect it.
21
00:01:42,970 --> 00:01:48,310
There are laws and regulations in place which we are going to discuss shortly, and there are penalties
22
00:01:48,310 --> 00:01:51,760
applied if organizations do not comply with these regulations.
23
00:01:54,410 --> 00:02:00,290
Let's have a look at some of the popular compliance regulations, so the first one is GDPR or General
24
00:02:00,290 --> 00:02:01,720
Data Protection Regulation.
25
00:02:02,000 --> 00:02:08,360
This was introduced by the European Union in order to protect the personal data of EU citizens worldwide.
26
00:02:08,880 --> 00:02:13,760
An important point to note here is that an organization can be located anywhere in the world, even
27
00:02:13,760 --> 00:02:14,720
outside the EU.
28
00:02:15,200 --> 00:02:21,530
But if they collect, process and store the data of EU citizens, then GDPR applies to them as well.
29
00:02:22,220 --> 00:02:28,320
The next one is HIPAA, which stands for Health Insurance Portability and Accountability Act.
30
00:02:28,910 --> 00:02:31,910
Now this is aimed at protecting health care information.
31
00:02:33,440 --> 00:02:39,050
And the third one is PCI-DSS, the Payment Card Industry Data Security Standard, a data protection
32
00:02:39,050 --> 00:02:42,930
regulation, and it is aimed at protecting credit card data.
33
00:02:43,250 --> 00:02:46,520
We are now going to have a more detailed look at each of these regulations.
34
00:02:47,730 --> 00:02:53,610
Let's start with GDPR or the General Data Protection Regulation, and here are the salient features.
35
00:02:54,180 --> 00:02:59,770
So the first is purpose limitation. Data should be collected and used only for the stated purposes.
36
00:03:00,240 --> 00:03:05,280
So an organization cannot use data for purposes it has not explicitly declared.
37
00:03:07,210 --> 00:03:10,390
Data breaches must be reported within 72 hours.
38
00:03:10,750 --> 00:03:17,800
Failure to do so may incur penalties, and the penalties under GDPR are huge. So fines can go up to four million
39
00:03:17,800 --> 00:03:20,650
euros or four percent of annual turnover.
40
00:03:22,910 --> 00:03:29,760
GDPR also mandates ensuring the integrity of the data, so data must be safeguarded, encryption
41
00:03:29,780 --> 00:03:32,890
should be employed and privacy should be enforced.
42
00:03:34,280 --> 00:03:39,230
Storage limitation states that only data that is needed should be stored and other data should be
43
00:03:39,230 --> 00:03:39,760
deleted.
44
00:03:40,040 --> 00:03:45,920
So if a company has collected data about an individual and they're only using part of that data, then
45
00:03:45,920 --> 00:03:50,780
the rest of the data should be deleted; they cannot just store it indefinitely in the hope of using
46
00:03:50,780 --> 00:03:51,650
it in the future.
47
00:03:53,480 --> 00:03:59,660
GDPR also provides the "right to be forgotten", which basically means that organisations need to provide
48
00:03:59,660 --> 00:04:05,270
individuals the option of selecting whether they want their data to remain indefinitely with the company
49
00:04:05,270 --> 00:04:06,980
or whether they want it to be deleted.
50
00:04:07,260 --> 00:04:10,760
And if they choose so, the company must delete the data.
51
00:04:11,400 --> 00:04:17,660
Now, this gives tremendous powers to individuals because they can opt whether the data lives indefinitely
52
00:04:17,660 --> 00:04:20,120
with the company or whether they want it to be deleted.
53
00:04:22,350 --> 00:04:27,430
So next is HIPAA - Health Insurance Portability and Accountability Act.
54
00:04:27,660 --> 00:04:29,790
And here are the salient features of HIPAA.
55
00:04:30,480 --> 00:04:32,750
So the first one is physical protection.
56
00:04:33,270 --> 00:04:39,330
Companies must control and monitor access to systems and track electronic personal health information
57
00:04:39,330 --> 00:04:39,990
devices.
58
00:04:41,520 --> 00:04:48,240
The second one is administrative protection. Companies must manage risk, they must block unauthorised access and
59
00:04:48,240 --> 00:04:49,980
train staff in order to do so.
60
00:04:51,060 --> 00:04:56,560
Companies must immediately notify patients, health authorities and possibly the media about breaches.
61
00:04:57,360 --> 00:05:01,010
It should be noted that breaches need to pass a certain threshold.
62
00:05:01,620 --> 00:05:08,460
So if the breach affects 500 or more records, then the company is obligated to make these announcements.
63
00:05:08,940 --> 00:05:13,860
If the breach is very small, then they do not need to actually notify media, for example.
64
00:05:15,900 --> 00:05:21,070
The privacy rule states that a company must respond to a patient's request for information.
65
00:05:21,390 --> 00:05:26,730
So basically a patient can request a company to share all of the information that they have collected
66
00:05:26,730 --> 00:05:27,270
about him.
67
00:05:29,150 --> 00:05:35,360
HIPAA has different tiers of penalties, which range from a hundred dollars per violation up to
68
00:05:35,360 --> 00:05:40,520
1.5 million dollars per year if the company is shown to wilfully neglect HIPAA regulation.
69
00:05:41,620 --> 00:05:48,100
HIPAA also enforces technical protection, which means protecting the confidentiality and integrity
70
00:05:48,100 --> 00:05:55,000
of data, so companies must encrypt electronic personal health information and they must control and log
71
00:05:55,000 --> 00:05:57,130
any access to EPHI.
72
00:05:58,940 --> 00:06:05,930
The third one is PCI-DSS, which is aimed at protecting credit card data. Companies which want to
73
00:06:05,930 --> 00:06:09,260
be compliant with PCI-DSS must do the following.
74
00:06:10,450 --> 00:06:16,720
The first one is vulnerability management, which means that companies should have an appropriate vulnerability
75
00:06:16,720 --> 00:06:23,050
management program in place, which basically scans for any possible vulnerabilities and addresses them.
76
00:06:23,890 --> 00:06:25,090
The second one is secure
77
00:06:25,090 --> 00:06:31,540
network and communication. Companies must employ appropriate tools in order to encrypt and secure their
78
00:06:31,540 --> 00:06:32,800
end-to-end communication.
79
00:06:34,120 --> 00:06:39,970
The third one is network monitoring and testing, so companies must have mechanisms which ensure that
80
00:06:39,970 --> 00:06:44,940
the network is properly monitored and any breaches or malware infections are detected.
81
00:06:46,060 --> 00:06:48,790
The fourth one is authentication and access security.
82
00:06:49,210 --> 00:06:54,940
So companies must have appropriate mechanisms which ensure that end users are properly authenticated.
83
00:06:55,570 --> 00:07:01,390
A simple example could be that a client wants to make a credit card payment, and if they are doing so over
84
00:07:01,390 --> 00:07:07,870
HTTP, then it means the company has breached PCI-DSS because the end-to-end connection is not encrypted.
85
00:07:08,140 --> 00:07:13,380
It is being done in plain text, which can lead to possible compromise of the credit card data.
86
00:07:14,410 --> 00:07:15,790
So they should always use HTTPS
87
00:07:16,360 --> 00:07:20,470
for instance, in order to ensure that the end-to-end payment channel is encrypted.
88
00:07:22,580 --> 00:07:27,530
Here are some tips on being compliant with these regulations. As the old saying goes, prevention is
89
00:07:27,530 --> 00:07:28,310
better than cure.
90
00:07:28,730 --> 00:07:35,090
If your company can conduct business without extensively collecting personally identifiable information
91
00:07:35,090 --> 00:07:37,750
and protected health information, you should do that.
92
00:07:37,910 --> 00:07:42,200
And even if you have to collect it, then it should be the minimal set that is required.
93
00:07:43,160 --> 00:07:46,730
An example could be if you want to enable online payments on your website.
94
00:07:46,760 --> 00:07:51,410
So one option could be that you collect all of the information, including clients name, address,
95
00:07:52,190 --> 00:07:54,530
credit card information, phone numbers and so on.
96
00:07:55,010 --> 00:07:57,020
And then you also store payment information.
97
00:07:57,650 --> 00:08:03,230
Another option could be you could use third party things like PayPal and you just redirect the client
98
00:08:03,230 --> 00:08:03,680
to them.
99
00:08:04,220 --> 00:08:06,890
And from there you just get a confirmation of the payment.
100
00:08:07,960 --> 00:08:13,240
So if payment confirmation is the only thing required for conducting your business, you should definitely
101
00:08:13,240 --> 00:08:13,750
do that.
102
00:08:14,260 --> 00:08:19,990
There is no point in collecting extensive information, which is only going to increase your exposure
103
00:08:19,990 --> 00:08:20,440
factor.
104
00:08:21,780 --> 00:08:27,030
You should always use encryption both at rest, so for example, your database should be encrypted,
105
00:08:27,420 --> 00:08:31,540
and in transit, when you're sending your data over the public Internet, for example.
106
00:08:31,830 --> 00:08:34,650
So you should use, for example, IPsec or TLS.
107
00:08:34,799 --> 00:08:40,260
You should also implement a security framework for controlling access to data, so your data should be
108
00:08:40,260 --> 00:08:41,520
properly classified.
109
00:08:41,610 --> 00:08:43,799
For example, is it private,
110
00:08:43,799 --> 00:08:45,540
is it confidential, is it public?
111
00:08:45,840 --> 00:08:49,050
And then you should assign access to different users based on that.
112
00:08:50,070 --> 00:08:55,230
Let's discuss intellectual property, a concept that is increasingly becoming important in the world.
113
00:08:57,200 --> 00:09:02,600
So today, the focus of wealth creation is increasingly moving away from tangible assets such as real
114
00:09:02,600 --> 00:09:05,960
estate to intangible assets such as intellectual capital.
115
00:09:06,410 --> 00:09:13,340
The problem is that we have extensive tools and laws in order to protect tangible assets, but we also
116
00:09:13,340 --> 00:09:16,610
need similar tools to protect these intangible assets.
117
00:09:17,270 --> 00:09:23,450
So intellectual property is an intangible type of property that has been created using the human intellect.
118
00:09:24,110 --> 00:09:29,210
Some of the popular tools that are used to protect intellectual property include trademarks.
119
00:09:30,110 --> 00:09:34,900
A trademark gives the owner the exclusive right to use a phrase, symbol or design.
120
00:09:35,510 --> 00:09:39,440
And this prevents companies from selling products using similar logos.
121
00:09:39,470 --> 00:09:45,020
So, for example, these trademarks are used by McDonald's and Nestlé, and other companies are not allowed
122
00:09:45,020 --> 00:09:45,680
to use them.
123
00:09:47,270 --> 00:09:52,580
The next is copyright, which basically protects the creative or intellectual work such as images,
124
00:09:52,580 --> 00:09:54,330
music and other works of art.
125
00:09:55,040 --> 00:09:58,010
Now copyright is valid for the life of the author,
126
00:09:58,100 --> 00:10:04,640
and then an additional 70 years after that. An important point to note is that for copyright, it is
127
00:10:04,640 --> 00:10:06,080
nice to get it registered.
128
00:10:06,320 --> 00:10:11,930
But even if it is not registered, and you can show the date of publication, whether it's online or in
129
00:10:11,930 --> 00:10:17,360
the form of a book or anything, if you can prove the date of publication, then you already own the
130
00:10:17,360 --> 00:10:18,270
copyright to that.
131
00:10:18,800 --> 00:10:23,900
So whatever you publish, if it is original and you can prove the date of publication, then it means
132
00:10:23,900 --> 00:10:25,850
that it is automatically copyrighted.
133
00:10:27,110 --> 00:10:33,260
The third one is patents, which prevent anyone from making, using or selling the patented invention.
134
00:10:33,710 --> 00:10:37,910
This is extensively used by commercial enterprises to launch specific products.
135
00:10:38,960 --> 00:10:44,820
Now a patent is valid for 20 years, and it is also only applicable in the country
136
00:10:44,840 --> 00:10:45,510
in which it was filed.
137
00:10:45,530 --> 00:10:49,340
So if you want an international patent, you have to apply in different countries.
138
00:10:49,790 --> 00:10:51,170
This concludes our lecture.
139
00:10:51,560 --> 00:10:52,820
I'll see you in the next one.