Speaker 1: Hello team, welcome to my session on Coffee with Prabh. Today we're going to cover standards and regulations coffee shots. In this video we're going to discuss five or six questions which are mapped to some standards and regulations, mostly US-centric. My name is Prabh Nair, and for more information you can refer to my LinkedIn profile. If you're new to my YouTube channel, click on the Subscribe button and bell icon to make sure you don't miss my future videos. Without wasting our time, let's start with the first part. Prabh recently joined as a security consultant in a new small online retail company. The company has many of its customers from the United States. The company is planning for additional transformations and wants to collect and process online transactions in the future stages. To build trust among the consumers and card-issuing authorities like JCB, MasterCard, Visa regarding the security of the transactions via card, which of the following is the most effective standard they must comply with? See, 27001 is more about the information security management system, which talks about the complete company's ISMS. But it doesn't give me that assurance that, OK, yes, we have full security. And the question was specifically talking about assurance to the authorities, JCB, MasterCard, and all that. And they're also dealing with the transactions. ISO 22301 is dealing with the BCMS, Business Continuity Management System, which talks about how to maintain the continuity of the operation. 27001 is ISMS. NIST 837 has its own standard of information security, so the only thing basically left is PCI DSS. So PCI DSS is basically a standard which is complied with by the merchants and all that who collect credit card, debit card data, transactions and all that. Imagine I'm running a company and I'm collecting credit card, debit card transactions and all that.
I need to give some kind of assurance to the consumer: yes, whatever card you are using, whatever transaction is happening, it is secure and everything. And by having a PCI DSS logo on my website, it also gives some kind of trust among the consumers. So any question in any certification talking about protecting credit card, debit card transactions, data, related standards and all that, remember the answer will be PCI DSS. So here we are adopting the PCI DSS standard, and there will be an SSR who is going to assess my infrastructure based on the PCI DSS requirements to give me the assurance whether we are compliant with PCI DSS or not. If I am able to comply with PCI DSS, then I can use the PCI DSS logo on my website. Okay, so that's why in this case the answer is basically the third. Let's move to the next coffee shot. Okay, so Prabh recently joined as a security consultant in Aspirin Technology. There is a company. Aspires, it means the company desires to sell cloud services to federal agencies. Federal is a word used in the US. Which of the following primary compliance forms needs to be achieved? Again, PCI DSS is not a regulatory compliance, it's a standard, so PCI DSS is removed. ISO 27001 is definitely required, but the question is specifically talking about dealing with the federal services, okay, federal agencies. It means I'm providing my cloud service to the federal agencies. HIPAA will come into the picture when it comes to healthcare and all that. Suppose I'm starting any kind of healthcare company in the US and I'm collecting health data, which is called a covered entity. So if I am a part of a covered entity where I'm collecting privacy health information of the consumer and all that, my system needs to comply with HIPAA. So what the question here is just saying is selling cloud services to the federal agencies, so the answer is basically FedRAMP.
So FedRAMP stands for the US Federal Risk and Authorization Management Program, which was established to provide a standardized approach for assessing, monitoring and authorizing cloud computing products and services under the FISMA Act. And they also accelerate the adoption of secure cloud solutions by the federal agencies. So in this case, we basically go by answer B. FedRAMP is a program by which we basically assess the cloud provider. And if they obtain the FedRAMP clearance and all that, then we can use the cloud services in the federal agencies. So let's move to the next coffee shot. OK, so Prabh recently joined a security consultant position in one of the healthcare companies in the US. The company collects and processes healthcare data for further analysis. Which of the following primary regulation compliance forms needs to be achieved? PCI DSS is dealing with credit card data and all that. FedRAMP we already discussed: when we're selling a cloud service to a federal agency, we need to obtain the clearance for that. 27001 can be the answer, and HIPAA, but the question is talking about primary regulation; 27001 is not a regulation. It's a standard. Okay, it's an ISMS standard. Okay, and it's not something mandatory to follow. If you want to build a brand, yes, we have a process, an adequate process with appropriate security controls; in that case we can go for the certification. But if you're dealing in the US with healthcare data, okay, healthcare consumers, processing the healthcare data and all that, you need to comply with the HIPAA regulations. That is why here the answer is A for alpha, or 1.
Let's move to the next coffee shot. Prabh recently joined a security consultant position in one of the financial services companies in the US. The keyword is financial services in the US. The company collects and processes the financial data of consumers for further analysis. Which of the following primary regulation, again regulation, compliance forms needs to be achieved? HIPAA is removed. PCI DSS is also removed; the reason why is PCI DSS is applicable for the merchant. So if I am a company collecting credit card, debit card data, I need to protect the transactions and we need to demonstrate the appropriate controls for that; for that we have PCI DSS. Here the question is specifically talking about a company that collects and processes financial data, and they want to talk about the regulation. FedRAMP basically comes into the picture when we are dealing with selling cloud services or any kind of services to a federal agency. So the only option left is GLBA, the Gramm-Leach-Bliley Act. In the US, if you're dealing with healthcare data we need to comply with HIPAA, and if you're dealing with the financial data of a consumer you need to protect it as per GLBA. So your company needs to comply with the GLBA regulation. Okay, so this is the part of the next coffee shot also. Which of the following laws affects public companies, keyword is public companies, in the United States by requiring them to follow the 11 sections of the Act, keyword is Act, in addition to publicly traded companies and their wholly owned subsidiaries and foreign companies that are publicly traded and do business in the US? First keyword is law, second keyword is 11 sections, third keyword is public companies, then subsidiaries and business in the US. FedRAMP and GLBA are definitely removed, PCI DSS is the standard, so the only option left is SOX. So any kind of public or unlisted company in the US doing any kind of transactions or doing any kind of business needs to comply with the SOX regulation.
SOX is basically applicable for the enterprise, like in India we need to comply with SEBI's and all that, right? So every year we generate financial transactions; that transaction must be accurate, because when we go public, public listing and all that, investors invest in the company based on that financial statement only. So SOX, which is driven by the FTC, Federal Trade Commission, will basically ensure that, okay, any company which is listed in the US should not be involved in any kind of fraud; whatever financial report they produce, it should be accurate, because investors do the investment based on the report only. So don't get confused. In the US, we have GLBA, which is basically dealing with the privacy of financial data. And if you're talking about this one, which is called HIPAA, HIPAA is basically dealing with healthcare data. These two regulations are more from a consumer point of view. If I am a US citizen or US resident, the company who is collecting my PHI and all that, their privacy health information, they need to comply as per HIPAA. In that case you are not supposed to share the data with others, and if it's a bank or insurance company dealing with my financial data, they need to comply with GLBA. But for the company which is called an enterprise, they have one regulation which is called SOX. So if I am a publicly listed company and I'm doing my services in the US, doing business in the US, I need to comply with the FTC regulations which is called SOX, and as per that I need to maintain the accuracy of the financial statements, I need to maintain the authenticity of the financial statements, I need to have appropriate controls for my financial records and everything, because investors trust that report only. That is why here we went with the answer SOX. Answer is D.
So if you find this session useful, do share it in your network, and do let me know what is the name of the privacy regulation of Canada and what is the name of the privacy regulation of the EU, and there is one agreement signed between the EU and US, which is it? Do let me know in the comment section. Thank you.