WEBVTT

00:07.220 --> 00:08.720
Compliance reporting.

00:08.720 --> 00:14.300
Unlike vulnerability management, reporting is all about how it interacts with compliance, the regulatory

00:14.300 --> 00:19.340
or contractual agreements that we've made and how we're interacting with those different compliance

00:19.340 --> 00:21.230
standards that we set ourselves up for.

00:21.260 --> 00:25.700
Each company is going to be different when it comes to compliance and the industry standards that they

00:25.700 --> 00:26.900
have to deal with.

00:26.930 --> 00:32.360
For instance, telecommunications has to follow FCC guidelines, but not so much PCI DSS.

00:32.390 --> 00:38.870
Whereas a financial institution is going to roll with PCI DSS

00:38.900 --> 00:43.970
over, say, telecommunications standards. The aspect of understanding different compliance really

00:43.970 --> 00:49.250
interacts with the different availability within the compliance standards that your specific organization

00:49.250 --> 00:50.960
or industry falls under.

00:51.200 --> 00:53.060
Within that, we have industry standards.

00:53.060 --> 00:57.110
The industry standards for again, telecommunications is going to be vastly different than the industry

00:57.110 --> 01:02.870
standards for retail or for grocery stores or for even payment cards, right?

01:02.900 --> 01:05.330
For banking institutions or hospitals.

01:05.330 --> 01:09.110
All of these are different, and you need to be aware of those different compliance standards depending

01:09.110 --> 01:10.640
on the industry that you're working in.

01:10.670 --> 01:16.100
However, with that said, you should have an overarching understanding of each compliance standard

01:16.100 --> 01:19.340
for every industry that you may come in contact with.

01:19.550 --> 01:23.960
CySA+ really comes into the fact of saying you need to have a high-level understanding of the different

01:23.960 --> 01:26.510
compliance structures that you may be dealing with.

01:26.540 --> 01:32.840
You may work in healthcare and have a good understanding of HIPAA and some of the other health regulatory

01:32.840 --> 01:36.920
bodies that you have to fall under and know nothing about PCI DSS.

01:36.950 --> 01:41.960
Don't go into CySA+ thinking that because you have a good understanding of just HIPAA and no understanding

01:41.960 --> 01:44.120
of the other ones, that you're going to be okay.

01:44.150 --> 01:47.660
Again, you don't need to be a master of these, but you do need to understand the different regulatory

01:47.660 --> 01:50.300
bodies that come into compliance reporting.

01:50.330 --> 01:54.980
Now, we've gone over those in past videos, but what does that mean for overall compliance reporting

01:54.980 --> 01:57.080
when it comes to your enterprise environment?

01:57.110 --> 01:59.420
There's industry standards that we need to be aware of.

01:59.450 --> 02:02.630
Industry standards are those standards set up for specific industries.

02:02.630 --> 02:06.230
They can be vastly different from, again, telecommunications to healthcare.

02:06.230 --> 02:08.810
And each standard is going to be slightly different.

02:08.810 --> 02:15.020
You may have a standard within telecommunications that says I need to encrypt data from the server to

02:15.050 --> 02:20.660
the client, but after that we're okay, whereas healthcare would be more: I need to encrypt server

02:20.660 --> 02:23.600
to server transmission, server at rest, or, excuse me, data at rest,

02:23.600 --> 02:30.460
data in transit, and in some cases even data in use needs to be encrypted because

02:30.460 --> 02:34.420
you're dealing with healthcare and you have HIPAA and you have some other regulatory requirements.

02:34.420 --> 02:37.630
Those industry standards come into play at different levels.

02:37.630 --> 02:39.760
There's the legal aspect as well.

02:40.000 --> 02:45.010
You could have legal holds, which we've talked about in the past, but they could have legal consequences

02:45.010 --> 02:48.400
based on what your industry is going through.

02:48.460 --> 02:53.020
For instance, when I worked for a telecommunications company, we had to work on SOX audits.

02:53.020 --> 02:57.730
We had to go through, we had to barcode everything that barcode needed to align to that specific object,

02:57.730 --> 03:03.100
which we had to detail the manufacturer, the model, the serial number, the whole nine yards for SOX

03:03.100 --> 03:06.640
audits because it was part of the legal requirements set up for our industry.

03:06.670 --> 03:11.620
Now, SOX audits are pretty industry wide, meaning they're going past just telecommunications.

03:11.620 --> 03:16.060
They're usually in all industries, but the level that you may have to go through, depending on your

03:16.060 --> 03:20.350
technological skill or level of your industry, may be vastly different.

03:20.350 --> 03:23.200
Working in telecommunications, it was all over the place.

03:23.200 --> 03:24.730
It was literally everything that we did.

03:24.730 --> 03:30.160
We would almost use an entire month just for SOX audits because we had so many tools that were

03:30.160 --> 03:32.350
going through or so many items that had to be scanned.

03:32.380 --> 03:38.830
There are contractual obligations as well, where those obligations need to go through and be met based

03:38.830 --> 03:40.510
on who you have a contract with.

03:40.540 --> 03:46.270
If you're using PCI DSS, that's a contractual obligation, meaning that you have an obligation for

03:46.270 --> 03:51.610
encrypting different software or encrypting different data at different points throughout your system.

03:51.610 --> 03:56.440
And you need to be aware of those contractual agreements and obligations as it goes through.

03:56.440 --> 04:01.240
And you have to have compliance scanning and compliance reporting to say, yes, I'm meeting this compliance

04:01.240 --> 04:03.130
requirement or no, I'm not.

04:03.220 --> 04:05.200
There's the governance aspects of it.

04:05.200 --> 04:11.500
This could fall under ISO 27001 or NIST or other governance frameworks that you may be utilizing.

04:11.500 --> 04:13.570
And then of course, there's internal policies.

04:13.570 --> 04:17.800
It's not unnatural to have different policies based on where you work.

04:18.040 --> 04:22.390
I worked in three different telecommunications companies, and all three had different internal policies

04:22.390 --> 04:23.710
for the same item.

04:23.830 --> 04:25.060
It's not uncommon to do that.

04:25.060 --> 04:29.800
You need to be aware of those policies, and your contractual or compliance reporting needs to reflect

04:29.800 --> 04:32.050
those internal policies that you're utilizing.

04:32.050 --> 04:35.320
Sometimes those policies don't make sense. That's not our job.

04:35.320 --> 04:39.790
Our job is to make sure that we're following those policies, make the argument later, but follow the

04:39.790 --> 04:40.990
policies now.

04:41.020 --> 04:45.610
And that's part of the compliance reporting aspect that we're going to be pushing out to our managerial

04:45.610 --> 04:47.500
or our leadership level.
