From the course: ISC2 Certified Cloud Security Professional (CCSP) Cert Prep
Legal frameworks and forensics
- [Instructor] Welcome to this lesson on legal frameworks and forensics. In this lesson, we have three key objectives. The first is to go through a handful of legal frameworks. We'll then talk a little bit about eDiscovery and some forensics requirements. We have quite a few legal frameworks to go through, and you'll see some recurring themes between some of these frameworks, so I won't necessarily do a deep dive on each of these specific components of these frameworks. But I do recommend pausing on these slides and taking some notes or becoming aware of the components of the framework in case it comes up in the exam. The first legal framework we'll cover is the Organization for Economic Cooperation and Development, or the OECD. This is an international organization that promotes policies aimed at improving the economic and social wellbeing of people all over the world. So the OECD has some core foundational principles for data privacy and security, and these principles emphasize things like consent, data integrity, and having a specified purpose for data use. They guide how personal data should be managed and highlight the need for transparency and individual rights. Once again, we'll see several of these foundational principles come up in several of the other frameworks. So we'll, in this case, stop to briefly talk about each of these different principles. Starting with the collection limitation principle, the idea here is that personal data should only be collected with consent and kept to a minimum. For data quality, the data should be relevant, accurate, and also kept up to date. For the purpose specification principle, the intent here is that the purpose for the data collected should be clearly stated at the time of collection. For use limitation, personal data should only be used for the specified purpose or with consent if it's for other purposes. For the security safeguards principle, data should be protected with the appropriate security measures. 
For openness, organizations should be transparent about the data collection practices of the employee at the organization. For the individual participation principle, individuals should have the right to access and correct their personal data. And then finally, for accountability, data controllers should be held responsible for complying with privacy principles. On top of these foundational principles, the OECD also has some overarching themes. The first one is a recommendation for organizations to use risk management to manage the protection of privacy data within the organization. The next is kind of a core concept as to why the OECD exists, which is that privacy has a global impact and really should be governed by an international organization, which is the OECD. Three primary guidelines that the OECD adopted are creating and managing national privacy strategies that should be created and implemented at the highest levels of government. The next is having established and strict data security breach notification regulations. And then finally, encouraging organizations to have privacy management programs to help organizations adhere to these requirements. The next legal framework we'll cover is the Asia-Pacific Economic Cooperation Privacy Framework or APEC. The goal of this framework is to establish a consistent approach to information privacy protection across the Pacific Rim. This is similarly rooted in a handful of foundational principles. And in this case, there's nine of them. These principles focus on things like preventing harm, limiting data collection, and ensuring the integrity and security of personal information. The framework mandates clear notices to individuals about data collection and uses and requires consent where appropriate, as well as ensuring that the data is accurate and protected against unauthorized access. 
The framework also emphasizes the importance of choice and consent, which allows individuals to have control over their personal information. For cloud security specifically, understanding these frameworks can be helpful in designing systems and policies that adhere to these core principles and facilitate safe, lawful, and fair personal data handling. Once again, we notice a theme here of principles that are similar to other frameworks, but I do recommend spending some time memorizing the principles in relation to each of the different frameworks. Any module summary should be a good resource you can use to keep track. The next legal framework is, of course, the GDPR or General Data Protection Regulation, which has come up a few times throughout the course. The reason that the GDPR is significant is because it represents a pretty significant landmark in data privacy laws and it sets a really high standard for data protection worldwide. It introduces comprehensive requirements for data handling and includes pretty strict data protection principles and extensive rights for data subjects such as the infamous Right to be Forgotten. The GDPR also establishes various different roles and responsibilities, including things like data controllers and processors to ensure that data privacy is upheld during various stages of the data lifecycle. There's also, in some cases, penalties for non-compliance, and some of them can be pretty substantial. This is yet another reason why strict adherence to GDPR requirements is important for all organizations that are collecting personal data of EU citizens. This is a general overview of what the GDPR is. And later in the course, we'll discuss some specifics around the different roles and responsibilities and do a deep dive on how they work together to ensure data privacy. Similar to the other frameworks, the GDPR has some foundational principles, which once again have a pretty similar theme.
The module summary should also be a pretty good place to make sure you have a good understanding of the principles underneath each of these frameworks, as well as the definition of what they cover. Some additional frameworks here that we won't necessarily touch on in as much detail are the Health Insurance Portability and Accountability Act or HIPAA. And this is a US regulation that governs protection of PHI. We also have the Payment Card Industry Data Security Standard or PCI DSS, which, as a reminder, is not a legal requirement, but rather an agreement created by some of the major credit providers across the United States to ensure safe handling of payment and other financial data. Next, we have the Privacy Shield Standard, and this is a framework that was created for regulating exchanges of personal data for commercial purposes between the European Union and the United States. And then finally, we have the Sarbanes-Oxley Act or SOX. This is a US federal law that was enacted to protect investors from corporate fraud. The focus of SOX is that publicly traded companies in the US, or in other words, companies that have stock available for purchase, have to adhere to SOX regulations. The last thing I'll touch on for legal frameworks is the definition of statutory requirements, regulatory requirements, and contractual requirements. Many of the frameworks that we've discussed up to this point fall into different categories when it comes to these. So starting with statutory requirements, these are required by law. Specifically in the US, these are laws enacted by the legislative branch of the government. Whereas regulatory requirements are compliance requirements that are set by a governing body to control activities of a certain industry. And then finally, we have contractual requirements, and these are obligations agreed upon in a legal contract between parties.
So some examples here are that HIPAA would fall underneath a statutory requirement for healthcare data, where something like some of the NIST standards would be part of a regulatory requirement. And PCI DSS is a great example of a contractual requirement. Now, let's cover eDiscovery. We've covered this before, but just as a quick reminder, eDiscovery is the process of seeking, locating, and securing electronic data for legal evidence. For a typical on-prem system that could involve gaining physical control over digital media and creating a chain of custody to keep track of where that physical media has gone and who has had control over it. But of course, in a cloud environment, this becomes a little bit more complex. Unlike traditional computing environments, cloud infrastructures complicate the process of all three of these activities, being seeking, locating, and securing the evidence. And sometimes this complexity can be heightened by jurisdictional issues when the data is located in different local and national regions. It can also be difficult to maintain a clear chain of custody for this type of digital evidence, which is why organizations that have infrastructure deployed in the cloud should work closely with legal teams, and in some cases, eDiscovery experts to make sure that the processes around the collection and storing of this information are both compliant and effective. This process can also be integrated into the overall organizational strategy for things like data management and access controls, and in some cases may require cooperation with cloud service providers to ensure that all of the requirements are being met. Finally, we'll cover forensic requirements. I'm sure you've gathered by now that the cloud environment doesn't make the process of digital forensics very easy because of the virtual and distributed nature of the resources.
This is because it makes traditional physical search and seizure methods impractical, and in many cases, completely impossible. In many cases, this is why it's important to have qualified digital forensics and incident response personnel that are dedicated to these specific purposes. Organizations may also need to negotiate contracts with CSPs and have specific clauses for how things like eDiscovery will be handled in the event that it needs to occur. There's also a variety of third-party and cloud-specific tools and frameworks that organizations can use to simplify this process a bit. But ultimately, the goal here is that organizations should consider it as a requirement and plan for it accordingly. All right, in summary, in this lesson, we covered a handful of different legal frameworks. We then touched on eDiscovery and forensic requirements. Just as a reminder here, we went through a pretty large variety of these legal frameworks. So I do recommend using the resources available in the course summary and spending some time memorizing the core purposes and foundational principles of each of these different frameworks. Thanks for joining. I'll see you in the next lesson.