Get startedGet started for free

Risk management industry standards

1. Risk management industry standards

As a cloud security professional, you’ll usually have to review assets and verify that they meet the standards and frameworks. You’ll also need to be able to describe what you notice in terms of your organization's compliance objectives. In this video, we’ll explore these standards and frameworks and discuss how they can help you in your career as a cloud security professional. It’s important to call out our discussion in this course should not be considered legal advice. The Payment Card Industry Data Security Standard, or PCI DSS, is a widely accepted set of policies and procedures intended to optimize the security of credit, debit, and cash card transactions. PCI DSS also protects cardholders against misuse of their personal information. The PCI Security Standards Council, also known as PCI SSC, was created in September of 2006 to address the changing security standards in the Payment Card Industry, or PCI. It is an independent body created by major payment card brands focused on improving transaction security. The PS SSC set the standards for payment security. Then, payment card brands may require merchants to follow these standards to maintain compliance. Keep in mind, the payment brands are responsible for enforcing PCI DSS compliance, not the PCI council. The PCI DSS applies to any organization that accepts, transmits, or stores any cardholder data, regardless of the size of the organization, or the number of transactions. All merchants will fall into one of four merchant levels based on transaction volume over a 12-month period. Each level determines the security and audit scope required to remain compliant. These levels are set by payment card brands and so may differ from each other. These levels are not set by PCI SSC. Let’s dive into each of these levels. Level 1 applies to merchants that process over six million card transactions per year by any method, including online, in store, or by phone. Level 2 applies to merchants that process one to six million card transactions per year. Level 3 applies to merchants that process 20,000 to 1 million ecommerce transactions per year. Ecommerce transactions are transactions related to buying and selling goods online. Finally, level 4 applies to merchants processing fewer than 20,000 ecommerce transactions per year, and any other merchant processing up to 1M card transactions per year. There are three ongoing steps a cloud security team follows to adhere to the PCI DSS. First, assess means to identify all locations of cardholder data, and analyze processes and IT assets for vulnerabilities that could expose cardholder data. Second, repair means to fix the identified vulnerabilities. You can do this by securely removing any unnecessary cardholder data and implementing secure business processes. And third, report means to document assessment and remediation details, and submit compliance reports to the bank and card brands you do business with. Along with the PCI DSS, you also need to be familiar with the ISO 27001 framework. Remember, ISO 27001 is an international framework that focuses on information security management systems. The three aspects of information security in ISO 27001 are confidentiality, information integrity, and availability of data. This is also known as the CIA triad. Confidentiality means that only authorized people can access the information held by the organization. An example of a confidentiality risk is a threat actor gaining unauthorized access to client login details and selling them online. Information integrity means that data within an organization is not erased or damaged, but instead reliably stored and not changed without authorization. A risk to information integrity might be a staff member that accidentally deletes some content in a file. Lastly, availability of data means that an organization and its authorized clients can access information whenever they need to. This ensures the organization meets business needs and user expectations. Availability of data could be put at risk if a database goes offline due to server problems and insufficient backup. Knowing about PCI DSS compliance, ISO 27001, and the CIA triad will help you implement these standards and frameworks for workloads within your organization.

2. Let's practice!

Create Your Free Account

or

By continuing, you accept our Terms of Use, our Privacy Policy and that your data is stored in the USA.