[MUSIC]
We live in a connected world. Our lives are translated into data that is recorded
on digital devices, on the cloud, shared with friends and used for
a large variety of purposes.
Today, you cannot worry only about yourself,
you need to also worry about the people, the organizations, you interact with and
the laws that regulate those interactions.
And depending on the country you are in, you will probably have laws about privacy
and data protection, national security, anti-terrorism and financial governance.
As the business methods and technologies are constantly evolving,
these laws have to be frequently updated.
This has a lot of impact on how business works and even in some cases, you may find
yourself breaking a regulation you were not aware ever existed.
Security management processes should identify which
business processes are subject to certain legislations and laws and
provide the necessary controls to ensure that the restrictions and
requirements imposed by those laws are met.
This process can be really complex and challenging for
big corporations, as they might be subject to regulations from
different countries which are contradictory.
For example, national security legislation in the US allows the government,
after obtaining the necessary permissions, to request information about
specific users from companies operating on US soil.
However, if the request is about a European citizen and
the data is being stored in a European country,
European regulations forbid the company to comply with that request.
At the moment, there are actually many regulations that affect information
systems and security management.
Let's quickly review two of them.
The Wassenaar agreement regulates the exports of arms and dual-use goods.
Cryptography is considered a dual-use technology under this agreement.
This agreement is signed by more than 41 countries,
including most countries in Europe, the United States and Canada.
Therefore, if you are in any of those countries and you are developing a product
with cryptographic capabilities, you may be required to obtain an export license.
Computer misuse has been recently added as a criminal offence in many countries.
This includes unauthorized access, alteration or destruction of information.
However, under some legislations, conducting certain legitimate security
analysis tasks is also considered a crime.
The previous examples show how difficult it is to meet the requirements imposed by
laws and regulations existing in the many countries you may be operating in.
Remember that security management processes should identify these
regulations and
how they affect the business processes running within the organization.
Here, you can see a list of regulations that affect somehow information systems
and security management.