Media and Its Regulatory Burden
As a cloud-based solution, GRC Labs deploys simply and quickly, even across a large media enterprise. It also provides a common platform for managing controls across multiple frameworks, and a dashboard that lets the CISO monitor key performance indicators for compliance and IT security efforts.
Media outlets must also be nimble, able to push new content onto new platforms as they arise on social media: from written essay, to photo montage, to YouTube video, to Twitter chat. The outlet must then capture data about who interacts with which content, and to what extent, and analyze that information to develop revenue strategies.
Media companies can encounter significant regulatory burdens as they go about the business of collecting data on customers and their behavior. Consider some of the data they are likely to collect from website visitors: name, credit card number, address, age, location, and social media profiles.
Much of that data can be subject to protection under multiple laws, which can reach across multiple jurisdictions. A media outlet based in the United States, for example, can be subject to the EU's General Data Protection Regulation (GDPR) if it offers goods or services to, or monitors the behavior of, people in the EU. Data collected online from children under 13 requires verifiable parental consent under COPPA. Credit card data is governed by PCI DSS (a contractual standard imposed by the card brands rather than a statute) and by state data-security and breach-notification laws.
A critical question is whether the data collected can identify a specific person. Even something as simple as a photo submitted to a contest can be personal data (it shows a face and may carry location metadata), and so can bring multiple compliance risks.
Compliance Objective
As media companies build their business on one or more cloud-based services, compliance obligations start to add up. Media outlets can work with multiple frameworks to meet those obligations: credit card data can be secured under the PCI DSS framework, and other sensitive data can be governed by NIST guidance such as the Cybersecurity Framework or SP 800-53. Tracking risk assessments, gap analyses, and remediation efforts across multiple frameworks, however, can be daunting. A compliance program typically needs to:
Assess vulnerabilities in the network and application layers.
Remediate any weaknesses, either through security patches to software or through changes to data collection practices.
Report those risk assessments and remediations to other parties as necessary.
Review data collection practices for non-compliant behavior (say, failure to secure consent before collecting social media profiles).
Track progress on those remediation efforts.
Diagnose breaches when they happen, and disclose them according to breach notification laws.