
COMPLIANCE COUNSELOR
Privacy and your offshore operations
Joel Dubin 10.18.2006
Rating: 4.60 (out of 5)
If you outsource any part of your operations offshore, remember that security and privacy concerns don't stop at the border.
While financial firms have to comply with two data privacy laws – the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act – and the medical industry has to comply with HIPAA, none of these regulations stops at the border. Each applies equally to an organization's domestic and overseas partners. And if your organization outsources to Europe, it must comply with the European Union Data Privacy Directive in addition to all other applicable American legislation.
But protecting privacy overseas – and complying with relevant laws – requires three levels of security: technical, administrative and physical. The threat to IT data sent offshore isn't solely about programming and application projects; it's also about back-office operations and other processing centers that are tied to the network that handles sensitive information. It's important to remember that they are also a part of your IT infrastructure, even if indirectly.
So what should an enterprise do to mitigate these global concerns? Here are some best practices for conducting business in any foreign country:
As with any external network connection, the following base rules apply for technical security. Some of these may be required under Section 404 of Sarbanes-Oxley, which provides vague guidance on IT controls to buttress the broader financial controls mandated by the legislation.
Depending on where you're operating overseas, the administrative level can be the trickiest.
The physical security level should be handled just like your organization's main facility. Always visit the proposed offshore site. Having first-hand knowledge of the facility will help you avoid potential pitfalls and unexpected problems. The cost of an expensive overseas trip is far less than the cost of an expensive disaster that could have been avoided by a simple facility inspection. During your visit, ask the following questions:
Some companies, such as those with overseas call center operations, don't allow their employees to bring in office supplies and require them to check briefcases at the door. This prevents an unscrupulous employee from writing down customer information that could later be used maliciously. Whatever you do, try to supervise and control documents and other items as they enter and leave the facility.
Also set up a disaster recovery strategy to account for natural disasters, terrorist attacks and the like, and ensure backups go to secure facilities off site, if not out of the country. In general, make physical access overseas as tough as you would at your facilities at home.
Above all, document all security procedures, whether technical, administrative or physical, and codify them into your information security policies. Routinely review past incidents and logs and be prepared for auditors to ensure you are meeting the requirements mandated by Sarbanes-Oxley and the other applicable regulations for your industry.
About the Author:
Joel Dubin, CISSP, is an independent computer security consultant based in Chicago. He is a Microsoft MVP in security, specializing in Web and application security. He is also the author of The Little Black Book of Computer Security available from Amazon.