Compliance Counselor
Privacy and your offshore operations


Joel Dubin
10.18.2006




If you outsource any part of your operations offshore, remember that security and privacy concerns don't stop at the border.

Financial firms are subject to two federal laws that reach their data handling: the Gramm-Leach-Bliley Act, which governs the privacy and safeguarding of customer financial information, and the Sarbanes-Oxley Act, which is a financial-reporting law rather than a privacy law but pulls in the IT controls behind financial data. The medical industry has to comply with HIPAA. None of these obligations stop at the border: the duty follows the data, so an organization remains answerable for how its overseas partners handle it, just as it is for its domestic ones. And if your organization outsources to Europe, it must also comply with the EU Data Protection Directive (95/46/EC), which restricts how personal data may be processed and transferred, in addition to all other applicable American legislation.

Protecting privacy overseas, and complying with the relevant laws, requires three levels of security: technical, administrative and physical. The exposure isn't confined to the programming and application projects you send offshore; back-office operations and other processing centers that connect to the network handling sensitive information are part of your IT infrastructure too, even if only indirectly, and they need the same three levels of protection.

So what should an enterprise do to mitigate these global concerns? Here are some best practices for conducting business in any foreign country:

  • First, determine whether your offshore operations are part of your company, foreign partners under contract or part of some other business arrangement. While the same rules apply for all three, there are subtle differences. For example, if an arm of your company resides overseas, you'll have more direct control because you can establish policies and procedures without having to get approval from an outside partner. If the work is done by a contracted partner, the same controls have to be written into the contract, together with the right to audit them, because you cannot simply impose policy on another company's staff.
  • Segregate your overseas IT facilities on a distinct network segment. Some companies treat their offshore networks as hostile outside connections, regardless of whether or not they're part of the company network: the segment passes through the same perimeter controls as any third party and reaches only the specific systems the offshore work requires. Consider doing the same.

As with any external network connection, the following base rules apply for technical security. Some of these may be required under Section 404 of Sarbanes-Oxley, which obliges management to assess internal controls over financial reporting; the Act itself says little specific about IT controls, so auditors generally look to frameworks such as COBIT for what is expected of the systems that support financial data.

  • At a bare minimum, the offshore facility should have a dedicated firewall system with a default-deny rule base. Use a multi-layered defense-in-depth strategy, complete with intrusion detection systems (IDS), intrusion prevention systems (IPS) and anti-malware protection.
  • Harden your IT infrastructure. Ensure your routers and servers have the most up-to-date patches and security fixes, unneeded services are turned off, non-essential ports are closed and access is restricted to authorized users. Block USB sticks, iPods and other removable mass storage devices that can carry data out of the facility.
  • Ensure that all connections between your domestic network and the overseas operation are secure. In addition to firewalls, encrypt the links that carry sensitive customer information, for example with a site-to-site IPsec VPN or with TLS at the application layer, so that the carriers and foreign networks in between see only ciphertext.
  • Create a separate group within your access management team for adding, changing and deleting all overseas users. That team should put offshore staff in distinct groups of their own. Such groups can be created in Active Directory (AD), for example, allowing for their segregation and supervision while still integrating them into the AD tree for all your staff, both domestic and global. The corollary is that offshore accounts should never be members of the domestic privileged groups.
  • Carefully log and monitor all network activity on foreign network segments, just as you would your domestic ones. Conduct regular audits of user accounts and their group memberships to weed out former employees and make sure existing ones have only the access they need.
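Two of the controls above can be checked mechanically: that accepted traffic from the offshore segment stays within the allowlist the firewall is supposed to enforce, and that offshore accounts are periodically reviewed for leavers and for membership in domestic privileged groups. The following Python script is an added example written for this page; it is not the author's code and not any product's tooling. It assumes an offshore segment of 10.50.0.0/16, an allowlist of three (destination, port) pairs, and group names such as OFFSHORE-ALL and DOMESTIC-DBA; all of these, the 45-day staleness threshold, the firewall log lines (loosely modelled on a netfilter LOG entry) and the user export are constructed for the example.

```python
import csv
import io
import ipaddress
import re
from datetime import datetime, timedelta

# --- 1. Network: treat the offshore segment as hostile -----------------------
OFFSHORE_NET = ipaddress.ip_network("10.50.0.0/16")  # assumed offshore segment

# Assumed allowlist of (destination, port) the offshore segment may reach.
# Anything else should be DROPped at the firewall; an ACCEPT outside this set
# means the rule base has drifted from policy or someone opened a hole.
ALLOWED_FLOWS = {
    ("10.1.0.10", 443),   # web front end the offshore team supports
    ("10.1.0.20", 1433),  # application database, application account only
    ("10.1.0.5", 53),     # internal DNS resolver
}

# Constructed log lines, loosely modelled on a netfilter LOG entry.
SAMPLE_FW_LOG = [
    "Oct 18 09:12:01 fw kernel: OFFSHORE ACCEPT SRC=10.50.3.14 DST=10.1.0.10 PROTO=TCP SPT=51234 DPT=443",
    "Oct 18 09:12:05 fw kernel: OFFSHORE DROP SRC=10.50.3.14 DST=10.1.0.30 PROTO=TCP SPT=51240 DPT=445",
    "Oct 18 09:13:40 fw kernel: OFFSHORE ACCEPT SRC=10.50.7.2 DST=10.1.0.30 PROTO=TCP SPT=40001 DPT=3389",
    "Oct 18 09:14:02 fw kernel: DOMESTIC ACCEPT SRC=10.1.0.77 DST=10.1.0.30 PROTO=TCP SPT=40002 DPT=3389",
]

LOG_RE = re.compile(
    r"(?P<action>ACCEPT|DROP) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=\S+ SPT=\d+ DPT=(?P<dpt>\d+)"
)


def flag_offshore_flows(log_lines):
    """Return (src, dst, port) for every ACCEPTed flow from the offshore
    segment that is not on the allowlist. Domestic sources and DROPs are
    ignored: the point is to catch holes, not to count blocked probes."""
    findings = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m is None:
            continue  # unrelated kernel message
        src = ipaddress.ip_address(m["src"])
        if src not in OFFSHORE_NET:
            continue
        flow = (m["dst"], int(m["dpt"]))
        if m["action"] == "ACCEPT" and flow not in ALLOWED_FLOWS:
            findings.append((str(src), flow[0], flow[1]))
    return findings


# --- 2. Identity: review the offshore accounts -------------------------------
# Constructed export of directory attributes; the group names are assumptions.
SAMPLE_USERS = """\
samaccountname,groups,last_logon,enabled
a.kumar,OFFSHORE-ALL;OFFSHORE-DEV,2006-10-16,true
r.singh,OFFSHORE-ALL;OFFSHORE-DEV;DOMESTIC-DBA,2006-10-17,true
p.mehta,OFFSHORE-ALL,2006-06-02,true
s.rao,OFFSHORE-ALL;OFFSHORE-DEV,2006-10-15,false
"""
OFFSHORE_GROUP = "OFFSHORE-ALL"                          # every offshore user is in it
DOMESTIC_PRIVILEGED = {"DOMESTIC-DBA", "DOMAIN-ADMINS"}  # offshore users never should be
STALE_AFTER = timedelta(days=45)                         # assumed leaver threshold
REVIEW_DATE = datetime(2006, 10, 18)                     # fixed so the result is reproducible


def review_offshore_accounts(csv_text, today=REVIEW_DATE):
    """Return (account, reason) for offshore accounts that need action:
    enabled but unused (probably a leaver), disabled but still holding
    groups, or holding a domestic privileged group (breaks the segregation)."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        groups = set(g for g in row["groups"].split(";") if g)
        if OFFSHORE_GROUP not in groups:
            continue
        idle = today - datetime.strptime(row["last_logon"], "%Y-%m-%d")
        if row["enabled"] == "true" and idle > STALE_AFTER:
            findings.append((row["samaccountname"], "stale: no logon for %d days" % idle.days))
        if row["enabled"] != "true" and groups:
            findings.append((row["samaccountname"], "disabled but still in: " + ",".join(sorted(groups))))
        privileged = groups & DOMESTIC_PRIVILEGED
        if privileged:
            findings.append((row["samaccountname"], "offshore user in domestic privileged group: " + ",".join(sorted(privileged))))
    return findings


if __name__ == "__main__":
    for f in flag_offshore_flows(SAMPLE_FW_LOG):
        print("FLOW    %s -> %s:%d not allowlisted" % f)
    for account, reason in review_offshore_accounts(SAMPLE_USERS):
        print("ACCOUNT %-10s %s" % (account, reason))
```

Run against the constructed data, the flow check reports only the RDP session from 10.50.7.2 to 10.1.0.30 (the blocked SMB probe and the domestic RDP session are correctly ignored), and the account review reports r.singh for holding DOMESTIC-DBA, p.mehta as stale and s.rao as disabled but still carrying group memberships. In production the two functions would read the firewall's syslog feed and a scheduled directory export rather than the inline samples.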

Depending on where you're operating overseas, the administrative level can be the trickiest.

  • Thoroughly screen all overseas staff, just as you would your domestic ones. Where possible, conduct background checks for criminal records and work history. In many countries with underdeveloped infrastructures, this isn't realistic, and high turnover can make this difficult. But even the most remote developing countries have local business organizations or a seasoned expatriate community that can provide assistance. Use them.
  • Rely on local managers and owners as much as possible for personnel advice. They know the culture, the language and, above all, any local nuances that may seem strange to you as a foreigner, but may be nothing to worry about. They may also know who to hire and who to stay away from, something else that may not be obvious to an outsider.

The physical security level should be handled just like your organization's main facility. Always visit the proposed offshore site. Having first-hand knowledge of the facility will help you avoid potential pitfalls and unexpected problems. The cost of an overseas trip is far less than the cost of a disaster that a simple facility inspection could have avoided. During your visit, ask the following questions:

  • Is the facility located in a densely populated area, or in an isolated industrial park? Is it adequately secured from outsiders or non-employees?
  • Is employee access to the facility logged and monitored? Are there adequate access controls, such as guards who check employee IDs, or other physical protections like card-operated turnstiles?

Some companies, like those that have overseas call center operations, don't allow their employees to bring in office supplies and require them to check briefcases at the door. This prevents an unscrupulous employee from writing down customer information that could be later used maliciously. Whatever you do, try to supervise and control documents and other items as they enter and leave the facility.

Also set up a disaster recovery strategy to account for natural disasters, terrorist attacks and the like, and ensure backups go to secure facilities off site, if not out of the country, encrypted in transit and at rest so that a lost tape is not itself a breach. In general, make physical access overseas as tough as you would at your facilities at home.

Above all, document all security procedures, whether technical, administrative or physical, and codify them into your information security policies. Routinely review past incidents and logs and be prepared for auditors to ensure you are meeting the requirements mandated by Sarbanes-Oxley and the other applicable regulations for your industry.

About the Author:
Joel Dubin, CISSP, is an independent computer security consultant based in Chicago. He is a Microsoft MVP in security, specializing in Web and application security. He is also the author of The Little Black Book of Computer Security available from Amazon.

SearchSecurity.com
All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy