Doing business in the U.S., you know all about the alphabet soup that is today's compliance mess: PCI DSS, HIPAA, GLBA, SOX, etc. But what about global regulations? Are there other things to worry about, maybe more compliance laws?
The answer is yes and no. If the company takes credit cards for payment, then PCI DSS is in play wherever those transactions are captured. Enforcement outside of the U.S. is in its infancy, but it will grow. There are quite a few QSAs (Qualified Security Assessors) that can conduct global assessments, so if the organization is international, then it's important to have consistent processes and control sets in place to protect the credit card data. If the company is compliant with PCI DSS in the U.S., then it's likely compliant in all the countries in which it operates.
What about having solid financial controls? Is it necessary to pay the Sarbanes-Oxley tax outside of the U.S.? This only happens if the company is in Japan, where the Financial Instruments and Exchange Law (known as J-SOX, because it's so closely modeled after SOX) is in place. That means it's important to take a risk-based approach to making sure that financial controls are in place and separation of duties is enforced. Also, do some logging to verify what's actually been done.
It's worth noting that five years ago differences in the international regulatory frameworks were apparent when considering privacy, but not anymore. To its credit, Europe has really led the way in terms of delineating what is acceptable to share and defining a set of specific requirements about protecting customer information. Nowadays, regardless of geography, the standards are mostly equivalent for both security and privacy.
Many of these requirements are laid out in the European Commission's 1995 Directive on Data Protection (Directive 95/46/EC). This directive was adopted in 1995 and has been enforced since 1998 for all countries in the European Union. It lays out eight principles of good practice, of which number seven is "secure."
That's right: Private companies (and governments for that matter) need to keep private data secure. But what does that mean? It's generally the same as every other regulation that requires data protection. Organizations must make the case to local regulators that excessive private data is not being stored and that any data that is stored is done securely. It's not unlike other privacy-oriented regulations such as HIPAA and GLBA in the U.S.: First protect the data, and then document the controls used. If the company proves it can successfully protect its data, it will -- in all likelihood -- be compliant.
A quick assessment of these global privacy regulations always brings me back to my general philosophy on compliance. Many organizations look at compliance as a set of check boxes that must be addressed. But compliance is not the goal; it's a result of securing data in a dynamic and dangerous world.
To be clear, compliance is not something to do. It's not something to buy. It's not something that is finished -- ever. As long as attackers are coming up with new ways to steal information, there will always be new defenses that are required and new reports that need to be generated for new regulators.
So regardless of where an organization does business, there are a few basic principles: Don't collect more data than needed. Protect customers' private data. Document the controls that are in place.
And get a nice case for that compliance passport that will house all the stamps from around the world.
About the author:
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Rothman is also SearchSecurity.com's expert-in-residence on information security management. Get more information about the Pragmatic CSO, read his blog, or reach him via e-mail.
This was first published in October 2008