While financial firms have to comply with two data privacy laws – the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act – and the medical industry has to comply with HIPAA, none of these regulations stop at the border. Each applies equally to an organization's domestic and overseas partners. And, if your organization outsources to Europe, it must comply with the European Union Data Privacy Directive, in addition to all other applicable American legislation.
But protecting privacy overseas – and complying with relevant laws – requires three levels of security: technical, administrative and physical. The threat to IT data sent offshore isn't solely about programming and application projects; it's also about back-office operations and other processing centers that are tied to the network that handles sensitive information. It's important to remember that those operations are also a part of your IT infrastructure, even if only indirectly.
So what should an enterprise do to mitigate these global concerns? Here are some best practices for conducting business in any foreign country:
- First, determine whether your offshore operations are part of your company, foreign partners under contract or part of some other business arrangement. While the same rules apply for all three, there are subtle differences. For example, if an arm of your company resides overseas, you'll have more direct control because you can establish policies and procedures without having to get approval from an outside partner.
- Segregate your overseas IT facilities on a distinct network segment. Some companies treat their offshore networks as hostile outside connections, regardless of whether or not they're part of the company network. Consider doing the same.
As with any external network connection, the following base rules apply for technical security. Some of these may be required under Section 404 of Sarbanes-Oxley, which provides vague guidance on IT controls to buttress the broader financial controls mandated by the legislation.
- At a bare minimum, the offshore facility should have a dedicated firewall system. Use a multi-layered defense-in-depth strategy, complete with intrusion detection systems (IDS), intrusion prevention systems (IPS) and virus protection.
- Harden your IT infrastructure. Ensure your routers and servers have the most up-to-date patches and security fixes, unneeded services are turned off, non-essential ports are closed and access is restricted to authorized users. Block access to USB sticks, iPods and other mass storage devices that can gather data.
- Ensure that all connections between your domestic network and the overseas operation are secure. In addition to firewalls, consider encrypting the pipes that carry sensitive customer information.
- Create a separate group within your access management team for adding, changing and deleting all overseas users. That team should create distinct groups for your offshore staff. Such groups can be created in Active Directory (AD), for example, allowing for their segregation and supervision while still integrating them into the AD tree for all your staff, both domestic and global.
- Carefully log and monitor all network activity on foreign network segments, just as you would your domestic ones. Conduct regular audits of user IDs and passwords to weed out former employees and make sure existing ones have only the access they need.
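One way to run the user-ID audit described above, as an added example that is not from the article: it compares a constructed Active Directory group export for the offshore segment with a constructed HR roster, and flags former employees still holding accounts as well as accounts with groups beyond the offshore set. All account and group names, and the allowed-group list, are hypothetical.

```python
# Added example (not from the article): review offshore accounts exported from
# AD against the HR roster; flag leavers and excess group membership.
import csv
import io

# Constructed sample exports with hypothetical account and group names.
AD_EXPORT = """\
sAMAccountName,groups
asmith,Offshore-Staff;VPN-Offshore
bjones,Offshore-Staff;VPN-Offshore;Domain Admins
ckhan,Offshore-Staff;Finance-ReadOnly
dlee,Offshore-Staff;VPN-Offshore
"""
HR_ROSTER = """\
sAMAccountName,status
asmith,active
bjones,active
ckhan,terminated
"""
# Groups an offshore account may hold (an assumption for this example).
ALLOWED_GROUPS = {"Offshore-Staff", "VPN-Offshore"}


def review_offshore_access(ad_csv, hr_csv, allowed):
    """Return (account, reason) findings for the access review."""
    roster = {r["sAMAccountName"]: r["status"]
              for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for row in csv.DictReader(io.StringIO(ad_csv)):
        acct = row["sAMAccountName"]
        groups = set(filter(None, row["groups"].split(";")))
        status = roster.get(acct)
        if status is None:
            # Account exists in AD but HR has no record: a stale or rogue ID.
            findings.append((acct, "not on HR roster: disable and investigate"))
        elif status != "active":
            # Former employee still holding a live account.
            findings.append((acct, f"HR status '{status}': disable account"))
        extra = groups - allowed
        if extra:
            # Least privilege: offshore staff should hold only the offshore groups.
            findings.append((acct, "excess access: " + ", ".join(sorted(extra))))
    return findings


if __name__ == "__main__":
    for acct, reason in review_offshore_access(AD_EXPORT, HR_ROSTER, ALLOWED_GROUPS):
        print(f"{acct}: {reason}")
```

In practice the two inputs would be the CSV exports from your directory and HR system, and the findings would feed the ticketing process that disables or trims the flagged accounts.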
Depending on where you're operating overseas, the administrative level can be the trickiest.
- Thoroughly screen all overseas staff, just as you would your domestic ones. Where possible, conduct background checks for criminal records and work history. In many countries with underdeveloped infrastructures this isn't realistic, and high turnover makes it harder still. But even the most remote developing countries have local business organizations or a seasoned expatriate community that can provide assistance. Use them.
- Rely on local managers and owners as much as possible for personnel advice. They know the culture, the language and, above all, any local nuances that may seem strange to you as a foreigner, but may be nothing to worry about. They may also know who to hire and who to stay away from, something else that may not be obvious to an outsider.
The physical security level should be handled just like your organization's main facility. Always visit the proposed offshore site. Having first-hand knowledge of the facility will help you avoid potential pitfalls and unexpected problems. The cost of an expensive overseas trip is far less than the cost of an expensive disaster that could have been avoided by a simple facility inspection. During your visit, ask the following questions:
- Is the facility located in a densely populated area, or in an isolated industrial park? Is it adequately secured from outsiders or non-employees?
- It's smart to log and monitor employee access to the facility. Are there adequate access controls, such as guards to check employee IDs, or other physical protections like card-operated turnstiles?
Some companies, like those that have overseas call center operations, don't allow their employees to bring in office supplies and require them to check briefcases at the door. This prevents an unscrupulous employee from writing down customer information that could be later used maliciously. Whatever you do, try to supervise and control documents and other items as they enter and leave the facility.
Also set up a disaster recovery strategy to account for natural disasters, terrorist attacks and the like, and ensure backups go to secure facilities off site, if not out of the country. In general, make physical access overseas as tough as you would at your facilities at home.
Above all, document all security procedures, whether technical, administrative or physical, and codify them into your information security policies. Routinely review past incidents and logs and be prepared for auditors to ensure you are meeting the requirements mandated by Sarbanes-Oxley and the other applicable regulations for your industry.
About the Author:
Joel Dubin, CISSP, is an independent computer security consultant based in Chicago. He is a Microsoft MVP in security, specializing in Web and application security. He is also the author of The Little Black Book of Computer Security available from Amazon.
This was first published in October 2006