Applying information security management principles in GRC
This Security School is a free multimedia learning guide designed to help you understand and address the strategic and tactical implications of this topic.
The following video is an excerpt from the Official (ISC)² CISSP OnDemand Training.
When it comes to addressing privacy requirements and other compliance issues, only one rule holds true for everyone: Assume nothing. Even two companies in the same vertical industry and geographic region can have very different needs if one operates locally and the other does business internationally.
Dynamics like this illustrate why it's important that Certified Information Systems Security Professionals (CISSPs) fully understand the legal, regulatory and privacy demands facing their individual organizations to ensure information is managed appropriately.
In this video, expert Adam Gordon walks viewers through an overview of various considerations of which enterprise CISSPs must be aware in order to maintain data integrity and confidentiality.
Keeping up to date on how various legal, regulatory and privacy requirements apply to the enterprise is often the responsibility of the CISSP -- and it's an ongoing responsibility, explains Adam Gordon, lead editor of the Official (ISC)² Guide to the CBK, Fourth Edition.
"It's not something you just do once," he says. "Laws continue to evolve."
Such a climate can prove complex and challenging for many CISSPs, particularly those trying to stay on top of compliance demands for global enterprises.
In the video, Gordon explores some of the issues that arise when a multinational company must not only meet two governments' individual privacy requirements, but must also navigate intricate agreements governing how data is shared between those borders.
"When we think about governance, risk management and compliance -- what we call GRC, an acronym to represent those areas -- we want to be thinking about activities, thought processes, standards, procedures, policies within the organization that help us to really focus on compliance," he says.
CISSP® is a registered mark of (ISC)².
The following is a full transcript of Adam Gordon's video.
Transcript - As privacy requirements evolve, CISSPs must stay informed
As we turn our attention to compliance, or what compliance means for the CISSP, you want to be thinking about legislative and regulatory compliance within the organization; what are the elements that help to frame that conversation a little bit? And [what are the] privacy requirements from a compliance perspective.
Are there regulatory issues? Are there legislative issues that help us to frame the privacy conversation? There definitely are. They may vary by country, by region, by geography, and we want to at least be aware of those. We may not obviously have to take all of them into account as we operate within our environment.
If we are, for instance, a CISSP that operates in India, we have to be aware of the privacy, legal and regulatory requirements within India. And, as a result of that, while we do want to focus on those, and we drive our practice and our business around those, if our business is local to India as a country -- we don't leave India, we don't do business with others outside of India -- then we may want to have some awareness of the fact that there are other legal, regulatory and privacy requirements in other geographies and other regions of the world, but they're probably really not going to apply to our business, and, as a result, we probably don't have to pay much attention to them.
However, having said that, [in the] same situation, if we are based in India, our company is there, but it's a multinational, and we do business not just in India, but in Leighton, in Asia-Pac, in other geographies of the regions of the world, then we have to make sure we are focused on the privacy, legal and regulatory requirements inside of our country, but we also need to ... be focused on how those apply, as well as how the others from the other regions [in which] we do business then may apply. There may be a difference in approach, a difference in understanding, a difference in interpretation and, indeed, a difference in need to meet certain bars, certain levels of either documentation or certain levels of compliance that may differ by region based on law and based on [the] interpretation of them.
So I want to make sure, as we begin our conversations, that we're thinking about these things. It's very important for us to understand and be aware of the fact that CISSPs, that our particular interpretation of our world is going to be in alignment with, in support of and indeed is going to meet all the expectations of any legal, any regulatory, any compliance requirements that exist outside of the business that are part of the responsibilities that we have to make sure or ensure are being met in order to do business properly and to be on the right side of that conversation with all of the authorities, both in the government and through any regulatory bodies we may need to address.
So laws and regulations are very important for us to be aware of. In North America, for instance, we may have both local municipality-based regulations in a city. We may then have state or geography-based, municipality-based as well as federal regulations. So we typically have city, we then typically have state, and we then typically have federal regulatory requirements.
We may have to meet burdens of proof and regulatory compliance requirements under one or multiple levels of regulations and law there; although, within the United States, within North America, federal law may trump those others depending on what we're talking about. Certain areas, it does, others it may or may not. But we do have, as a business and as a security professional within that business, a responsibility to understand what all of those competitive requirements may be and how they interact.
A safe harbor provision is something that we should be aware of here, as well. There may or may not be a safe harbor provision that you will be bound by or have to interact with depending on the nature of your business. Again, this is really going to be something that's focused on for multinational businesses -- businesses that operate across multiple distinct national borders or entities.
But, having said that, what, generically, a safe harbor provision may provide for is the ability for one country or one entity to be able to interact with another country, another entity or another group of countries [and] another entity's geographic and political representation and allow that country and those countries or that [group of two] countries to agree on how they are going to effectively enforce one or more legal or regulatory requirements through some sort of agreement that allows them to be able to either carve out an exception or grant some sort of requirement proof of burden responsibility to the party that we like to be able to do business [with]. And, as long as they meet that requirement, they're said to be operating under the tenets or the specifications of the safe harbor provision or agreement.
The United States has this in place with Switzerland, and also has this in place with the EU [European Union], in terms of safe harbor requirements. They are used today and still continue to be used in order to allow North American-based companies to be able to do business with European-based entities in relation to understanding, and therefore meeting the burden of proof around the European directive on information management and privacy of the individual.
And, as a result of that, the burden of proof for the North American company is not the same as it would be for a European company that has to meet the burden of proof under the privacy directive because the burden of proof for a European company is a little bit higher. The standards, in other words, for privacy and privacy for the individual in terms of information management for PII, Personally Identifiable Information, are more stringent in Europe. North American standards are not quite as high; at least, not today.
But having said that, we have agreed in North America to do business with members of the EU and/or Switzerland through safe harbor agreements that still allow us to specify that we will meet a minimum expectation, a minimum level of burden of proof under that requirement, even though it's not quite the same as it would be for a European counterpart.
So safe harbor provisions could be very valuable from a legal and regulatory perspective. We want CISSPs to understand what they are. If you come across them in the practice or outside in the field as you actually go out and start managing, you should be aware of the fact that they may exist and you may actually be bound by them.
I've given you two examples of what safe harbor provisions may be, and you certainly can think through what that may be in your world, and how they actually pertain to you as a company, or an individual within your company, or whether they're something that, although very interesting, may really not have any impact on you.
Governance, risk management and compliance
When we think about governance, risk management and compliance -- what we called GRC, generically, as an acronym to represent those areas -- we want to be thinking about activities, thought processes, standards, procedures, policies within the organization that help us to really focus on compliance with the ideas behind governance, which is the good; carrying out the good operational specifications, procedures and policies that help us to run the business properly; and risk management.
When we combine all three of these things together, we're really focused on the ways in which we manage information, manage confidentiality around it, manage integrity associated with it, manage availability in regards to it, and GRC helps us to really enforce and, therefore, think about and carry out the ideas behind confidentiality, integrity and availability.
Again, in a business, the CISSP may be the lead practitioner; the lead professional that is going to focus on these areas. There may be a chief risk officer or a risk management function that carves out and deals with risk specifically, and they actually have responsibility for GRC alignment overall. Risk management tends to be focused on governance, compliance as well as risk. But it may not be in your world. You may simply have a security function or a CISSP being brought in, or you're being groomed to fill that role, that will take on responsibilities for this. It's hard to say exactly, in other words, how that will play out in your world.
But, again, I'll challenge you as I have already, to stop for a moment and think about what it is you're doing today; how your world is structured. What does that look like? And do you have specific responsibilities called out for management of GR and/or C or GRC together -- governance, risk management and/or compliance -- or some combination of those? Do you have a specific responsibility set ascribed to one role or one group of individuals in the organization today that fulfill these purposes?
If so, who are they? Are you associated with them? Are they CISSPs? And if they are, ask them what the value of becoming [a] CISSP has meant in relation to carrying out GRC activities. If not, how are you going to do something differently? What are you going to do when you go back to your business, your world, the organizations you represent over time, out beyond this class, to carve out these areas and help to understand and drive compliance, governance and risk management within the organization? How are you, as a CISSP, going to change that dynamic is what I would challenge you with, and ask you to think about, as you think about the role, the value and the importance of GRC within the organization.
Privacy requirements and compliance
With privacy requirements, I mentioned that many areas of the world today, many legal municipalities, will have their own interpretation of this. I mentioned the European Union and the data protection directive already. You could see it on the screen in front of you.
Australia has their own Privacy Act. Argentina has personal data protection laws specifically. Canada has what we call PIPEDA [Personal Information Protection and Electronic Documents Act]. You could see it on the screen at the lower left. We have things such as HIPAA and Gramm-Leach-Bliley, the GLBA, in the United States.
We also have PCI DSS, which is a broad, industry-driven perspective on how to ensure GRC is applied to the electronic transaction thought process around moving information and moving payments back and forth between vendors and customers. It's not a North American [thing], not a specific geography thing; it is broadly interpreted through the payment industry as being something that any and all vendors around the world that want to be able to securely process transactions electronically should subscribe to or ascribe to. And so that is a broad industry directive and a broad industry set of solutions around privacy management.
Any or all of these privacy requirements, and, by the way, this is not an exhaustive list by any means, there are many, many directives; many, many standards; many, many laws that we left off the slide on the screen here. This is just one example. But obviously, due to space constraints, we have to make sure we're giving you a sampling, but obviously not an exhaustive list.
You and your world where you live, where you attend from, and the businesses you run may be subject to additional privacy requirements. Keep in mind and remember that knowledge of alignment with and making sure that you are knowledgeable, as well as aligned with, as I said, any or all of the standards listed on the screen, as well as any or all of the standards that are not here, but apply to you in your world for your business, [which] is the responsibility of the CISSP today in the organization within the enterprise.
And it's an ongoing responsibility. It's not something you just do once, in other words, is what I'm suggesting to you. Laws continue to evolve. If you follow the conversation in the EU today and ... over the last several months and years around the emerging thought processes on privacy and data protection, they're constantly evolving, constantly changing. The focus continues to grow in these areas, and narrows its focus on the rights of the individual and how to protect personal information from an individual perspective ... within the EU today, and has been for some time.
That is not the same thing in North America. It is not the same thing in some of the other areas in the world today. I'm not suggesting there's not a focus on those things; I'm simply pointing out the focus is not as narrowly defined around the rights of the individual in some areas of the world, as it may be in the European Union today.
Knowledge of that from the CISSP's perspective and the trends associated with the directions that these legislative bodies may be taking, is also important as an ongoing example of due diligence in your world. To be able to apply that to the organization and bring that knowledge back over time is one of the key responsibilities that the CISSP must think about and must carry out with regards to legal and regulatory compliance and awareness of the compliance regimes within the organization.