
Learning the language of global compliance

When a company expands its operations to other countries, what compliance issues confront a security manager? Expert Mike Rothman explains how data security and data privacy can be the same in any language.

Break out the passport; the corporation's going global. With ubiquitous networks, low-cost telecoms and an increasingly tech-savvy workforce, it won't be long before international operations are thriving in many U.S. companies that don't have them today. Yet, when thinking about doing business around the world and protecting assets, the question inevitably crops up: What about compliance?

Doing business in the U.S., you know all about the alphabet soup that is today's compliance mess: PCI DSS, HIPAA, GLBA, SOX, etc. But what about global regulations? Are there other things to worry about, maybe more compliance laws?

The answer is yes and no. If the company takes credit cards for payment, then PCI DSS is in play wherever those transactions are captured. Enforcement outside of the U.S. is in its infancy, but it will grow. There are quite a few QSAs (Qualified Security Assessors) that can conduct global assessments, so if the organization is international, then it's important to have consistent processes and control sets in place to protect the credit card data. If the company is compliant with PCI DSS in the U.S., then it's likely compliant in all the countries in which it operates.

What about having solid financial controls? Is it necessary to pay the Sarbanes-Oxley tax outside of the U.S.? This only happens if the company is in Japan, where its Financial Instruments and Exchange Law (known as J-SOX, because it's so closely modeled after SOX) is in place. That means it's important to take a risk-based approach to making sure that financial controls are in place and separation of duties is enforced. Also, do some logging to verify what's actually been done.

It's worth noting that five years ago differences in the international regulatory frameworks were apparent when considering privacy, but not anymore. To its credit, Europe has really led the way in terms of delineating what is acceptable to share and defining a set of specific requirements about protecting customer information. Nowadays, regardless of geography, the standards are mostly equivalent for both security and privacy.

Many of these requirements are laid out in the European Commission's 1995 Directive on Data Protection (Directive 95/46/EC). This directive was adopted in 1995 and has been enforced since 1998 for all countries in the European Union. It lays out eight principles of good practice, of which number seven is "secure."

That's right: Private companies (and governments for that matter) need to keep private data secure. But what does that mean? It's generally the same as every other regulation that requires data protection. Organizations must make the case to local regulators that excessive private data is not being stored and that any data that is stored is done securely. It's not unlike other privacy-oriented regulations such as HIPAA and GLBA in the U.S.: First protect the data, and then document the controls used. If the company proves it can successfully protect its data, it will -- in all likelihood -- be compliant.

The fine folks in Canada used the EU privacy directive to build their PIPEDA (Personal Information Protection and Electronic Documents Act) regulations, which went into effect in 2001. Similar to other privacy regulations, PIPEDA requires organizations to notify customers when they collect private data, specify what it will be used for and obtain the proper consent.

A quick assessment of these global privacy regulations always brings me back to my general philosophy on compliance. Many organizations look at compliance as a set of check boxes that must be addressed. But compliance is not the goal; it's a result of securing data in a dynamic and dangerous world.

To be clear, compliance is not something to do. It's not something to buy. It's not something that is finished -- ever. As long as attackers are coming up with new ways to steal information, there will always be new defenses that are required and new reports that need to be generated for new regulators.

So regardless of where an organization does business, there are a few basic principles: Don't collect more data than needed. Protect customers' private data. Document the controls that are in place.

And get a nice case for that compliance passport that will house all the stamps from around the world.

About the author:
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Rothman is also an expert-in-residence on information security management. Get more information about the Pragmatic CSO, read his blog, or reach him via e-mail.

This was last published in October 2008
