Navigating the Regulatory Waters of Information Security

By implementing strong information security measures, the CISO is more likely to stay ahead of regulatory mandates
By implementing strong information security measures, the CISO is more likely to stay ahead of regulatory mandates

As pressure from regulatory compliance increases the modern chief information security officer (CISO) must take an increasingly holistic and integrated approach to information risk management. By implementing strong information security measures, the CISO is more likely to stay ahead of regulatory mandates.

How many recent, high-profile data breaches could have been prevented with better governance? Although corporate governance is common practice, and often a requirement, in many aspects of business, governance is not always present in the information security function. However, it still plays a vital role in reducing risk and providing a more rapid response to a data breach.

The Era of Big Data and the Cloud Has Arrived

Big Data brings technological innovation and valuable analytics to the enterprise, but it can also bring significant legal and regulatory issues that while confusing, require abidance. The ins and outs of data and privacy laws are moving so quickly that CISOs and their companies operating in diverse jurisdictions need a jump on what it will take to protect information, safeguard data and navigate across borders. Even organizations operating solely in the US need to wake up, smell the coffee and become familiar with the ever-changing state of affairs for complying in the cloud.

This should be obvious, but let me throw it out there just to be clear: there’s no getting around data privacy laws and regulations. Businesses can either comply or pay a stiff penalty. No two jurisdictions are alike in their regulations, privacy legislation, or fraud and breach prevention. Traditional information protection methods may be difficult to apply or useless when it comes to storing or harnessing data in the cloud.

Businesses will have better control of their data, and prepare for what lies ahead, if they brush up on the requirements now and realize no two rules are alike. Regulations vary across jurisdictions (we’ll touch upon this later), change constantly and have not standardized when it comes to protecting data. Unless you are continuously monitoring the rules, and put mechanisms in place to do so, you might not only be compromising your data but also your corporate responsibility.

Data Privacy and Regulations

The concept of privacy is preserved in various regulations. The aspect of privacy that is relevant to information security derives from the right of respect for personal information that is held by organizations as data. When data held by organizations is sufficiently safeguarded, then individuals’ privacy is protected.

The requirement for maintaining data privacy has increased as privacy regulations have been adopted by many more jurisdictions since they were first introduced. Fines for breaching data privacy regulation have multiplied, and penalties can be more severe than fines. Increased public awareness and media interest have led to potential commercial and reputational consequences for non-compliance. The risk of private data being compromised has increased as systems are increasingly accessible from the Internet and vulnerable to cyber-attack.

What is Personally Identifiable Information?

Information subject to privacy regulation will inevitably be moving to the cloud. It is because of this that organizations need to know whether the information they are holding about an individual is personal identifiable information (PII) and consequently needs protection.

There are a number of recognizable examples of PII, such as names and addresses. PII can also include medical records, bank account details, photos, videos, and even information about what a person likes, their opinions and where they work – basically, any information making the person identifiable. Importantly, information does not have to include a name to be PII.

Protecting PII is the responsibility of the data controller, typically the organization that purchases the cloud-based system. Protection of PII in the cloud will come from the right combination of controls and safeguards provided by the purchasing organization and the cloud provider. It is therefore important to clearly define the responsibilities of each party.

Governments, Jurisdictions and Privacy Regulations

Most governments have created or are in the process of creating regulations that impose conditions on the protection and use of PII, with penalties for organizations that fail to adequately protect it. As a result, organizations need to treat privacy as both a compliance and business risk issue, to reduce regulatory sanctions and commercial impacts such as reputational damage and consequential loss of customers due to privacy breaches.

Different countries’ regulations impose different requirements on whether PII can be transferred across borders. Some have no additional requirements; others have detailed requirements. To determine what cross-border transfers that will occur with a particular cloud-based system, an organization needs to work with their cloud provider to determine where the information will be stored and processed.

Transferring PII to Approved non-EU Jurisdictions

No additional requirements are required if information is transferred to approved jurisdictions. Approved jurisdictions have been recognized by the European Union (EU) as having an adequate level of protection under local regulation. These are jurisdictions that have data privacy regulations that broadly match those of the EU. Jurisdictions that have satisfied these requirements include: Argentina, Canada, Israel, Uruguay and New Zealand.

Transferring PII to the US

One of the major jurisdictions missing from the approved list is the US. However both the EU and US governments want organizations to be able to transfer information between the EU and the US. To support this activity the Safe Harbor Treaty has been created that allows EU information to be transferred to US-based organizations.

The EU does not prevent the transfer of PII to non-approved solutions. However, transfers are allowed only if an adequate level of protection can be assured.

Risk Happens

Putting private information into the cloud will certainly create some risk and must be understood and managed properly. Organizations may have little or no control over the movement of their information, as cloud services can be provided by multiple suppliers moving information between data centers scattered across the globe. If the data being moved is subject to privacy regulations, and the data centers are in different jurisdictions, this can trigger additional regulations or result in a potential compliance breach.

The decision to use cloud systems should be accompanied by an information risk assessment that’s been conducted specifically to deal with the complexities of both cloud systems and privacy regulations; it should also be supported by a procurement process that helps compel necessary safeguards. Otherwise, the tireless pressure to adopt cloud services will increase the risk that an organization will fail to comply with privacy legislation.

Awareness is Key

We shouldn’t forget that people are very important in all of this. A lot of the breaches and incidents I’ve seen have not come from criminal intent, but simply because people have inadvertently made a mistake. The senior manager, who on discovering a fault with his tablet, takes it back to the store to get a replacement – but omits to remove all of the personal and corporate information he has been using. The road warrior who loses her smartphone containing personal business contact information and has not enabled the remote wipe facility while traveling away from her home country, and by so doing jeopardizes the personally identifiable information that she was storing on her top clients.

Managing information risk is critical for all organizations to deliver their strategies, initiatives and goals. Consequently, information risk management is relevant only if it enables the organization to achieve these objectives, ensuring it is well positioned to succeed and is resilient to unexpected events. As a result, an organization’s risk management activities – whether coordinated as an enterprise-wide program or at functional levels – must include assessment of risks to information that could compromise success.

Steve Durbin is managing director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cybersecurity, BYOD, the cloud, and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.

What’s hot on Infosecurity Magazine?