Opinion
Security at the Four Corners
When security is a global undertaking, CSOs are subject to the murky legal requirements of multiple jurisdictions at once.
By David H. Holtzman
January 01, 2004 — CSO — A good road trip always seems to include a stop at one of those places where you can stand in three or four states at the same time. So, it's a wonder that data centers don't sell tickets. After all, every computer on the Internet straddles hundreds of countries. This geographic side effect of networked technology is unappreciated by corporate planners, but security wonks know better. They know that the tangled skein of enterprise cabling foreshadows the legal snarls and ethical hairballs that will be coughed up in a security catfight.
When customers and employees are international, ethical ambiguities are compounded. The current war in Iraq has made it painfully obvious that American interests are not necessarily shared by others, even by those whom we consider "business-friendly."
Unlike conventional crime, computer thuggery frequently reaches across territorial lines, often originating from countries where the act is not illegal. Using legal bandages to staunch such a security wound may be too little, too late. Businesses with trade secret sensitivities might want to consider less formal protection strategies such as white hat hackers.
Disjointed expectations of privacy mean more than a mismatch in confidentiality laws. There's often a cultural skew. For instance, the requirement for opt-in in the European Union is more than a statute; it reflects the underlying sense of "fairness" in countries like France or Germany.
What can a globally conscious CSO do? Education always helps. Start by running cultural awareness seminars for security staff to minimize cultural misunderstandings. When training other employees, be clear when explaining the rules. Don't appeal to patriotism or even laws. If it's against corporate rules, it's wrong.
Security policies must be readable in every relevant language. Clear translations are too important to trust to other groups in the company. Post your policies on your website in every language. (Don't forget to translate units of measurement.) The policy should explain the company's views without resorting to parochial laws or ethical bias. Avoid threats, too: don't drone out punitive details like the ridiculous FBI "warning" at the beginning of a videotape.
Make an arrangement with telephone translation services for simultaneous 800-number interpretation. If a problem comes up and you need to speak to a client and you can't, it could be a lifesaver. While you're at it, make sure that you have a clear translation of the word security. In some countries it is a euphemism for secret police.
Verify the pedigree of all legacy data in the enterprise and map it to the physical location of the servers. Working with legal, relocate the machines into friendly regulatory environments. Examine your vulnerabilities and tease out your recourse. Don't rely on legal remedies for security succor; it's expensive to prosecute in multiple countries, and evidence-gathering may prove impossible.