Undercover

A CSO's Guide to the World

Is it possible to adhere to local business customs without compromising security? Only if the CSO has a little creativity and a lot of trust.

By Anonymous

Page 3

Case in point: In Sweden, businesses cannot use security cameras to monitor employee performance. (For example, there's no fair firing of someone caught on video sleeping.) Businesses also must complete forms detailing where the camera's information is stored, for what purposes it is used, and how and when it will be destroyed.

Asian countries have typically passed legislation that is very close in nature to the EU's Data Protection Act. However, enforcement of the laws can vary widely. Japan, Hong Kong, Singapore and Australia all have DPA laws on the books, but I've found that companies are very rarely taken to task for violating those regulations.

No Standard for Standards

Outside of data protection issues, there tend to be far fewer differences in information security, primarily because there are few differences in technical systems. After all, a Windows 2003 server in one country is just about the same as in any other. Where I did find differences, though, is in the method of implementing an information security program. Europeans are much more likely to follow an international standard than are Americans.

I'm sure an entire book could be written about this phenomenon, but it probably stems from the fact that Europe is composed of many countries that, historically, have had to cooperate in order to ensure that their technical systems worked with one another. The telegraph and gauge of railroad tracks are two examples of European nations agreeing on and building a common standard. If they hadn't, then imagine having to stop at each border and board a different train.

Americans, by contrast, tend to view themselves as rugged individualists. We often place priority on getting to market. Just think back to the introduction of video cassette recorders. In the late 1970s and early 1980s, there were two competing standards, VHS and Betamax. Rather than compromise on a common standard, American companies slugged it out in the marketplace. Eventually, VHS gained the upper hand, and Betamax died out. Ah, American Darwinian capitalism at its finest.

In the field of information security, these cultural differences play themselves out with Europeans being much stronger proponents of ISO 17799 than are Americans. If an American company goes for any type of third-party certification, it is more likely to be a Statement on Auditing Standards (SAS) 70. Unlike ISO 17799, however, the SAS 70 is not a "best practices" standard. Instead, it documents the controls in place that satisfy the company's internal control objectives. The company defines its own control objectives, and the auditor checks to see whether the controls the company has implemented are sufficient to achieve those objectives. Once again, we see the American practice of "going your own way."
