Global Security and Privacy Best Practices

IT security directors must take a region- or country-specific approach to the difficult issues of security and privacy policies. A single global approach will not meet regional or national requirements.

Different legal and regulatory environments in various regions and countries make implementing global “one size fits all” security policies complex, difficult and risky. For example, the privacy regulations in the European Union (EU) are far more rigorous than in the United States-and any attempt to use U.S. practices in Europe will likely be disastrous. Enterprise security practices should be deployed on a region- or country-specific basis, and should follow these best practices.

How can I address country-specific privacy explanations and implementation regulations?

National and regional regulatory requirements make global security standards or practices difficult, and often impossible, to implement. Despite the lure of global standards, enterprises should deploy region- or country-specific security-related practices, especially for Internet and e-mail filtering and encryption deployments.

In some situations, however, global security practices may be possible to achieve, such as with antivirus software, where the vendor, update requirements and central reporting practices can be implemented by a company with global operations. Therefore, some IT security organizations should have global and regional security parent organizations. Smaller enterprises may require the IT security organization to design and coordinate region-specific security-related practices, which demands extensive coordination with local human resources departments and legal counsel, and contact with regional regulatory authorities.

Anti-spam filtering may not be a problem for global organizations, depending on how it is implemented. For example, an anti-spam implementation in which spam is only blocked or tagged, reports on individual user activity/history are not maintained, dictionary methods that examine the content of a message are not used, and quarantines can only be viewed by the end user likely will not be contrary to strict EU privacy or European Works Council requirements. Some countries-for example, in the United Kingdom, under the Regulation of Investigatory Powers Act 2000-require that a basic warning banner alert employees that their e-mails may be intercepted.

Because countries such as the United States allow monitoring and end-user-specific reporting, anti-spam practices, and even anti-spam products, may be different according to the region in which they are implemented. Canada and Australia are also more permissive about employee monitoring; however, certain policies and end-user notifications are required.

Privacy compliance is an extremely complex endeavor in which business risk decisions are paramount. The EU has the strictest privacy laws (although Hong Kong and New Zealand also have strict laws), and legal risks are highest in Europe. However, not all enterprises will face equal risk. Compliance with and enforcement of the implementation of the EU Data Protection Directive (DPD) across EU member states have been minimal at best. Data protection authorities have mainly pursued the most egregious offenders. In addition, non-U.S. enterprises, especially consumer or technology companies, have attracted the attention of some data protection authorities because healthcare, pharmaceutical and financial services companies face greater customer privacy concerns.

U.S. or multinational companies should be especially wary of how they treat EU employee data and how they monitor EU employees’ electronic activities. EU employee tribunals are common, and EU employees frequently take their employers to court.

One of the most vexing issues for enterprises trying to comply with privacy laws is translating what the laws regarding the use of personal data mean for everyday business and IT practices.

One of the most vexing issues for enterprises trying to comply with privacy laws is translating what the laws regarding the use of personal data mean for everyday business and IT practices. Compliance to the letter of the law can be extremely difficult, especially because the laws in the various EU member states are new and many data protection authorities are unclear on what they expect from enterprises. Similarly, legal counsel, who also may be unsure about what the laws mean in practice, may give extremely conservative advice, making continued operations difficult for some enterprises. Business, legal and IS organizations should work closely (and consult with their peers) to map regulatory requirements into decisions about how to approach compliance.

With government agencies increasingly turning to electronic communications with their information suppliers, how can I develop secure network connections to governments when there are no internationally accepted standards?

Enterprises must interact more frequently with government IT systems, often for registering documents, but particularly as part of government procurement processes. Many countries have established requirements that are usually related to the manner in which electronic documents are transmitted or filed. Germany and Italy have particularly prescriptive government e-signature requirements that are based on public-key infrastructure (PKI) and “smart cards.” Similarly, some Asia/Pacific governments, such as Malaysia and Singapore, have instituted PKI-specific requirements for certain electronic transactions and licensed certificate authorities that enterprises must navigate.

All EU member states must pass their own national laws to implement the provisions of the EU Directive on Electronic Signatures. The EU directive is based on a two-tier system, gives higher legal recognition to advanced authentication e-signatures and is typically accredited or licensed by the member state. Other types of e-signatures are recognized. National implementations likely will differ significantly, adding complexity to the requirements for enterprises that want to use e-signatures within the EU.

The EU directives on e-commerce, distance selling and electronic invoicing (higher authentication is required for electronic invoices) have provisions that relate to electronic contracting. The EU also has passed freedom of information laws (somewhat similar to the U.S. freedom of information laws) that will affect enterprises that supply EU governments.

Enterprises must comply with each set of requirements. A compliance option is to leverage service providers that comply with specific requirement sets.

In addition to international privacy and monitoring issues, what are other security concerns regarding the international deployment of IT?

International encryption regulations can be a problem for global enterprises, particularly if an enterprise wants to deploy virtual private networks in its regional offices or provide encryption to partners with employees in certain countries. Only a few countries restrict the import and use of cryptography. Such regulations have been imposed in countries that are vulnerable to political instability and terrorism, or that have authoritarian governments. China, Russia, India, Pakistan, Saudi Arabia, Vietnam and several former Soviet republics (such as Kazakhstan) restrict, or will be inclined to restrict, the import and use of encryption. Unfortunately, these locations, while rich in natural resources and untapped markets, are usually where enterprises require encryption the most.

Enterprises that plan to use cryptography in these countries, or whose end users with encryption on their laptops may travel there, face several challenges. They first must ascertain exactly what the restrictions on encryption are in each country. This is easier said than done because many regulations are maintained by individual government agencies or defense departments, they are rarely made public, and they are subject to the whims of social, business and political change. Surveys on the Internet may be useful as an initial starting point, but they will not be sufficient for an encryption regulation strategy. Enterprises require recent, granular information on what the regulations are, who is in charge of them and who has gained permission to use encryption in the past.

Enterprises must develop encryption policies early, especially if they plan to open offices in China or central Asian states. Using law firms can be extremely expensive as well as ineffective because these firms typically do not have expertise on local encryption laws. The law firm must have a presence in the country where encryption is restricted so it can understand the regulations, and know where and whom to ask for permission. International law firms such as Coudert Brothers, White & Case and Baker & McKenzie usually have offices in politically volatile countries. Steptoe & Johnson has a strong U.S. encryption practice.

The most cost-effective option is to appoint company representatives in the region to handle the regulations process. Smaller companies also should require that their virtual private network or security vendors assist them with security regulations worldwide. These vendors typically have specialist knowledge because they must import their technology into these countries.

Enterprises must develop encryption policies early, especially if they plan to open offices in China or central Asian states.

Bottom Line: Enterprises should deploy region- or country-specific security-related practices, especially for Internet and e-mail filtering and encryption deployments. U.S. or multinational companies should be especially wary of how they treat EU employee data and how they monitor EU employees’ electronic activities. Business, legal and IS organizations should work closely (and consult with their peers) to map regulatory requirements into decisions about how to comply with regional or national security and privacy regulations.

For more information on the latest security issues facing IT and business, visit gartner.com/security.