Brainstorming: controls required for cross-border sensitive data transfer/handling

Would like to brainstorm: what are the controls/measures organizations out there put in place
when transferring/processing data (within the same company) but across countries (which have
different laws & regulations)?

So far, I thought of the following: please add on or comment. Certainly remove if there are
irrelevant ones.

Endpoint
- Endpoint encryption (if data flows to the endpoint): what about data at rest?
- USB lockdown

Gateway
- Web scanning
- Email screening

Servers / DB
- Database activity monitoring? Is the built-in DB audit trail sufficient, or do we need DB activity monitoring tools like Imperva?
- Data masking of card# (for PCI-DSS)
- Need DB encryption?

Transmission
- Encryption of files (what are the standards?)
- VPN / secure file transfers (is SSL/TLS v1.2 enough?)

Non-disclosure agreement
- Is there a need to sign an NDA (for intra-company, or does this apply only to inter-company)?

Is this treated as 'outsourcing' if it's intra-company?
sunhux asked:

ste5an (Senior Developer) commented:
First of all: It depends on the level of sensitivity.

Endpoint
- USB lockdown

Doesn't work. MITM USB HID devices faking keyboards are possible to build and hard to defend against. Here you need physical access control to the client machines.

Gateway
Only of limited use to detect data breaches. But cannot prevent them.
Furthermore, scanning legal data use can give people (third parties) illegal access to the data, e.g. AV scanners using cloud protection services. Funny fact: this seems to be the vector by which some NSA/CIA data leaked to Kaspersky.

Servers / DB
- Database activity monitoring? Is the built-in DB audit trail sufficient, or do we need DB activity monitoring tools like Imperva?

You need general rules of physical and logical access. Documented and audited, ISO 9001 style. "Say what you do, do what you say and document it."
Normal audit trails are normally sufficient. But sometimes hard to use (okay, they are not, when you know what you're doing, but audit folks often do not have the necessary technical skills). Thus third-party software may be useful.
- Data masking of card# (for PCI-DSS)
Imho only of limited use. Depending on the system, e.g. SQL Server and the users' access to it, it could be circumvented. But when you need to implement it, well, then implement it.

Transmission
There is no reason to use unencrypted transmissions of any kind. Or rephrased, as long as there is no technical need for plaintext, encrypt everything.

Non-disclosure agreement
Sure. Between all companies. But also between each company and their employees. And furthermore, you need to instruct each party on a regular basis. This means teaching your employees on a regular schedule. Auditing all participants at regular intervals (employees and other companies).


In short: This is mainly a - pretty complex - business process problem. Thus a head start is required. Without that, no technological measure will ensure what you need to do. Especially as such measures will be circumvented, when not understood by the participating parties.
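As an added illustration of the Servers / DB points above (not code from the thread or from any participant): a SQL Server setup that masks the card number column for a reporting user while recording every read of the table in the built-in audit trail, plus the two checks an auditor would run. Table, database, user and file-path names are hypothetical.

```sql
-- Hypothetical database, table and user names; the card number is a constructed sample.
USE master;
-- Server-level audit target; FAIL_OPERATION blocks the action if the audit cannot be written.
CREATE SERVER AUDIT PaymentsAudit
    TO FILE (FILEPATH = 'D:\Audit\')            -- hypothetical path
    WITH (ON_FAILURE = FAIL_OPERATION);
ALTER SERVER AUDIT PaymentsAudit WITH (STATE = ON);

USE PaymentsDb;                                  -- hypothetical database
CREATE TABLE dbo.Payments (
    PaymentId  INT IDENTITY PRIMARY KEY,
    -- Dynamic Data Masking: only the last 4 digits reach users without UNMASK.
    CardNumber VARCHAR(19) MASKED WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)') NOT NULL,
    Amount     DECIMAL(10,2) NOT NULL
);
INSERT INTO dbo.Payments (CardNumber, Amount) VALUES ('4111-1111-1111-1234', 10.00);

-- Reporting user: may read the table, is deliberately NOT granted UNMASK.
CREATE USER ReportUser WITHOUT LOGIN;
GRANT SELECT ON dbo.Payments TO ReportUser;

EXECUTE AS USER = 'ReportUser';
SELECT CardNumber FROM dbo.Payments;             -- XXXX-XXXX-XXXX-1234
REVERT;

-- Masking is an output filter, not access control: anyone holding UNMASK (or db_owner)
-- sees the clear-text PAN. So log every SELECT on the table in the audit trail.
CREATE DATABASE AUDIT SPECIFICATION PaymentsReadAudit
    FOR SERVER AUDIT PaymentsAudit
    ADD (SELECT ON OBJECT::dbo.Payments BY public)
    WITH (STATE = ON);

-- Auditor check 1: who read the table, and with which statement.
SELECT event_time, server_principal_name, database_principal_name, statement
FROM sys.fn_get_audit_file('D:\Audit\*.sqlaudit', DEFAULT, DEFAULT)
WHERE object_name = 'Payments';

-- Auditor check 2: who can bypass the mask. This list decides the real exposure.
SELECT dp.name AS principal_name, p.permission_name, p.state_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals AS dp ON p.grantee_principal_id = dp.principal_id
WHERE p.permission_name = 'UNMASK';
```

The second check is the one to run at every audit interval: the masking function itself never changes, but the set of UNMASK holders does.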

btan (Exec Consultant) commented:
Endpoint - If you are traveling then make it lightweight - have no sensitive data. Short of that, have a clean notebook. You can always VPN back to reach any data. Bring along a 2FA encrypted USB portable drive separated from the notebook. Always keep that drive with you. Some drives can have a decoy partition such that upon a "forced" check, you can use that as a cover to show the "real" data. Alternatively, have a Windows To Go drive and run the OS off the drive as your workspace, and bring a compatible notebook that supports WTG.

Storage - If you are indeed travelling, why would you even be carrying your server? Go for a VM instead. Back up your data offline, encrypt it and keep it off the actual hardware. Once past the border check and at your destination, you can recover it. In fact, you don't really travel around with your "database". If needed, have a cloud store; otherwise VPN back to your enterprise for limited access.

Network - Never the hotel network, hotspot or wifi, especially those that come free. Likewise, those innocent-looking charger power points can be hideous also. Travel wise and safe, bring your extra battery. Bring your MiFi or smartphone but use a local SIM to set up the internet connectivity. Use that to establish VPN services.

Make sure all the login passwords do not replicate your internal login details. Have a password wallet and safe-keep it in your protected drive. Maintaining cyber hygiene is important when overseas. Always clean up the cache on the machine and securely erase sensitive data stored on the machine when it is no longer needed.

Vendor Management - In this aspect, it is more about what is really being exchanged. If it gets beyond the technology and goes into the "how" in depth, an NDA is likely inevitable. But always adopt a need-to-know basis. A background check is essential, especially when you want to start a contractual agreement with a new company or startup in another country. Being savvy on OpSec can be useful too, as you may read news on the US ban on certain providers. You never know what you don't know, so take a cautious decision and avoid sharing more than necessary. Awareness is equally important when you receive freebies and gifts ...