The Mandate of Global Data Security
To create and sustain global competitive advantage, it is imperative that information management initiatives be aligned with a global business strategy. Yet many organizations struggle with the challenges of global data security: laws that differ widely from country to country, and the communications and performance issues involved in moving data between them.
I spoke with Srinivasan Sankar, the Director of Enterprise Data for FINCA International, to bring some clarity to the issues. FINCA International is a leading international microfinance institution offering financial services and products to small-scale businesses. Their programs reach low-income people in more diverse countries than any other microfinance provider. They operate subsidiaries in 23 countries across Africa, Eurasia, the Middle East and South Asia, and Latin America, serving over one and a half million people.
What about your responsibilities leads you to deal with data security issues?
As Global Data Officer, I have responsibility for all enterprise data. For the organization and its 23 country operations (5 continents – Africa, Asia, Europe, North America, South America), I’m accountable for data that is collected, stored, shared, and analyzed. My core responsibility is to ensure the data strategy is implemented correctly, the data is correct and secure and that customer data privacy is governed correctly.
Data Protection (protect data as an asset and prevent the breaches) and Data Upkeep (manage the health of the data under governance) are two major core values for me in leading the data strategy at FINCA.
How do you find the laws about data security across the countries? Are they consistent or do they differ dramatically?
Data security varies between countries. There are countries that mandate that no data whatsoever can leave that country. All data – customer, banking transaction, finance, etc. – has to stay within a data center in that country.
There are countries that are fine with the data being stored outside of the country but the data has to be within the region. For example, Eurasian countries mandate that data be stored in a data center that is physically located within the EU.
There are countries that allow data to be stored elsewhere, like the African countries.
There are also countries that have previously allowed data to be stored outside the country and/or within the region that have changed that stance.
What generalities can you make about different regions with regard to their data security policies?
PII (personally identifiable information) tends to have a strong security policy in most countries.
Where does encoding, encryption, and hashing come into play?
Right now encoding and masking happen at the source level itself, before the data leaves a country, as part of ETL. All PII is masked. There's a plan in the near future to completely encrypt the Enterprise Data Warehouse using encryption methods and hashing. This will prevent any access to the data resulting from accident or theft of the database stored in a Disaster Recovery location off-site.
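The masking-at-source step described in the answer above, as an added illustration that is not FINCA's or SAS's code: a small Python ETL stage that replaces PII columns with keyed-hash tokens before an extract leaves its country, followed by a check run before transfer. The column names, the sample rows and the key are constructed for the example; the real key would sit in the source country's key store.

```python
import csv
import hashlib
import hmac
import io

# Constructed sample extract (not real client data): rows as a country system
# might hand them to the ETL job before they cross a border.
SAMPLE_CSV = """client_id,full_name,national_id,phone,branch,loan_balance
1001,Amina Diallo,ID-448201,+221770000001,Dakar-01,350.00
1002,Joseph Mensah,ID-991377,+233240000002,Accra-02,1200.50
1003,Amina Diallo,ID-448201,+221770000001,Dakar-01,75.25
"""

# Columns treated as PII; everything else is left as-is for analytics.
PII_FIELDS = ("full_name", "national_id", "phone")

# Hypothetical per-country pseudonymization key. It lives in the source
# country's key store and is never shipped with the export.
EXAMPLE_KEY = b"example-key-kept-in-country"


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256, truncated to 128 bits) of one PII value.

    The same input under the same key always yields the same token, so rows
    for one client still join in the warehouse. Unlike a plain SHA-256, an
    attacker holding the export cannot recover phone numbers or national IDs
    by hashing every candidate value, because the key is needed to do that.
    """
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:32]


def mask_row(row: dict, key: bytes) -> dict:
    """Return a copy of the row with every PII field replaced by its token."""
    masked = dict(row)
    for field in PII_FIELDS:
        masked[field] = pseudonymize(row[field], key)
    return masked


def parse_rows(csv_text: str) -> list:
    """Parse CSV text into a list of dicts, one per data row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def mask_export(csv_text: str, key: bytes) -> str:
    """The ETL step itself: read the source extract, mask PII, emit the export."""
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        writer.writerow(mask_row(row, key))
    return out.getvalue()


def leaked_pii(masked_csv: str, original_csv: str) -> list:
    """Pre-transfer check: raw PII values from the source that still appear in the export.

    Run this before the file leaves the country; an empty list is the pass
    condition. It catches a column missing from PII_FIELDS or a skipped masking step.
    """
    raw_values = set()
    for row in parse_rows(original_csv):
        raw_values.update(row[field] for field in PII_FIELDS)
    return sorted(v for v in raw_values if v in masked_csv)


if __name__ == "__main__":
    export = mask_export(SAMPLE_CSV, EXAMPLE_KEY)
    print(export)
    print("leaked PII values:", leaked_pii(export, SAMPLE_CSV))
```

The design point is the keyed hash. National IDs and phone numbers have small value spaces, so an unkeyed hash of them can be reversed by enumerating candidates; with HMAC the key is required, and because the key stays in the source country, the warehouse and any Disaster Recovery copy of it hold only tokens. The tokens stay consistent per client, so summary-level analytics and joins across loans still work without the raw identifiers ever leaving the country.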
Do any of the restrictions impact your ability to consolidate data for FINCA from all countries?
Not at this time, as most of our Client Analytics are done at the summary level. However, in future, as the requirements from Legal, Fraud and Risk warrant collecting data at a granular level from each country, it has to be done at the source level.
How do you keep up with the ever-changing and detailed nature of worldwide data security laws?
Our Internal Control team in each of the countries updates me whenever there's a requirement from regulators on data privacy and protection. Whenever there's a major decision by a country's government itself, I get that information through the news media (e.g., Russia) and follow up with the respective country's Internal Control.
Do you use a framework such as Control Objectives for Information and Related Technology (COBIT)?
Yes, we do. Recently, with regard to the Enterprise Data Strategy, we measured our current maturity level against the assessment done using COBIT a few years ago.
Are there any key success factors to share about global data security?
Being proactive in understanding the regulatory requirements and having a strong data protection policy executed with the authorities is very important. Also remember one size doesn’t fit all. The policies and procedures have to be customized for the respective countries and you need to be able to quickly arrive at a mutual understanding. Have a Global security policy that covers most aspects of data security and then include individual country requirements as you work your way through.
Finally, regularly audit what computers and who accesses the data to ensure only authorized users have access.
What trends do you see in global data security?
With the proliferation of NSA spying and other data breaches increasing every day, there will be strong data privacy and protection policies arising from countries outside United States. Regulators want to know every level of detail (infrastructure setup, masking/encryption, auditing, security policy, etc.) before they can let data leave the country.
This post is brought to you by SAS.