What to consider in your multinational MRI program

In a previous post we discussed why companies need a multinational strategy when creating their insider risk management (IRM) program. In short, it’s far too easy for organizations to get caught up in the regulatory landscape. For each jurisdiction, you need to know what data you can enter, what actions you can take and what you need to report. In this article, we will present some key points to consider when implementing a strategy.

Start with a Privacy Impact Assessment

A Privacy Impact Assessment (PIA) is an analysis of how personally identifiable information is collected, used, shared and stored. Some countries require organizations to complete a PIA before implementing an IRM solution. PIAs help identify privacy risks, anticipate issues, and evaluate IRM solutions. A PIA should be conducted at the start of an IRM project to help shape the project implementation strategy and determine the most appropriate configuration for monitoring technology.

Treat each country individually

Although there are many commonalities in MRI compliance requirements between many countries, it is best to configure monitoring systems for each country’s specific legal requirements. It can also be tempting to adopt policies tailored to the country with the strictest privacy laws and apply them in all countries. This can backfire when different countries may have conflicting requirements. For example, it is illegal in France to prohibit the private use of professional messaging. In Germany, this is common practice. Failure to comply in some countries may also result in criminal liability.

Focus on your acceptable use policies

A Acceptable Use Policy (AUP), also known as a fair use policy, is a set of rules governing how employees can use company-owned assets. They inform employees of the expected standards of use and the potential consequences of breaching them. To meet the privacy requirements of most countries, an AUP should define the penalties that will be applied if a user violates the AUP, specifying that monitoring can be used to ensure compliance.

In some countries it may be illegal to monitor employees (or use surveillance evidence) to reprimand or terminate an employee unless an AUP has been properly communicated to staff. In countries with well-established data protection laws, organizations must provide information about the processing of personal data, including the type of data collected, who has access to the data, and under what circumstances monitoring may take place.

Avoid surveillance-centric solutions

User Activity Monitoring (UAM) allow organizations to measure application usage and intensity, work hours, and other metrics to measure productivity and provide early warnings of employee burnout. They also monitor and record all user actions. This can include logging keystrokes, screenshots, keyword monitoring, browser and search recording, and video recording of sessions.

UAM is required in US federal agencies to comply with Executive Order 13587, National Insider Threat Policy and Minimum Standards and Committee on National Security Systems (CNSSD) Directive 504. Organizations should also use UAM carefully to comply with privacy regulations such as the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

A better approach is to select technologies that minimize data an organization should collect and eliminate the collection of intrusive data sources that are not necessary to improve security. As the figure shows, by targeting high-risk events, teams can manage insider risks without infringing on individuals’ privacy.

Building a multinational MRI program requires planning to avoid violating local regulations. Further guidance is available in our whitepaper: Insider Risk Management & Employee Privacy: Guidance for Multinational Organizations. The report also takes an in-depth look at IRM programs and the GDPR. Download it now.

The post office What to consider in your multinational MRI program appeared first on DTEX Systems Inc.

*** This is a syndicated blog from the Security Bloggers Network of DTEX Systems Inc written by Jonathan Daly. Read the original post at: https://www.dtexsystems.com/blog/what-to-consider-in-your-multinational-irm-program/

Ryan H. Bowman