Trade Compliance Imperatives for Implementing Cyber Compliance Capabilities
This post describes the regulatory imperatives for implementing export cyber compliance capabilities. In addition, it includes fundamental questions IT organizations must be able to answer to achieve cyber compliance (i.e., the integration of trade compliance controls into IT systems). These questions are informed by regulatory requirements and regulator expectations (as expressed through Consent Agreement requirements and published guidelines).
We hope this post will help you better understand the challenges and opportunities for achieving export compliance in IT. As always, if you have any questions please reach out to us.
Export Cyber Compliance
In the context of this blog, “Cyber Compliance” means ensuring that the location, access and transfer of export-regulated data in IT networks and systems comply with export regulations. Cyber Compliance requires that companies integrate export control requirements into IT architecture, administration and use.
Cyber Compliance differs from Cyber Security in that an environment may be secure, but not compliant. For example, if secure IT infrastructure is located in another country, housing export-regulated data in it could result in an export violation. IT administrators and/or users could have the security credentials required to access data, but due to their employer, nationality or location, they do not have the export authorization to gain access, or potential access, to the data. A transfer of export-regulated data could occur through an encrypted channel, but the recipient of the data could be an unauthorized Foreign Person. Cyber Compliance ensures unauthorized exports are prevented in IT (“export prevention”), while enabling authorized exports to occur in IT (“export enablement”).
Trends in Export Cyber Compliance
Export compliance requirements have always applied to “Technical Data,” whether the data exists in hard-copy or electronic format. However, US export enforcement and compliance efforts have traditionally focused on controlling exports resulting from physical access (e.g. foreign person employees, foreign person visitors, etc.) and physical transfers (e.g. shipments, hand-carries, etc.).
As business operations evolved to become globally networked and information-driven, organizations’ export compliance programs remained focused on the physical domain. Thus, many organizations have yet to implement adequate cyber compliance programs. As a result, these organizations are regularly discovering and voluntarily reporting cyber compliance incidents to the US Department of State Directorate of Defense Trade Controls (DDTC), the U.S. regulator responsible for the International Traffic in Arms Regulations (ITAR).
In response to the increasing trend in cyber compliance incidents, DDTC has begun including cyber compliance requirements in punitive actions known as Consent Agreements. To summarize Consent Agreement cyber compliance mandates, DDTC requires companies to implement capabilities for identifying, controlling and tracking regulated information in IT networks and systems. Although not codified in regulation, these requirements represent DDTC’s cyber compliance expectations.
Achieving Cyber Compliance
In simple terms, achieving cyber compliance requires that organizations develop capabilities to identify what data is subject to what regulations, and implement controls governing the location, access and transfer of regulated data. Answers to the following questions indicate an organization’s cyber compliance capabilities and gaps.
1. Export Control Program – does your organization have the ability to readily identify:
Export control requirements (i.e., a list of requirements mapped to business functions, processes and systems), and
Standard work (i.e., policies, processes, procedures, tools, training, records and reports)?
2. Business Landscape Management – does your organization have the ability to readily identify:
Legal Entities, Management Structure (e.g. divisions, business units and sites), and Organizational Structure (e.g. breakdown of business functions such as Legal, Finance, Sales, Engineering, Supply Chain, Production, etc.)?
3. Infrastructure – does your organization have the ability to readily identify:
The companies that own, operate and service your IT infrastructure, to include the cloud and Disaster Recovery, and
The geographic location, to include country, where the IT infrastructure is located?
4. Networks – does your organization have the ability to readily identify:
The networks on which infrastructure resources reside, and
The processes by which new infrastructure, applications and users are being provisioned/de-provisioned in the network(s)?
5. Applications – does your organization have the ability to identify:
The applications containing regulated data and the infrastructure on which they reside, to include network file drives, email, collaboration suites (e.g. SharePoint), Customer Relationship Management (CRM), Product Lifecycle Management (PLM), Software Development Lifecycle (SDLC), Enterprise Resource Planning (ERP), Supplier Relationship Management (SRM), Manufacturing Execution Systems (MES), Quality Assurance Systems (QAS), etc.?
6. Administration – does your organization have the ability to identify:
The personnel who administer infrastructure, networks and applications, to include identity attributes such as employer, geographic location, citizenship, etc.?
7. Users – does your organization have the ability to identify:
Employees who have access to infrastructure, networks and applications,
Contractors who have access to infrastructure, networks and applications, and
External Business Partner personnel who have access to infrastructure, networks and applications?
8. Data – does your organization have the ability to identify:
What data is subject to regulatory control,
For regulated data, the specific jurisdiction, classification and marking controls to which it is subject, and
The data and its related regulatory controls, for both structured and unstructured data?
9. Authorizations – does your organization have the ability to identify:
Applicable authorizations (e.g. internal policies, DSP-5s, TAAs, etc.) that define compliant location, access and transfer criteria?
10. Integrated Controls – does your organization have the ability to identify:
Authorized regulated data creation and storage locations (infrastructure, networks and applications),
Compliant user access control mechanisms (infrastructure, network, application and data-level),
Compliant administrator access control mechanisms (infrastructure, network, application and data-level), and
Authorized regulated data transfer mechanisms (e.g. encrypted email, authenticated portal, etc.)?
What can you do?
TC Engine has bridged the gap between the Export Compliance and Information Technology disciplines. We speak both languages and translate export compliance requirements into terms understood by IT.
We specialize in the automation of export compliance processes and the integration of export controls into IT networks and systems. We help our clients modernize export compliance programs, replacing paper policies, manual tools and tribal knowledge with standardized, automated and integrated export compliance capabilities.