In December 2017 a global software company serving the telecommunications industry settled charges with the U.S. Department of Justice for violating U.S. controls on foreign access to sensitive data, including export controlled information. As part of the settlement, the company agreed to implement an Enhanced Security Plan designed to increase information security by regulating remote access to company networks and transfers of sensitive data.
The Enhanced Security Plan is a helpful benchmark for network providers seeking to protect sensitive information about U.S. telecommunications networks and other critical infrastructure.
Many tech companies develop software using foreign technical personnel both inside and outside of the U.S. The use of a global technical workforce increases the risk of unauthorized access to U.S. controlled information, including sensitive network data and data critical to the U.S. domestic communications infrastructure. Unauthorized access has consequences from an export controls perspective – under the U.S. Export Administration Regulations (EAR) and U.S. International Traffic in Arms Regulations (ITAR) licenses might be required to store U.S. sensitive data in overseas servers or for non-U.S. persons to handle, transmit or access controlled software, technology or technical data that is subject to U.S. jurisdiction. The Enhanced Security Plan provides an example of how these information security requirements can be met by:
- Requiring authentication and tracking of changes to systems software through code-signing and other means;
- Restricting access, transmission and storage of certain sensitive data to U.S.-based servers and U.S.-based network infrastructure; and
- Controlling access by non-U.S. persons and implementing procedures for the proper vetting and licensing of non-U.S. employees and agents.
- Additionally, the Enhanced Security Plan recommends an effective compliance program that includes the following:
- Appointing a Security Director with appropriate authority, reporting lines, independence, skills, and resources to ensure compliance;
- Implementing a Security Policy that describes the management of user identity and access, and building systems that monitor unauthorized attempts to access and screen personnel;
- Conducting periodic third-party audits of the security procedures and their implementation; and
- Engaging a third-party auditor to ensure compliance.
Companies doing business with the U.S. government or in connection with critical U.S. infrastructure, as well as companies that handle or use export-controlled technology, software, technical data, and cloud or network services, should review the DOJ Enhanced Security Plan requirements and consider including them within their own compliance programs.