
I'm currently doing my Cyber Security Certification program; my fellow classmates and I are in the beginner stages. Over the past few weeks we have been writing up a variety of Discussions using Domains 1 to 5; for this week we are given a scenario and must utilize Domains 6 and 7. While I have a strong grasp of the technical aspect, I don't have such a grasp of the management aspect.

The Discussion scenario is as follows:

A North American auto manufacturer has recently opened up a manufacturing plant within a country that is classified as an emerging economy. The key challenge that this North American auto manufacturer faces is that, from a security and privacy perspective, this location does not carry the same stringent security and privacy requirements as North America. There are a number of missing regulations, no penalties for data breaches, and no government legislation or applicable law around the collection, usage, storage and dissemination of Personal Identifiable Information (PII).

Using your knowledge from domain 6 and the first half of domain 7, what additional detailed assessments, tests, and possible recommendations would you advise this North American auto manufacturer to exercise to ensure it does not degrade its existing stringent security and privacy practices (given there is no incentive to maintain them)?

For some odd reason this week's discussion is drawing blanks and I can't seem to grasp what I should be analyzing and what steps I should be taking. Do not get me wrong, I enjoy learning, but somehow this particular scenario is drawing blanks. In part, I don't exactly grasp the question. As such, it would be appreciated if someone could help me break this scenario down into a more understandable format.

At this stage I have gotten a few loose points:

  1. Company A opened operations in Country B
  2. Country B has lax/non-existing regulations. This should be considered. How much should this be used for decision weight?
  3. Can Company A operate in Country B, but store all data of Country B citizens, etc. on Company A servers in Country A?
  4. If Company A would account for Points 2 and 3, should Company A even consider these actions as financially viable?
  5. If Point 4 is true, should Company A deploy the same frameworks and policies as they use to operate in Country A while operating in Country B and not being bound by many legal restrictions?

This is where I currently stand. I'm not sure how valid my points are, or if I'm even on the right path.

Feedback is appreciated.
