Foundations of Information Systems

6.3 Data Security and Privacy from a Global Perspective


Learning Objectives

By the end of this section, you will be able to:

  • Identify global frameworks in data security and privacy
  • Identify global regulations and requirements for data security and privacy
  • Apply a framework to a case study

In an era driven by digitization and the Internet of Things (IoT), vast amounts of data are generated, collected, processed, and transmitted daily. From personal user preferences in online shopping to critical health data, information flows through global networks with an ease previously unimaginable. Data have indeed become one of the most valuable commodities in the modern era, both for businesses and for bad actors, making the frameworks that guide its safekeeping vitally important to maintaining the integrity of our digital future.

Reflecting the diverse concerns of different regions and industries, several frameworks have emerged that now serve as staples of data management practice across private, public, and governmental organizations. These frameworks, such as COBIT 2019, the Enterprise Privacy Risk Management Framework, and ISO/IEC 27701, provide structured practices that enable enterprises to comply with regulatory demands and to establish and maintain a culture of data integrity and privacy-centric operations. These international standards are critical because they help shield enterprises from breaches and from legal repercussions in each country where they operate.

However, the world of data security and privacy is in a perpetual state of evolution. The introduction of landmark regulations such as the European Union’s GDPR or California’s CCPA is testament to the shifting sands of data governance, with each new regulation aiming to balance business innovation with individual rights. In navigating this dynamic terrain, organizations must not only be aware of these frameworks and regulations, but also thoroughly understand their nuances and the underlying principles they champion.

Global Frameworks in Data Security and Privacy

In response to the explosive growth and constant evolution of technology, international standards organizations, governmental bodies, and industry groups have collaborated on frameworks whose guidelines resonate on a worldwide scale. Some of the most well-known are the globally recognized COBIT 2019 Framework, the Enterprise Privacy Risk Management Framework, ISO/IEC 27701, and the NIST Privacy Framework.

COBIT 2019 Framework

Developed by the Information Systems Audit and Control Association (ISACA), Control Objectives for Information and Related Technologies (COBIT) stands out as a comprehensive framework designed for the governance and management of enterprise IT. While its primary focus is IT governance, its principles and guidelines offer a holistic approach to robust data protection. The framework, previously known as COBIT 5 and then overhauled in 2019, emphasizes the importance of stakeholder needs, risk management, and a value-based, holistic approach that aligns IT goals with business objectives. Organizations employing this framework may use it to:

  • establish a systematic approach to managing personal data
  • ensure that privacy risks are identified and mitigated
  • demonstrate compliance with privacy regulations globally
  • foster trust among stakeholders, especially data subjects, by showcasing a commitment to privacy

An example of COBIT adoption is the European Network of Transmission System Operators for Electricity (ENTSO-E).

Tasked with representing forty-two electricity transmission operators across thirty-five European countries, ENTSO-E embarked on a journey in 2014 to integrate COBIT 5 into its IT processes.[29] This strategic move was aimed at refining the organization’s intricate IT infrastructure to support massive electricity flows, establish a decade-long network development blueprint, and ensure a transparent, standardized energy transaction framework across Europe. By embracing COBIT 5, ENTSO-E was able to fortify its IT governance, ensuring data integrity, process efficiency, and a commitment to excellence in line with its ambitious mission.

As the framework evolved, ENTSO-E has continued to align its practices with the updated COBIT 2019 to address emerging IT governance challenges.

ISO/IEC 27701

An extension to the ISO/IEC 27001 and ISO/IEC 27002 standards, the ISO/IEC 27701 provides guidelines for establishing, implementing, and maintaining a privacy information management system (PIMS), which is a framework or set of policies and procedures used by an organization to manage personal data and ensure compliance with privacy laws and regulations.

ISO/IEC 27701 is particularly vital given the volume of international and regional data protection laws such as the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) in the United States.

The key highlights of ISO/IEC 27701 include three levels (Table 6.2):

  • Frameworks and Standards (Top Level): These are the overarching guidelines that organizations follow. For instance, ISO/IEC 27001 is the standard for managing information security, while ISO/IEC 27701 focuses on privacy.
  • Systems (Middle Level): The frameworks lead to the creation of specific systems such as ISMS and PIMS, which are implemented within organizations to protect information and ensure compliance.
  • Sector-Specific Applications (Bottom Level): The standards and systems are applied differently across sectors, acknowledging that each has specific requirements and challenges.

Table 6.2 ISO/IEC 27701 Hierarchy: Standards, Systems, and Sectors Application

Top Level: Frameworks and Standards
  • ISO/IEC 27001: Foundation for an information security management system (ISMS)
  • ISO/IEC 27002: Provides best practices and controls to support the ISMS established by ISO/IEC 27001
  • ISO/IEC 27701: An extension of ISO/IEC 27001 and 27002, focused on a privacy information management system (PIMS)

Middle Level: Systems Examples
  • Information security management system (ISMS): Created based on ISO/IEC 27001, this system manages and protects an organization’s information
  • Privacy information management system (PIMS): Built upon ISO/IEC 27701, this system integrates privacy controls into the ISMS, focusing on personal data protection

Bottom Level: Sector-Specific Applications
  • Health-care sector: Adoption of ISO/IEC 27701 to ensure patient data privacy across borders
  • Financial services sector: Utilization of ISO/IEC 27701 to manage global client data securely
  • Tech sector: Integration of ISO/IEC 27701 into cloud platforms to safeguard user data

Table 6.2 ISO/IEC 27701 Hierarchy. The hierarchy of ISO/IEC 27701 provides guidance through overarching standards, specific systems, and the application of those standards and systems.

NIST Privacy Framework

In January 2020, the National Institute of Standards and Technology (NIST) released its Privacy Framework to address the challenges of increasing data privacy risks. This framework complements the NIST Cybersecurity Framework, specifically focusing on managing privacy risks by promoting the idea of Privacy by Design, which is a concept and approach in system engineering and data handling practices that integrates privacy and data protection measures from the very beginning of the design process, rather than as an afterthought.

The NIST Risk Management Framework allows enterprises to translate high-level, principles-based legal requirements into tangible technical privacy controls. Figure 6.6 outlines the Risk Management Framework steps, serving as a blueprint for organizations to tailor their own cybersecurity strategies. Notably, it incorporates guidance from a suite of NIST standards. For instance, NIST SP 800-39 offers a broad overview for managing information security risk organization-wide, while IR 8062 provides a nuanced approach to privacy engineering and risk management. SP 800-30, on the other hand, specializes in risk assessments, helping organizations identify, evaluate, and prioritize risks.

[Figure 6.6 image: the Risk Management Framework diagram lists NIST standards alongside NIST guidance for each step: Categorize system, Select controls, Implement controls, Assess controls, Authorize system, and Monitor controls.]
Figure 6.6 The Risk Management Framework steps incorporate key NIST standards such as SP 800-39 for organizational risk, IR 8062 for privacy engineering, and SP 800-30 for risk assessments. (modification of work “Risk Management” by NIST/National Institute of Standards and Technology, Public Domain)

As we advance further into the era of data-driven decision-making and digital innovation, these frameworks and regulations play a dual role. First, they provide a framework to guard against potential risks, and second, they lay the foundation for businesses to innovate responsibly, ensuring that user trust isn’t compromised.

National Regulations outside the United States and the European Union

The growing number of regulations and standards creates complexity for multinational companies, requiring significant resources and expertise to comply with different, sometimes conflicting, regulations. These challenges include addressing security risks due to inadequate security controls in IoT devices, differing standards across devices, and issues of data sovereignty in cloud-based platforms and access controls. International alignment and cooperation in data privacy regulations is crucial, as it simplifies compliance for global businesses and facilitates international trade and data flows.

In a globalized world where technology transcends borders, the protection of user information, data security, and privacy controls is a shared concern among nations, although each country has its own regulatory laws. Just as the United States has put in place various agencies and standards to oversee data protection, other nations across Asia, South America, and Africa have crafted comparable frameworks to safeguard user information.

China: Personal Information Protection Law

China’s Personal Information Protection Law (PIPL), introduced in 2021, marks the country’s first major data privacy law. This law is crucial for ensuring that personal information collected within China remains within its borders—a concept known as data localization. PIPL sets very strict rules for sharing data with other countries, meaning that companies must meet specific requirements before transferring data out of China. These requirements include getting certifications or contracts that align with Chinese standards.

Japan: Act on the Protection of Personal Information

Japan’s Act on the Protection of Personal Information (APPI) has been a key part of the country’s data privacy laws since it was first enacted in 2003. Recognizing the growing importance of global data protection, Japan made significant changes to the APPI in 2017 to update it in line with international standards, such as the European Union’s GDPR. The APPI focuses heavily on individual rights, ensuring that people have control over their personal data. This includes the right to access their data, correct any inaccuracies, and decide how their data are used. Businesses are required to clearly explain why they are collecting personal data and must obtain explicit consent from individuals.

South Africa: Protection of Personal Information Act

South Africa’s Protection of Personal Information Act (POPIA), which became fully effective in 2021, is designed to protect the privacy of personal data within the country. POPIA applies to any organization that processes personal information in South Africa, whether the data are processed automatically (like on a computer) or manually. The law requires that organizations are transparent about why they are collecting personal data and that they get consent from individuals when necessary. POPIA also emphasizes the importance of lawful processing, meaning that data can only be used for legitimate purposes. Furthermore, organizations must appoint an information officer to oversee compliance with POPIA, ensuring that the organization follows the regulations.

Industry-Specific Regulations and Standards

In the rapidly evolving landscape of information security, two frameworks stand out for their comprehensive approach and widespread adoption: the Payment Card Industry Data Security Standard (PCI DSS) and ISO/IEC 27001 (Table 6.3). PCI DSS, a global security framework, sets the standard for safeguarding cardholder information, thereby playing a crucial role in mitigating credit card fraud.

Table 6.3 Industry-Specific Regulations and Standards: PCI DSS compared with ISO/IEC 27001

Purpose
  PCI DSS
    • Increases controls around cardholder information
    • Aims to reduce credit card fraud
  ISO/IEC 27001
    • Helps organizations manage information security practices
    • Aligns information security with business needs

Governance
  PCI DSS
    • Maintained by the Payment Card Industry Security Standards Council
    • Applicable to all entities handling credit card data
  ISO/IEC 27001
    • An international standard; part of the ISO/IEC 27000 family
    • Establishes, implements, maintains, and improves an ISMS

Data protection and risk management
  PCI DSS
    • Requires strong encryption for storing and transmitting cardholder data
    • Establishes secure network requirements through firewalls and other measures
  ISO/IEC 27001
    • Provides guidance on managing and mitigating information security risks
    • Emphasizes regular risk assessment and mitigation strategies

Security measures (PCI DSS) / Maintenance and improvement (ISO/IEC 27001)
  PCI DSS
    • Mandates regular security testing and assessments
    • Limits cardholder data access to necessary personnel only
  ISO/IEC 27001
    • Includes ongoing maintenance and continuous improvement of the ISMS
    • Ensures regular reviews and updates to security practices

Compliance and impact (PCI DSS) / Adoption and impact (ISO/IEC 27001)
  PCI DSS
    • Mandatory for organizations handling branded credit cards
    • Enhances customer trust by indicating high-security standards
  ISO/IEC 27001
    • Widely adopted across various industries as a security benchmark
    • Improves information security management and competitive advantage

Table 6.3 Industry-Specific Regulations and Standards. The purposes, governance, data protection, security measures, and organizational impact of PCI DSS and ISO/IEC 27001 are laid out in their respective frameworks.

The enforcement of these security standards and regulations typically involves a combination of government oversight, industry self-regulation, and third-party audits. Government agencies in various countries develop and enforce regulations, often imposing penalties for noncompliance, which can include fines, legal action, or operational restrictions. Compliance with these standards is often verified through third-party audits conducted by accredited certification bodies, which assess whether organizations meet the required security and privacy benchmarks.

Effective collaboration between nations, industries, and regulatory bodies is essential in shaping a coherent, effective approach to data protection in the globalized digital age.

Case Study: Attaining ISO/IEC 27001 Certification

Information security remains at the forefront of organizational priorities, particularly as data breaches and cyber threats become increasingly sophisticated. The ISO/IEC 27001 certification differentiates organizations that have excelled in establishing robust information security processes and procedures to safeguard crucial data. Additionally, organizations that meet this standard are better equipped to prevent data breaches and protect essential data. This case study delves into the experience of a Texas-based data center, a facility designed to host computer systems and related components, as it tackled the challenges of securing this vital certification during the global COVID-19 pandemic.

Background: The ISO/IEC 27001 Standard

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) jointly developed ISO/IEC 27001. This globally recognized standard specifies the requirements for establishing, implementing, maintaining, and continuously improving an information security management system (ISMS). An organization that achieves this certification demonstrates its commitment to information security and data privacy, meeting international standards of excellence.

ISO/IEC 27001 certification is achieved through a rigorous process facilitated by a certification body, which is an organization accredited to assess and certify that companies, systems, processes, or products meet the established standards and requirements. The traditional method to obtain this certification involves undergoing an audit, a systematic examination and evaluation of an organization’s records, compliance with regulatory standards, and the integrity of financial reporting processes.

The Challenge: Certification during a Pandemic

In April 2020, Lone Star Data Hub, a data center located in Austin, Texas, embarked on a journey to achieve ISO/IEC 27001 certification. For Lone Star Data Hub, known for managing critical data infrastructure for regional clients in sectors such as finance and health care, this certification was more than just a seal of approval. It was a strategic business move aimed at setting their services apart in a competitive market. Obtaining ISO/IEC 27001 certification would underscore the center’s dedication to stringent information security standards and enhance its appeal to a broad client base, including Fortune 500 companies. This certification was seen as a crucial step in demonstrating their commitment to protecting sensitive data and maintaining the highest level of security. However, the onset of the COVID-19 pandemic introduced a host of challenges: nationwide lockdowns, social distancing mandates, and the transition to remote work.

To meet the challenges of this certification process, the data center sought a certification body with a solid reputation, including in remote settings. Guided by a recommendation from another auditor and the influence of stakeholders with a comprehensive background in information security, they selected the National Sanitation Foundation’s International Strategic Registrations division (NSF-ISR).

The ensuing audit was thoroughly planned, with NSF-ISR providing a comprehensive agenda designed to allow the data center to operate seamlessly, ensuring minimal disruption to its ongoing operations. The audit process involved a detailed examination of the data center’s information security practices, including assessments of security controls, risk management processes, and compliance with ISO/IEC 27001 standards. This balanced approach provided the data center with invaluable insights, highlighting areas of strength and those needing improvement.

Remote Auditing: A New Paradigm

The adoption of remote auditing, a practice in which an audit is conducted off-site via video or other technological means, marked a significant shift in the certification process. Traditionally, auditors would be present on-site, directly interacting with systems and personnel. However, the pandemic’s constraints necessitated a different approach. NSF-ISR leveraged digital tools and technologies to assess the data center’s systems, processes, and policies. During the remote audit, NSF-ISR measured various aspects, including the effectiveness of security controls, the alignment of practices with ISO/IEC 27001 standards, and the overall security posture of the data center. This assessment was conducted through virtual meetings, screen sharing sessions, and digital document reviews, which have become a new norm. While this mode of auditing was novel, it demonstrated that with the right tools and expertise, remote evaluations could be just as effective as their in-person counterparts.

Achieving Certification: Implications and Benefits

The meticulous audit culminated in the data center obtaining its ISO/IEC 27001 certification. This achievement also signaled an auditor’s adeptness in remotely verifying an ISMS. For the Texas-based data center, this certification expanded the company’s market opportunities, enabling it to respond to business opportunities that mandated stringent information security practices. As more organizations prioritize data security, the demand for ISO/IEC 27001-certified entities is poised to grow.

Footnotes

  • [29] European Network of Transmission System Operators for Electricity, “Net-Zero Industry Act,” ENTSO-E, July 2023, https://eepublicdownloads.blob.core.windows.net/public-cdn-container/clean-documents/Publications/Position%20papers%20and%20reports/2023/ENTSO-E%20NZIA%20Position%20Paper_%20June2023.pdf
© Mar 11, 2025 OpenStax. Textbook content produced by OpenStax is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike License . The OpenStax name, OpenStax logo, OpenStax book covers, OpenStax CNX name, and OpenStax CNX logo are not subject to the Creative Commons license and may not be reproduced without the prior and express written consent of Rice University.