Any Laws Against Hiring Foreign Virtual Workers For Cyber Security

egrizzly B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+ Member Posts: 384
Hi all.  I was trying to find out if anybody knew of any laws that disallow foreign virtual workers (e.g. from Brazil, Kenya, Africa, etc.) from performing cyber security audits or risk assessments for businesses here in the U.S.  This thought struck me as there is a well-known shortage of qualified cyber security workers here in the U.S.  At the same time, there also exists a stable virtual ecosystem of qualified remote workers in foreign countries who are willing to work for cheaper hourly rates.

I, of course, just know about the arbitrage situation.  I know less about the associated laws that hiring companies have to abide by.  Thanks in advance for sharing your knowledge, comments, etc.

Comments

  • JDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USA Admin Posts: 11,934
    Rather than specifically foreign workers, I think it has more to do with prohibitions on the exportation of certain types of USA data to foreign countries where the "foreign workers" reside. The same type of situation exists with GDPR data handled outside of the GDPR countries (yes, the Brexit'ed UK is still GDPR-abiding) and US public sector (i.e., government) data that must be handled only by people with US security clearances.
  • egrizzly B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+ Member Posts: 384
    JD, I'm talking specifically about security audits or risk assessments where the auditor (or assessor) is merely working off checklists.  No high-grade audits like penetration assessments, just checking if policies, specific technologies, or people are present/not present in the security environment of the client business.
  • bigdogz Member Posts: 873
    I would worry more about the lack of security and the implications it may have on your network and organization. The ISPs in other countries may not have the same technologies to offer defense in depth, and the extra hops to your network add to exposure.
  • egrizzly B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+ Member Posts: 384
    bigdogz said:
    I would worry more about the lack of security and the implications it may have on your network and organization. The ISPs in other countries may not have the same technologies to offer defense in depth, and the extra hops to your network add to exposure.

    Thanks for chipping in @bigdogz .  What I'm referring to specifically is the standard interview between auditor and security manager to answer (yes) or (no) to questions on a checklist.  There are no technology interventions at this level, just a human being interviewing another human being in a Zoom session to complete an audit or security assessment questionnaire.

  • JDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USA Admin Posts: 11,934
    Sounds like you need CISA-certified people to weigh-in on this topic.
  • UnixGuy Are we having fun yet? Mod Posts: 4,232
    edited November 22
    egrizzly said:
    Thanks for chipping in @bigdogz .  What I'm referring to specifically is the standard interview between auditor and security manager to answer (yes) or (no) to questions on a checklist.  There are no technology interventions at this level, just a human being interviewing another human being in a Zoom session to complete an audit or security assessment questionnaire.

    Yes, it can; that's how I conducted my assessment during the Covid lockdown. Mind you, my client and I are living in the same geographic area, but I had to be remote (working from home).

    The only regulation that I know of is that if some data is classified as 'sensitive' or something similar, then the data can't be viewed offshore. However, for audit-type work, you don't necessarily view customer data, so I can see more of that type of work being done remotely.

    For example: you want to audit the process of onboarding and offboarding employees, and what type of security training they do internally. You don't necessarily view personally identifiable information (PII), just process documentation and evidence that the process is being followed.

    Here's an article about the Australian employers who opened up recruiting fully remote for most of their IT work. Whilst not security-specific, I don't see why not.

    Disclaimer: I'm not a lawyer and this is not legal advice. Consult your legal department for legal advice.

    Certs: GPEN, GCFA, CISM, CRISC, RHCE
    In Progress: MBA
  • egrizzly B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+ Member Posts: 384
    UnixGuy said:
    egrizzly said:
    Thanks for chipping in @bigdogz .  What I'm referring to specifically is the standard interview between auditor and security manager to answer (yes) or (no) to questions on a checklist.  There are no technology interventions at this level, just a human being interviewing another human being in a Zoom session to complete an audit or security assessment questionnaire.

    Yes, it can; that's how I conducted my assessment during the Covid lockdown. Mind you, my client and I are living in the same geographic area, but I had to be remote (working from home).

    The only regulation that I know of is that if some data is classified as 'sensitive' or something similar, then the data can't be viewed offshore. However, for audit-type work, you don't necessarily view customer data, so I can see more of that type of work being done remotely.

    For example: you want to audit the process of onboarding and offboarding employees, and what type of security training they do internally. You don't necessarily view personally identifiable information (PII), just process documentation and evidence that the process is being followed.

    Here's an article about the Australian employers who opened up recruiting fully remote for most of their IT work. Whilst not security-specific, I don't see why not.

    Disclaimer: I'm not a lawyer and this is not legal advice. Consult your legal department for legal advice.

    Thanks UnixGuy.  This is helpful.
  • scasc Member Posts: 340
    A timely post. I don't see this being an issue as long as appropriate contractual clauses are in place between you and the other provider. This would include, where applicable, things like NDAs, etc. (depending on the country you want to offshore the work to). Naturally there would not be any data being handled; however, you can still discover holes in the auditee's security operations just by asking some pertinent questions. I'm actually contemplating doing something similar from here, with my brother-in-law, who has a proper LLP licensed and set up in the US, to perhaps use this to contract services from where I am, where applicable and appropriate.
    MSc, BSc (Hons), AWS CSA, C-CISO, CISSP, CCSP, CCSK, CISM, CISA, CRISC, GSTRT, GSNA, GDSA, GCSA, GCCC, CEH, ECSA, CHFI, TOGAF, CISMP