Any Laws Against Hiring Foreign Virtual Workers For Cyber Security

egrizzly

Hi all.  I was trying to find out if anybody knew of any laws that disallows foreign virtual workers (e.g. from Brazil, Kenya, Africa, etc) from performing cyber security audits or risk assessments for businesses here in the U.S.?  This thought struck me as their is a well-known shortage for qualified cyber security workers here in the U.S.  At the same time their also exists a stable virtual ecosystem for qualified remote workers in foreign countries who are willing to work for cheaper hourly rates.

I of course, just know about the arbitrage situation.  I know less about the associated laws that hiring companies have to abide by.  Thanks in advance for sharing your knowledge, comments, etc.

JDMurray

Rather than specifically foreign workers, I think it has more to do with prohibitions on the exportation of certain types of USA data to foreign countries where the "foreign workers" reside. The same type of situation exists with GDPR data handled outside of the GDPR countries (yes, the Brexit'ed UK is still GDPR-abiding) and US public sector (i.e., government) data that must be handled only by people with US security clearances.

egrizzly

JD I'm talking specifically about security audits or risk assessments where the auditor (or assessor) is merely working off check lists.  No high grade audits like penetration assessments, just checking if policies, specific technologies, or people are present/not present in the security environment of the client business.

bigdogz

@egrizzly

I would worry more about the lack of security and implications it may have on your network and organization. The ISP's in other countries may not have the same technologies to offer defense in depth and making those extra hops to your network add to exposure.

egrizzly

bigdogz said:

@egrizzly

I would worry more about the lack of security and implications it may have on your network and organization. The ISP's in other countries may not have the same technologies to offer defense in depth and making those extra hops to your network add to exposure.

Thanks for chipping in @bigdogz .  What I'm referring to specifically is the standard interview between auditor and security manager to answer (yes) or (no) to questions on a checklist.  There are no technology interventions at this level just a human being interviewing another human being in a Zoom session to complete an audit or security assessment questionnaire.

JDMurray

Sounds like you need CISA-certified people to weigh-in on this topic.

UnixGuy

egrizzly said:

Thanks for chipping in @bigdogz .  What I'm referring to specifically is the standard interview between auditor and security manager to answer (yes) or (no) to questions on a checklist.  There are no technology interventions at this level just a human being interviewing another human being in a Zoom session to complete an audit or security assessment questionnaire.

yes it can, that's how I conducted my assessment during Covid lockdown. Mind you, my client & I are living in the same geographic area but I had to be remote (working from home).

The only regulation that I know is some data if classified as 'sensitive' or something similar, then the data can't be view offshore. However, for audit type work, you don't necessarily view customer data, so I can see more of that type of work being done remote.

For example: you want to audit the process of onboarding and offboarding employees, and what type of security training they do internally. You don't necessarily view Privately identifiable information (PII's). Just process documentation and evidence that the process is being followed.

Here's an article about the Australian employers who opened up recruiting fully remote for most of their IT work. Whilst not Security specific, I don't see why not.

https://www.itnews.com.au/news/australias-top-it-shops-are-now-recruiting-more-fully-remote-staff-555882

Disclaimer: I'm not a lawyer and this is not a legal advice. Consult your legal department for a legal advice.

egrizzly

UnixGuy said:

egrizzly said:

Thanks for chipping in @bigdogz .  What I'm referring to specifically is the standard interview between auditor and security manager to answer (yes) or (no) to questions on a checklist.  There are no technology interventions at this level just a human being interviewing another human being in a Zoom session to complete an audit or security assessment questionnaire.

yes it can, that's how I conducted my assessment during Covid lockdown. Mind you, my client & I are living in the same geographic area but I had to be remote (working from home).

The only regulation that I know is some data if classified as 'sensitive' or something similar, then the data can't be view offshore. However, for audit type work, you don't necessarily view customer data, so I can see more of that type of work being done remote.

For example: you want to audit the process of onboarding and offboarding employees, and what type of security training they do internally. You don't necessarily view Privately identifiable information (PII's). Just process documentation and evidence that the process is being followed.

Here's an article about the Australian employers who opened up recruiting fully remote for most of their IT work. Whilst not Security specific, I don't see why not.

https://www.itnews.com.au/news/australias-top-it-shops-are-now-recruiting-more-fully-remote-staff-555882

Disclaimer: I'm not a lawyer and this is not a legal advice. Consult your legal department for a legal advice.

Thanks UnixGuy.  This is helpful.

scasc

A timely post. I don't see this being an issue as long as appropriate contractual clauses are in place between you and the other provider. This would include, where applicable things like NDA etc (depending on the country to want to offshore the work to). Naturally there would not be any data being handled however you can still discover holes in the auditee's security operations just by asking some pertinent questions. I'm actually contemplating doing something similar from here, with my brother in law who has a proper LLP licensed and setup in the US. To perhaps use this to contract services from where I am - where applicable and appropriate.

egrizzly

UnixGuy said:

egrizzly said:

Thanks for chipping in @bigdogz .  What I'm referring to specifically is the standard interview between auditor and security manager to answer (yes) or (no) to questions on a checklist.  There are no technology interventions at this level just a human being interviewing another human being in a Zoom session to complete an audit or security assessment questionnaire.

yes it can, that's how I conducted my assessment during Covid lockdown. Mind you, my client & I are living in the same geographic area but I had to be remote (working from home).

The only regulation that I know is some data if classified as 'sensitive' or something similar, then the data can't be view offshore. However, for audit type work, you don't necessarily view customer data, so I can see more of that type of work being done remote.

For example: you want to audit the process of onboarding and offboarding employees, and what type of security training they do internally. You don't necessarily view Privately identifiable information (PII's). Just process documentation and evidence that the process is being followed.

Here's an article about the Australian employers who opened up recruiting fully remote for most of their IT work. Whilst not Security specific, I don't see why not.

https://www.itnews.com.au/news/australias-top-it-shops-are-now-recruiting-more-fully-remote-staff-555882

Disclaimer: I'm not a lawyer and this is not a legal advice. Consult your legal department for a legal advice.

We're of the same train of thought UnixGuy.  It's strictly the questionnaire type security assessments. E.g. 1) Do you have a firewall in place (yes/no), Do you use 2-factor authentication for this resource (yes/no), Do you enforce password change every 90 days (yes/no).  

So with this kind of assessment no data is being viewed.  I just wanted to be absolutely sure that there was no dominating legal barrier to prevent overseas workers (e.g. from Philipinnes) from conducting such interviews with small business owners in the US.  There is certainly a benefit as these businesses can become compliant and avoid penalties.

JDMurray

egrizzly said:

I just wanted to be absolutely sure that there was no dominating legal barrier to prevent overseas workers (e.g. from Philipinnes) from conducting such interviews with small business owners in the US.

Have you check with any actual legal professionals who specialize in this sort of thing?

scasc

As mentioned above, you may want to get some legal opinion in respect to understanding what is allowed/not. From the outset, as you have mentioned there is no sensitive data access, the key is to get agreement with your client.

TechGromit

JDMurray said:

Rather than specifically foreign workers, I think it has more to do with prohibitions on the exportation of certain types of USA data to foreign countries where the "foreign workers" reside. 

That how it is where I work, we must know what country a foreign national is from, the United States has strict export controls in regards to Nuclear technology to some Countries.  Not that I come across much in my job anyway, but then again, I never fully explored the network to see what I have access to.  

egrizzly

     ....yeah, TechGromit. I think the fully explored territory is one you want to stay out of while working for your employer, lol

@JDMurray ....yeah, I've been knocking on the legal doors.  I asked a couple of lawyer friends of mine, plus engaged some legal forums.  It's the same pattern as here.  The default thought is that the foreign contractors would be accessing confidential data.  However that's not the case of course.  The type of work I'm seeking to validate is simply of the _checklist_ risk assessment variety.

fitzlopez

Hi CISA certified here. I can comment on the topic, I'm not in the US and know conationals who do this type of work for the US. If you take all the precautions you take with normal auditors (contracts, NDAs, reputation, VPNs, sanitize data, etc.), your company policies permit it and can still keep your contractual  agreements with your clients in place, I see no trouble. Just do a test run first, because not all security professionals are alike and quality of work will vary from individual to individual.Take into account that prosecuting in foreign countries is costly, so picture your worst case scenario if things go south. If that cheap foreign guy checks the wrong box is firing him enough to fix the problem?

egrizzly

@fitzlopez thanks for the insight.  So obviously the risk assessment projects that might be the best candidate for this outsourcing are the high-volume, low-risk variety.  I'm not saying each project does not deserve detail of course, but as you mentioned, if the cheap guy checks the wrong box the worse case scenario is one that you can digest financially.

TechGromit

egrizzly said:

However that's not the case of course.  The type of work I'm seeking to validate is simply of the _checklist_ risk assessment variety.

Don't automatically assume so. If your risk assessment uncovers critical vulnerabilities to your network, would you want someone outside the country have that information? So you database server is still running Windows NT, but with your tight budget you haven't gotten around to replace it yet? This kind of information would be of value on the dark web. While it might be legal to hire this person, would you want to? What is the motivation hiring a foreign worker anyway? To save a few bucks? Or do they have some kind of expertise your looking for?    

scasc

Took words out of my mouth there. 

Firewall = Check
IDS/IPS = No
WAF = No
Security Hardening/Patching = Negligible
Encryption = Supporting TLS 1.0/1.1.
SIEM/Logging = Negligible
SDLC = No validation of input/encoding output.

You get where I'm going with this right? Aggregating the information poses massive problems especially if the information is in the wrong hands. Be careful. Understand your scope, what will be asked, what information is divulged and take it from there.

egrizzly

Point well taken @TechGromit and @scasc

@TechGromit the reason is basically both for expertise as well as to save a few bucks.  A few years before security I worked for a large tech enterprise.  Six months into the engagement they moved that entire project to foreign workers.  The workers had the sensitive permissions like resetting passwords and assigning permissions to users.  I guess it makes sense trying to see if such a situation is possible in InfoSec as well as long within authorized boundaries.

UnixGuy

scasc said:

Took words out of my mouth there. 

Firewall = Check
IDS/IPS = No
WAF = No
Security Hardening/Patching = Negligible
Encryption = Supporting TLS 1.0/1.1.
SIEM/Logging = Negligible
SDLC = No validation of input/encoding output.

You get where I'm going with this right? Aggregating the information poses massive problems especially if the information is in the wrong hands. Be careful. Understand your scope, what will be asked, what information is divulged and take it from there.

This is interesting. you still carry the exact same risk whether this is done via someone onshore or offshore or even by internal employee. The business needs to accept such risks and evaluate accordingly. This is why NDA, data sanitisation/aggregation and using a vetted third party auditors are in place. you will never eliminate the risk that someone can sell such info on the dark web, but you need to do what you can.

To me the value of an indepedent assessment far exceeds the risks in many instances and i'd focus on addressing the findings instead of trying to make sure the findings aren't shared. E.g. It doesn't take much to know that a company doesn't have a proper IPS/IDS from the outside, such info can be gathered without an internal audit.

Again, Legal and business must be involved. My input to it from a security and risk point of view it's fine as long as NDA., sanity checks, using a vetted offshore organisation, .etc.

scasc

UnixGuy said:

This is interesting. you still carry the exact same risk whether this is done via someone onshore or offshore or even by internal employee. The business needs to accept such risks and evaluate accordingly. This is why NDA, data sanitisation/aggregation and using a vetted third party auditors are in place. you will never eliminate the risk that someone can sell such info on the dark web, but you need to do what you can.

To me the value of an indepedent assessment far exceeds the risks in many instances and i'd focus on addressing the findings instead of trying to make sure the findings aren't shared. E.g. It doesn't take much to know that a company doesn't have a proper IPS/IDS from the outside, such info can be gathered without an internal audit.

Again, Legal and business must be involved. My input to it from a security and risk point of view it's fine as long as NDA., sanity checks, using a vetted offshore organisation, .etc.

Totally agree with you mate, and that is why you have NDA's etc - as mentioned - however I think the difference here is that you need something which holds weight in the eyes of law (which costs time/resources/money etc.) - not like big4 . Risk can never be eliminated however would the offshore workers have the same level of background checks undertaken like the vetted 3rd party assessors mentioned? Would they store or access information/data found in the same manner? Totally agree around the NDA's/legal contracts/clauses etc. and that is what is required I believe before work is undertaken. 

I think its a balancing act between protecting what you find and ensuring it adds value by having appropriate remediation measures in place. Even with the IDS example you mentioned, internal audit reports with anything deemed sensitive are never shared outside. It is always classified based on need to know depending on its sensitivity. 

Ultimately, you want to be doing business with someone where you have assurance that they not only can do the work but also can protect key findings. Imagine if this stuff was internet facing and not protected - so agree around the legalities but I think aggregated data is more of a concern than individual findings etc. 

TechGromit

UnixGuy said:

This is interesting. you still carry the exact same risk whether this is done via someone onshore or offshore or even by internal employee. The business needs to accept such risks and evaluate accordingly. This is why NDA, data sanitisation/aggregation and using a vetted third party auditors are in place. you will never eliminate the risk that someone can sell such info on the dark web, but you need to do what you can.

While this is true, the laws and knowledgeable law enforcement staff in another country could be a weaker than in the United States. It would be a lot easier to detect, catch and prosecute someone operating out of the United States than say Bangladesh. Thus there are stronger deterrents for United States Citizens than Bangladesh. The FBI is very active in the world of Cyber Security they have lots of very qualified experts, often detecting information on the dark web from companies that were not even aware they have been compromised. The days of catching a hacker and flipping them to work for the FBI because they lack the in-house expertise are long over.

fitzlopez

TechGromit said:

UnixGuy said:

This is interesting. you still carry the exact same risk whether this is done via someone onshore or offshore or even by internal employee. The business needs to accept such risks and evaluate accordingly. This is why NDA, data sanitisation/aggregation and using a vetted third party auditors are in place. you will never eliminate the risk that someone can sell such info on the dark web, but you need to do what you can.

While this is true, the laws and knowledgeable law enforcement staff in another country could be a weaker than in the United States. It would be a lot easier to detect, catch and prosecute someone operating out of the United States than say Bangladesh. Thus there are stronger deterrents for United States Citizens than Bangladesh. The FBI is very active in the world of Cyber Security they have lots of very qualified experts, often detecting information on the dark web from companies that were not even aware they have been compromised. The days of catching a hacker and flipping them to work for the FBI because they lack the in-house expertise are long over.

Shooting myself on the foot here, as I'm a possible offshore resource. I'd say that if we use the formula risk= threat * likelihood, the risk is higher for remote workers and even higher for offshore. Saying that all people from another country are criminals, I'd say that's racist. However it is true that background checks are probably harder to do. Saying that from experience because I worked for a multinational company and the part of subcontracting a background checker on another country to complement the ones we already had, was a pain, also the things you are allowed to check by law are different from country to country. As mentioned before, the probability of being able to prosecute in a foreign country is really lower and the cost is higher compared to one's own country. The threat of being infiltrated by a foreign state is higher if you hire a remote worker from another country than if you interview someone from your city, the risk is not zero in either case but the cost of trying to infiltrate someone in either scenario is way different for the attacker.

So the Risk is higher, you have then to put the compensating controls that align with your risk appetite and security posture. If you do work for the department of defense of the US they probably need that all your personnel be and live in the US or maybe even have security clearance. If it's the guy that checks the risk of installing the new version of notepad++, I'd say, depending on your controls, just firing him for making a mistake is good enough. You still do the NDA, reputation check, background check, tech controls, etc. There's no excuse for going into fiverr or craiglist and paying a dollar an hour for a security consultant without any controls.

 

Again, as I have a horse in this race, don't discount us offshore workers for all work, just evaluate the risk of the functions we'd perform as with any other decision. Who knows? maybe the risk we pose gets lessened after some years of work.

Ha, just reread everything and it sounds like I want the offshore team to wash the dishes while the in country team to wait the tables. that was not my intention "Go team offshore!".

UnixGuy

TechGromit said:

UnixGuy said:

This is interesting. you still carry the exact same risk whether this is done via someone onshore or offshore or even by internal employee. The business needs to accept such risks and evaluate accordingly. This is why NDA, data sanitisation/aggregation and using a vetted third party auditors are in place. you will never eliminate the risk that someone can sell such info on the dark web, but you need to do what you can.

While this is true, the laws and knowledgeable law enforcement staff in another country could be a weaker than in the United States. It would be a lot easier to detect, catch and prosecute someone operating out of the United States than say Bangladesh. Thus there are stronger deterrents for United States Citizens than Bangladesh. The FBI is very active in the world of Cyber Security they have lots of very qualified experts, often detecting information on the dark web from companies that were not even aware they have been compromised. The days of catching a hacker and flipping them to work for the FBI because they lack the in-house expertise are long over.

We're talking about a checklist that says "does a company have a process for third party risk assurance, YES/NO". Doubt the FBI will be wasting hunting those individuals. We're not talking about doing a Red Teaming pentesting activity using an offshore no-name dude in an Island.

Also, that's why the Interpol exists.

Let me elaborate, I didn't say outsource security risk assessment to a random individual 'offshore'. I said you can offshore certain assessments offshore to a TRUSTED party. That trusted party can be IBM, where they use some of their offshore staff, so in case of legal issues you won't hold the individual accountable, you hold IBM accountable.

Let me also clarify another point, this is isn't new. This is how a lot of assessment are done anyway. Offshore staff are utilised for security risk assessments, it's not practical to do everything onshore, specially for big businesses that have a global presence. For example, who do you think does security risk assessment for the IBM branch in the Philippines? the answer is not an individual in New York.

And a timely reminder, most attacks and breaches start with Phishing. They never start with "according to this publicly available document this company isn't ISO27K1 certified therefore let's hack".

iBrokeIT

egrizzly said:

disallows foreign virtual workers (e.g. from Brazil, Kenya, Africa, etc) 

I would imagine foreign employment law compliance and foreign tax compliance could be significant barriers that your organization may not want to take on if you are not already doing business in those countries.

egrizzly

UnixGuy said:

TechGromit said:

UnixGuy said:

This is interesting. you still carry the exact same risk whether this is done via someone onshore or offshore or even by internal employee. The business needs to accept such risks and evaluate accordingly. This is why NDA, data sanitisation/aggregation and using a vetted third party auditors are in place. you will never eliminate the risk that someone can sell such info on the dark web, but you need to do what you can.

While this is true, the laws and knowledgeable law enforcement staff in another country could be a weaker than in the United States. It would be a lot easier to detect, catch and prosecute someone operating out of the United States than say Bangladesh. Thus there are stronger deterrents for United States Citizens than Bangladesh. The FBI is very active in the world of Cyber Security they have lots of very qualified experts, often detecting information on the dark web from companies that were not even aware they have been compromised. The days of catching a hacker and flipping them to work for the FBI because they lack the in-house expertise are long over.

We're talking about a checklist that says "does a company have a process for third party risk assurance, YES/NO". Doubt the FBI will be wasting hunting those individuals. We're not talking about doing a Red Teaming pentesting activity using an offshore no-name dude in an Island.

Also, that's why the Interpol exists.

Let me elaborate, I didn't say outsource security risk assessment to a random individual 'offshore'. I said you can offshore certain assessments offshore to a TRUSTED party. That trusted party can be IBM, where they use some of their offshore staff, so in case of legal issues you won't hold the individual accountable, you hold IBM accountable.

Let me also clarify another point, this is isn't new. This is how a lot of assessment are done anyway. Offshore staff are utilised for security risk assessments, it's not practical to do everything onshore, specially for big businesses that have a global presence. For example, who do you think does security risk assessment for the IBM branch in the Philippines? the answer is not an individual in New York.

And a timely reminder, most attacks and breaches start with Phishing. They never start with "according to this publicly available document this company isn't ISO27K1 certified therefore let's hack".

@UnixGuy, we are whole-heartedly of the same thought process.

fitzlopez

iBrokeIT said:

egrizzly said:

disallows foreign virtual workers (e.g. from Brazil, Kenya, Africa, etc) 

I would imagine foreign employment law compliance and foreign tax compliance could be significant barriers that your organization may not want to take on if you are not already doing business in those countries.

I'd suggest contracting with a reputable company that takes care of all that, it'll make the resource less cheap but it'll transfer a lot of the hassle and some of the risk.