Data Governance - Part 8: Framework for Geo-Residency and Sovereignty
Scope:
This Standard specifies the minimum requirements for Organizations to protect data assets in their custody from jurisdictional risks, while taking advantage of the global technology ecosystem.
The Standard is not intended to prescribe how an Organization should implement specific security controls. Instead, it guides Organizations using jurisdiction-agnostic and technology-agnostic approaches that can be adapted to address specific business requirements.
Considerations are given to:
- Identification and categorization of data assets;
- Development of an appropriate threat model;
- Identification of potential risks, including from laws in foreign jurisdictions; and
- Options to mitigate associated risks.
This Standard applies to all sectors, including public and private companies, government entities, and not-for-profit Organizations. This Standard assumes that the Organization implementing the following requirements has existing risk management policies and procedures.
Note: For those applying the standard, where personally identifiable information (PII) is used in the standard, local jurisdictional, legal and/or regulatory definitions shall apply.
Project need:
In today's global economy, it is common for organizations to house their assets in foreign locations. Multinational organizations may have many locations across the globe, and with the rise of cloud storage, remotely storing data and assets out of country, whether at a corporate site or with a third-party cloud provider, is efficient and economical.
Opportunity always carries risk. While global economies have been strong and stable in recent years, unforeseen variables (such as a global pandemic) can threaten this formerly strong and prosperous system.
Organizations must now take the geo-political landscape into account and consider the inherent risks of storing data and assets in a foreign environment. All scenarios must be examined, and risk assessments and recovery plans must be put in place to address what could happen to their data and/or assets should the political climate change in the host nation.
IT delivery models such as Commercial-Off-The-Shelf (COTS) software, cloud computing, edge computing, IoT, and blockchain often require a new mindset and culture, one that recognizes the value and the challenges of using services that cross geo-jurisdictional domains. Likewise, wireless connectivity options such as 5G, 6G and satellite do not stop at traditional physical political boundaries.
This standards framework is intended to explore approaches to consuming services outside specific geo-jurisdictions effectively and efficiently, while protecting assets and interests. The standard will also highlight considerations for when processing and storage should remain within local and regional jurisdictions, plus additional considerations around the use of foreign solutions, including where data may transit outside of domestic control.
Moving away from traditional approaches requires a change in workplace culture: a shift from doing things as they have always been done to understanding and implementing strategies that ensure solutions are appropriately secured, protected and cost effective, and that deliver the prioritized outcomes.
In Canada specifically, the need exists to determine realistic approaches, processes and policies that can protect Canadian assets and sovereignty while appropriately using IT services that may cross geo-jurisdictional boundaries. Structurally, this is because no Canadian legislative body has ultimate jurisdiction over the geo-jurisdictional processing, transit and storage of Canadian IT assets.
Note: The information provided above was obtained by the Standards Council of Canada (SCC) and is provided as part of a centralized, transparent notification system for new standards development. The system allows SCC-accredited Standards Development Organizations (SDOs), and members of the public, to be informed of new work in Canadian standards development, and allows SCC-accredited SDOs to identify and resolve potential duplication of standards and effort.
Individual SDOs are responsible for the content and accuracy of the information presented here. The text is presented in the language in which it was provided to SCC.