Contents
- Introduction
- Data Security and Privacy
- Information Security Governance
- Extended Boundaries
- Regulations
- Internal Processes
- Way Forward
Introduction
Highlights
The survey provides insights into the data security and privacy environment of the Indian BPO industry. There is evidence that validates general perceptions about security and privacy practices, and then there are some outliers that do not align with the seemingly obvious.
Some of the findings of the survey are as follows:
- The industry treats data security more as a hygiene factor, rather than a point of differentiation
- CISOs of a majority of the organizations are spending significant time on strategic initiatives; for example, identifying security implications of new business initiatives
- Almost 50 percent of the organizations are negotiating contracts to ensure that any liability arising from vulnerabilities in the clients' environment is borne by the client
- More than 3/4 of the organizations face challenges due to a lack of [...]
- Only 44 percent of the respondents are mandating vendors / third parties to report new threats and vulnerabilities in their products / services
Summary
The Indian BPO industry has grown nine times, from USD 1.6 billion to USD 14.7 billion, in just a decade and is expected to witness robust growth in the years to come. By 2020, the Indian outsourcing industry (IT and BPO), which is currently at USD 60 billion, is expected to reach USD 225 billion. During the same period, domestic BPO revenue is expected to expand sevenfold to reach USD 15 to USD 17 billion, while export revenue is expected to reach USD 50 billion. To sustain this phenomenal growth, the Indian BPO industry needs to overcome one of the major challenges facing the industry today: addressing the data security and privacy concerns of its stakeholders.

Data Security Council of India (DSCI) and KPMG in India, under the aegis of CERT-In (DIT), jointly conducted a survey to assess the current state of data security and privacy practices adopted by the Indian BPO industry and to gain insights into how the industry is addressing clients' concerns. As part of this initiative, 50 organizations were surveyed with the following objectives:
- Positioning of data security and privacy in the BPO organizations: analyzing the CISO's role and the tasks performed by the security organization
- Maturity and characteristics of key security disciplines such as Threat & Vulnerability Management and Incident Management in the wake of rising data breaches globally
- Level of perceived risks in different Lines of Service (e.g. Customer [...] management)
- Impact of IT (Amendment) Act, 2008 on the industry
- Evolution of Physical Security and its integration with data security
In order to ensure that the survey results represent the Indian BPO industry at large, we interviewed CISOs and their equivalents in organizations across BPO industry segments and sizes. The survey results highlight trends and insights into the state of data security and privacy in the Indian BPO industry: many generally known practices are validated, yet certain unexpected insights are revealed.

Data security and privacy
The maturity of the Indian BPO industry with respect to data security and privacy is reflected in the fact that most organizations treat security more as a hygiene factor rather than as a point of differentiation to gain competitive advantage. End customers in client geographies are concerned about their personal data in the trans-border data flow. The Indian BPO industry realizes this and is equally concerned about any bad publicity in the media that may result from a data breach. Clients too have taken note of such concerns and demand that BPO organizations undertake privacy initiatives and include an explicit data privacy clause in their contracts. The first section of the report, Data Security & Privacy, reveals these and other such trends in detail.

Information security governance
The information security function has generally been formalized, with most organizations having a designated CISO. However, there is no standardization of reporting alignment; it varies significantly across the responding organizations. CISOs are also moving away from security-related operational tasks and are becoming more involved in strategic activities. The survey reveals that the industry needs to increase the involvement of business managers in understanding the security requirements of the business.
Extended boundaries
As the industry has been expanding across geographies to serve global clients, organizations continue to face the challenge of meeting multiple regulatory or client requirements. Being well aware of the liabilities arising from any data breach, they have been re-negotiating contracts with clients to ensure that any liability arising from vulnerabilities in the clients' environment is borne by the client. Similar focus needs to be given to third party service providers, since they have access to client/organization confidential information.

Regulations
The industry's focus on global clients is all the more evident from the fact that its data security and privacy related technological investments are driven by global regulatory requirements. However, with the introduction of the Information Technology (Amendment) Act, 2008 (ITAA 2008), organizations are starting to realize the liabilities arising from it and have started revising their security policies to incorporate ITAA 2008 requirements. As awareness of ITAA 2008 is low, there is a risk of underestimating the liabilities arising from non-compliance with regulatory obligations.

Internal processes
There are clear indicators that internal processes have been designed to meet best practices. However, implementation and continuous testing/monitoring vary across organizations. The findings indicate the level of maturity the industry has achieved in processes such as threat & vulnerability management, employee screening, security incident management, BCP/DRP and physical security controls.
Data security and privacy
Key findings
- Client/contractual requirements and the global data protection regime are the key drivers for data security practices in the BPO industry
- Organizations perceive that key [...] brand image and are therefore adopting data privacy initiatives to prevent any data breach incident, which may lead to bad publicity in the media
- Organizations focus on data privacy to address the rising concerns of clients' end customers vis-à-vis their personal data in the trans-border data flow
- A majority of organizations do not have a dedicated or separate privacy team; instead, they use the data security team to drive and support privacy initiatives.
Clients continue to drive the information security requirements. They have helped corporations mature their information security programs through periodic audit and monitoring.
[Chart: size of the security team (number of members): Less than 5, 6-10, 11-20, More than 20]
Security function
Respondents believe that organizations place due importance on the security function internally. This is coupled with the fact that almost two-thirds of the organizations have a security team of more than five members. Most organizations have a central security function responsible for data security & privacy, enabling them to ensure uniformity of controls across the organization. Security is still a centralized function, as revealed by the survey. However, geographical expansion of operations, rising revenue in the Lines of Service and business growth in client relationships seem to be driving the structure of the security organization towards a localized/decentralized security function.
[Chart: practices of the security function (% respondents): Continuous vigilance on evolving issues; Keeping top management aware of the risks & liabilities; Constant review of the environment; Providing architectural treatment to security solutions; Use of an enterprise portal to manage security requirements; Collaboration with external sources & internal functions; Proactive adoption of techniques such as threat modeling, threat trees, etc.; Focus on innovation in the security initiatives]
[Chart: perceived risks rated Critical / Important (% respondents); of the risk labels only "Reputational damage" survives extraction]
Privacy function
While primary drivers for data security and data privacy are the same, the controls and capabilities required for ensuring them are quite different. Realizing this, organizations are moving towards deploying dedicated personnel for privacy. This is evident from the fact that 41 percent of the organizations have a dedicated privacy function with a team strength of more than two members.
[Chart: size of the privacy team (number of members): Less than 2, 2-5, More than 5, Not Applicable]
Privacy gets treated as a sub-set of information security program, which may lead to under-estimation of legal implication.
However, not all of these organizations have extended the scope of their audit charter to include privacy, nor do they perform a privacy impact assessment whenever new initiatives are undertaken. Organizations can achieve a much better state of privacy if they take the step of establishing a privacy function with the required empowerment.
Information security governance
Key findings
- CISOs of a majority of the organizations are spending significant time on strategic initiatives; for example, evaluating and mitigating security implications of new business initiatives.
- Organizations are seeking external [...]
- Many organizations still do not understand and distinguish security-related operational tasks from strategic security tasks
Role of CISO
The survey reveals that CISOs of nearly 65 percent of the organizations are spending a significant amount of their time on activities like:
- Overseeing security policy enforcement
- Participating in business strategy meetings
- Interacting with support functions for enforcing measures
- Planning for remedial measures
- Issuing guidelines to enterprise units
- Overseeing security projects
- Checking for new issues, threats & vulnerabilities
- Convening meetings of security forums.
This clearly indicates that CISOs are spending a significant amount of time on strategic tasks rather than operational tasks. However, standardization of the CISO's role is lacking. This is evident from the survey results: 29 percent of CISOs spend a significant amount of time reviewing & approving change requests, while at the same time 22 percent of CISOs do not consider it part of their responsibility. Similarly, more than 50 percent of CISOs spend a significant amount of time reviewing the state of security in service delivery channels & reviewing security reports, yet nearly 15 percent believe they are not responsible for these tasks.
Organizations need to refine the CISO's role, ensuring minimal involvement in operational tasks such as reviewing reports of security scans.
[Chart: share of CISO time spent on individual tasks (% respondents per task, including a "Not Responsible" category); the task labels are not recoverable from the extraction]
The role of and expectations from the CISO vary across organizations; whilst many spend time on strategic items, a fair bit of operational tasks also take his/her attention.
Security tasks
Security of the organization is the prime responsibility of the CISO and his/her team. However, other functions like the IT Infrastructure Team, Business Units, Corporate Compliance, etc. are also involved in security management tasks. The survey indicates that the various teams are being involved in the right capacity for security management tasks, which shows that organizations are aware of the stakeholders required for effective management of security. Trends clearly visible from the survey responses are:
- Operational tasks such as installation of security solutions, administration of security technologies and security testing are performed by the IT security and IT infrastructure teams, allowing the CISO to focus on strategic tasks
- Gaps in security skills are bridged by availing the services of external consultants for tasks such as security gap/baseline assessments, application security testing, code review, etc.
Though the CISO is actively getting involved in business activities such as business strategy planning and understanding the business requirements of security, the involvement of business managers in security initiatives needs to be further enhanced.
Security tasks by function (figures as extracted from the report's chart, read as % of respondents)

| Security task | Business Manager | Corporate Compliance | CISO | IT Security | IT Infra Team | Audit Team | External Consultant | External Service Provider | External Consultant / Service Provider |
|---|---|---|---|---|---|---|---|---|---|
| Security gap/baseline assessment | 15 | 15 | 64 | 38 | 9 | 36 | 15 | 6 | 21 |
| Security strategy plan | 22 | 14 | 80 | 29 | 16 | 2 | 2 | 0 | 2 |
| Security requirements of business | 63 | 19 | 58 | 27 | 19 | 2 | 0 | 0 | 0 |
| Preparing security policies & procedures | 6 | 14 | 82 | 41 | 16 | 2 | 10 | 0 | 10 |
| Implementing policies & procedures | 49 | 20 | 57 | 55 | 47 | 18 | 4 | 4 | 8 |
| Defining & managing security architecture | 8 | 6 | 65 | 55 | 31 | 0 | 4 | 2 | 6 |
| Compliance reporting to clients | 56 | 25 | 52 | 21 | 8 | 10 | 2 | 2 | 4 |
| Advisory vis-a-vis data security architecture | 17 | 28 | 77 | 26 | 9 | 4 | 19 | 2 | 21 |
| Security solutions evaluation and procurement | 4 | 10 | 69 | 69 | 44 | 4 | 6 | 8 | 15 |
| Install security solutions, products and tools | 2 | 2 | 32 | 62 | 68 | 2 | 6 | 8 | 14 |
| Administration of security technologies | 0 | 0 | 12 | 66 | 64 | 2 | 0 | 2 | 2 |
| Security testing - VA and PT | 0 | 2 | 22 | 64 | 36 | 12 | 12 | 12 | 24 |
| Application security testing, code review, etc. | 9 | 2 | 27 | 61 | 20 | 11 | 20 | 0 | 20 |
| Conducting and managing internal audits/assessments | 4 | 22 | 61 | 20 | 4 | 71 | 6 | 2 | 8 |
| Security monitoring | 10 | 10 | 38 | 72 | 30 | 12 | 4 | 4 | 8 |
| Security authorization of change requests | 16 | 8 | 48 | 58 | 18 | 2 | 0 | 2 | 2 |
| Report, investigate and close security incidents | 12 | 18 | 68 | 58 | 24 | 6 | 2 | 2 | 4 |
| Keep track of the evolving threats and vulnerabilities | 0 | 12 | 52 | 68 | 16 | 6 | 6 | 4 | 10 |
| Strategies for protecting against new threats and vulnerabilities | 4 | 16 | 76 | 58 | 16 | 2 | 4 | 0 | 4 |
| Keep track of the evolving regulatory requirements | 20 | 36 | 62 | 26 | 2 | 8 | 8 | 2 | 10 |
| Participate in initial client meetings to understand clients' security requirements | 57 | 17 | 67 | 41 | 24 | 2 | 0 | 0 | 0 |
| Administration & testing of BCP/DR plans | 32 | 18 | 59 | 55 | 52 | 5 | 2 | 2 | 5 |
Extended boundaries
Key findings
- Meeting multiple regulatory/client requirements and ensuring employee seriousness towards data security & privacy continue to remain key challenges for organizations
- Organizations are continuously focusing on deploying technical and organizational safeguards to mitigate risks arising from the clients' environment
- Organizations have started negotiating contracts to ensure that any liability arising from vulnerabilities in the clients' environment is borne by the client
- Organizations have adopted a Third Party Risk Assessment Framework along with conducting Vendor Risk Management exercises for their service providers.
Overcoming challenges
Meeting multiple client/regulatory requirements, while serving clients across geographies, is a key challenge faced by organizations.
[Chart: challenges faced (% respondents, rated from challenge to "Not a challenge"): Meeting multiple client requirements; Employees in young age group with high attrition rates; Meeting multiple regulatory requirements; Client providing liberal access to BPO employees; Emerging and evolving threats and vulnerabilities; Employees connecting to client environment through public network; Lack of employee awareness on liabilities arising from data breaches; Non-seriousness of employees for security and privacy; High involvement of employees with client organization; Understanding global data protection regulations; Different connectivity models; Different means used to transfer or access the data; Inadequate budget allocation for data security & privacy; Increased volume and complexity of data intensive transactions; Difficulty in bringing visibility over the data; Managing third party risks; International spread of operations; Client prefers business flexibility over security; Lack of support from Top / Senior Management]
Regulations
Key findings
- Organizations continue to consider [...]
- [...] organizations have not activated the legal function to understand, interpret and suggest necessary precautions to comply with ITAA 2008. This explains the low level of awareness amongst the organizations.
Staying compliant
The survey results reveal that although organizations have started to create awareness on ITAA 2008, the level of awareness still needs to be strengthened.
While there is greater awareness of global regulations, the implications of ITAA 2008 remain largely unknown.
[Chart: awareness of ITAA 2008 (Yes / No / Not Sure, % respondents) among Employees, End Customers, Board Members, Top / Senior Management, Contractors / Third Party employees and Clients]
[Chart: role of regulations in investment decisions (% respondents): Global regulations as a primary driver; ITAA 2008 has recently acquired a place in the discussion; ITAA 2008 does not have any bearing on investment decisions]
Internal processes
Key findings
- Organizations involve process [...] new issues, vulnerabilities and threats. However, most of them do not have a mechanism in place that is capable of swiftly testing the relevance of these issues in their environment
- More than half of the organizations surveyed do not mandate vendors / third parties to report new threats and vulnerabilities in their products / services
- The industry has matured over the years in terms of processes such as security incident management, BCP/DRP and physical security management.
Being prepared
Internal processes of organizations have matured over the years to a point where most of the organizations are keeping track of threats & vulnerabilities and have also established processes for employee background screening, security incident management, BCP/DRP and physical security control.
[Chart: sources used to keep track of threats & vulnerabilities (% respondents): Risk based internal or external audits; Subscribing to newsletters; Through websites of data security vendors; Subscribing to vulnerability, exploit databases, etc.; Subscribing to CERT-In alerts; Through peers / competitors; Security research reports of product and professional organizations; Mandating the vendors to report new threats & vulnerabilities in their products; Through discussions on security forums on the internet; Subscribing to analysts' reports; Provided by the client organizations as part of their Risk Management process]
While organizations keep a close eye on threats and vulnerabilities, they lag in swift response.
Background screening
Employee background screening is one of the key controls in terms of security, especially when employees have access to critical / confidential information of clients. Background screening is also important given that a majority of the organizations see internal threats as one of the key drivers for data security. Background screening is one of the basic controls for ensuring security; this is evident from the fact that 72 percent of the organizations follow this process for all their employees. Realizing that background screening is not their core competency, 80 percent of the organizations have outsourced it to third party vendors. Realizing the importance of background screening, NASSCOM started an initiative called the National Skills Register (NSR) to build a credible information repository about all personnel working in the IT and BPO industry. Most of the participants are aware of NSR and its value. However, the adoption of NSR as an exclusive source for employee background screening has been limited.
[Chart: employee background screening performed Internally / By third party / Both (% respondents)]
[Chart: security incident management practices (% respondents): Logs are securely managed and archived in accordance with compliance requirements; Incident management supports data breach notification requirements (regulatory) of clients; There is a formal reporting mechanism to report incidents to the management, client and regulatory authorities; Incident management mechanism is integrated with organization IT processes for remedial actions; Real-time monitoring mechanisms exist that can proactively detect anomalies; There is an inventory of all the possible scenarios that can lead to an incident; An effective solution is implemented for log management, security monitoring and incident management; Incident management mechanism takes inputs from external knowledge sources on vulnerabilities, anomalous patterns and threats; There is a mechanism that generates incidents based on patterns and business rules]
BC/DR plans cover most elements of organizations internal boundaries, but few include aspects relating to third parties.
[Chart: BCP/DR practices (% respondents): Emphasis given on providing cross-functional training to employees; Architectural treatment given to availability preparedness that drives redundancy of infrastructure components; Contracts with third parties include obligation to meet our BCP / DR requirements]
[Chart: physical security controls (% respondents): Adequate controls exist for perimeter, entry points and interior areas; A process exists for the movement of assets into the operating areas; A process exists for provisioning and de-provisioning access of visitors, partners, and support services; Significant level of collaboration exists between physical security, information security and other functions of the organization; The scope of the security monitoring and incident management mechanism is extended to integrate the physical security components; There is centralized monitoring of physical security across various locations by a Physical Security Operations Center (PSOC)]
Physical Security
The respondents realize that the risk of data leakage increases once a person has physical access to the operational facility. Therefore, organizations have established strong physical security controls for the perimeter, entry points and interior areas, along with mechanisms for identification & authorization of employees. Organizations also ensure a significant level of collaboration between physical security, information security and other functions. However, in most of the organizations physical security is not integrated with IT Security.
In times of digital convergence, physical security and digital security controls remain disintegrated.
Way forward
Over time, the Indian BPO industry has withstood significant customer and regulatory scrutiny and has been able to demonstrate that it can embrace the data security and privacy governance processes required as a minimum baseline for providing outsourcing services in a high trust mode. While customers have largely driven consciousness of risks and requisite controls, most organizations in the industry have developed frameworks that aid them in first line defense, detection, and reacting in an appropriate manner to events that threaten this high trust environment. The industry also continually expands its horizons to newer markets, and has gained a reputation for understanding its exposure to legislation and regulation in varying markets. C-level executives of the BPO industry are well conversant with their responsibilities and liabilities from a data security and privacy standpoint, and the implications of risks emanating from these topics regularly underpin the strategic priorities and decision making processes of such executives.

One of the themes emerging from the survey is that while the BPO industry has attained a high level of maturity on data security, business continuity preparedness, background screening of employees, etc., there are many emerging issues that require its attention. These issues are largely attributable to the rapidly evolving security and regulatory landscape.

Global regulations require organizations to protect the privacy of end customers. The interpretation of these regulations is becoming a significant challenge, requiring a dedicated effort. This will lead to the emergence of a privacy function in a BPO, moving away from the current practice of positioning privacy within the ambit of security. The privacy function will have to bring the necessary regulatory intelligence that supports the geographical expansion of organizations. On the other hand, it will have to re-engineer organizations' processes to demonstrate compliance with the regulations.

The ever changing threat landscape is driving organizations to redefine their security strategies and programs. The rising complexity and heterogeneous nature of the underlying infrastructure pose a significant challenge in doing so. Organizations need to build the right capabilities for maintaining their security posture and responding swiftly to new threats.

Over the years, BPOs have witnessed substantial growth and have penetrated new Lines of Service. In doing so, they are challenged with the protection of sensitive client data. Each Line of Service is characterized by a specific set of security concerns and liabilities. To sustain its growth, the BPO industry should pay close attention to understanding the risks and liabilities associated with the Lines of Service it serves.

To overcome the challenges identified by the survey, it is important for organizations to adopt a data-centric approach to managing security & privacy risks and to review all processes, functions and client relations from the data perspective. BPO as an industry faces unique challenges, and there is a strong case for collaboration between organizations. The industry treats security as hygiene rather than as a competitive advantage. The entire industry can learn from its experiences and provide a consistent and unified message of a high trust environment at the industry level.
Acknowledgments
DSCI Core Team
- Vinayak Godse, Director, Data Protection
- Vikram Asnani, Senior Consultant, Security Practices
- Rahul Jain, Senior Consultant, Security Practices

KPMG Core Team
- Navin Agrawal, Executive Director
- Nitin Khanapurkar, Executive Director
- Atul Gupta, Director
- Vijay Subramanyam, Director
- Vidur Gupta, Associate Director
- Deepak Agarwal, Consultant

KPMG Survey Team
Abhijit Varma, Ankit Goel, Arihant Garg, Jignesh Oza, Lekha Ragupathi, Nayab Kohli, Nitin Shah, Rahul Gupta, Rahul Singhal, Sundar Ramaswamy, Syamala Raju Peketi

DSCI Project Advisory Group
- N. Balakrishnan, Chairman, DSCI and Associate Director, IISc Bangalore
- BJ Srinath, Senior Director, CERT-In
- Anjali Kaushik, MDI Gurgaon
- Akhilesh Tuteja, Executive Director, KPMG
- Kartik Shahani, Country Manager, India and SAARC, RSA
- Satish Das, CSO, Cognizant
- Baljinder Singh, Global Head of Technology, InfoSec & BCM, EXL Service
- Vishal Salvi, CISO, HDFC Bank
- Ashwani Tikoo, CIO, CSC
- PVS Murthy, Global Head Information Risk Management Advisory, TCS
- Deepak Rout, CISO, Uninor
- Seema Bangera, DGM Information Security, Intelenet Global
KPMG Contact Atul Gupta Director, IT Advisory Services KPMG in India T: +91 124 307 4134 E: atulgupta@kpmg.com
DSCI Contact Vinayak Godse Director - Data Protection DSCI T: +91 11 2615 5071 E: vinayak.godse@dsci.in
www.kpmg.com/in
www.dsci.in
2010 KPMG, an Indian Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (KPMG International), a Swiss entity. All rights reserved. The KPMG name, logo and cutting through complexity are registered trademarks or trademarks of KPMG International Cooperative (KPMG International), a Swiss entity. Copyright 2010 DSCI. All rights reserved. Printed in India.