
State of Data Security and Privacy in the Indian BPO Industry

Message from CERT-In


Businesses continue to drive IT operations, which in turn try to sustain existing systems, often at the cost of security. Customers, on the other hand, are demanding more security as their worries about cyber crimes, privacy and identity theft grow. In the networked world, business partners, suppliers, and vendors also demand assurance of essential and adequate security when they inter-operate to share information and business data for faster and cost-effective transactions. At the same time, regulatory and law-enforcement agencies require proof of compliance with a plethora of security regulations. Under these circumstances, there is no better way of understanding the security preparedness of companies than through a survey. It gives me great pleasure to see the results of the survey of BPO companies, conducted by DSCI through KPMG in India with the active support of DIT. I'm sure this survey will help the industry understand the areas that need focus in order to improve its practices, and present to its clients the best practices approach for trusted business partnership.

Dr. Gulshan Rai DG, CERT-In


Message from DSCI


This is the third DSCI-KPMG Security Survey, conducted in association with CERT-In. While designing the questionnaire for this survey, we decided that rather than conducting a general security survey, we would focus on the BPO and Banking domains. Specific questionnaires were, therefore, drawn up to address the concerns of these domains. We present the results of the BPO industry in this report. The depth of questions may perhaps lead one to conclude that the survey is an attempt at assessment rather than merely a high-level information capture. At DSCI, we felt that this was important with a view to understanding the data protection trends, underlying issues and concerns that may be unique and specific to the BPO industry. The focus, in general, is on the positioning of security and privacy in organizations; maturity and characteristics of key security disciplines such as Threat & Vulnerability Management, Incident Management, among others. Such an in-depth questionnaire was expected to bring out the BPO responses to the rising data breaches globally. I am pleased to state that the in-depth approach has resulted in findings that are more promising. For the BPO industry, while the survey suggests that employee awareness of data protection continues to be a challenge, the managements are alive to the privacy requirements of clients, since many BPOs have established a privacy team that is distinct from security. The security organization itself is maturing, with CISOs being involved in strategic tasks. An interesting result is the awareness among BPOs that they may be liable for breaches arising from vulnerabilities in the clients' environment unless they are vigilant enough to negotiate a suitable contract. Among the areas that need the attention of management, the following are worth mentioning: employee security awareness should be increased, the need for compliance with the amended IT Act should be understood, and Lines of Business should be involved in data security initiatives.

Dr. Kamlesh Bajaj CEO, DSCI


Message from KPMG in India


The BPO industry in India has always been under significant influence of data protection regulations. In the initial years of its growth phase, corporations have gone through fairly intense scrutiny of customer audits, which sometimes have been considered to be crossing the boundary of reasonable controls expectations. In any case, most CISOs have privately admitted that those audits helped them learn the tricks of the trade and made them better every time they underwent such an audit. The industry has also been conscious that managing an adequate level of information protection is essential for survival. There have been instances of penalties being charged for non-compliance with information security safeguards. In a few extreme cases, clients have renegotiated contracts with their service providers at lower rates just because the security controls have been found to be weak. Some experts believe that information security issues can easily become non-tariff barriers if the industry as a whole does not embrace appropriate risk mitigation measures. Given this context and the current global economic scenario, it couldn't have been a better time for the industry to demonstrate that it has the right strategies in place to manage and mitigate the risks of information security breaches. The survey validates that the industry understands these implications very well and has put in place the baseline measures to manage the risk. The survey is aimed at identifying protection measures of information security in general and those specific for personally identifiable information (privacy). While the industry participants have developed frameworks for addressing the information security concerns, the aspects relating to privacy haven't matured as much. The survey highlights the current state of the industry and attempts to identify the future direction for a holistic information protection program.
It is argued that surveys conducted through the owners of process many a time produce more optimistic results and portray the realities as better than they really are. However, the purpose of the survey being more directional than quantitative assessment, it serves the purpose of identifying trends and priorities of the industry. This survey should act as a useful guide for senior executives of BPO companies in formulating their future positions and will be a good tool for many CISOs in developing business cases for comprehensive information security programs. We hope that the companies which use the services of the Indian BPO industry will also benefit from this survey, as it will help them reposition their compliance monitoring efforts in the right direction.

Akhilesh Tuteja Executive Director, KPMG in India

Contents
Introduction 02
Data Security and Privacy 08
Information Security Governance 16
Extended Boundaries 24
Regulations 30
Internal Processes 36
Way Forward 47


Introduction


Highlights
The survey provides insights into the data security and privacy environment of the Indian BPO industry. There is evidence that validates general perceptions about security and privacy practices, and then there are some outliers that do not align to the seemingly obvious.
Some of the findings of the survey are as follows:
- The industry treats data security more as a hygiene factor, rather than a point of differentiation to gain competitive advantage
- Customer requirements remain the primary drivers for data security for most of the organizations
- Almost 50 percent of the organizations are negotiating contracts to ensure that any liability arising from vulnerabilities in the clients' environment is borne by the client
- More than 3/4th of the organizations face challenges due to a lack of awareness amongst employees on liabilities arising from data breaches
- CISOs of the majority of the organizations are spending significant time on strategic initiatives; for example, identifying security implications of new business initiatives
- Only 44 percent of the respondents are mandating vendors / third parties to report new threats and vulnerabilities in their products / services
- There seems to be a lack of clarity amongst organizations regarding their liability under ITAA 2008
- More than 75 percent of the organizations involve process owners and lines of business in data security initiatives.


Summary
The Indian BPO industry has grown nine times, from USD 1.6 billion to USD 14.7 billion, in just a decade and is expected to witness robust growth in the years to come. By 2020, the Indian outsourcing industry (IT and BPO), which is currently at USD 60 billion, is expected to reach USD 225 billion. During the same period, domestic BPO revenue is expected to expand seven-fold to reach USD 15 to USD 17 billion, while export revenue is expected to reach USD 50 billion. To sustain this phenomenal growth, the Indian BPO industry needs to overcome one of the major challenges facing the industry today: addressing the Data Security and Privacy concerns of its stakeholders. The Data Security Council of India (DSCI) and KPMG in India, under the aegis of CERT-In (DIT), jointly conducted a survey to assess the current state of data security and privacy practices being adopted by the Indian BPO industry and to gain insights into how the Indian BPO industry is addressing clients' concerns. As part of this initiative, 50 organizations were surveyed with the following objectives:
- Positioning of data security and privacy in the BPO organizations - analyzing the CISO's role and the tasks performed by the security organization
- Maturity and characteristics of key security disciplines such as Threat & Vulnerability Management and Incident Management in the wake of rising data breaches globally
- Level of perceived risks in different Lines of Service (e.g. Customer Interaction and Support, Payroll, Finance & Accounting, etc.)
- Managing risks arising from clients' environments
- Mechanisms adopted for conducting employee background screening
- Strategic options adopted for Business Continuity and Disaster Recovery management
- Impact of the IT (Amendment) Act, 2008 on the industry
- Evolution of Physical Security and its integration with data security

In order to ensure that the survey results represent the Indian BPO industry at large, we interviewed CISOs and their equivalents in organizations across BPO industry segments and sizes. The survey results highlight trends and insights into the state of data security and privacy in the Indian BPO industry: many generally known practices are validated, yet certain unexpected insights are revealed.

Data security and privacy

The maturity of the Indian BPO industry with respect to data security and privacy is reflected in the fact that most organizations treat security more as a hygiene factor rather than a point of differentiation to gain competitive advantage. End customers in client geographies are concerned about their personal data in the trans-border data flow. The Indian BPO industry realizes this and is equally concerned about any bad publicity in the media that may result from a data breach. Clients too have taken note of such concerns and demand that BPO organizations undertake privacy initiatives and include an explicit data privacy clause in their contracts. The first section of the report, Data Security & Privacy, reveals these and other such trends in detail.

Information security governance

The information security function in general has been formalized, with most organizations having a designated CISO. However, no standardization with respect to reporting alignment exists, as it varies significantly within the responding organizations. CISOs are also moving away from security-related operational tasks and are becoming more involved in strategic activities. The survey reveals that the industry needs to increase the involvement of business managers in understanding the security requirements of the business.


Extended boundaries

As the industry has been expanding across geographies to serve global clients, organizations continue to face a challenge in meeting multiple regulatory or client requirements. Being well aware of the liabilities arising from any data breach, these organizations have been re-negotiating contracts with clients to ensure that any liability arising from vulnerabilities in the clients' environment is borne by the client. Similar focus needs to be given to third party service providers, since they have access to client/organization confidential information.

Regulations

The industry's focus on global clients is all the more evident from the fact that its data security and privacy related technological investments are driven by global regulatory requirements. However, with the introduction of the Information Technology (Amendment) Act, 2008 (ITAA 2008), organizations are starting to realize the liabilities arising from it and have also started revising their security policy to incorporate ITAA 2008 requirements. As awareness of ITAA 2008 is low, there is a risk of underestimating the liabilities arising from non-compliance with regulatory obligations.

Internal processes

There are clear indicators that internal processes have been designed to meet best practices. However, the implementation and continuous testing/monitoring varies across the organizations. The findings indicate the level of maturity the industry has achieved when it comes to processes such as threat & vulnerability management, employee screening, security incident management, BCP/DRP and physical security controls.


Data Security and Privacy


Key findings
- Client/contractual requirements and the global data protection regime are the key drivers for data security practices in the BPO industry
- Organizations perceive that key threats for data security are internal in nature
- Respondents are conscious of their brand image and are therefore adopting data privacy initiatives to prevent any data breach incident that may lead to bad publicity in the media
- Organizations focus on data privacy to address the rising concerns of clients' end customers vis-à-vis their personal data in the trans-border data flow
- The majority of organizations do not have a dedicated or separate privacy team; instead, they use the data security team to drive and support privacy initiatives.


Finding its place


The survey reveals that, to address end customers' concern vis-à-vis their personal data in the trans-border data flow, clients are becoming stringent with respect to Data Security & Data Privacy, which is driving organizations' security and privacy initiatives.

Figure: Drivers (Data security) (% respondents). Source: DSCI-KPMG Survey 2010

Drivers for data security


The majority of respondents consider security a hygiene factor rather than a competitive advantage. Seventy percent of organizations perceive that key threats for data security are internal in nature. Though internal and external threats are among the drivers for security, client/contractual requirements, the global data protection regime and associated liabilities remain the primary drivers for data security in the industry. At the same time, ITAA 2008 is also becoming an important driver for data security for organizations.

Clients continue to drive the information security requirements. They have helped corporations mature their information security programs through periodic audit and monitoring.


Figure: Security Team Size (% respondents; categories: Less than 5, 6-10, 11-20, More than 20). Source: DSCI-KPMG Survey 2010

Figure: Security function positioning (% respondents; categories: Central Security Function, For each Vertical, For each Geographical location, For each Line of Service, Each / major client relationship, Coordinator for each relationship). Source: DSCI-KPMG Survey 2010

Security function
Respondents believe that organizations place due importance on the security function internally. This is coupled with the fact that almost 2/3rd of the organizations have a security team of more than five members. Most organizations have a central security function responsible for data security & privacy, enabling them to ensure uniformity of controls across the organization. Security is still a centralized function, as revealed by the survey. However, geographical expansion of operations, rising revenue in the Lines of Service and business growth in client relationships seem to be driving the structure of the security organization towards a localized/decentralized security function.

Maturity of security practices (% respondents)
- Focus on ISO 27001: 82
- Continuous vigilance on evolving issues: 78
- Keeping top management aware of the risks & liabilities: 74
- Constant review of the environment: 70
- Providing architectural treatment to security solutions: 60
- Use enterprise portal to manage security requirements: 58
- Collaborate with external sources & internal functions: 58
- Proactively adopt techniques such as threat modeling, threat tree etc.: 44
- Focus on innovation in the security initiatives: 48
Source: DSCI-KPMG Survey 2010


Maturity of security practices


Organizations are following standardized processes by drawing major strength from well-known standards such as ISO 27001. At the same time, a majority of organizations keep continuous vigilance on evolving security issues & vulnerabilities along with constant review of the environment to assess its security posture. With the current baseline, organizations are adopting forward-looking initiatives such as:
- Providing architectural treatment to security solutions
- Usage of an enterprise portal to manage security
- Adopting techniques such as threat modeling, threat trees, etc.
- Focusing on innovation in security initiatives.

Drivers for data privacy


Data privacy, as with data security, is primarily driven by client/contractual requirements and global regulations. However, there are other factors driving data privacy as well. Organizations are conscious of the fact that even a small data breach incident can impact their brand image to a large extent. This is also reflected by the fact that 73 percent of the organizations consider bad publicity in the media in case of a data breach as a critical driver for their data privacy initiatives. This becomes all the more important when most of the organizations are trying to address the concerns of end customers vis-à-vis their personal data in the trans-border data flow. Clients' concern is highlighted by the fact that 50 percent of the respondents mentioned that their clients demand that they undertake privacy initiatives and explicitly mention data privacy clauses in contracts. Though the prime focus remains on end customers' data, 48 percent of the organizations have started to focus on protecting the privacy of their employees' data.

Drivers (Data privacy) (% respondents)

| Driver | Critical | Important | Less important |
|---|---|---|---|
| Reputational damage | 73 | 24 | 2 |
| End customer concerns over trans-border data flow | 73 | 21 | - |
| Global data protection regulations | 65 | 31 | - |
| Data privacy clauses in client contracts | 56 | 35 | - |
| Clients' privacy program | 50 | 46 | - |
| Protecting privacy of employee data | 48 | 46 | - |
| Data Protection Authorities (Client geographies) | 33 | 33 | 33 |

(- = value not shown in the source chart)
Source: DSCI-KPMG Survey 2010


Privacy function
While primary drivers for data security and data privacy are the same, the controls and capabilities required for ensuring them are quite different. Realizing this, organizations are moving towards deploying dedicated personnel for privacy. This is evident from the fact that 41 percent of the organizations have a dedicated privacy function with a team strength of more than two members.

Figure: Dedicated privacy function (% respondents): Yes 40%, No 60%. Source: DSCI-KPMG Survey 2010

Figure: Privacy team size (% respondents; categories: Less than 2, 2-5, More than 5, Not Applicable; values shown in chart order: 43%, 16%, 11%, 30%). Source: DSCI-KPMG Survey 2010

Maturity of privacy practices (% respondents)
- Understanding exists of different roles and entities for data protection: 64
- Understanding exists about Privacy Principles and their applicability: 62
- Dedicated policy initiative for privacy: 62
- Processes are reviewed regularly from a privacy perspective: 60
- Specific technology, solutions and processes are deployed for privacy: 54
- Scope of audit charter is extended to include privacy: 52
- Privacy Impact Assessment is performed for new initiatives: 40
- Privacy has just appeared on the organization's agenda: 16
- Privacy is seriously lacking as compared to security: (value not shown in the source chart)
Source: DSCI-KPMG Survey 2010

Privacy gets treated as a sub-set of the information security program, which may lead to under-estimation of its legal implications.


Maturity of privacy practices


The survey reveals that more than 60% of the organizations: understand the different roles & entities that exist for data protection, understand Privacy Principles & their applicability, have a dedicated privacy policy initiative, and regularly review their processes from a privacy perspective.

However, not all of these organizations have extended the scope of the audit charter to include privacy, nor do they perform a privacy impact assessment whenever new initiatives are undertaken. Organizations can achieve a much better state of privacy if they take a step towards establishing a privacy function with the required empowerment.


Information security governance


Key findings
- CISOs of the majority of the organizations are spending significant time on strategic initiatives; for example, evaluating and mitigating security implications of new business initiatives.
- Organizations are seeking external assistance largely in security gap assessment and application security testing
- Organizations are maturing to understand and distinguish security-related operational tasks from strategic security tasks
- Many organizations still do not involve business managers in understanding security requirements.


Doing a reality check


The survey results indicate that organizations have come to realize the significance of CISO and his/her role. CISOs have started to get involved in strategic tasks, moving away from operational activities.

CISOs reporting line


The survey reveals that organizations have not come to a consensus on whom the CISO should report to. This is evident from the fact that there is no standardization in the reporting alignment of CISOs. Further, CISOs have multiple reporting lines, resulting in a lack of focus and accountability. The survey also revealed that in 30 percent of organizations CISOs are reporting to the CIO/CTO, highlighting concerns with respect to the independence of the security function.

Figure: CISO reports to (% respondents; categories: Chief Executive Officer (CEO), Chief Operating Officer (COO), Chief Information Officer (CIO), Chief Risk Officer (CRO), Chief Technology Officer (CTO), Head Quality Assurance, Audit Committee, Others; values shown in chart order: 4, 2, 8, 18, 16, 16, 14, 30). Source: DSCI-KPMG Survey 2010

Role of CISO
The survey reveals that CISOs of nearly 65 percent of the organizations are spending a significant amount of their time on activities like:
- Overseeing security policy enforcement
- Participating in business strategy meetings
- Interacting with support functions for enforcing measures
- Planning for remedial measures
- Issuing guidelines to enterprise units
- Overseeing security projects
- Checking for new issues, threats & vulnerabilities
- Convening meetings of security forums.

This clearly indicates that CISOs are spending a significant amount of time on strategic tasks instead of operational tasks. However, standardization in the CISO's role is lacking. This is evident from the survey results: 29 percent of CISOs spend a significant amount of time on reviewing & approving change requests; at the same time, 22 percent of CISOs do not consider it part of their responsibility. Similarly, more than 50 percent of CISOs spend a significant amount of time on reviewing the state of security in service delivery channels & reviewing security reports. However, nearly 15 percent believe they are not responsible for these review tasks.


Organizations need to refine the CISO's role, ensuring minimal involvement in operational tasks such as reviewing reports of security scans.

CISO spends time on (% respondents)

| Activity | Significant amount of time | Non-significant amount of time | Not responsible |
|---|---|---|---|
| Overseeing security policy enforcement | 90 | 6 | 4 |
| Participating in business strategy meetings | 84 | 12 | - |
| Interacting with support functions for enforcing measures | 80 | 12 | - |
| Planning for remedial measures | 71 | 16 | 12 |
| Issuing guidelines to enterprise units | 69 | 24 | - |
| Overseeing security projects | 69 | 20 | 10 |
| Checking for new issues, threats and vulnerabilities | 65 | 31 | - |
| Convening security forum meeting | 65 | 27 | - |
| Preparing reports for higher management's consumption | 63 | 33 | - |
| Reviewing reports of security scan, assessment and audits | 61 | 29 | 10 |
| Reviewing & responding on security alerts, incidents, issues | 57 | 33 | 10 |
| Reviewing state of security in service delivery channels | 57 | 29 | 14 |
| Reviewing security reports | 51 | 33 | 16 |
| Overseeing security training of employees | 45 | 45 | 10 |
| Interacting with IT teams for maintenance of security devices | 37 | 51 | 12 |
| Reviewing and approving change requests | 29 | 49 | 22 |
| Approving official requests of reporting officers | 23 | 52 | 25 |

(- = value not shown in the source chart)
Source: DSCI-KPMG Survey 2010

The role and expectations of the CISO vary across organizations; while many spend time on strategic items, a fair number of operational tasks still take their attention.


Figure: Security gap/baseline assessment (% respondents; by function: Business Manager, Corporate Compliance, CISO, IT Security, IT Infra Team, Audit Team, External Consultant, External Service Provider). Source: DSCI-KPMG Survey 2010

Figure: Keeping track of evolving threats & vulnerabilities (% respondents; by function: Corporate Compliance, CISO, IT Security, IT Infra Team). Source: DSCI-KPMG Survey 2010

Figure: Security requirements of business (% respondents; by function: Business Manager, Corporate Compliance, CISO, IT Security, IT Infra Team). Source: DSCI-KPMG Survey 2010

Figure: Application Security Testing (% respondents; by function: CISO, IT Security, IT Infra Team, Audit Team, External Consultant). Source: DSCI-KPMG Survey 2010

Figure: Security Authorization of Change Requests (% respondents; by function: Business Manager, Corporate Compliance, CISO, IT Security, IT Infra Team). Source: DSCI-KPMG Survey 2010

The per-function figures for these and the other tasks are given in the Security tasks table that follows.

Security tasks
Security of the organization is the prime responsibility of the CISO and his/her team. However, other functions like the IT Infrastructure Team, Business Unit, Corporate Compliance, etc. are also involved in security management tasks. The survey indicated that the various teams are being involved in the right capacity for security management tasks. This indicates that organizations are aware of the stakeholders required to be involved for effective management of security. Trends clearly visible from the survey responses are:
- Operational tasks such as installation of security solutions, administration of security technologies and security testing are performed by the IT security and IT infrastructure teams, allowing the CISO to focus on strategic tasks
- The gaps in security skills are bridged by availing the services of external consultants for tasks such as security gap/baseline assessments, application security testing, code review, etc.

Though the CISO is actively getting involved in business activities such as business strategy planning, understanding business requirements of security, etc., the involvement of business managers in security initiatives needs to be further enhanced.


Security tasks (% respondents)
Function key: BM = Business Manager; CC = Corporate Compliance; IT Sec = IT Security; IT Infra = IT Infra Team; Audit = Audit Team; Ext Cons = External Consultant; Ext SP = External Service Provider; Ext Cons/SP = External Consultant / Service Provider.

| Task | BM | CC | CISO | IT Sec | IT Infra | Audit | Ext Cons | Ext SP | Ext Cons/SP |
|---|---|---|---|---|---|---|---|---|---|
| Security gap/baseline assessment | 15 | 15 | 64 | 38 | 9 | 36 | 15 | 6 | 21 |
| Security strategy plan | 22 | 14 | 80 | 29 | 16 | 2 | 2 | 0 | 2 |
| Security requirements of business | 63 | 19 | 58 | 27 | 19 | 2 | 0 | 0 | 0 |
| Preparing security policies & procedures | 6 | 14 | 82 | 41 | 16 | 2 | 10 | 0 | 10 |
| Implementing policies & procedures | 49 | 20 | 57 | 55 | 47 | 18 | 4 | 4 | 8 |
| Defining & managing security architecture | 8 | 6 | 65 | 55 | 31 | 0 | 4 | 2 | 6 |
| Compliance reporting to clients | 56 | 25 | 52 | 21 | 8 | 10 | 2 | 2 | 4 |
| Advisory vis-a-vis data security architecture | 17 | 28 | 77 | 26 | 9 | 4 | 19 | 2 | 21 |
| Security solutions evaluation and procurement | 4 | 10 | 69 | 69 | 44 | 4 | 6 | 8 | 15 |
| Install security solutions, products and tools | 2 | 2 | 32 | 62 | 68 | 2 | 6 | 8 | 14 |
| Administration of security technologies | 0 | 0 | 12 | 66 | 64 | 2 | 0 | 2 | 2 |
| Security testing - VA and PT | 0 | 2 | 22 | 64 | 36 | 12 | 12 | 12 | 24 |
| Application security testing, code review, etc. | 9 | 2 | 27 | 61 | 20 | 11 | 20 | 0 | 20 |
| Conducting and managing internal audits/assessments | 4 | 22 | 61 | 20 | 4 | 71 | 6 | 2 | 8 |
| Security monitoring | 10 | 10 | 38 | 72 | 30 | 12 | 4 | 4 | 8 |
| Security authorization of change requests | 16 | 8 | 48 | 58 | 18 | 2 | 0 | 2 | 2 |
| Report, investigate and close security incidents | 12 | 18 | 68 | 58 | 24 | 6 | 2 | 2 | 4 |
| Keep track of the evolving threats and vulnerabilities | 0 | 12 | 52 | 68 | 16 | 6 | 6 | 4 | 10 |
| Strategies for protecting against new threats and vulnerabilities | 4 | 16 | 76 | 58 | 16 | 2 | 4 | 0 | 4 |
| Keep track of the evolving regulatory requirements | 20 | 36 | 62 | 26 | 2 | 8 | 8 | 2 | 10 |
| Participate in initial client meetings to understand clients' security requirements | 57 | 17 | 67 | 41 | 24 | 2 | 0 | 0 | 0 |
| Administration & testing of BCP/DR plans | 32 | 18 | 59 | 55 | 52 | 5 | 2 | 2 | 5 |

Source: DSCI-KPMG Survey 2010


Extended boundaries


Key findings
- Meeting multiple regulatory/client requirements and ensuring employee seriousness towards data security & privacy continue to remain key challenges for organizations
- Organizations are continuously focusing on spreading awareness about security, but challenges seem to persist
- Organizations are increasingly focusing on deploying technical and organizational safeguards to mitigate risks arising from the clients' environment
- Organizations have started negotiating contracts to ensure that any liability arising from vulnerabilities in the clients' environment is borne by the client
- Organizations have adopted a Third Party Risk Assessment Framework along with conducting Vendor Risk Management exercises for their service providers.


Overcoming challenges
Meeting multiple client/regulatory requirements, while serving clients across geographies, is a key challenge faced by organizations.

Figure: Challenges faced (% respondents; legend: Key challenge / One of the challenges / Not a challenge). Challenges listed, with the share of respondents rating each a key challenge:
- Meeting multiple client requirements: 45
- Employees in young age group with high attrition rates: 44
- Meeting multiple regulatory requirements: 38
- Client providing liberal access to BPO employees: 35
- Emerging and evolving threats and vulnerabilities: 33
- Employees connecting to client environment through public network: 33
- Lack of employee awareness on liabilities arising from data breaches: 27
- Non-seriousness of employees for security and privacy: 25
- High involvement of employees with client organization: 25
- Understanding global data protection regulations: 22
- Different connectivity models: 20
- Different means used to transfer or access the data: 20
- Inadequate budget allocation for data security & privacy: 20
- Increased volume and complexity of data intensive transactions: 18
- Difficulty to bring visibility over the data: 16
- Managing third party risks: 16
- International spread of operations: 15
- Client prefers business flexibility over security: 15
- Lack of support from Top / Senior Management: 9
Source: DSCI-KPMG Survey 2010

Challenges in managing data security & privacy

Organizations face the challenge of meeting multiple regulatory/client security and privacy requirements. Internal threats are also a major roadblock in ensuring data security and privacy, especially when 73 percent of the organizations believe that there is a lack of seriousness amongst their employees towards data security. Employees in the young age group with high attrition rates pose a significant challenge to the continued sustenance and management of security & privacy. Organizations need to focus on spreading awareness of the liabilities arising from a data breach, as this continues to be a challenge for more than 75 percent of the respondents. The survey also highlights that 70 percent of the organizations face challenges in ensuring data security and privacy in the client's environment. The respondents are concerned about the relatively moderate controls implemented in the client's environment. Managing security becomes even more challenging when employees are highly involved with the client organization or can connect to the client's environment through public networks.


Mitigating client environment risk (% respondents)
Making employees aware of the risks in client environment: 71
Deploying extra technical and organizational safeguards: 60
Negotiating contracts to make client liable for exploitation of client's environment: 54
Include client's environment in risk management process: 50
Do not consider client environment risk as part of our risk management process: 25
Source: DSCI-KPMG Survey 2010

Mitigating client environment risk

There is an increasing realization of the risks associated with access to the client's data systems. Seventy-five percent of the respondents have extended the scope of their risk management processes to include the risks introduced by the client's environment. Organizations are making their employees aware of the risks that arise from the client's environment and are also deploying additional technical and organizational controls to mitigate these risks. Further, organizations have started negotiating contracts to ensure that any liability arising from vulnerabilities in the client's environment is borne by the client.

Mitigating Third Party Risk

Organizations realize that with the increasing use of third party service providers, the risk of a data breach increases, especially when these service providers have access to confidential information. Therefore, most of the organizations sign Non Disclosure Agreements / Confidentiality Agreements with their third party service providers and use the contract as an instrument to make the service providers liable for any security breaches. Beyond that, 48 percent of organizations have controls deployed as per a Third Party Risk Assessment Framework and 52 percent conduct Vendor Risk Management exercises.

Mitigating third party risk (% respondents)
Signing Non Disclosure Agreement: 96
Deploying technical and organizational safeguards: 77
Contract to make the third party liable for any security breaches: 75
Making our employees aware of the risks arising from third party services: 58
Source: DSCI-KPMG Survey 2010

Third party risk management (% respondents)
Controls deployed as per "Third Party Risk Assessment Framework": 48
Conducting Vendor Risk Management exercise: 52
Both: 42
Neither: 42
Source: DSCI-KPMG Survey 2010

Regulations

Key findings
- Organizations continue to consider regulatory requirements as a primary driver for their investments
- Adoption of an enterprise-level automated tool for managing compliance is still in the nascent stage
- There seems to be a lack of clarity amongst organizations regarding their liability under ITAA 2008
- A large percentage of the organizations have not activated the legal function to understand, interpret and suggest necessary precautions to comply with ITAA 2008. This explains the low level of awareness amongst the organizations.


Staying compliant
The survey results reveal that although organizations have started to create awareness on ITAA 2008, the level of awareness still needs to be strengthened.

Steps taken to track contractual / Regulatory requirements (% respondents)
Involve legal department in initial stages of deal negotiation: 86
Maintaining an inventory of contractual / regulatory requirements for each client relationship: 76
Compliance / audit / risk manager for each relationship: 70
Mechanism to track regulatory changes: 66
Managed and shared legal & compliance related information effectively: 66
Ensure understanding, interpretation and applicability of legal terms: 62
Business process owners self-declare compliance to contractual / regulatory requirements: 54
Legal and compliance requirements and liabilities for each type of data element are well known: 50
Subscribed to services that notify of legal and regulatory changes: 46
An enterprise-wide tool helps manage compliance effectively: 30
Source: DSCI-KPMG Survey 2010

Tracking contractual / Regulatory requirements

The survey highlights that more than three-fourths of the organizations involve the legal department in the initial stages of contract negotiation and maintain an inventory of contractual / regulatory requirements for each client relationship. However, only 50 percent of the organizations are well aware of the legal & compliance requirements for each type of data element. Further, only 30 percent of the organizations use an enterprise-level tool to help manage compliance. These could be the reasons why organizations continue to face challenges in managing regulatory/client requirements.

Compliance processes remain largely manual.


Response to liabilities due to data breach (% respondents)
Strengthening monitoring and incident management mechanism: 78
Creating awareness within the organization and third parties: 76
Review the client contracts: 58
Activating legal function: 58
Establish a breach notification mechanism: 47
Developing strong forensic investigation capabilities: 18
Source: DSCI-KPMG Survey 2010

Response to liabilities due to data breach

In the wake of global regulations and ITAA 2008, which specify increased civil as well as criminal liability per data breach, most of the organizations are responding by strengthening their mechanisms for monitoring & incident management, and by creating awareness within the organization and among third parties.

While there is greater awareness of global regulations, the implications of ITAA 2008 remain largely unknown.

[Chart: My Organization can be sued under ITAA 2008 by (% respondents). Two series, Employees and End Customers, plotted against the responses No, Yes, Not Sure and ITAA 2008 is not applicable (y-axis 0 to 60). The values in the extracted text (44, 49, 22, 16, 31, 33) cannot be attributed to individual bars. Source: DSCI-KPMG Survey 2010]

Awareness on ITAA 2008

There seems to be a lack of clarity amongst respondents regarding the applicability of ITAA 2008, as more than 50 percent of respondents answered either "No" or "Not sure" with respect to their liabilities under ITAA 2008.

Creating awareness on ITAA 2008

The low level of awareness around ITAA 2008 can be understood from the fact that almost one-third of the organizations have not started specific initiatives to create awareness of ITAA 2008 amongst their Top Management, whereas two-thirds of them have not yet started creating awareness among their clients, employees and contractors.

Create awareness amongst (% respondents)
Board Members: 30
Top / Senior Management: 70
Employees: 35
Contractors / Third Party employees: 24
Clients: 15
Source: DSCI-KPMG Survey 2010


Steps taken in response to ITAA 2008 (% respondents)
Strengthening monitoring and incident management mechanism: 46
Identify the personal information flow to the organization: 39
Activating legal function: 39
Revising organization's security policy: 33
Contacting external information sources: 33
Extending the scope of security & privacy to cover employees' personal data: 33
Collaborating with competitors / peers: 30
Review the vendor contracts: 24
Identifying and making an inventory of scenarios: 20
Developing strong forensic investigation capabilities: 17
Source: DSCI-KPMG Survey 2010

Response to ITAA 2008

Since most of the organizations have not even involved their legal function to interpret ITAA 2008 and suggest the necessary safeguards to comply with it, they do not realize the impact of a breach. This is highlighted by the fact that 67 percent of organizations have not extended the scope of their security and privacy program to cover employees' personal data.

ITAA 2008 as a driver for technology investments

Organizations' lack of focus on ITAA 2008 could be related to the fact that more than two-thirds of the organizations consider global regulations as the primary driver for their technology investments to enhance information security and regulatory compliance.

ITAA 2008 as a Driver (% respondents)
Global regulations as a primary driver: 72
ITAA 2008 is a significant investment driver: 19
ITAA 2008 has recently acquired a place in the discussion: 26
ITAA 2008 does not have any bearing on investment decisions: 11
Source: DSCI-KPMG Survey 2010

Internal processes

Key findings
- Organizations involve process owners and Lines of Business in their data security initiatives
- Organizations keep a vigilant track of new issues, vulnerabilities and threats. However, most of them do not have a mechanism in place that is capable of swiftly testing the relevance of these issues in their environment
- More than half of the organizations surveyed do not mandate vendors / third parties to report new threats and vulnerabilities in their products / services
- The industry has matured over the years in terms of processes such as security incident management, BCP/DRP and physical security management.


Being prepared
Internal processes of organizations have matured over the years to a point where most of the organizations are keeping track of threats & vulnerabilities and have also established processes for employee background screening, security incident management, BCP/DRP and physical security control.

Data centric approach

Organizations are bringing a data-centric approach to their security initiatives by understanding the type of operations, client requirements and the underlying resources and access patterns. Further, organizations are increasingly aware of how data is managed through its life cycle and have granular-level visibility over the data in each of their client relationships and business processes. The survey also reveals that 78 percent of the organizations involve process owners and Lines of Business in their data security initiatives.

Data centric approach (% respondents)
Involvement of process owners & LoB in the data security initiatives: 78
Understanding about the type of operations, client requirements etc: 76
Aware of how the data is managed in its life cycle: 66
Data classification techniques have been deployed and followed rigorously: 66
Granular level visibility over the data: 64
Organization is aware of issues in the client environment: 50
Uniformity of controls is maintained at both client & organization's environments: 36
Source: DSCI-KPMG Survey 2010


[Chart: Level of perceived risk (% respondents); each line of service is split into High, Medium and Low risk. Lines of service shown: Human Resource Operations; Health Information Processing; Finance and Accounting; Payroll Processing; Legal Processing; Customer Interaction and Support; Billing Management; Business Analytics; Knowledge Services; Supply Chain Management; Procurement Services; Engineering and Design Services; Printing and Publishing Services. The per-category percentages could not be recovered from the extracted text. Source: DSCI-KPMG Survey 2010]

Perceived risk based on lines of service

Global regulations could be the prime reason why organizations perceive business processes involving personal information as high risk. More than two-thirds of the organizations perceive the following business processes as high risk:
- Human resource operations
- Health information processing
- Finance & accounting
- Payroll accounting.

Processes involving personally identifiable information are perceived as high risk.


Keep track of evolving threats & vulnerabilities

Organizations have established appropriate measures to keep track of new threats and vulnerabilities: they subscribe to newsletters, CERT-In alerts and exploit databases, and periodically visit the websites of data security vendors. However, there is a need for a collaborative effort amongst peer organizations, which could benefit the entire industry. Organizations should also consider stronger engagement with vendors/third parties and insist that they report new threats and vulnerabilities in their products / services, so that appropriate controls can be implemented in a timely manner.

Keep track of evolving threats & vulnerabilities (% respondents)
Risk based internal or external audits: 86
Subscribing to newsletters: 76
Through websites of data security vendors: 74
Subscribing to vulnerability, exploits databases, etc: 68
Subscribing to CERT-In alerts: 62
Through peers / competitors: 54
Security research reports of product and professional organizations: 46
Mandating the vendors to report new threats & vulnerabilities in their products: 44
Through discussions on security forums on the internet: 40
Subscribing to Analysts' reports: 32
Provided by the client organizations as part of their Risk Management process: 30
Source: DSCI-KPMG Survey 2010

Threat & vulnerability management (% respondents)
Keep vigilant track of new issues, vulnerability and threats: 84
The version of each critical asset is up-to-date: 76
Integration with IT infrastructure management processes: 72
IT infrastructure is homogeneous: 62
An architectural treatment is given to threat and vulnerability management: 60
Mechanism to test the relevance of issues swiftly, without delays: 56
Scope of the function is extended to mobile computing devices etc: 50
Collaborates with agencies like CERT-In and other knowledge sources: 46
IT infrastructure is heterogeneous: 26
Compatibility of business application & cost hinder making the asset up to date: 24
Source: DSCI-KPMG Survey 2010

While organizations keep a close eye on threats and vulnerabilities, they lag in swift response.


Threat & vulnerability management

The survey reveals that organizations are tracking threats and vulnerabilities. However, most of them do not have a mechanism in place that is capable of swiftly testing the relevance of these issues in their environment. A majority of the organizations ensure that the version of each critical asset is up-to-date to keep the asset free of known vulnerabilities. However, 24 percent of the organizations face compelling reasons, such as compatibility of business applications and cost escalation, that hinder version upgrades. Further, the heterogeneous nature of IT infrastructure poses a challenge to around 26 percent of respondents in managing threats and vulnerabilities.

Solutions adopted for data protection

Organizations have adopted solutions related to encryption and have started to develop fraud management and forensic capabilities internally. In the wake of data protection regulations, more than 50 percent of the organizations have deployed or are planning to deploy the following solutions:
- Hard Disk Encryption
- Email Encryption
- Data Loss Prevention (DLP)
- Security Incident and Event Monitoring (SIEM)
- Mobile Data Protection
- Legal and Compliance Management.

Solutions deployed or planning to deploy (% respondents)
Hard Disk Encryption: 78
Email Encryption: 72
Data Loss Prevention (DLP): 66
Security Incident and Event Monitoring (SIEM): 62
Mobile Data Protection: 52
Legal and Compliance Management: 52
Database Activity Monitoring: 46
Data Masking: 44
Fraud Management: 42
Compliance Notification Services: 36
Threat Management for mobile computing devices: 34
Computer Forensic: 28
Do not have sufficient budget: 6
Source: DSCI-KPMG Survey 2010


Background screening
Employee background screening is one of the key controls in terms of security, especially when employees have access to critical / confidential information of clients. Background screening is also important because a majority of the organizations see internal threats as one of the key drivers for data security. Background screening is one of the basic controls for ensuring security; this is evident from the fact that 72 percent of the organizations follow this process for all their employees. Realizing that background screening is not their core competency, 80 percent of the organizations have outsourced it to third party vendors. Realizing the importance of background screening, NASSCOM started an initiative called the National Skills Register (NSR) to have a credible information repository about all personnel working in the IT and BPO industry. Most of the participants are aware of NSR and its value. However, the adoption of NSR as an exclusive source for employee background screening has been limited.

Background screening is conducted for (% respondents)
All employees: 72
Selected relationships / Selected Lines of Service: 14 and 10 (the extracted text does not attribute these two values to their slices)
Source: DSCI-KPMG Survey 2010

Background screening is conducted by (% respondents)
Internally: 18
By Third party: 80
Both: 12
Source: DSCI-KPMG Survey 2010


Security incident management (% respondents)
Mechanism exists for internal employees and customers to report incidents: 84
Logs are securely managed and archived in accordance with compliance requirements: 78
Incident management supports data breach notification requirements (regulatory) of clients: 71
There is a formal reporting mechanism to report incidents to the management, client and regulatory authorities: 69
There is a mechanism to define detective and investigative requirements: 67
Incident management mechanism is integrated with organization IT processes for remedial actions: 67
Scope of security monitoring is extended to all the critical log sources: 63
Real time monitoring mechanisms exist that can proactively detect anomalies: 59
Business rules are defined to identify incidents: 57
There is an inventory of all the possible scenarios that can lead to an incident: 55
Effective solution is implemented for log management, security monitoring and incident management mechanism: 53
Incident management mechanism takes inputs from external knowledge sources on vulnerabilities, anomalous patterns and threats: 47
There is a mechanism that generates an incident based on patterns and business rules: 41
Incident management mechanism supports forensic capabilities: 37
Collaborate with CERT-In for incident reporting and response: 33
Scope of the incident management is extended to third parties: 29
Source: DSCI-KPMG Survey 2010

Security Incident Management

Most organizations state that they have formal security incident management in place. Most of the respondents have established mechanisms for internal employees and customers to report incidents, define detective & investigative requirements and proactively detect anomalies. The survey reveals that in 71 percent of the organizations, incident management supports the data breach notification requirements of clients. Further, the incident management process is integrated with IT processes for remedial actions, and almost two-thirds of the organizations have extended the scope of security monitoring to all critical log sources. Organizations have formal processes for reporting security incidents, but only 29 percent of them extend the scope of incident management to third parties.


Business Continuity / Disaster Recovery Planning

The survey revealed that respondents have a mature BC/DR planning process in place, wherein the scope of BCP/DRP covers strategies for client business processes and recovery objectives are defined for each client relationship. The scope of BCP/DRP for most organizations also covers scenarios like city outage and externally provisioned systems, applications and networks. Organizations also realize that knowledge around BCP/DRP is important; therefore emphasis is given to providing cross-functional training, and BC/DR drills are conducted frequently. Though a significant level of automation exists for DR operations, organizations are yet to adopt automation tools for the entire BCP/DRP. This is evident from the fact that more than 40 percent of the organizations follow manual processes and do not have operational metrics to help take routing decisions. The survey further revealed that though the BCP/DRP processes of many organizations are mature, only 50 percent of organizations have realized that third parties should also be mandated to meet BCP/DRP requirements.

BC/DR plans cover most elements of organizations internal boundaries, but few include aspects relating to third parties.

The scope of BCP/DRP (% respondents)
Covers the strategies for client business processes: 78
Extended to cover scenarios like city outage: 76
Recovery objectives for each client relationship: 74
Covers the externally provisioned systems, applications and networks: 66
Source: DSCI-KPMG Survey 2010

For BCP/DRP (% respondents)
Adequate technical measures are deployed to migrate or route business processes from one operational location to another: 73
Drill is conducted frequently: 73
The knowledge is managed effectively: 70
Emphasis given on providing cross functional training to employees: 66
Architectural treatment given to availability preparedness that drives redundancy of infrastructure components: 64
Contracts with third parties include obligation to meet our BCP / DR requirements: 50
Source: DSCI-KPMG Survey 2010

For BCP/DRP there exists (% respondents)
Mapping of each business operation with associated infrastructure component: 80
Significant level of automation for DR operations: 58
Operational metrics to help take routing decisions: 56
Automated tool to perform BCP/DR process: 28
Source: DSCI-KPMG Survey 2010


Physical security (% respondents)
Adequate controls exist for perimeter, entry points and interior areas: 98
There exists a mechanism for identification and authorization of employees: 98
Entry to the delivery centers is restricted to authorized persons only: 96
A process exists for the movement of assets into the operating areas: 88
Physical security function is owned by the Admin department: 88
A process exists for provisioning and de-provisioning access of visitors, partners, and support services: 86
Physical security operation is driven by stringent and consistent processes: 84
Significant level of collaboration exists between physical security, information security and other functions of the organization: 82
Segregation of duties is maintained in shared facilities: 78
The scope of security testing is extended to cover physical security controls: 76
The scope of the security monitoring and incident management mechanism is extended to integrate the physical security components: 72
An architectural treatment is given to the physical security countermeasures: 70
Physical security is integrated with IT security through competent solutions: 48
There is centralized monitoring of physical security across various locations by a Physical Security Operations Center (PSOC): 48
Physical security function is owned by the IT department: (value not present in the extracted text)
Source: DSCI-KPMG Survey 2010

Physical Security
The respondents realize that the risk of data leakage increases once a person has physical access to the operational facility. Therefore, organizations have established strong physical security controls for perimeter, entry points and interior areas, along with mechanisms for identification & authorization of employees. Organizations also ensure a significant level of collaboration between physical security, information security and other functions. However, in most of the organizations physical security is not integrated with IT Security.

In the times of digital convergence, physical security and digital security controls remain disintegrated.


Way forward

Over time, the Indian BPO Industry has withstood significant customer and regulatory scrutiny, and has been able to demonstrate that it is able to embrace the data security and privacy governance processes that are required as a minimum baseline for providing outsourcing services in a high-trust mode. While customers have largely driven consciousness of risks and requisite controls, most organizations in the industry have developed frameworks that aid them in first-line defense, detection, and reacting in an appropriate manner to events that threaten this high-trust environment. The industry also continually expands its horizons to newer markets, and has gained a reputation for understanding its exposure to legislation and regulation in varying markets. C-level executives of the BPO industry are well conversant with their responsibilities and liabilities from a data security and privacy standpoint, and the implications of risks emanating from these topics regularly underpin the strategic priorities and decision-making processes of such executives.

One of the themes emerging from the survey is that while the BPO industry has attained a high level of maturity on data security, business continuity preparedness, background screening of employees, etc., there are many emerging issues that require its attention. These issues are largely attributable to the rapidly evolving security and regulatory landscape.

Global regulations require organizations to protect the privacy of end customers. The interpretation of these regulations is becoming a significant challenge, requiring a dedicated effort. This will lead to the emergence of a privacy function in a BPO, moving away from the current practice of positioning privacy within the ambit of security. The privacy function will have to bring the necessary regulatory intelligence that supports the geographical expansion of organizations. On the other hand, it will have to re-engineer organizations' processes to demonstrate compliance with the regulations.

The ever-changing threat landscape is driving organizations to redefine their security strategies and programs. The rising complexity and heterogeneous nature of the underlying infrastructure pose a significant challenge in doing so. They need to build the right capabilities for maintaining their security posture and responding swiftly to new threats.

Over the years, BPOs have witnessed substantial growth and have penetrated into new Lines of Service. In doing so, they are challenged with the protection of sensitive client data. A particular Line of Service is characterized by a specific set of security concerns and liabilities. To sustain its growth, the BPO industry should pay close attention to understanding the risks and liabilities associated with the Lines of Service it is serving. To overcome the challenges identified by the survey, it is important for organizations to adopt a data-centric approach to managing security & privacy risks and to review all processes, functions and client relations from the data perspective.

BPO as an industry is facing unique challenges and there is a strong case for collaboration between organizations. The industry treats security as hygiene rather than a competitive advantage. The entire industry can learn from its experiences, and provide a consistent and unified message of a high-trust environment at the industry level.


Acknowledgments

DSCI Core Team
Vinayak Godse, Director Data Protection
Vikram Asnani, Senior Consultant Security Practices
Rahul Jain, Senior Consultant Security Practices

KPMG Core Team
Navin Agrawal, Executive Director
Nitin Khanapurkar, Executive Director
Atul Gupta, Director
Vijay Subramanyam, Director
Vidur Gupta, Associate Director
Deepak Agarwal, Consultant

KPMG Survey Team
Abhijit Varma, Ankit Goel, Arihant Garg, Jignesh Oza, Lekha Ragupathi, Nayab Kohli, Nitin Shah, Rahul Gupta, Rahul Singhal, Sundar Ramaswamy, Syamala Raju Peketi

DSCI Project Advisory Group
N. Balakrishnan, Chairman, DSCI and Associate Director, IISc Bangalore
BJ Srinath, Senior Director, Cert-In
Anjali Kaushik, MDI Gurgaon
Akhilesh Tuteja, Executive Director, KPMG
Kartik Shahani, Country Manager, India and SAARC, RSA
Satish Das, CSO, Cognizant
Baljinder Singh, Global Head of Technology, InfoSec & BCM, EXL Service
Vishal Salvi, CISO, HDFC Bank
Ashwani Tikoo, CIO, CSC
PVS Murthy, Global Head Information Risk Management Advisory, TCS
Deepak Rout, CISO, Uninor
Seema Bangera, DGM Information Security, Intelenet Global

KPMG Contact
Atul Gupta, Director, IT Advisory Services, KPMG in India
T: +91 124 307 4134
E: atulgupta@kpmg.com

DSCI Contact
Vinayak Godse, Director - Data Protection, DSCI
T: +91 11 2615 5071
E: vinayak.godse@dsci.in

www.kpmg.com/in

www.dsci.in

2010 KPMG, an Indian Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (KPMG International), a Swiss entity. All rights reserved. The KPMG name, logo and cutting through complexity are registered trademarks or trademarks of KPMG International Cooperative (KPMG International), a Swiss entity. Copyright 2010 DSCI. All rights reserved. Printed in India.
