The first day of OWASP AppSec Asia Conference 2009 ended with a panel discussion on security concerns in offshoring. The panel consisted of eminent security professionals from varied backgrounds: Vakul Sharma, a lawyer from the Supreme Court of India; Kamlesh Bajaj, the CEO of the Data Security Council of India (DSCI); Terry Thomas, partner, Ernst & Young; Raghavendra Vaidya, the CIO of GE Capital; Pankaj Agrawal, the CISO of Aircel Ltd; and Sunil Gujral, the executive vice president and CTO of Quatrro BPO.
The panel was moderated by Howard Schmidt, former special advisor of cyberspace security for the White House. This discussion started off with opinions on the top offshoring security challenges faced by members. According to Sharma, India still lacks surveillance capability,
According to Thomas, the inability of service providers to take information security to a strategic level is the major offshoring infosec issue. In most cases, security is treated as an operational or tactical measure. Agrawal says that employees of service providers frequently change jobs, thus creating scenarios where it becomes very difficult to secure critical business data.
On being asked about their best achievements in improving information security in offshoring, Sharma and Bajaj mentioned that the IT Amendment Act and the DSCI framework (soon to be launched) are steps that will go a long way in proving the seriousness of India's data protection regime. Bajaj explained that filing compliance checklists does not by itself provide enough security, so DSCI will also come up with an implementation methodology. "However, we are facing a major challenge when it comes to determining the extent of how prescriptive best practices can be," said Bajaj.
Service providers (as well as outsourcers) gave examples of their successful information security initiatives. Gujral explained that compliance work is often boring for employees, so Quatrro's team created skits on compliance and information security to explain how the BPO is required to follow regulations. According to Thomas, audit and compliance requirements cover up to 90% of the common security requirements, and he suggested building a strong audit plan that covers these common factors.
Vaidya pointed out the concerns of letting service providers access organizational networks and of dealing with multiple service providers with differing security levels. To address this, GE India came up with a partner certification program under which partners are required to follow the same security standards. On this front, Agrawal detailed how Aircel's identity and access management initiative has helped it solve identity provisioning and deprovisioning issues.
The panel also struggled to determine whether compliance drives security or security drives compliance. Bajaj explained that Indian companies need to work out the cost of security breaches to the company, which will help them understand why compliance is essential. Gujral recommended that a company start with basic hygiene; later, depending on the nature of its business, the organization can decide to become compliant with the relevant regulations.