Although India ranks among the top destinations for IT consultation and outsourcing, data security and privacy remain a major concern. Maintaining the security of confidential data has been a constant struggle for ITeS and BPO companies.
Cognizant, which serves sensitive verticals like healthcare, BFSI, technology and energy, has a clear mandate to protect client as well as corporate data from theft or leakage. Moreover, the company felt a strong need for a data protection system that would protect its intellectual property and also adhere to international regulatory standards and customer policies. Having understood emerging threats and adopted security tools and processes, it has put in place a dedicated security group responsible for defining information security policies, evaluating security products and auditing systems for compliance. Cognizant already has a number of sophisticated security tools like antivirus, spam management, intrusion detection systems, identity management systems and internet filtering software.
"DLP was developed as part of our enterprise risk management (ERM) program. We wanted a holistic view of the key risks faced by us, and the optimum strategy to manage them," says Satish Das, the chief security officer and assistant vice president for ERM of Cognizant.
Cognizant first created a separate information leakage monitoring policy to bring more clarity to the operational side of DLP. Identification and classification of confidential data is the foremost step in DLP implementation. Because Cognizant runs a heterogeneous environment to service customers across sectors and verticals, data classification was a difficult task. But since Cognizant was already compliant with BS7799/ISO27001, this ensured that all information assets are labeled, and all data is handled as per labeling and standards.
Das' team began scouting and evaluating DLP tools from well-known vendors. "They were technically comparable. But our requirement was a solution that would seamlessly integrate with our existing URL filtering solution. This would help us define customized policies related to the existing URL filters," says Das. Policy management, accuracy in content monitoring, administration and reporting, comprehensive protocol support, forensic capabilities, and product support were some of the other selection criteria. The company opted for Websense's DLP solution, as it has been using a URL filter solution from the same vendor for the last three years. The data discovery module of this solution simplified scanning project segments over the network for critical or sensitive documents, which was earlier a time-consuming and error-prone activity.
Cognizant has finished the initial phase of its DLP implementation across all locations. The information leakage policy has been rolled out for critical accounts and internal projects. The DLP solution addresses three kinds of data -- at rest, in motion and in use. Cognizant has currently deployed Web and email modules of the solution, which will help the company monitor and block usage of any confidential data over Web and email.
As part of its data loss protection strategy, Cognizant has also implemented Microsoft's Document Right Management System (DRMS) solution. "We are at present working with Websense to integrate the DLP solution with the Microsoft DRMS platform," says Das.
User acceptance, data classification and rule streamlining over the company's wide footprint were some of the major challenges of the DLP implementation. However, according to Das, an extremely supportive management made it easier for the information security group to carry out this activity.
The DLP implementation has significantly improved awareness about data security and privacy among Cognizant's associates. "Till date, we were only educating the associates based on statistical figures and third-party exposures. Now, thanks to DLP, we are able to showcase the incidents directly affecting the associate," says Das. Employees now realize the potential of information leakage and its repercussions as well. On the business front, the company has been able to significantly increase customers' confidence in its information protection efforts. "This has helped our business teams in the bidding processes as well," says Das.
In the next phase, Cognizant wants to deploy fingerprinting of critical documents. Fingerprinting mainly keeps an image copy of important documents and monitors their movement on the network. After this, the company plans to roll out the end-point DLP agents on project-specific laptops.