Data security remains a top priority for Indian BPO companies in their current operating scenario, which is where ISO 27001 certification helps companies tide over this concern smoothly (while keeping customers satisfied). e-care India, a healthcare outsourcing services company based out of Chennai, often used to hear customer concerns related to data security. The company specializes in medical billing.
In the course of its business, e-care India clearly sensed that security and safe handling of data being sent offshore for processing are major concerns in the US, the market from where it gets most of its customers. The need to protect customers' private and confidential information led e-care India to consider ISO 27001 certification. "The client agreements clearly demand privacy and secrecy of the information. Protection of client data is our primary concern. We realized that ISO 27001 certification can address this concern, and provide greater confidence to our US clients, thus enhancing our business prospects in that market," says M S Rajagopal, the vice president of operations and head of ISMG at e-care India.
e-care India's management itself drove the decision to adopt ISO 27001, and the project kick-started in mid-2008. The company decided to hire Guardian Independent Certification (India) as its consulting partner. The consultancy firm had earlier helped e-care India to achieve ISO 9001 certification; therefore, it was easier to choose them as partners for ISO 27001 certification.
Guardian Independent Certification recommended conducting a GAP analysis for e-care India. During this process, e-care India identified every asset, the threats to it and its vulnerabilities, estimated the likelihood of a security incident, and finally rated the risk for each asset as high, medium or low.
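The following is an added example of the kind of risk register such a GAP analysis produces; it is illustrative code written for this article, not e-care India's or Guardian Independent Certification's own method. The article mentions assets, threats, vulnerabilities, likelihood and a high/medium/low rating per asset; the impact column, the 3x3 likelihood-by-impact scoring grid and the sample entries are assumptions added so that the rating is reproducible.

```python
"""Minimal ISO 27001-style risk register (added example, not from the article).

Each row records an asset, a threat, the vulnerability that lets the threat
bite, and the estimated likelihood and impact (both low/medium/high).
Risk = likelihood x impact on a 1-3 scale; products of 6 or 9 are rated
"high", 3 or 4 "medium", 1 or 2 "low". An asset's overall rating is the
worst rating among its rows, and anything above "low" goes on the treatment
list. The grid and thresholds are an assumption for illustration.
"""
from dataclasses import dataclass

LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class RiskItem:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str  # "low", "medium" or "high"
    impact: str      # "low", "medium" or "high" (assumed column)


def score(item: RiskItem) -> int:
    """Numeric risk score: likelihood (1-3) times impact (1-3)."""
    return LEVELS[item.likelihood] * LEVELS[item.impact]


def rating(item: RiskItem) -> str:
    """Map the numeric score onto the high/medium/low scale used in the article."""
    s = score(item)
    if s >= 6:
        return "high"
    if s >= 3:
        return "medium"
    return "low"


def assess(register: list[RiskItem]) -> dict[str, str]:
    """Overall rating per asset: the highest rating among that asset's rows."""
    result: dict[str, str] = {}
    for item in register:
        current = result.get(item.asset, "low")
        if LEVELS[rating(item)] > LEVELS[current]:
            result[item.asset] = rating(item)
        else:
            result.setdefault(item.asset, current)
    return result


def treatment_needed(register: list[RiskItem]) -> list[RiskItem]:
    """Rows rated medium or high, i.e. risks that need a control rather than acceptance."""
    return [item for item in register if rating(item) != "low"]


# Constructed sample register, loosely following the gaps the article describes
# (missing firewall logs, unreliable power); values are made up for illustration.
SAMPLE_REGISTER = [
    RiskItem("Patient billing records", "Unauthorised disclosure",
             "No periodic access review on shared folders", "medium", "high"),
    RiskItem("Perimeter firewall", "Undetected intrusion",
             "Firewall produces no logs to monitor", "medium", "high"),
    RiskItem("Office power supply", "Outage halting processing",
             "No generator backup", "high", "medium"),
    RiskItem("Training workstation", "Malware infection",
             "Unpatched browser", "low", "medium"),
    RiskItem("Patient billing records", "Accidental deletion",
             "Only working copies held; originals stay with client", "low", "low"),
]


if __name__ == "__main__":
    for asset, level in assess(SAMPLE_REGISTER).items():
        print(f"{asset:28s} {level}")
    print("\nRisks requiring treatment:")
    for item in treatment_needed(SAMPLE_REGISTER):
        print(f"  [{rating(item)}] {item.asset}: {item.threat} via {item.vulnerability}")
```

Running the script prints one line per asset with its overall rating, followed by the rows that need a control; in a real assessment the treatment list is what drives the controls an auditor later checks for documentation.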
Process changes
Prior to achieving ISO 27001 certification, e-care India had become a Health Insurance Portability and Accountability Act (HIPAA) certified company. Therefore, the company's earlier investments in security controls and strict procedures came in handy during ISO 27001 certification. "We were already addressing most of the identified risks. However, we needed to document them for ISO 27001 certification," explains Rajagopal. After the GAP analysis, the company was asked to implement new firewalls, as the existing firewalls did not produce logs (which must be monitored under ISO 27001 certification rules). e-care India also used to face frequent power problems due to the location of its office. To combat this, generators were recommended for power backup in order to ensure 24/7 business continuity and availability.
As far as process changes are concerned, e-care India did not have a proper vulnerability assessment regime. Since this is among the critical ISO 27001 certification requirements, the consultant firm suggested that the company put regular vulnerability assessment practices in place. Besides, the company did not handle any original data; it always used copies of data for processing, which were destroyed after use.
It took e-care India around a year to get the ISO 27001 certification. The audit process was implemented in two phases; the first audit was conducted within five months of the GAP analysis, while the second phase was implemented at the end of the year. Each time the company conducted an audit, it found certain lacunae, a majority of which were in the area of documentation. Rajagopal now stresses that documentation is one of the most critical requirements of the ISO 27001 certification process. "ISO 27001 certification has actually become a good marketing tool for us to prove our mettle in the area of information security," he says. The company has been successful in improving customer satisfaction levels after achieving the certification.
As ISO 27001 certification stresses continuous improvement and maintenance of security systems, the company has set up a separate ISO team, which has representation from the top management as well as every department. This team is responsible for performing weekly audits of security controls and compliance procedures to ensure constant feedback.
Rajagopal feels that a company looking to achieve ISO 27001 certification should consider people awareness a very crucial aspect of the whole process. In fact, this aspect scores even higher than infrastructure. "There should be continuous awareness training on what data security is all about and the implications of data security violation. The measures put in place for ISO 27001 certification become effective only when these are achieved," he signs off.