Leading Indian ITES player Tata Consultancy Services (TCS) BPO has announced its pilot implementation of Data security Council of India (DSCI)'s Data Security Framework (DSF).
TCS BPO serves 150 customers across 40 countries and
conducts more than 1.5 billion transactions per year. The company
handles extremely sensitive information including IPR, financial, personal and health
information. As a result, it also needs to comply with regulations of different countries
(resulting in further complexity to its security matrix). Although TCS BPO is an adopter of ISO
27001 and has fairly robust information security practices, it was open to improvise their
practices by evaluating the best practices that were newly designed by DSCI. Pranav Dasnurkar, the
head of information security for TCS BPO informed, “We were open to have a bottom-up approach that
can unearth risks hidden in processes.”
TCS is a member of the executive council of DSCI and considering the scale of its operations offered to be a pilot for DSF and DPF framework. DSCI launched the DSF and DPF frameworks in 2009. Around March 2010 TCS BPO chose to experiment with a pilot project of DSCI's data security framework on certain F&A, HR and pharmaceutical processes (which handles financial personal and health information respectively). In association with DSCI, TCS BPO has developed an Excel-based tool which captures these data-centric elements. TCS BPO plans to build more intelligence into the tool as it progresses. The pilot also brought clarity on the portfolios like the data controller and data processor.
According to Dasnurkar, this pilot implementation has brought revelations for TCS BPO in terms of hidden risks. Risks identified by the Excel tool can be classified into two—risks pertaining to the client and those affecting TCS BPO. This helps TCS BPO to get a distinct demarcation of liabilities for security risks. Besides these, now TCS BPO has gained the confidence to renegotiate security service level agreements with its clients. It will continue with DSCI’s DSF pilot, with plans to feed the output of DSF into its existing risk management framework. Depending on the success of data security framework, TCS BPO will also look at adoption of DSCI's data privacy framework.