
DSCI framework to strengthen data protection regime in India

By Dhwani Pandya, Principal Correspondent
04 Nov 2009 | SearchSecurity.in


The Data Security Council of India (DSCI), which was set up by Nasscom in August 2008, has recently announced its best practices framework for data security and privacy in Indian enterprises. DSCI is a self-regulatory and not-for-profit organization, with a sole mission to promote India as a secure destination for outsourcing. DSCI wants to promote these best practices among IT business process outsourcing (BPO), service providers, banking and financial services, manufacturing, e-governance, telecom, public sector units (PSU) and e-commerce verticals.

Many Indian IT BPO and knowledge process outsourcing (KPO) organizations serve clients in locations such as the U.S., U.K. and Australia. Hence these organizations are subject to these countries' data security and privacy protection regulations. According to DSCI, IT BPO players face major challenges when it comes to meeting multiple regulatory requirements and establishing the corresponding security controls. "After deep analysis of these compliance requirements and other emerging security risks, we decided to develop a comprehensive best practices framework," says Kamlesh Bajaj, the CEO of DSCI. The IT (Amendment) Act, 2008 also now necessitates that Indian enterprises implement reasonable security practices to protect personal data.

The DSCI framework

DSCI has developed separate frameworks for data security and privacy. The security framework comprises 16 best practices, which are basically an extension of the ISO 27001 standard. Although several large Indian companies have already adopted the ISO 27001 standard, Bajaj feels that these organizations need more when it comes to data security and privacy. "The security threat landscape has changed over the past few years, which calls for special attention. For example, ISO 27001 covers only a few aspects of application security. However, application security threats have become very sophisticated, and organizations need to evolve their security practices. DSCI's security framework tries to address such new threat areas with detailed understanding," says Bajaj. The security framework consists of best practices in various areas like application security, business continuity, disaster recovery, threat management, infrastructure security, risk, compliance and access management. The DSCI framework tries to guide organizations on how to create application security strategies, architecture, intelligence mechanisms, integration of application security in the overall application life cycle management, testing of applications and vulnerability assessment.

The DSCI privacy framework is specially aimed at data protection practices for companies engaged in outsourcing. DSCI has developed nine best practice areas for protection of personal data, which include creating visibility over personal information, privacy policies, regulatory compliance intelligence, privacy contract management, and information usage.

Regulatory compliance intelligence practices can help organizations to build internal compliance mechanisms. "This will help organizations to understand compliance requirements and laws of different geographies. It will also create a mechanism which keeps track of data privacy regulation changes," says Bajaj. Data privacy related procedures should also be able to address questions as to the choice of jurisdiction and laws that govern specific issues, according to the DSCI privacy framework.

DSCI has already conducted seminars in various Indian cities such as Mumbai, Delhi, Calcutta, Chennai and Bangalore to create awareness about the framework. "We have also carried out Web seminars for four large service providers, and their responses have been very positive," claims Bajaj. At the moment, DSCI is conducting pilot tests with Indian organizations and plans to have publicly available case studies by December 2009. Since the framework only covers best practices, DSCI plans to develop an implementation methodology that provides information on the technical and operational aspects of security best practices.

As far as the DSCI framework's enforcement and certification are concerned, DSCI is yet to come up with a definite methodology. "We will scale up our operation in the first quarter of 2010. Leveraging various mediums like IT consulting firms and vendors is possible once we reach a particular level. We are also setting up an advisory group which will freeze on ideas for certification and rating of service providers," explains Bajaj. DSCI is yet to decide charges for the certification.

More details on the DSCI framework are available on the DSCI website.
