Indian BPO and the ongoing struggle with data security issues

By Dhwani Pandya, Principal Correspondent
12 Nov 2009 | SearchSecurity.in


Recently, a British TV channel's sting operation revealed that confidential medical records sent to India for computerization were being offered for sale. The files procured under this sting operation were of patients of London Clinic, one of Britain's top private hospitals. Apparently, the data was being sold from an Indian transcription center based out of Pune. This and many such earlier incidents have raised serious concerns about the data security practices of Indian business process outsourcing (BPO) companies.

"Organizations need to inculcate an 'information security culture' amongst employees — more so in smaller companies. In the medical transcription segment, there are a number of very small companies where the security implementation can be termed unsatisfactory," says Na Vijayashankar (Naavi), an independent cyber law consultant based out of Bangalore. To this end, the Data Security Council of India (DSCI), set up by Nasscom with the sole mission of promoting India as a secure outsourcing destination, has begun enquiries into the Pune-based BPO in question and is expected to take action. Although he calls the incident unfortunate, Dr. Kamlesh Bajaj, the CEO of DSCI, feels that such issues are often blown out of proportion by international media. "It's essential to dispel the notion that India does not have a proper data protection regime. The new IT (Amendment) Act 2008 provides adequate protection against data security and privacy," claims Bajaj.

While a couple of such incidents do not reflect the industry in general, it is important that the Indian BPO industry wakes up to them. The first thing to consider is how seriously IT BPOs take the privacy and security of the data they control. "Many units are only cost and functionality conscious — in their scheme of things, security is not a priority. Many of these small units work as outsourced agents of other BPOs, and are not directly exposed to the foreign vendor. Hence they try to cut costs at the expense of security," says Naavi. Larger BPO units are comparatively more proactive in thwarting security incidents.

Most BPOs with clients from the U.K. and the U.S. are required to follow the highest security standards, such as ISO 27001. These BPOs also need to comply with regulations like the Health Insurance Portability and Accountability Act (HIPAA) (for medical and health-related data) and the Sarbanes-Oxley Act (for financial data). Despite this, security shortfalls seem rampant in the country. "While many of the companies do conduct ISO 27001 audits, there could be inadequate follow-ups, resulting in dilution of security after the audit," says Naavi. Besides, the typical small and medium-sized business (SMB) does not conduct ISO 27001 or other such audits. "Some of the small medical transcription companies are not even aware of HIPAA compliance."

In some cases, Indian organizations lack a strong data protection policy to prevent such incidents. "The matter becomes serious when pilferage is committed by employees dealing in confidential data," says Rajendra Sawant, the chief information officer of Adventity Global Services Pvt Ltd.

Addressing the data security challenge

As data security is a complex and serious concern, it must be addressed at all three levels, i.e. process (policy), people, and technology. The CISO of a leading BPO organization says on condition of anonymity that it's possible only if BPOs thoroughly understand their information assets. Every BPO should identify all possible channels through which data can go out. BPOs must also have effective and regular monitoring, control and audit practices in place.

Real-time monitoring and analysis of security logs, as well as restricting Internet and email access to a few approved users, is necessary, suggests Sawant. To achieve this, Adventity uses a Chinese Wall security policy approach for some of its customers. "The basis of our Chinese wall policy is that people are allowed access to information which does not conflict with any other information that they already possess. This is the basic model used to provide both privacy and integrity for data," Sawant explains.
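The rule Sawant describes is the Chinese Wall policy formalised by Brewer and Nash: objects are grouped into company datasets, datasets into conflict-of-interest classes, and a user's first read inside a class fixes which dataset in that class they may touch thereafter. The check below is an added illustration written for this article, not Adventity's code or policy; the clinic, bank and user names, the audit-log format and the `Subject`/`DataObject` classes are all constructed for the example. It also carries the model's write rule, which stops a user who can read one client's data from writing into another client's objects.

```python
"""Chinese Wall (Brewer-Nash) access decisions with an audit trail.

Constructed example for illustration; the datasets, users and
objects below are invented, not drawn from any real BPO.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class DataObject:
    name: str
    dataset: str              # owning client, e.g. "ClinicA"
    coi_class: Optional[str]  # conflict-of-interest class; None = sanitized/public


@dataclass
class Subject:
    user: str
    # coi_class -> the one dataset in that class this user has already read
    history: Dict[str, str] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def can_read(self, obj: DataObject) -> bool:
        """Simple security rule: sanitized data is always readable; within a
        conflict class, only the dataset chosen by the first read is allowed."""
        if obj.coi_class is None:
            return True
        prior = self.history.get(obj.coi_class)
        return prior is None or prior == obj.dataset

    def can_write(self, obj: DataObject) -> bool:
        """*-property: a write is allowed only if the user can read the target
        and every unsanitized dataset they can read belongs to that same
        client, so nothing read from client A can flow into client B's data."""
        if not self.can_read(obj):
            return False
        return all(ds == obj.dataset for ds in self.history.values())

    def request(self, action: str, obj: DataObject) -> bool:
        """Decide, record the decision, and update history on a permitted read."""
        if action == "read":
            allowed = self.can_read(obj)
            if allowed and obj.coi_class is not None:
                self.history[obj.coi_class] = obj.dataset
        elif action == "write":
            allowed = self.can_write(obj)
        else:
            raise ValueError(f"unknown action {action!r}")
        verdict = "ALLOW" if allowed else "DENY"
        self.log.append(f"{self.user} {action} {obj.name} -> {verdict}")
        return allowed


# Constructed objects: two competing hospitals share one conflict class,
# a bank sits in another, and guidance material is sanitized.
CLINIC_A_1 = DataObject("clinicA/patient-001", "ClinicA", "uk_hospitals")
CLINIC_A_2 = DataObject("clinicA/patient-002", "ClinicA", "uk_hospitals")
CLINIC_B_1 = DataObject("clinicB/patient-007", "ClinicB", "uk_hospitals")
BANK_X = DataObject("bankX/ledger", "BankX", "banks")
PUBLIC_GUIDE = DataObject("public/hipaa-guidance", "public", None)


def demo() -> List[bool]:
    """Walk one transcriber through a sequence of requests and return the verdicts."""
    s = Subject("transcriber-17")
    return [
        s.request("read", PUBLIC_GUIDE),  # sanitized: allowed
        s.request("read", CLINIC_A_1),    # first read in class: allowed, wall goes up
        s.request("read", CLINIC_B_1),    # competitor in same class: denied
        s.request("read", CLINIC_A_2),    # same dataset as before: allowed
        s.request("write", CLINIC_A_2),   # only ClinicA readable: write allowed
        s.request("read", BANK_X),        # different class: allowed
        s.request("write", CLINIC_A_2),   # now also reads BankX: write denied
    ]


if __name__ == "__main__":
    verdicts = demo()
    s = Subject("transcriber-17")
    for obj, action in [(PUBLIC_GUIDE, "read"), (CLINIC_A_1, "read"),
                        (CLINIC_B_1, "read")]:
        s.request(action, obj)
    print("\n".join(s.log))
    print(verdicts)
```

The history only grows on permitted reads, so a denied request leaves the wall where it was, and the per-subject log is the record an auditor would want when checking that the policy was actually enforced rather than merely declared.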

The high employee attrition rate in the BPO industry also escalates data protection risks. According to Naavi, it is wrong to impose security purely as a technical measure. One can introduce security software and declare policies, but it is not easy to get people to adopt them. The rationale behind security controls must be explained to employees. Getting employees to sign non-disclosure agreements is now a common feature in BPOs.

Leading BPO companies understand the significance of implementing the latest technologies. "Our IT professionals have security controls in place at various levels right from servers to firewalls, IPS and endpoint data protection along with content filter solutions. Client data transfers are usually in encrypted and secured forms. Apart from this, electronic access control is used to secure the premises and restrict unauthorized entry," says Sawant.

Data loss prevention (DLP) technology tools are the latest in the security market. "DLP is still on the path to becoming a mature technology. At the moment, DLP is being implemented only by large BPOs. SMBs cannot afford such solutions, and hence DSCI has come up with its Data Security and Privacy framework for BPOs. This will help BPOs strengthen their data protection regime," says Bajaj.

Naavi suggests that SMBs should come together to form an 'Information Security Consortium' and adopt a voluntary information security standard (on the lines of LIPS 1008, a standard suggested for legal process outsourcing units in India). "We need to make it mandatory for all medical transcription companies (as well as other similar units) to incorporate 'cyber ethics' training for employees. Though the DSCI already functions as a self-regulatory agency for BPOs, it may not be possible for DSCI to cater to the SMB sector's requirements. Hence I advocate an industry-led initiative at the SMB level, which works along with other bodies such as DSCI," says Naavi.
