CHAPTER 12
In the UK, the Data Protection Act is used to ensure that personal data is accessible to those whom it concerns, and provides redress to individuals if there are inaccuracies. This is particularly important to ensure individuals are treated fairly, for example for credit checking purposes. The Data Protection Act states that only individuals and companies with legitimate and lawful reasons can process personal information and cannot be shared.
The International Standard ISO/IEC 17799 covers data security under the topic of information security, and one of its cardinal principles is that all stored information, i.e., data, should be owned so that it is clear whose responsibility it is to protect and control access to that data.
The Trusted Computing Group is an organization that helps standardize computing security technologies.
Indian companies are establishing India's reputation as a trustworthy outsourcing destination by proactively addressing data privacy and security concerns.
Data privacy and security are not new concepts in outsourcing. When there is transfer of sensitive and confidential information, security concerns about data leakage or misuse do arise. For anti-outsourcing lobbies, data privacy and security concerns are cited as one of the main reasons to curb outsourcing. Some consider the security risks to be the same if the data were handled offshore or onshore, while others are unsure about the data privacy and security laws in countries like India and view it as a serious deterrent to their decision to outsource.
Whether or not the security concerns are baseless, companies in the US and UK are under increasing pressure with legislations that mandate the privacy of customers' financial and medical data. Indian companies realize that they need to scale up their data privacy in order to address these security concerns before there actually turns out to be a problem. From individual companies to associations like NASSCOM, proactive measures are being taken to ensure that India's unique value proposition is "trustworthy outsourcing".
Most data privacy and security concerns of companies outsourcing to India are unfounded. But the Indian Government and Associations such as NASSCOM are working towards ensuring that data privacy laws in India are at par with international legislation.
NASSCOM: The National Association of Software Services Companies or NASSCOM is working with the government to address security concerns in outsourcing to India and to ensure that India's data privacy legislation is more in line with the U.S. It also intends to have the security practices of all its 860 members audited by international accounting firms. A cyber crime unit, which NASSCOM initiated in Bombay's police department where officers were trained to investigate data theft, is planned in nine other cities.
NASSCOM also encourages Indian companies to share information on back office workers, create a Certification Authority for safety and plug gaps in Indian laws by familiarizing themselves with international laws.
Indian companies have already put in place or are currently honing their data privacy and security measures even before the Government finishes with the legislation. Employees access their workplace with the use of swipe cards, conform to prescribed modes of data transfer and shred notes of client conversations after the shift ends. Visitors are not allowed into the working area of a BPO company. Third party call centre operations in India and back-office subsidiaries of global companies such as General Electric, are adding state-of-the-art systems to monitor phone conversations, prevent data misuse, and to ensure total compliance to data privacy and IT security measures.
A recent incident of data misuse by an employee of a well-known BPO in India has resulted in rising security concerns about outsourcing. Whether global clients dismiss it as a one-off case or the episode unleashes a fresh round of BPO backlash, it is clear that vendor companies in India are focusing not only on network safety features but also on the quality of employees that they hire. There has been an increased focus on:
Data privacy legislation: Regulatory bodies and companies are pushing for comprehensive data protection, security and privacy legislation in India along the lines of Europe, U.S. and UK to address security concerns of customers.
Technology: Companies in U.S. may want to see more investments in new technologies such as keypad authentication of PIN numbers for credit card processing, etc.
Legal enforceability of SLAs: The US and European customers will have greater confidence in Indian vendors if their contracts are made legally enforceable, both in their home country and in India.
Background checks of candidates: HR will have to adopt best practices for comprehensive screening and background checking of all new hires, as is done in countries like the U.S. and UK.
Outsource2india has made substantial budget outlays for data privacy and security. Our core team of data privacy and IT security experts has ensured that proactive processes are in place to prevent security breaches and data misuse, rather than having to address such mishaps after they arise.
O2I's well-defined data privacy and security measures are built into our processes as well as our IT infrastructure and network.
Non-disclosure/confidentiality agreements.
Audit trials for all system activities.
Access to registered and authorized users only.
Scanning of servers for penetration testing.
Data Security at O2I: Network.
Total secured CISCO VPN Tunnel to client.
Secured Cisco(r) Intelligent switches and Cisco(r) Network Assistant optimized for LAN.
Cisco(r) PIX(r) Firewall to block all ports for HTTP, FTP, TCP/IP, UDP and even ICMP.
Virtual Private Network (VPN) protection and Secure Network.
Secure network firewalls.
Secure Encrypted Web Servers and laptops.
Biometric Access.
Data Security and Privacy measures for O2I employees.
Secure Smart Card and Secure Premises Login.
Secure Remote Access (VPN).
Single sign-on to enterprise and desktop applications.
Despite technology-driven protection devices and timely detections mechanisms, we recognize that our employees' attitudes towards data privacy are key to addressing security concerns of our clients. We conduct detailed back-ground checks on candidates before they are hired. All our employees are bound by confidentiality agreements and are adequately trained in data security processes.
India is pursuing the tag of "trustworthy outsourcing" with a fierce determination. BangaloreIT.Com, an IT summit which was held in November 2004, focused on outsourcing and issues related to privacy and data security. It is organized by the Department of IT, Biotechnology and Science and Technology in association with Software Technology Parks of India, Bangaluru. The event saw 400 companies from India and 14 other countries participate. International business experts, companies, and IT professionals educated the participants on key issues like best management practices in outsourcing, wireless technology, third-generation technology and information security among other things.
The proactive measures the Government and individual companies taken have definitely made an impression. Hill & Associates, an enterprise security and risk management consultancy firm, conducted a study which revealed that Indian cities Bangaluru, Hyderabad and Mumbai are low risk outsourcing locations. India is not only moving up the value chain by offering more complex services, but is determined to establish its credibility as a trustworthy destination for outsourcing.
The organizational success rests on the management and protection of the mission-critical data. Data, the essential asset of your business, is extensively used for customer relationship management that includes up-selling, cross-selling and other business services targeted at the customers. Hence, safeguarding business data is vital as its inappropriate usage can lead to greater concerns; this is where Data Security plays an important role.
There is a valid fear that this sensitive information could be altered or used to create negative consequences. Though, Data Security can ensure primary security concerns, it is not the foolproof solution to assure confidentiality. Data Privacy addresses all the issues. It enables sharing of data without compromising its confidentiality.
Protecting customer data has emerged as key issue for organizations today. As data is subjected to a variety of internal or external threats, organizations need a robust security system that not only protects the data from external intrusions but also from internal threats from charlatan employees.
Data security addresses following five aspects:
Aspects of Data.
Security.
Available.
Technological Measures:
Availability Backup Technologies, Cluster Solutions, Anti-virus Solutions and so on.
Authentication:
Passwords, PINs, Tokens, Smartcards and Biometrics Technologies like Finger Scan, Iris Scan and so on.
Access Control Lists (ACL), Directories, Firewalls, and so on.
Confidentiality, Integrity, and Non-repudiation SSL, VPNs, Public Key Infrastructure and so on.
Data security can be gained only through a combination of products and processes. Together, they determine the choice of technologies that should be deployed in a particular business case. The technological measures have to be implemented in combination with monitoring technologies, like Intrusion Detection Technologies, to ensure the security of the data assets.
The following three processes should be considered while selecting the various options for data security:
Risk mitigation;
Risk Monitoring;
Business Continuity Plan: Resumption of business operations in the event of a failure.
A security solution that takes into account all the above processes will be a complete and effective solution.
An Information Security Management System (ISMS) needs to be developed to assure complete data security.
The essential components of an effective Information Security Management System that form the building blocks of a complete data security system are:
Risk Management System - This system consists of processes to identify, mitigate, and manage risks.
Security Policy and Security Procedures - This states the organization's security objectives, security levels, and the type of security that it wishes to achieve. The security policy of the organization will form the basis for implementing the security procedures.
Business Continuity Plan - The security policy is essentially a preventive measure to mitigate risks to data assets. However, in the event of a disaster, the Business Continuity Plan serves as the guiding plan to recover and resume business operations within acceptable time.
Organizations manage large amount of customer data that could be in the form of:
Customer expenditure patterns as in case of Organizations providing Financial Services.
Customer health data as in case of Health Care Organizations.
Projects executed for customers as in case of companies providing technical expertise and so on.
This data is a strategic business asset as it can be used to provide further services to the customer and build other marketing strategies around this data. Corporations could use this asset for cross selling and sharing it with their business partners. The importance of this strategic business asset can be gauged from the 'Goldfish ruling'.
Customer data essentially belongs to the customer and the right to determine its use and disclosure, therefore, belongs to the customer. Data privacy laws have been exemplified this through the HIPAA Privacy Law in the health care sector and the Gramm-Bleach-Blighly Act in the financial services sector.
Data privacy is the responsible handling of customer data by organizations. Data privacy is further complicated because businesses are becoming more and more e-enabled. Some of the challenges in formulating and implementing data privacy solutions are:
Liability towards business partners for data sharing for the cross-selling purposes.
Multiple Customer Databases and Data Warehouses populate Enterprise Systems leading to problems in access control.
Lack of awareness amongst employees.
Outsourcing of business processes.
Diverse Privacy Laws across various countries.
Data security essentially refers to protection of corporate business assets from unauthorized access, misuse, and damage. Implementation of data security measures, therefore, is a corporate business need.
Data privacy refers to the responsible handling of customer data by corporations including its secondary use. Secondary use means data collected for one purpose that is subsequently used for other business purposes, like cross selling, that may or may not be known to the customer or business client.
Responsible handling, thus, includes:
Making the customer aware about the purpose of data collection and limiting the collection of data to only the intended purpose.
Taking consent from the customer for every non-standard use of the customer data.
Giving the customer access to data collected from him or her.
Providing recourse in case of violations.
Ensuring the availability and reliability of customer data and preventing it from unauthorized access.
Corporations cannot maintain the privacy of their customer data without implementing security. Data security, therefore, is one of the building blocks for data privacy.
The five building blocks mentioned in the section above are called the five fair information practices which consist of the following:
Notice and Awareness: Corporations should give customers clear and written details about the usage and the disclosure of the data. Systems with customer data and its usage should be made known. A continuous customer awareness program about the use of collected data will optimize transparency.
Choice and Consent: Choice refers to the right of customers to request restrictions on the uses and disclosures of their data. Consent refers to receiving customer's permission before customer data is used and disclosed.
Access: This refers to customer's rights to use their data. Customers should be able to see and get copies of their records, and request amendments. The challenge for organizations is in determining the extent to which customers should be allowed to amend data and the type of data that can be amended or deleted.
Accountability, Enforcement and Recourse: Organizations should be held accountable for the customer data that they possess and for establishing mechanisms that will ensure compliance to policies and procedures. Organizations should provide for reasonable methods to resolve disputes related to the use of data.
Data Security/Integrity: This refers to a data privacy assurance principle stating that gathered customer data, to the extent necessary, would be complete, current and accurate. Organizations must take reasonable measures to assure customer data's reliability for its intended use, and protect it from loss, misuse, alteration, or destruction.
© Universal law Publishing Co.