DSCI-KPMG Survey 2010 - State of Data Security and Privacy in Indian BPO Industry

Message from CERT-In

Businesses continue to drive IT operations, which in turn try to sustain existing systems, often at the cost of security. Customers, on the other hand, are demanding more security as their worries about cyber crimes, privacy and identity theft grow. In the networked world, business partners, suppliers, and vendors also demand assurance of essential and adequate security when they inter-operate to share information and business data for faster and cost-effective transactions. At the same time, regulatory and law-enforcement agencies require proof of compliance with a plethora of security regulations. Under these circumstances, there is no better way of understanding the security preparedness of companies than through a survey.

It gives me great pleasure to see the results of the survey of BPO companies, conducted by DSCI through KPMG in India with the active support of DIT. I'm sure this survey will help the industry understand the areas that need focus in order to improve its practices, and present to its clients the best practices approach for trusted business partnership.

Dr. Gulshan Rai, DG, CERT-In

State of Data Security and Privacy in the Indian BPO Industry

Message from DSCI

This is the third DSCI-KPMG Security Survey, conducted in association with CERT-In. While designing the questionnaire for this survey, we decided that rather than conducting a general security survey, we would focus on the BPO and Banking domains. Specific questionnaires were, therefore, drawn up to address the concerns of these domains.

We present the results of the BPO industry in this report. The depth of questions may perhaps lead one to conclude that the survey is an attempt at assessment rather than merely a high-level information capture. At DSCI, we felt that this was important with a view to understanding the data protection trends, underlying issues and concerns that may be unique and specific to the BPO industry. The focus, in general, is on the positioning of security and privacy in organizations, and on the maturity and characteristics of key security disciplines such as Threat & Vulnerability Management and Incident Management, among others. Such an in-depth questionnaire was expected to bring out the BPO responses to the rising data breaches globally.

I am pleased to state that the in-depth approach has resulted in findings that are more promising. For the BPO industry, while the survey suggests that employee awareness of data protection continues to be a challenge, managements are alive to the privacy requirements of clients, since many BPOs have established a privacy team that is distinct from security. The security organization itself is maturing, with CISOs being involved in strategic tasks. An interesting result is the awareness among BPOs that they may be liable for breaches arising from vulnerabilities in clients' environment unless they are vigilant enough to negotiate a suitable contract. Among the areas that need the attention of management, the following are worth mentioning: employee security awareness should be increased, the need for compliance with the amended IT Act should be understood, and Lines of Business should be involved in data security initiatives.

Dr. Kamlesh Bajaj, CEO, DSCI

Message from KPMG in India

The BPO industry in India has always been under the significant influence of data protection regulations. In the initial years of its growth phase, corporations went through fairly intense scrutiny in customer audits, which have sometimes been considered to cross the boundary of reasonable control expectations. In any case, most CISOs have privately admitted that those audits helped them learn the tricks of the trade and made them better every time they underwent such an audit.

The industry has also been conscious that managing an adequate level of information protection is essential for survival. There have been instances of penalties being charged for non-compliance with information security safeguards. In a few extreme cases, clients have renegotiated contracts with their service providers at lower rates just because the security controls were found to be weak. Some experts believe that information security issues can easily become non-tariff barriers if the industry as a whole does not embrace appropriate risk mitigation measures. Given this context and the current global economic scenario, it couldn't have been a better time for the industry to demonstrate that it has the right strategies in place to manage and mitigate the risks of information security breaches.

The survey validates that the industry understands these implications very well and has put in place the baseline measures to manage the risk. The survey is aimed at identifying protection measures for information security in general and those specific to personally identifiable information (privacy). While the industry participants have developed frameworks for addressing information security concerns, the aspects relating to privacy haven't matured as much. The survey highlights the current state of the industry and attempts to identify the future direction for a holistic information protection program.

It is argued that surveys conducted through the owners of a process many a time produce more optimistic results and portray realities as better than they really are. However, the purpose of the survey being directional rather than a quantitative assessment, it serves the purpose of identifying trends and priorities of the industry. This survey should act as a useful guide for senior executives of BPO companies in formulating their future positions and will be a good tool for many CISOs in developing business cases for comprehensive information security programs. We hope that the companies which use the services of the Indian BPO industry will also benefit from this survey, as it will help them reposition their compliance monitoring efforts in the right direction.

Akhilesh Tuteja, Executive Director, KPMG in India

Contents

Introduction 02

Data Security and Privacy 08

Information Security Governance 16

Extended Boundaries 24

Regulations 30

Internal Processes 36

Way Forward 47

Introduction

Highlights

The survey provides insights into the data security and privacy environment of the Indian BPO industry. There is evidence that validates general perceptions about security and privacy practices, and then there are some outliers that do not align with the seemingly obvious. Some of the findings of the survey are as follows:

• The industry treats data security more as a hygiene factor, rather than a point of differentiation to gain competitive advantage
• Customer requirements remain the primary drivers for data security for most of the organizations
• Almost 50 percent of the organizations are negotiating contracts to ensure that any liability arising from vulnerabilities in the client's environment is borne by the client
• More than three-fourths of the organizations face challenges due to a lack of awareness amongst employees of the liabilities arising from data breaches
• CISOs of a majority of the organizations are spending significant time on strategic initiatives; for example, identifying security implications of new business initiatives
• Only 44 percent of the respondents are mandating vendors / third parties to report new threats and vulnerabilities in their products / services
• There seems to be a lack of clarity amongst organizations regarding their liability under ITAA 2008
• More than 75 percent of the organizations involve process owners and lines of business in data security initiatives.

Summary

The Indian BPO industry has grown nine-fold, from USD 1.6 billion to USD 14.7 billion, in just a decade and is expected to witness robust growth in the years to come. By 2020, the Indian outsourcing industry (IT and BPO), which is currently at USD 60 billion, is expected to reach USD 225 billion. During the same period, growth in 'domestic BPO' revenue is expected to expand seven-fold to reach USD 15 to USD 17 billion, while 'export revenue' is expected to reach USD 50 billion. To sustain this phenomenal growth, the Indian BPO industry needs to overcome one of the major challenges facing the industry today – addressing the Data Security and Privacy concerns of its stakeholders.

Data Security Council of India (DSCI) and KPMG in India, under the aegis of CERT-In (DIT), jointly conducted a survey to assess the current state of data security and privacy practices being adopted by the Indian BPO industry and to gain insights into how the Indian BPO industry is addressing clients' concerns.

As part of this initiative, 50 organizations were surveyed with the following objectives:

• Positioning of data security and privacy in the BPO organizations - analyzing CISOs' role and the tasks performed by the security organization
• Maturity and characteristics of key security disciplines such as 'Threat & Vulnerability Management' and 'Incident Management' in the wake of rising data breaches globally
• Level of perceived risks in different Lines of Service (e.g. Customer Interaction and Support, Payroll, Finance & Accounting, etc.)
• Managing risks arising from clients' environments
• Mechanisms adopted for conducting employee background screening
• Strategic options adopted for Business Continuity and Disaster Recovery management
• Impact of IT (Amendment) Act, 2008 on the industry
• Evolution of Physical Security and its integration with data security

In order to ensure that the survey results represent the Indian BPO industry at large, we interviewed CISOs and their equivalents in organizations across BPO industry segments and sizes.

The survey results highlight trends and insights into the state of data security and privacy in the Indian BPO industry – many 'generally known' practices are validated, yet certain unexpected insights are revealed.

Data security and privacy

The maturity of the Indian BPO industry with respect to data security and privacy is reflected in the fact that most organizations treat security more as a hygiene factor rather than a point of differentiation to gain competitive advantage. End customers in client geographies are concerned about their personal data in the trans-border data flow. The Indian BPO industry realizes this and is equally concerned about any bad publicity in the media which may result from a data breach. Even the clients have taken note of such concerns and demand that BPO organizations undertake privacy initiatives and include an explicit data privacy clause in their contracts. The first section of the report – 'Data Security & Privacy' – reveals these and other such trends in detail.

Information security governance

The information security function in general has been formalized, with most organizations having a designated CISO. However, no standardization with respect to reporting alignment exists, as it varies significantly within the responding organizations. CISOs are also moving away from security-related operational tasks and are becoming more involved in strategic activities. The survey reveals that the industry needs to increase the involvement of business managers in understanding the security requirements of the business.

Extended boundaries

As the industry has been expanding across geographies to serve global clients, organizations continue to face a challenge in meeting multiple regulatory or client requirements. These organizations, being well aware of the liabilities arising from any data breach, have been re-negotiating contracts with clients to ensure that any liability arising from vulnerabilities in the client's environment is borne by the client. Similar focus needs to be given to third party service providers, since they have access to client/organization confidential information.

Regulations

The industry's focus on global clients is all the more evident from the fact that its data security and privacy related technological investments are driven by global regulatory requirements. However, with the introduction of the Information Technology (Amendment) Act, 2008 (ITAA 2008), organizations are starting to realize the liabilities arising from it and have also started revising their security policies to incorporate ITAA 2008 requirements. As awareness of ITAA 2008 is low, there is a risk of underestimating the liabilities arising from non-compliance with regulatory obligations.

Internal processes

There are clear indicators that internal processes have been designed to meet best practices. However, the implementation and continuous testing/monitoring varies across the organizations.

The findings indicate the level of maturity the industry has achieved when it comes to processes such as threat & vulnerability management, employee screening, security incident management, BCP/DRP and physical security controls.

Data Security and Privacy

Key findings

• Client/contractual requirements and the global data protection regime are the key drivers for data security practices in the BPO industry
• Organizations perceive that key threats for data security are internal in nature
• Respondents are conscious of their brand image and are therefore adopting data privacy initiatives to prevent any data breach incident which may lead to bad publicity in the media
• Organizations focus on data privacy to address rising concerns of clients' end customers vis-à-vis their personal data in the trans-border data flow
• A majority of organizations do not have a dedicated or separate privacy team; instead, they use the data security team to drive and support privacy initiatives.

Finding its place

The survey reveals that to address end customers' concerns vis-à-vis their personal data in trans-border data flow, clients are becoming stringent with respect to 'Data Security' & 'Data Privacy', which is driving organizations' security and privacy initiatives.

Drivers for data security

A majority of respondents consider security as a hygiene factor rather than a competitive advantage. Seventy percent of organizations perceive that key threats for data security are internal in nature. Though internal and external threats are among the drivers for security, client/contractual requirements, the global data protection regime and associated liabilities remain the primary drivers for data security in the industry. At the same time, ITAA 2008 is also becoming an important driver for data security for organizations.

[Chart: Drivers (Data security) (% respondents). Source: DSCI-KPMG Survey 2010]

Clients continue to drive the information security requirements. They have helped corporations mature their information security programs through periodic audit and monitoring.

[Chart: Security function positioning (% respondents). Categories: Central Security Function (94), For each Geographical location, For each Line of Service, For each Vertical, Each / major client relationship, Coordinator for each relationship. Source: DSCI-KPMG Survey 2010]

Security function

Respondents believe that organizations place due importance on the security function internally. This is coupled with the fact that almost two-thirds of the organizations have a security team of more than five members. Most organizations have a central security function responsible for data security & privacy, enabling them to ensure uniformity of controls across the organization.

Security is still a centralized function, as revealed by the survey. However, geographical expansion of operations, rising revenue in the Lines of Service and business growth in client relationships seem to be driving the structure of the security organization towards a localized/decentralized security function.

Maturity of security practices (% respondents)

Focus on ISO 27001: 82
Continuous vigilance on evolving issues: 78
Keeping top management aware of the risks & liabilities: 74
Constant review of the environment: 70
Providing architectural treatment to security solutions: 60
Use enterprise portal to manage security requirements: 58
Collaborate with external sources & internal functions: 58
Proactively adopt techniques such as threat modeling, threat tree etc.: 48
Focus on innovation in the security initiatives: 44

Source: DSCI-KPMG Survey 2010

Security team size (% respondents)

Less than 5: 10%
6-10: 37%
11-20: 37%
More than 20: 16%

Source: DSCI-KPMG Survey 2010

Maturity of security practices

Organizations are following standardized processes, drawing heavily on well-known standards such as ISO 27001. At the same time, a majority of organizations keep continuous vigilance on evolving security issues & vulnerabilities, along with constant review of the environment to assess its security posture. With the current baseline, organizations are adopting forward-looking initiatives such as:

• Providing architectural treatment to security solutions
• Usage of an enterprise portal to manage security
• Adopting techniques such as threat modeling, threat tree, etc.
• Focusing on innovation in security initiatives.

Drivers for data privacy

Data privacy, as with data security, is primarily driven by client/contractual requirements and global regulations. However, there are other factors driving data privacy as well. Organizations are conscious of the fact that a small incident of data breach can impact their brand image to a large extent. This is also reflected by the fact that 73 percent of the organizations consider bad publicity in the media in case of a data breach as a critical driver for their data privacy initiatives. This becomes all the more important when most of the organizations are trying to address the concerns of end customers vis-à-vis their personal data in trans-border data flow. Clients' concerns are highlighted by the fact that 50 percent of the respondents mentioned that their clients require them to undertake privacy initiatives and explicitly mention data privacy clauses in contracts. Though the prime focus remains on end customers' data, 48 percent of the organizations have started to focus on protecting the privacy of their employees' data.

Drivers (Data privacy) (% respondents)

Driver: Critical / Important / Less Important
Reputational damage: 73 / 24 / 2
End customer concerns over trans-border data flow: 73 / 21 / 6
Global data protection regulations: 65 / 31 / 4
Data privacy clauses in client contracts: 56 / 35 / 8
Client's privacy program: 50 / 46 / 4
Protecting privacy of employee data: 48 / 46 / 6
Data Protection Authorities (Client geographies): 33 / 33 / 33

Source: DSCI-KPMG Survey 2010

Privacy function

While the primary drivers for data security and data privacy are the same, the controls and capabilities required for ensuring them are quite different. Realizing this, organizations are moving towards deploying dedicated personnel for privacy. This is evident from the fact that 41 percent of the organizations have a dedicated privacy function with a team strength of more than two members.

Maturity of privacy practices (% respondents)

Understanding exists of different roles and entities for data protection: 64
Understanding exists about Privacy Principles and their applicability: 62
Dedicated policy initiative for privacy: 62
Processes are reviewed regularly from privacy perspective: 60
Specific technology, solutions and processes are deployed for privacy: 54
Scope of audit charter is extended to include privacy: 52
Privacy impact assessment is performed for new initiatives: 40
Privacy has just appeared on the organization's agenda: 16
Privacy is seriously lacking as compared to security: 8

Source: DSCI-KPMG Survey 2010

Dedicated privacy function (% respondents): Yes 40%, No 60%

Source: DSCI-KPMG Survey 2010

Privacy team size (% respondents): Not Applicable 43%, Less than 2 16%, 2-5 and More than 5 together 41% (11% and 30%; the extracted chart does not preserve which value belongs to which)

Source: DSCI-KPMG Survey 2010

Privacy gets treated as a sub-set of the information security program, which may lead to under-estimation of legal implications.

Maturity of privacy practices

The survey reveals that more than 60% of the organizations:

• understand the different roles & entities that exist for data protection,
• understand Privacy Principles & their applicability,
• have a dedicated privacy policy initiative, and
• regularly review their processes from a privacy perspective.

However, not all of these organizations have extended the scope of their audit charter to include privacy, nor do they perform a privacy impact assessment whenever new initiatives are undertaken. Organizations can achieve a much better state of privacy if they take a step towards establishing a privacy function with the required empowerment.

Information security governance

Key findings

• CISOs of a majority of the organizations are spending significant time on strategic initiatives; for example, evaluating and mitigating security implications of new business initiatives.
• Organizations are seeking external assistance largely in security gap assessment and application security testing
• Organizations are maturing to understand and distinguish security-related operational tasks from strategic security tasks
• Many organizations still do not involve business managers in understanding security requirements.

Doing a reality check

The survey results indicate that organizations have come to realize the significance of the CISO and his/her role. CISOs have started to get involved in strategic tasks, moving away from operational activities.

Role of CISO

The survey reveals that CISOs of nearly 65 percent of the organizations are spending a significant amount of their time on activities like:

• Overseeing security policy enforcement
• Participating in business strategy meetings
• Interacting with support functions for enforcing measures
• Planning for remedial measures
• Issuing guidelines to enterprise units
• Overseeing security projects
• Checking for new issues, threats & vulnerabilities
• Convening meetings of security forums.

This clearly indicates that CISOs are spending a significant amount of time on strategic tasks instead of operational tasks. However, standardization in the CISO's role is lacking. This is evident from the survey results - 29 percent of CISOs spend a significant amount of time on reviewing & approving change requests; at the same time, 22 percent of CISOs do not consider it part of their responsibility. Similarly, more than 50 percent of CISOs spend a significant amount of time on 'reviewing state of security in service delivery channels' & 'reviewing security reports'. However, nearly 15 percent believe they are not responsible for these tasks.

CISOs' reporting line

The survey reveals that organizations have not come to a consensus on 'to whom should the CISO report?' This is evident from the fact that there is no standardization on the reporting alignment of CISOs. Further, CISOs have multiple reporting lines, resulting in a lack of focus and accountability. The survey also revealed that 30 percent of organizations' CISOs report to the CIO/CTO, highlighting concerns with respect to the independence of the security function.

CISO reports to (% respondents)

Chief Executive Officer (CEO): 30
Chief Operating Officer (COO): 18
Chief Information Officer (CIO): 16
Chief Risk Officer (CRO): 16
Chief Technology Officer (CTO): 14
Head Quality Assurance: 4
Audit Committee: 2
Others: 8

Source: DSCI-KPMG Survey 2010

Organizations need to refine the CISO's role, ensuring minimal involvement in operational tasks such as reviewing reports of security scans.

CISO spends time on (% respondents)

Activity: Significant Amount of Time / Non Significant Amount of Time / Not Responsible
Overseeing security policy enforcement: 90 / 6 / 4
Participating in business strategy meetings: 84 / 12 / 4
Interacting with support functions for enforcing measures: 80 / 12 / 8
Planning for remedial measures: 71 / 16 / 12
Issuing guidelines to enterprise units: 69 / 24 / 6
Overseeing security projects: 69 / 20 / 10
Checking for new issues, threats and vulnerabilities: 65 / 31 / 4
Convening security forum meeting: 65 / 27 / 8
Preparing reports for higher management's consumption: 63 / 33 / 4
Reviewing reports of security scan, assessment and audits: 61 / 29 / 10
Reviewing & responding on security alerts, incidents, issues: 57 / 33 / 10
Reviewing state of security in service delivery channels: 57 / 29 / 14
Reviewing security reports: 51 / 33 / 16
Overseeing security training of employees: 45 / 45 / 10
Interacting with IT teams for maintenance of security devices: 37 / 51 / 12
Reviewing and approving change requests: 29 / 49 / 22
Approving official requests of reporting officers: 23 / 52 / 25

Source: DSCI-KPMG Survey 2010

The role and expectations from the CISO vary across organizations; whilst many spend time on strategic items, a fair bit of operational tasks take his/her attention.

Security tasks

Security of the organization is the prime responsibility of the CISO and his/her team. However, other functions like the IT Infrastructure Team, Business Units, Corporate Compliance, etc. are also involved in security management tasks. The survey indicated that various teams are being involved in the right capacity for security management tasks. This indicates that organizations are aware of the stakeholders required to be involved for effective management of security. Trends clearly visible from survey responses are:

• Operational tasks such as installation of security solutions, administration of security technologies and security testing are performed by the IT security and IT infrastructure teams, allowing the CISO to focus on strategic tasks
• The gaps in security skills are bridged by availing the services of external consultants for tasks such as security gap/baseline assessments, application security testing, code review, etc.

Though the CISO is actively getting involved in business activities such as business strategy planning, understanding business requirements of security, etc., the involvement of business managers in security initiatives needs to be further enhanced.

Security gap/baseline assessment (% respondents): Business Manager 15, Corporate Compliance 15, CISO 64, IT Security 38, IT Infra Team 9, Audit Team 36, External Consultant 15, External Service Provider 6

Keeping track of evolving threats & vulnerabilities (% respondents): Corporate Compliance 12, CISO 52, IT Security 68, IT Infra Team 16

Security requirements of business (% respondents): Business Manager 63, Corporate Compliance 19, CISO 58, IT Security 27, IT Infra Team 19

Application security testing (% respondents): CISO 27, IT Security 61, IT Infra Team 20, Audit Team 11, External Consultant 20

Security authorization of change requests (% respondents): Business Manager 16, Corporate Compliance 8, CISO 48, IT Security 58, IT Infra Team 18

Source: DSCI-KPMG Survey 2010

Security tasks (% respondents)

Security task | Business Manager | Corporate Compliance | CISO | IT Security | IT Infra Team | Audit Team | External Consultant | External Service Provider | External Consultant / Service Provider
Security gap/baseline assessment | 15 | 15 | 64 | 38 | 9 | 36 | 15 | 6 | 21
Security strategy plan | 22 | 14 | 80 | 29 | 16 | 2 | 2 | 0 | 2
Security requirements of business | 63 | 19 | 58 | 27 | 19 | 2 | 0 | 0 | 0
Preparing security policies & procedures | 6 | 14 | 82 | 41 | 16 | 2 | 10 | 0 | 10
Implementing policies & procedures | 49 | 20 | 57 | 55 | 47 | 18 | 4 | 4 | 8
Defining & managing security architecture | 8 | 6 | 65 | 55 | 31 | 0 | 4 | 2 | 6
Compliance reporting to clients | 56 | 25 | 52 | 21 | 8 | 10 | 2 | 2 | 4
Advisory vis-a-vis data security architecture | 17 | 28 | 77 | 26 | 9 | 4 | 19 | 2 | 21
Security solutions evaluation and procurement | 4 | 10 | 69 | 69 | 44 | 4 | 6 | 8 | 15
Install security solutions, products and tools | 2 | 2 | 32 | 62 | 68 | 2 | 6 | 8 | 14
Administration of security technologies | 0 | 0 | 12 | 66 | 64 | 2 | 0 | 2 | 2
Security testing - VA and PT | 0 | 2 | 22 | 64 | 36 | 12 | 12 | 12 | 24
Application security testing, code review, etc. | 9 | 2 | 27 | 61 | 20 | 11 | 20 | 0 | 20
Conducting and managing internal audits/assessments | 4 | 22 | 61 | 20 | 4 | 71 | 6 | 2 | 8
Security monitoring | 10 | 10 | 38 | 72 | 30 | 12 | 4 | 4 | 8
Security authorization of change requests | 16 | 8 | 48 | 58 | 18 | 2 | 0 | 2 | 2
Report, investigate and close security incidents | 12 | 18 | 68 | 58 | 24 | 6 | 2 | 2 | 4
Keep track of the evolving threats and vulnerabilities | 0 | 12 | 52 | 68 | 16 | 6 | 6 | 4 | 10
Strategies for protecting against new threats and vulnerabilities | 4 | 16 | 76 | 58 | 16 | 2 | 4 | 0 | 4
Keep track of the evolving regulatory requirements | 20 | 36 | 62 | 26 | 2 | 8 | 8 | 2 | 10
Participate in initial client meetings to understand clients' security requirements | 57 | 17 | 67 | 41 | 24 | 2 | 0 | 0 | 0
Administration & testing of BCP/DR plans | 32 | 18 | 59 | 55 | 52 | 5 | 2 | 2 | 5


Source: DSCI-KPMG Survey 2010


Extended boundaries


Key findings

• Meeting multiple regulatory/client requirements and ensuring employee seriousness towards data security & privacy continue to remain key challenges for organizations
• Organizations are continuously focusing on spreading awareness about security but challenges seem to persist
• Organizations are increasingly focusing on deploying technical and organizational safeguards to mitigate risks arising from the client's environment
• Organizations have started negotiating contracts to ensure that any liability arising from vulnerabilities in the client's environment is borne by the client
• Organizations have adopted a 'Third Party Risk Assessment Framework' along with conducting Vendor Risk Management exercises for their service providers.


Overcoming challenges

Meeting multiple client/regulatory requirements, while serving clients across geographies, is a key challenge faced by organizations.

Challenges in managing data security & privacy

Organizations face the challenge of meeting multiple regulatory/client security and privacy requirements. Internal threats are also a major roadblock in ensuring data security and privacy, especially when 73 percent of the organizations believe that there is a lack of seriousness amongst their employees towards data security. Employees in the young age group with high attrition rates pose a significant challenge in the continued sustenance and management of security & privacy. Organizations need to focus on spreading awareness of liabilities arising from data breaches, as this continues to be a challenge for more than 75 percent of the respondents.

The survey also highlights the fact that 70 percent of the organizations are facing challenges with respect to ensuring data security and privacy in the client's environment. The respondents were found to be concerned about the relatively moderate controls implemented in the client's environment. Managing security becomes even more challenging when employees are highly involved with the client organization or can connect to the client's environment through public networks.

Challenges faced (% respondents)

Challenge | Key challenge | One of the challenges | Not a challenge
Meeting multiple client requirements | 45 | 27 | 29
Employees in young age group with high attrition rates | 44 | 30 | 26
Meeting multiple regulatory requirements | 38 | 36 | 26
Client providing liberal access to BPO employees | 35 | 35 | 29
Emerging and evolving threats and vulnerabilities | 33 | 47 | 20
Employees connecting to client environment through public network | 33 | 26 | 42
Lack of employee awareness on liabilities arising from data breaches | 27 | 50 | 23
Non seriousness of employees for security and privacy | 25 | 48 | 27
High involvement of employees with client organization | 25 | 35 | 40
Understanding global data protection regulations | 22 | 39 | 39
Different connectivity models | 20 | 37 | 43
Different means used to transfer or access the data | 20 | 30 | 50
Inadequate budget allocation for data security & privacy | 20 | 22 | 59
Increased volume and complexity of data intensive transactions | 18 | 45 | 37
Difficulty in bringing visibility over the data | 16 | 43 | 41
Managing third party risks | 16 | 49 | 36
International spread of operations | 15 | 47 | 38
Client prefers business flexibility over security | 15 | 40 | 45
Lack of support from Top / Senior Management | 9 | 24 | 67

Source: DSCI-KPMG Survey 2010

Mitigating Third Party Risk

There is an increasing realization about the risks associated with access to client data systems. Seventy five percent of the respondents have extended the scope of their risk management processes to include the risks introduced by the client's environment. Organizations are making their employees aware of the risks that arise from the client's environment and are also deploying additional technical and organizational controls to mitigate these risks. Further, organizations have started negotiating contracts to ensure that any liability arising from vulnerabilities in the client's environment is borne by the client.

Organizations realize that with the increasing use of third party service providers, the risk of data breach increases, especially when these service providers have access to confidential information. Therefore, most of the organizations sign Non Disclosure Agreements / Confidentiality Agreements with their third party service providers and use the contract as an instrument to make the third party service providers liable for any security breaches. Beyond that, 48 percent of organizations have controls deployed as per a 'Third Party Risk Assessment Framework' and 52 percent conduct 'Vendor Risk Management' exercises.

Mitigating client environment risk (% respondents)
Making employees aware of the risks in the client environment | 71
Deploying extra technical and organizational safeguards | 60
Negotiating contracts to make the client liable for exploitation of the client's environment | 54
Include the client's environment in the risk management process | 50
Do not consider client environment risk as part of our risk management process | 25

Mitigating third party risk (% respondents)
Signing Non Disclosure Agreement | 96
Deploying technical and organizational safeguards | 77
Contract to make the third party liable for any security breaches | 75
Making our employees aware of the risks arising from third party services | 58

Third party risk management (% respondents)
Controls deployed as per "Third Party Risk Assessment Framework" | 48
Conducting Vendor Risk Management exercise | 52
Both | 42
Neither | 42

Source: DSCI-KPMG Survey 2010


Regulations


Key findings

• Organizations continue to consider regulatory requirements as a primary driver for their investments
• Adoption of an enterprise level automated tool for managing compliance is still in the nascent stage
• There seems to be a lack of clarity amongst organizations regarding their liability under ITAA 2008
• A large percentage of the organizations have not activated the legal function to understand, interpret and suggest necessary precautions to comply with ITAA 2008. This explains the low level of awareness amongst the organizations.


Staying compliant

The survey results reveal that although organizations have started to create awareness on ITAA 2008, the level of awareness still needs to be strengthened.

Tracking contractual / Regulatory requirements

The survey highlights that more than three-quarters of the organizations involve the legal department in the initial stages of contract negotiation and maintain an inventory of contractual / regulatory requirements for each client relationship. However, only 50 percent of the organizations are well aware of the legal & compliance requirements for each type of data element. Further, only 30 percent of the organizations use an enterprise level tool to help manage compliance. These could be the possible reasons why organizations continue to face challenges in managing regulatory/client requirements.

Steps taken to track contractual / regulatory requirements (% respondents)
Involve legal department in initial stages of deal negotiation | 86
Maintaining an inventory of contractual / regulatory requirements for each client relationship | 76
Compliance / audit / risk manager for each relationship | 70
Mechanism to track regulatory changes | 66
Managed and shared legal & compliance related information effectively | 66
Ensure understanding, interpretation and applicability of legal terms | 62
Business process owners self declare compliance to contractual / regulatory requirements | 54
Legal and compliance requirements and liabilities for each type of data element are well known | 50
Subscribed to services that notify of legal and regulatory changes | 46
An enterprise wide tool helps manage compliance effectively | 30

Source: DSCI-KPMG Survey 2010

Compliance processes remain largely manual.

Response to liabilities due to data breach

In the wake of global regulations and ITAA 2008, specifying increased civil as well as criminal liability per data breach, most of the organizations are responding by:

• strengthening their mechanism for monitoring & incident management, and
• creating awareness within the organization and third parties.

Response to liabilities due to data breach (% respondents)
Strengthening monitoring and incident management mechanism | 78
Creating awareness within the organization and third parties | 76
Review the client contracts | 58
Activating legal function | 58
Establish a breach notification mechanism | 47
Developing strong forensic investigation capabilities | 18

Source: DSCI-KPMG Survey 2010

Awareness on ITAA 2008

Creating awareness on ITAA 2008

There seems to be a lack of clarity amongst respondents regarding the applicability of ITAA 2008, as more than 50 percent of respondents either responded negatively or 'not sure' with respect to their liabilities under ITAA 2008.

The low level of awareness around ITAA 2008 can be understood from the fact that almost one-third of the organizations have not started specific initiatives towards creating awareness of ITAA 2008 amongst their Top Management, whereas two-thirds of them have not yet started creating awareness for their clients, employees and contractors.

My organization can be sued under ITAA 2008 by (% respondents)

Response | End Customers | Employees
Yes | 44 | 49
No | 22 | 16
Not Sure | 31 | 33
ITAA 2008 is not applicable | 2 | 2

Create awareness amongst (% respondents)
Board Members | 30
Top / Senior Management | 70
Employees | 35
Contractors / Third Party employees | 24
Clients | 15

Source: DSCI-KPMG Survey 2010

While there is greater awareness of global regulations, the implications of ITAA 2008 remain largely unknown.

Response to ITAA 2008

ITAA 2008 as a driver for technology investments

Since most of the organizations have not even involved their legal function to interpret and suggest the necessary safeguards to comply with ITAA 2008, they do not realize the impact of a breach. This is highlighted by the fact that 67 percent of organizations have not extended the scope of their security and privacy program to cover employee personal data.

Organizations' lack of focus on ITAA 2008 could be related to the fact that more than two-thirds of the organizations consider global regulations as the primary driver for their technology investments to enhance information security and regulatory compliance.

ITAA 2008 as a driver (% respondents)
ITAA 2008 is a significant investment driver | 19
Global regulations are the primary driver | 72
ITAA 2008 has recently acquired a place in the discussion | 26
ITAA 2008 does not have any bearing on investment decisions | 11

Steps taken in response to ITAA 2008 (% respondents)
Strengthening monitoring and incident management mechanism | 46
Identify the personal information flow to the organization | 39
Activating legal function | 39
Revising organization's security policy | 33
Contacting external information sources | 33
Extending the scope of security & privacy to cover employees' personal data | 33
Collaborating with competitors / peers | 30
Review the vendor contracts | 24
Identifying and making an inventory of scenarios | 20
Developing strong forensic investigation capabilities | 17

Source: DSCI-KPMG Survey 2010


Internal processes


Key findings

• Organizations involve process owners and Lines of Business in their data security initiatives
• Organizations keep a vigilant track of new issues, vulnerabilities and threats. However, most of them do not have a mechanism in place that is capable of swiftly testing the relevance of these issues in their environment
• More than half of the organizations surveyed do not mandate vendors / third parties to report new threats and vulnerabilities in their products / services
• The industry has matured over the years in terms of processes such as security incident management, BCP/DRP and physical security management.


Being prepared

Internal processes of organizations have matured over the years to a point where most of the organizations are keeping track of threats & vulnerabilities and have also established processes for employee background screening, security incident management, BCP/DRP and physical security control.

Data centric approach

Organizations are bringing a data centric approach to their security initiatives by understanding the type of operations, client requirements and the underlying resources and access patterns. Further, organizations are increasingly aware of how data is managed across its life cycle and have granular level visibility over the data in each of their client relationships and business processes. The survey also reveals that 78 percent of the organizations involve process owners and Lines of Business in their data security initiatives.

Data centric approach (% respondents)
Involvement of process owners & LoB in the data security initiatives | 78
Understanding of the type of operations, client requirements etc | 76
Aware of how the data is managed in its lifecycle | 66
Data classification techniques have been deployed and followed rigorously | 66
Granular level visibility over the data | 64
Organization is aware of issues in the client environment | 50
Uniformity of controls is maintained at both client & organization's environments | 36

Source: DSCI-KPMG Survey 2010

Perceived risk based on lines of service

Global regulations could be the prime reason why organizations perceive business processes involving personal information as high risk. More than two-thirds of the organizations perceive the following business processes as high risk:

• Human resource operations
• Health information processing
• Finance & accounting
• Payroll accounting.

Level of perceived risk (% respondents)

Line of service | High | Medium | Low
Human Resource Operations | 73 | 17 | 10
Health Information Processing | 72 | 17 | 10
Finance and Accounting | 72 | 28 | 0
Payroll Processing | 66 | 24 | 10
Legal Processing | 54 | 27 | 19
Customer Interaction and Support | 53 | 28 | 19
Billing Management | 46 | 46 | 8
Business Analytics | 41 | 44 | 16
Knowledge Services | 39 | 45 | 16
Supply Chain Management | 22 | 56 | 22
Procurement Services | 22 | 61 | 17
Engineering and Design Services | 13 | 47 | 40
Printing and Publishing Services | 0 | 38 | 62

Source: DSCI-KPMG Survey 2010

Processes involving personally identifiable information are perceived as high risk.

Keep track of evolving threats & vulnerabilities

Organizations have established appropriate measures to keep track of new threats and vulnerabilities, wherein they subscribe to newsletters, CERT-In alerts and exploit databases, and periodically visit the websites of data security vendors. However, there is a need for collaborative effort amongst peer organizations, which could benefit the entire industry. Organizations should also consider stronger engagement with vendors/third parties and insist that they report new threats and vulnerabilities in their products / services so that appropriate controls can be implemented in a timely manner.

Keep track of evolving threats & vulnerabilities (% respondents)
Risk based internal or external audits | 86
Subscribing to newsletters | 76
Through websites of data security vendors | 74
Subscribing to vulnerability, exploit databases, etc | 68
Subscribing to CERT-In alerts | 62
Through peers / competitors | 54
Security research reports of product and professional organizations | 46
Mandating the vendors to report new threats & vulnerabilities in their products | 44
Through discussions on security forums on the internet | 40
Subscribing to Analysts reports | 32
Provided by the client organizations as part of their Risk Management process | 30

Threat & vulnerability management (% respondents)
Keep vigilant track of new issues, vulnerabilities and threats | 84
The version of each critical asset is up-to-date | 76
Integration with IT infrastructure management processes | 72
IT infrastructure is homogeneous | 62
An architectural treatment is given to threat and vulnerability management | 60
Mechanism to test the relevance of issues swiftly, without delays | 56
Scope of the function is extended to mobile computing devices etc | 50
Collaborates with agencies like CERT-In and other knowledge sources | 46
IT infrastructure is heterogeneous | 26
Compatibility of business applications & cost hinder keeping the asset up to date | 24

Source: DSCI-KPMG Survey 2010

While organizations keep a close eye on threats and vulnerabilities, they lag in swift response.

Threat & vulnerability management

The survey reveals that organizations are tracking threats and vulnerabilities. However, most of them do not have a mechanism in place that is capable of swiftly testing the relevance of these issues in their environment. The majority of the organizations ensure that the version of each critical asset is up-to-date to keep the asset free of known vulnerabilities. However, 24 percent of the organizations face compelling reasons such as compatibility of business applications and cost escalation that hinder version upgrades. Further, the heterogeneous nature of IT infrastructure poses a challenge to around 26 percent of respondents in managing threats and vulnerabilities.

Solutions adopted for data protection

Organizations have adopted solutions related to encryption and have started to develop fraud management and forensic capabilities internally. In the wake of data protection regulations, more than 50 percent of the organizations have deployed or are planning to deploy the following solutions:

• Hard Disk Encryption
• Email Encryption
• Data Loss Prevention (DLP)
• Security Incident and Event Monitoring (SIEM)
• Mobile Data Protection
• Legal and Compliance Management.

Solutions deployed or planned to be deployed (% respondents)
Hard Disk Encryption | 78
Email Encryption | 72
Data Loss Prevention (DLP) | 66
Security Incident and Event Monitoring (SIEM) | 62
Mobile Data Protection | 52
Legal and Compliance Management | 52
Database Activity Monitoring | 46
Data Masking | 44
Fraud Management | 42
Compliance Notification Services | 36
Threat Management for mobile computing devices | 34
Computer Forensics | 28
Do not have sufficient budget | 6

Source: DSCI-KPMG Survey 2010

Background screening

Employee background screening is one of the key controls in terms of security, especially when employees have access to critical / confidential information of clients. Background screening is also important given that a majority of the organizations see internal threats as one of the key drivers for data security. Background screening is one of the basic controls for ensuring security; this is evident from the fact that 72 percent of the organizations follow this process for all their employees. Realizing that background screening is not their core competency, 80 percent of the organizations have outsourced it to third party vendors.

Realizing the importance of background screening, NASSCOM started an initiative called the National Skills Register (NSR), to have a credible information repository about all personnel working in the IT and BPO industry. Most of the participants are aware of NSR and its value. However, the adoption of NSR as an exclusive source for employee background screening has been limited.

Background screening is conducted for (% respondents)
Selected relationships | 14
Selected Lines of Service | 10
All employees | 72

Background screening is conducted by (% respondents)
Internally | 18
By third party | 80
Both | 12

Source: DSCI-KPMG Survey 2010

Security Incident Management

Most organizations state that they have formal security incident management in place. Most of the respondents have established mechanisms for internal employees and customers to report incidents, define detection & investigative requirements and proactively detect anomalies. The survey reveals that for 71 percent of the organizations, incident management supports the data breach notification requirements of clients. Further, the incident management process is integrated with IT processes for remedial actions, and almost two-thirds of the organizations have extended the scope of security monitoring to all critical log sources. Organizations have formal processes for reporting security incidents, but only 29 percent of them extend the scope of incident management to third parties.

Security incident management (% respondents)
Mechanism exists for internal employees and customers to report incidents | 84
Logs are securely managed and archived in accordance with compliance requirements | 78
Incident management supports data breach notification requirements (regulatory) of clients | 71
There is a formal reporting mechanism to report incidents to the management, client and regulatory authorities | 69
There is a mechanism to define detective and investigative requirements | 67
Incident management mechanism is integrated with organization IT processes for remedial actions | 67
Scope of security monitoring is extended to all the critical log sources | 63
Real time monitoring mechanisms exist that can proactively detect anomalies | 59
Business rules are defined to identify incidents | 57
There is an inventory of all the possible scenarios that can lead to an incident | 55
Effective solution is implemented for log management, security monitoring and incident management mechanism | 53
Incident management mechanism takes inputs from external knowledge sources on vulnerabilities, anomalous patterns and threats | 47
There is a mechanism that generates an incident based on patterns and business rules | 41
Incident management mechanism supports forensic capabilities | 37
Collaborate with CERT-In for incident reporting and response | 33
Scope of the incident management is extended to third parties | 29

Source: DSCI-KPMG Survey 2010

Business Continuity / Disaster Recovery Planning

The survey revealed that respondents have a mature BC/DR planning process in place, wherein the scope of BCP/DRP covers strategies for client business processes, and recovery objectives for each client relationship are defined. The scope of BCP/DRP for most organizations also covers scenarios like city outage and externally provisioned systems, applications and networks. Organizations also realize that knowledge around BCP/DRP is important; therefore emphasis is given to providing cross-functional training, and BC/DR drills are conducted frequently. Though a significant level of automation exists for DR operations, organizations are yet to adopt automation tools for the entire BCP/DRP. This is evident from the fact that more than 40 percent of the organizations follow manual processes and do not have operational metrics to help take routing decisions. The survey further revealed that though the BCP/DRP processes of many organizations are mature, only 50 percent of organizations have realized that third parties should also be mandated to meet BCP/DRP requirements.

The scope of BCP/DRP (% respondents)
Covers the strategies for client business processes | 78
Extended to cover scenarios like city outage | 76
Recovery objectives for each client relationship | 74
Covers the externally provisioned systems, applications and network | 66

For BCP/DRP there exists (% respondents)
Mapping of each business operation with the associated infrastructure component | 80
Significant level of automation for DR operations | 58
Operational metrics to help take routing decisions | 56
Automated tool to perform BCP/DR process | 28

For BCP/DRP (% respondents)
Adequate technical measures are deployed to migrate or route business processes from one operational location to another | 73
Drill is conducted frequently | 73
The knowledge is managed effectively | 70
Emphasis given on providing cross functional training to employees | 66
Architectural treatment given to availability preparedness that drives redundancy of infrastructure components | 64
Contracts with third parties include obligation to meet our BCP / DR requirements | 50

Source: DSCI-KPMG Survey 2010

BC/DR plans cover most elements of organization's internal boundaries, but few include aspects relating to third parties.

Physical Security

The respondents realize that the risk of data leakage increases once a person has physical access to the operational facility. Therefore, organizations have established strong physical security controls for the perimeter, entry points and interior areas, along with mechanisms for identification & authorization of employees. Organizations also ensure a significant level of collaboration between physical security, information security and other functions. However, in most of the organizations physical security is not integrated with IT security.

Physical security (% respondents)
Adequate controls exist for perimeter, entry points and interior areas | 98
There exists a mechanism for identification and authorization of employees | 98
Entry to the delivery centers is restricted to authorized persons only | 96
A process exists for the movement of assets into the operating areas | 88
Physical security function is owned by the Admin department | 88
A process exists for provisioning and de-provisioning access of visitors, partners, and support services | 86
Physical security operation is driven by stringent and consistent processes | 84
Significant level of collaboration exists between physical security, information security and other functions of the organization | 82
Segregation of duties is maintained in shared facilities | 78
The scope of security testing is extended to cover physical security controls | 76
The scope of the security monitoring and incident management mechanism is extended to integrate the physical security components | 72
An architectural treatment is given to the physical security countermeasures | 70
Physical security is integrated with IT security through competent solutions | 48
There is centralized monitoring of physical security across various locations by a Physical Security Operations Center (PSOC) | 48
Physical security function is owned by the IT department | 6

Source: DSCI-KPMG Survey 2010

In the times of digital convergence, physical security and digital security controls remain disintegrated.

Way forward

Over time, the Indian BPO industry has withstood significant customer and regulatory scrutiny, and has been able to demonstrate that it can embrace the data security and privacy governance processes that are required as a minimum baseline for providing outsourcing services in a high-trust mode. While customers have largely driven consciousness of risks and requisite controls, most organizations in the industry have developed frameworks that aid them in first-line defense, detection, and reacting appropriately to events that threaten this high-trust environment. The industry also continually expands its horizons to newer markets, and has gained a reputation for understanding its exposure to legislation and regulation in varying markets. C-level executives of the BPO industry are well conversant with their responsibilities and liabilities from a data security and privacy standpoint, and the implications of risks emanating from these topics regularly underpin their strategic priorities and decision-making processes.

One of the themes emerging from the survey is that while the BPO industry has attained a high level of maturity on data security, business continuity preparedness, background screening of employees, etc., there are many emerging issues that require its attention. These issues are largely attributable to the rapidly evolving security and regulatory landscape.

Global regulations require organizations to protect the privacy of end customers. The interpretation of these regulations is becoming a significant challenge, requiring a dedicated effort. This will lead to the emergence of a privacy function in a BPO, moving away from the current practice of positioning privacy within the ambit of security. The privacy function will have to bring the regulatory intelligence necessary to support the geographical expansion of organizations. At the same time, it will have to reengineer the organization's processes to demonstrate compliance with the regulations.

The ever-changing threat landscape is driving organizations to redefine their security strategies and programs. The rising complexity and heterogeneous nature of the underlying infrastructure pose a significant challenge in doing so. Organizations need to build the right capabilities for maintaining their security posture and responding swiftly to new threats.

Over the years, BPOs have witnessed substantial growth and have penetrated new Lines of Service. In doing so, they are challenged with the protection of sensitive client data. Each Line of Service is characterized by a specific set of security concerns and liabilities. To sustain its growth, the BPO industry should pay close attention to understanding the risks and liabilities associated with the Lines of Service it serves.

To overcome the challenges identified by the survey, it is important for organizations to adopt a data-centric approach to managing security and privacy risks, and to review all processes, functions and client relations from the data perspective.

BPO as an industry faces unique challenges, and there is a strong case for collaboration between organizations. The industry treats security as hygiene rather than as a competitive advantage. The entire industry can learn from its collective experience, and provide a consistent and unified message of a high-trust environment at the industry level.

Acknowledgments

DSCI Core Team

Vinayak Godse, Director – Data Protection
Vikram Asnani, Senior Consultant – Security Practices
Rahul Jain, Senior Consultant – Security Practices

KPMG Core Team

Navin Agrawal, Executive Director
Nitin Khanapurkar, Executive Director
Atul Gupta, Director
Vijay Subramanyam, Director
Vidur Gupta, Associate Director
Deepak Agarwal, Consultant

KPMG Survey Team

Abhijit Varma
Ankit Goel
Arihant Garg
Jignesh Oza
Lekha Ragupathi
Nayab Kohli
Nitin Shah
Rahul Gupta
Rahul Singhal
Sundar Ramaswamy
Syamala Raju Peketi

DSCI Project Advisory Group

N. Balakrishnan, Chairman, DSCI and Associate Director, IISc Bangalore
BJ Srinath, Senior Director, Cert-In
Anjali Kaushik, MDI Gurgaon
Akhilesh Tuteja, Executive Director, KPMG
Kartik Shahani, Country Manager, India and SAARC, RSA
Satish Das, CSO, Cognizant
Baljinder Singh, Global Head of Technology, InfoSec & BCM, EXL Service
Vishal Salvi, CISO, HDFC Bank
Ashwani Tikoo, CIO, CSC
PVS Murthy, Global Head – Information Risk Management Advisory, TCS
Deepak Rout, CISO, Uninor
Seema Bangera, DGM – Information Security, Intelenet Global

KPMG Contact

Atul Gupta
Director, IT Advisory Services
KPMG in India
T: +91 124 307 4134
E: [email protected]
www.kpmg.com/in

DSCI Contact

Vinayak Godse
Director – Data Protection
DSCI
T: +91 11 2615 5071
E: [email protected]
www.dsci.in

© 2010 KPMG, an Indian Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International Cooperative (“KPMG International”), a Swiss entity.

Printed in India. Copyright © 2010 DSCI. All rights reserved.