7/29/2019 Service Provider Assessment Framework
1/68
Service Provider Assessment Framework
A Platform for Building Synergies between Clients and Service Providers for Trusted Global Sourcing
A Study Report
Data Security Council of India in collaboration with Ernst & Young
December 2010
Under Cyber Security Awareness Program,
Department of Information Technology, Government of India
7/29/2019 Service Provider Assessment Framework
2/68
About DSCI

Data Security Council of India (DSCI) is a section 25, not-for-profit company, set up by NASSCOM as an independent Self Regulatory Organization (SRO) to promote data protection, develop security and privacy codes & standards, and encourage the IT/BPO industry to implement the same.

For more information about DSCI or this report, please contact:
Data Security Council of India
Niryat Bhawan, 3rd Floor, Rao Tula Ram Marg, New Delhi 110057, India
Phone: +91-11-26155070
Fax: +91-11-26155072
Email: [email protected]

© 2010 DSCI. All rights reserved.

Disclaimer

This document contains information that is Intellectual Property of DSCI. DSCI expressly disclaims, to the maximum limit permissible by law, all warranties, express or implied, including, but not limited to, implied warranties of merchantability, fitness for a particular purpose and non-infringement. DSCI disclaims responsibility for any loss, injury, liability or damage of any kind resulting from and arising out of use of this material/information or part thereof. Views expressed herein are views of DSCI and/or its respective authors and should not be construed as legal advice or legal opinion. Further, the general availability of information or part thereof does not intend to constitute legal advice or to create a Lawyer/Attorney-Client relationship, in any manner whatsoever.
Foreword

The IT (Amendment) Act, 2008 has established a strong data protection regime in the country, by requiring body corporates to implement reasonable security practices to protect sensitive personal information. What is reasonable security, though? An organization is expected to have a comprehensive information security program, with appropriate controls that are commensurate with its information assets and risk assessment. In the event of a security breach, it should be able to demonstrate that its practices were in conformance with its written security policy, and that its controls were adequate. It is, however, not that easy, since enterprises are outsourcing some of their work, and they must manage information risk across a vast global network of Service Providers. Outsourcing thus brings into focus the practices followed by Service Providers, and their accountability.

Service Providers are subjected to ongoing assessments and on-site audits, which are labor-intensive and costly for both sides. Likewise, Service Providers with hundreds of Clients distributed in various geographies must submit themselves to several audits by the Clients. Moreover, the multiple assessments are based on different frameworks, questionnaires and audit approaches; clearly they result in wasted effort and time and, of course, higher costs. It is the wish of both Clients and Service Providers that third-party evaluations that are standards-based, or framework-based, may ease the assessment burden. But how do they view the implementation of a standard, or best practices for security, and an assessment framework to validate that this has indeed made the organization secure? Again, both of them will have a different perspective on this. Can enterprises take a methodical approach to assessing and managing the risks through frameworks like ISO 27001, BITS Shared Assessment Program, Moody's Vendor Information Risk ratings, Information Security Forum, COSO, NIST or COBIT? Will attestation of a Service Provider's practices necessarily be in the form of a third-party certification, or a maturity rating of its practices?
With DSCI best practices and a data-centric methodology, we've rolled out a solution for adoption by Service Providers to make them secure. DSCI Security Framework (DSF) is based on a number of security principles that help make the security program of an organization dynamic, instead of a static checklist approach that relies on bulky documentation. We wanted to review the available assessment frameworks, to see how DSF could fit into them, and how rating of practices may give a sense of security to organizations, and also show them the direction for improvements. In short, it'll help realize an effective security program, and a transparent assessment framework, that may address the concerns of both Clients and Service Providers. In the process, reasonable security practices will get implemented.

It is with this in view that DSCI partnered with Ernst & Young Pvt. Ltd. (EY) in this study, which required extensive knowledge and experience in the domain, to review the existing frameworks and think through the advantages of certification/ratings. A survey of Clients and Service Providers, based on an in-depth questionnaire, gives key pointers to the concerns of both groups, and points towards a possible third-party ratings approach that may be useful and acceptable to both, namely Clients and Service Providers.

I would like to acknowledge the great team effort of DSCI and EY in conducting this study, and creating a useful analysis. I hope this report will generate sufficient interest among Clients, Service Providers, and even governments and regulators, that will help DSCI arrive at the right decisions in taking the next steps in certification/rating of Service Providers.
Kamlesh Bajaj
CEO, DSCI
The study team

Data Security Council of India
Mr. Vinayak Godse, Director, Data Protection
Mr. Vikram Asnani, Senior Consultant, Security Practices
Mr. Rahul Jain, Senior Consultant, Security Practices

Ernst & Young Pvt. Ltd.
Ms. Nity Singh, Manager, Advisory Services
Mr. Taslimm Quraishi, Manager, Advisory Services
Mr. Lalit Kalra, Consultant, Advisory Services

DSCI Project Advisory Group
Prof. N. Balakrishnan, Chairman, DSCI and Associate Director, Indian Institute of Science (IISc), Bangalore
Mr. B.J. Srinath, Senior Director, Indian Computer Emergency Response Team (CERT-In)
Prof. Anjali Kaushik, Management Development Institute, Gurgaon
Mr. Akhilesh Tuteja, Executive Director, KPMG
Mr. Kartik Shahani, Country Manager, India & SAARC, RSA
Mr. Satish Das, CSO, Cognizant
Mr. Baljinder Singh, Global Head of Technology, Information Security & Business Continuity, EXL Service (I) Pvt. Ltd.
Mr. Vishal Salvi, CISO, HDFC Bank Pvt. Ltd.
Mr. Ashwani Tikoo, CIO, Computer Sciences Corporation India Pvt. Ltd.
Mr. PVS Murthy, Global Head, Information Risk Management Advisory, TCS
Mr. Deepak Rout, CISO, Uninor
Ms. Seema Bangera, DGM, Information Security, Intelenet Global
Executive summary

Businesses today are global, complex and fast evolving, and technology has made business transactions independent of space and time. This has enabled businesses to focus on their core competencies and outsource non-core business operations to Service Providers, who are capable of providing services to businesses from around the world, round the clock. Information Security and Privacy become crucial when it comes to outsourcing, as technology enables the free flow of information across borders between Clients and Service Providers. This information could be business sensitive information and/or sensitive personal information of the Clients' end customers, including but not limited to health-related information, credit card details, social security numbers, etc. Also, stringent global data protection regulations make businesses liable for loss, misuse or wrongful disclosure of any personal information of any citizen, irrespective of whether the failure is at the outsourcer's end or the Service Provider's end.

The Indian IT/BPO Service Providers are striving hard to ensure that the security and privacy of data is well maintained. They follow stringent security controls specified by the Clients through contractual obligations. Clients conduct regular Information Security and Privacy assessments of Service Providers to ensure compliance with contractual obligations and/or regulatory requirements, or simply to assess the security posture of Service Providers. In this outsourcing ecosystem, many Clients have developed and applied their own proprietary assessment frameworks for evaluating their Service Providers. Service Providers, on the other hand, strain their resources to respond to diverse Client information requests. This isolated approach proves to be an inefficient and costly affair, both for Clients and Service Providers. Inconsistencies arising from the use of different assessment methodologies cause delays, resulting in inefficient use of time and resources. Aggravating the problem is the unavailability of a generally accepted standard for Service Provider assessments. To overcome these issues and challenges, DSCI, as an industry initiative, seeks to establish a well-defined Service Provider Assessment Framework in order to have a common assessment approach that can be used to assess different Service Providers.

This study, especially through its survey, attempts to understand the perspective of Client and Service Provider organizations with respect to Service Provider assessments, and takes inputs to define a Service Provider Assessment Framework.
The survey results reveal that:

- DSCI should play a vital role in conducting Service Provider assessments and sharing the outcome in the ecosystem. It should:
  - have a Service Provider assessment program that comprises a framework, processes and methodology for assessments
  - provide an organization-wide security and privacy maturity rating, and domain-specific maturity ratings, that may be shared in the ecosystem after taking due permission from the Service Providers
- A new standard mapped to prevalent standards should be considered as a potential assessment standard for third-party assessments of Service Providers
- DSCI, as an industry initiative and a Self Regulatory Organization having representation from both Client and Service Provider organizations, should empanel auditing firms for conducting independent third-party assessments of Service Providers

The study also focused on understanding various assessment models, including the Malcolm Baldrige Framework, Capability Maturity Model Integration (CMMI), CRISIL Ratings, the BITS framework, the e-Sourcing Capability Model (eSCM) and Moody's assessment framework. The study of assessment models reveals that:

- A Service Provider Assessment Framework should be easy to comprehend and adaptable regardless of the size of the organization and the nature/complexity of its processes
- The framework assessment areas should be outlined in the form of best practices rather than a stringent set of controls. This would give organizations the opportunity to implement/perform the control activities according to the needs of their specific environment
- The framework should follow a process approach and outline measurable assessment areas
- It should be reviewed and updated (if required) on a periodic basis
- The maturity criteria should be transparent, and should help in assigning a formal maturity rating to a Service Provider

Overall, DSCI may develop a Service Provider Assessment Framework that is aligned to DSF Best Practices and the maturity criteria defined for each of its sixteen security disciplines, and to the study results elucidated in this report, and make it popular in the ecosystem by performing pilot runs. The framework may follow a CMMI-like rating methodology, that is, assessment of the security and privacy practices at both layers: capability/maturity of the business processes, and maturity of the organization.
Contents

Introduction ..... 1
Survey Highlights ..... 5
Detailed Survey Results ..... 7
  Key drivers for Service Provider assessments ..... 7
  Scale of Service Provider assessments ..... 9
  Current assessment program/mechanism ..... 11
  Focus on Data Privacy in Service Provider assessments ..... 13
  Types of Service Provider assessments ..... 14
  Level of perceived risk: IT services ..... 15
  Level of perceived risk: BPO services ..... 17
  Risk profiling of Service Providers ..... 18
  Frequency of Service Provider assessments ..... 19
  Budget and cost for Service Provider assessments ..... 21
  Modes of Service Provider assessments ..... 23
  Service Provider assessment challenges ..... 25
  Service Provider assessments: solutions and future landscape ..... 27
  Influence of IT (Amendment) Act, 2008 on Service Provider assessments ..... 29
  Third party assessments ..... 31
  Third party assessors ..... 33
  Standards for Service Provider assessments ..... 35
  Role of DSCI in Service Provider assessments ..... 37
  Outcome of Service Provider assessments ..... 39
  Sharing of Service Provider assessment results ..... 41
Recommendations ..... 43
Annexure ..... 45
Glossary ..... 57
References ..... 57
Introduction

Background

As buyers of Information Technology (IT) and Business Process Outsourcing (BPO) services become increasingly sophisticated and demanding, Service Providers are challenged to achieve new levels of efficiency, agility and transparency in service delivery and protection of information. Clients increasingly expect real evidence of robust process management, continuous improvement, effective governance, and measures adopted for ensuring Information Security and Privacy.

Objective

DSCI engaged EY to study the current landscape of Service Provider (IT/BPO organizations) assessments conducted by Client organizations, and to assist in documenting an assessment approach that may be adopted in order to minimize the challenges of both Client and Service Provider organizations, with the intent of evaluating and reporting on the Information Security and Privacy posture of Service Providers.

Approach

In order to achieve the project objectives, the joint study team undertook the following steps:

Primary research: A survey of Client and Service Provider organizations was undertaken to gain insight into current Service Provider assessment programs. The survey covered the following aspects:
- Business drivers for Client organizations to conduct Service Provider assessments
- The value that the various Service Provider assessments conducted by Client organizations bring to the Service Providers
- Investments made, and challenges faced, by Service Provider and Client organizations in driving such assessments
- Possible solutions for overcoming the current challenges
- Role of DSCI and third parties in Service Provider assessments

Secondary research: A study was undertaken to document the pros and cons of prevalent assessment frameworks like Capability Maturity Model Integration (CMMI), the BITS shared assessment program, the Carnegie Mellon University e-Sourcing Capability Model (eSCM), etc. The list of assessment frameworks was drawn up on the basis of their widespread use and international recognition in performing assessments. The study areas included the following:
- Assessment areas / ease of use by the organization being assessed
- Assessment methodology / scoring pattern / process of sharing assessment results
- Acceptability / popularity of the framework
- Independence of examiners
- Frequency of framework updates to cater to future requirements

The team also studied the DSCI Security Framework (DSF) Best Practices and the maturity rating criteria for each of its sixteen disciplines to gather inputs (in addition to the inputs provided by primary and secondary research) for defining the Service Provider Assessment Framework.
Profile of participants

The survey respondents were a set of Client and Service Provider organizations. The respondents were mostly from the Information Technology (IT), Business Process Outsourcing (BPO), Telecommunications and Financial Services verticals. Correspondingly, the survey results have been divided into two perspectives, the Clients' perspective and the Service Providers' perspective, and may be read accordingly.

[Charts: Industry-wise distribution of the Client organizations and of the Service Provider organizations. One chart has the categories KPO, BPO and IT Services with shares of 42%, 50% and 8%; the other has the categories Telecommunication, Banking, Technology and Financial Services with shares of 37%, 18%, 36% and 9%. The assignment of each share to its category is not recoverable from the extracted text.]
[Chart: Distribution of respondents by annual revenue.
Service Provider organizations (12 in total): 6 in the $1 billion to $9 billion band, 4 in the $100 million to $249 million band, 1 in the $10 billion to $24 billion band, and 1 below $100 million.
Client organizations (9 in total): counts of 3, 3, 1 and 2, listed against the bands More than $24 billion, $1 billion to $24 billion, $100 million to $249 million, and Less than $100 million, in the order the chart lists them.]

The sample size selected for the survey was limited, and this should be taken into consideration when interpreting the survey results.
Survey highlights

- Service Provider assessments are conducted by Client organizations in order to protect business sensitive information and mitigate security & privacy risks while outsourcing work to Indian IT/BPO companies. These assessments help Service Provider organizations align their security & privacy initiatives with their Clients' requirements and build on the existing relationship with the Clients.
- Comprehensive risk-based assessments covering all the domains of security are carried out annually by the majority of Client organizations. Vulnerability assessments and penetration testing continue to display strong acceptance (100%) by Client organizations in Service Provider assessment programs.
- Most Service Provider organizations reported that an ISO 27001 controls checklist is the mechanism used by their Clients for conducting assessments. Client organizations, on the other hand, revealed that they have developed proprietary Service Provider assessment programs for conducting assessments.
- Provisions of the IT (Amendment) Act, 2008 (ITAA 2008) need to be appropriately incorporated in Client-Service Provider contracts.
- The high number of assessments through the year is the most critical challenge faced by Service Providers at the time of assessments, followed by meeting diverse and varied assessment requirements. For Clients, rising legal liabilities, regulatory requirements, the level of security awareness in Service Providers, ensuring compliance by Service Providers, and Service Provider commitment to ensuring Information Security & Privacy are some of the critical challenges faced in assessing Service Providers.
- Currently, Service Provider assessments are mostly conducted onsite by Clients' internal staff. The majority of Client organizations indicated that auditing firms empanelled by a joint industry consortium of outsourcers and Service Providers could act as third-party assessors for conducting independent Service Provider assessments.
- More than half of the Service Provider respondents suggested that DSCI should have a Service Provider assessment program that comprises a framework, processes and methodology for assessments.
- Clients and Service Providers indicate that third parties should conduct Service Provider assessments based on a standardized assessment methodology. This would save cost and effort by avoiding the need for each Client to conduct its own assessments of multiple Service Providers.
- Both Client and Service Provider respondents suggested a new standard, mapped to ISO 27001, NIST SP, COBIT, ITIL etc. and meeting all the regulatory requirements like GLBA, HIPAA, PCI DSS etc., as a potential assessment standard for third-party assessments of Service Providers.
- DSCI should provide an organization-wide security and privacy maturity rating, and also domain-specific maturity ratings.
Detailed survey results

Key drivers for Service Provider assessments

The survey results reflect that the majority of Clients consider protecting business sensitive information and mitigating security & privacy risks as the critical business drivers for conducting Service Provider assessments. On the other hand, Service Providers report that Clients' corporate policy requirements, and achieving end-customer confidence, are the main reasons that drive their Clients to conduct assessments.

Clients' perspective
[Chart: Business drivers for conducting Service Provider assessments (Clients' perspective). Response options: protecting business sensitive information including intellectual property; mitigating security and privacy risks that exist in outsourcing arrangements; addressing the security and privacy concerns of key stakeholders within the organization; strengthening of the data protection regime in the geographies of operation, stipulating stringent requirements and heavy fines for a data breach; using Service Provider assessments as a mechanism to foster a culture of compliance at all Service Providers and introducing a sense of competition among them with regard to fulfilment of their data security and data privacy needs; addressing security and privacy risks that arise from use of emerging technologies; data protection regulations demanding regular assessments of third parties; corporate policies requiring a comprehensive vendor risk assessment; achieving end-customer confidence and preventing loss of reputation by mitigating risks of privacy/information leakage that may arise at the Service Provider end. Response shares as extracted: 88.89%, 88.89%, 77.78%, 77.78%, 55.55%, 55.55%, 44.44%, 44.44%, 33.33%.]
Service Provider assessment as a mechanism to foster a culture of compliance was selected by the fewest Clients (thirty-three percent), while the same response was selected by fifty percent of the Service Provider organizations as a reason for conducting assessments.

Service Providers' perspective

[Chart: Reasons that drive Clients to conduct Service Provider assessments (Service Providers' perspective). Response options: addressing the security and privacy concerns of key stakeholders in the Client organization; protecting business sensitive information including intellectual property; Clients using Service Provider assessments as a mechanism to foster a culture of compliance at all their Service Providers and introducing a sense of competition among them with regard to fulfilment of their data security and data privacy needs; Clients' corporate policies requiring a comprehensive vendor risk assessment; achieving end-customer confidence and preventing loss of reputation by mitigating risks of privacy/information leakage that may arise at the Service Provider end; mitigating security and privacy risks that exist in outsourcing arrangements; data protection regulations demanding that the Client organization undertake regular assessments of third parties; strengthening of the data protection regime in the Client geographies that stipulate stringent requirements and heavy fines for a data breach. Response shares as extracted: 66.67%, 66.67%, 58.33%, 58.33%, 50.00%, 50.00%, 41.67%, 41.67%.]

Protecting business sensitive information and mitigating security and privacy risks are the major drivers for conducting Service Provider assessments.
Scale of Service Provider assessments

The survey results show that the number of Service Provider assessments is directly proportional to the number of Clients or Service Providers that an organization is engaged with. This is illustrated by the fact that Clients working with 500 Service Providers conduct more than 100 Service Provider assessments annually, and those with 200 and 300 Service Providers conduct 10-50 and 50-100 Service Provider assessments respectively. Also, Service Providers engaged with 800 Clients undergo 100-200 assessments annually, and those with 700 and 600 Clients undergo 50-100 assessments.
Clients' perspective

[Chart: Number of Service Providers the organization is engaged with, plotted for each of the 9 Client respondents (y-axis: number of Service Providers, 0 to 600).]

[Chart: Number of Service Provider assessments conducted annually (Clients' perspective): 0-5: 11.11%; 5-10: 22.22%; 10-50: 44.44%; 50-100: 11.11%; Above 100: 11.11%.]
Service Providers' perspective

[Chart: Number of Clients serviced by the organization, plotted for each of the 12 Service Provider respondents (y-axis: number of Clients, 0 to 900).]

[Chart: Number of Service Provider assessments faced annually (Service Providers' perspective): 0-10: 0.00%; 10-50: 18.18%; 50-100: 36.36%; 100-200: 9.09%; 200-400: 27.27%; Above 400: 9.09%.]
Current assessment program/mechanism

Proprietary Service Provider assessments, followed by SAS 70 and the ISO 27001 checklist, are the assessment programs/mechanisms most commonly adopted by Client organizations.

On the other hand, more than ninety percent of Service Providers reported that their Clients use an ISO 27001 checklist for conducting assessments. This is closely followed by proprietary assessment programs and the assessment programs of Client-appointed external auditors (sixty-seven percent each).

The survey further revealed that the majority of Client organizations do not consider ISO 27001 certification an alternative to conducting Service Provider assessments.

Interestingly, the survey also highlighted that the BITS Shared Assessment Program is not used by any of the Client organizations for conducting Service Provider assessments.
Clients' perspective

[Chart: Service Provider assessment program/mechanism used by the organization (Clients' perspective). Response options: ISO 27001 controls checklist; BITS shared assessment program; assessment program developed by the organization (proprietary); reliance on the Statement on Auditing Standards (SAS) No. 70 report provided by the auditing firm assessing the Service Providers; asking the Service Providers to get ISO 27001 certified, thereby eliminating the need for getting assessed; use of a pre-defined controls list provided by an assessment tool; asking the Service Providers to provide self-declaration/attestation of compliance with the organization's security policies/requirements; assessment program of the appointed external auditor. Response shares as extracted: 77.78%, 44.44%, 44.44%, 33.33%, 22.22%, 22.22%, 11.11%, 0.00%. The proprietary program is the 77.78% option and the BITS program the 0.00% option.]
78% of Client organizations use proprietary assessment programs for conducting Service Provider assessments. However, the Service Providers report that their Clients use an ISO 27001 checklist for conducting security and privacy assessments.
Service Providers' perspective

[Chart: Programs/mechanisms used by Clients for conducting assessments (Service Providers' perspective). Response options: ISO 27001 controls checklist; BITS shared assessment program; others; use of a pre-defined controls list provided by an assessment tool; providing self-declaration/attestation of compliance with Client security policies/requirements; getting ISO 27001 certification, which eliminates the need for getting assessed; assessment program of the Client-appointed external auditor; assessment program developed by the Client (proprietary). Response shares as extracted: 91.67%, 66.67%, 66.67%, 41.67%, 25.00%, 16.67%, 16.67%, 0.00%. The ISO 27001 checklist is the 91.67% option; the proprietary program and the external auditor's program are the two 66.67% options.]
Focus on Data Privacy in Service Provider assessments

The survey reveals that the majority of Client organizations cover privacy during Service Provider assessments. In contrast, the majority of Service Providers report that privacy is not covered as part of the assessments.

Eleven percent of the Client organizations also revealed that privacy is not covered as part of Service Provider assessments. Client organizations also seem to be satisfied with the current focus on privacy, as no Clients foresee the need for a change in the privacy focus of Service Provider assessment programs.
Clients' perspective

[Chart: Coverage of privacy in Service Provider assessments (Clients' perspective): Privacy is not covered: 11%; Strongly: 56%; Moderately: 33%; Needs improvement: 0%.]

Service Providers' perspective

[Chart: Coverage of privacy in Service Provider assessments (Service Providers' perspective). Response options: a minority of Clients' Service Provider assessment programs cover Privacy; a majority of Clients' Service Provider assessment programs cover Privacy; nearly half of Clients' assessment programs cover Privacy; none of the Clients' Service Provider assessment programs cover Privacy (0%). Response shares as extracted for the first three options: 41.67%, 25.00%, 33.33%.]

The majority of Service Providers report that their Clients do not cover Privacy during assessments, while Clients report strong coverage of Privacy in Service Provider assessments.
Types of Service Provider assessments

Vulnerability Assessment and Penetration Testing as a methodology of Service Provider assessment has strong acceptance (100%) from Client organizations.

While only twenty-five percent of Service Providers report that line-of-service-specific assessments are considered important by their Clients, Client organizations themselves give more importance to these assessments.

Service Providers reveal that Client organizations display a strong propensity towards undertaking comprehensive risk-based assessments and compliance-based assessments.
Clients' perspective

[Chart: Different types of Service Provider assessments conducted by the organization (Clients' perspective). Response options: risk-based assessments; line-of-service-specific assessments (e.g. conducting an application security assessment for application development services); technical: vulnerability assessment and penetration testing; regulatory/compliance: assessments to check compliance with applicable regulations (e.g. HIPAA, GLBA) or assessments based on compliance with standards like ISO 27001 and PCI DSS. Response shares as extracted: 100.00%, 88.89%, 77.78%, 77.78%; vulnerability assessment and penetration testing is the 100.00% option.]

Service Providers' perspective

[Chart: Different types of assessments conducted by Client organizations (Service Providers' perspective). Response options: comprehensive risk-based assessment covering all the domains of security; assessment based on well-known standards like ISO 27001; comprehensive compliance-based assessment; line-of-service-specific assessment (e.g. conducting an application security assessment for application development services); technical assessment of the IT systems including vulnerability assessment and penetration testing. Response shares as extracted: 100.00%, 83.33%, 75.00%, 75.00%, 25.00%; line-of-service-specific assessment is the 25.00% option.]
Level of perceived risk: IT services

Results indicate that Client organizations perceive outsourcing of
custom application development services as high risk (seventy eight
percent). This is distantly followed by infrastructure services
outsourcing, network and desktop outsourcing, and software deployment
and support, at sixty seven percent each.

Service Providers cited infrastructure outsourcing, followed by network
and desktop outsourcing, as the critical risk areas for Service Provider
assessments.

Neither Clients nor Service Provider organizations attach importance to
IT education and training services for assessments.
Figure: Level of perceived risk in the services outsourced by Client organizations: IT services (Clients' perspective). Segments are labelled High, Medium, Low in that order; where a row shows fewer than three values the omitted segment cannot be identified, so only the first (High) value is unambiguous.

Custom application development: 77.78%, 11.11%
Application management: 55.56%, 33.33%
Infrastructure services outsourcing: 66.67%, 11.11%, 11.11%
Software deployment and support: 66.67%, 11.11%, 11.11%
System integration: 44.44%, 22.22%, 22.22%
Software testing: 44.44%, 44.44%
Network and desktop outsourcing: 66.67%, 22.22%
Hosted application management: 44.44%, 33.33%
Hosted infrastructure services: 44.44%, 33.33%
Network consulting and integration: 33.33%, 22.22%, 22.22%
Hardware deployment and support: 33.33%, 11.11%, 33.33%
IT education and training: 11.11%, 22.22%, 44.44%
IT consulting: 22.22%, 22.22%, 33.33%

Custom application development, network and desktop outsourcing, together with infrastructure outsourcing, are the current watchwords in the context of Service Provider assessments.
Figure: Level of perceived risk in the services outsourced by Client organizations: IT services (Service Providers' perspective). Segments High, Medium, Low. Services charted: Infrastructure services outsourcing; Network and desktop outsourcing; Application management; Hosted application management; Hosted infrastructure services; System integration; Software testing; Custom application development; Software deployment and support; Hardware deployment and support; Network consulting and integration; IT education and training; IT consulting. The text ranks infrastructure services outsourcing first and network and desktop outsourcing second on the High segment, which matches the two largest values in the chart (41.67% and 33.33%); the remaining per-service values (8.33% to 25.00%) cannot be paired with their services from the extracted chart.
Level of perceived risk: BPO services

The survey results indicate that sixty seven percent of Client
organizations and forty two percent of Service Provider organizations
consider that finance and accounting services involve high risk.
Figure: Level of perceived risk in the services outsourced by Client organizations: BPO services (Clients' perspective). Segments are labelled High, Medium, Low in that order; where a row shows fewer than three values the omitted segment cannot be identified, so only the first (High) value is unambiguous.

Finance and accounting: 66.67%, 11.11%
Customer interaction and support: 44.44%, 22.22%
Human resource management: 44.44%, 33.33%, 11.11%
Knowledge services: 44.44%, 22.22%, 11.11%
Vertical specific BPO services: 44.44%, 22.22%, 11.11%
Procurement services: 22.22%, 33.33%, 11.11%

Figure: Level of perceived risk in the services outsourced by Client organizations: BPO services (Service Providers' perspective). Segments High, Medium, Low. Services charted: Finance and accounting; Customer interaction and support; Human resource management; Knowledge services; Vertical specific BPO services; Procurement services. The text gives 41.67% of Service Providers rating finance and accounting as high risk, the largest value in the chart; the remaining per-service values (8.33% to 25.00%) cannot be paired with their services from the extracted chart.

Finance and accounting services are considered important by a majority of the organizations in the context of Service Provider assessments.
Risk profiling of Service Providers

Clients' perspective

The growing awareness of risk management in the Indian IT/BPO industry
was clearly evident from the survey: almost ninety percent of the Client
organizations undertake risk profiling of their Service Providers.

The survey results also emphasize the importance of information security
and privacy: the nature and criticality of the business or services
outsourced, along with the sensitivity of the data exported to Service
Providers, are the criteria given the most importance for risk profiling.
Figure: Risk profiling of Service Providers (Clients' perspective). Undertake risk profiling 89.00%; Do not undertake risk profiling 11.00%.

Figure: Criteria used for risk profiling of Service Providers (Clients' perspective). Criteria: Sensitivity of data exported to the Service Providers; Type of connectivity with the Service Providers; Dependency on the Service Providers; Size and maturity of the Service Providers; ISMS certification achieved by the Service Providers; Nature & criticality of the business/services outsourced; Security incidents/breaches in the past. Values as extracted: 88.89%, 88.89%, 88.89%, 66.67%, 55.56%, 44.44%, 44.44%; the text identifies nature and criticality of the business outsourced and sensitivity of exported data as the top-rated criteria (88.89% each), and the chart's pairing of the remaining values with criteria is not recoverable.

89% of the Client organizations rely on risk profiling to determine the frequency of Service Provider assessments.
Frequency of Service Provider assessments

The finding from the previous question is reinforced by the frequency
of Service Provider assessments undertaken by Client organizations that
perform risk profiling: the survey results show that Service Providers
identified under the critical risk category undergo quarterly
assessments.

A similar trend is observed for Service Providers identified under the
medium and low risk categories, which undergo half-yearly and yearly
assessments according to fifty six and forty five percent of
respondents respectively.

Among organizations that do not undertake risk profiling, yearly
assessments are preferred by almost twenty three percent. Eleven percent
of Client organizations also believe that the frequency depends on the
trust and relationship between the Client and the Service Provider.
Figure: Frequency of assessing the Service Providers (Clients' perspective), by risk category (Critical risk, High risk, Medium risk, Low risk, Negligible) and frequency (Quarterly, Half yearly, Yearly). The text places critical risk Service Providers at quarterly (33.33%), medium risk at half yearly (55.56%) and low risk at yearly (44.44%); the remaining cells (11.11% to 33.33%) cannot be paired with their categories from the extracted chart.

Service Providers with critical risk undergo quarterly assessments according to thirty three percent of Client organizations.
Budget and cost for Service Provider assessments

Clients' perspective

This question aimed to identify the cost impact of Service Provider
assessments on Clients and Service Providers.

Results highlight that the largest group of Client organizations (forty
four percent) allocate only a small portion of the IT security budget to
Service Provider assessments. Only one respondent indicated that its
organization allocates a significant portion of the IT security budget
to Service Provider assessments. On the other hand, a majority of the
Service Providers (sixty seven percent) allocate a considerable portion
of their IT security budget towards assessments. This is because the
cost of periodic Service Provider assessments is built into the service
delivery cost of Service Providers and is part of the contract with the
Service Providers.

Service Provider respondents in the Others category indicated that the
cost of the assessment could be borne by either party, depending on the
relationship and understanding between the Client and the Service
Provider.

The cost of periodic Service Provider assessments is built into the service delivery cost of Service Providers, and is a part of the contractual terms.
Figure: Portion of the IT security budget allocated for conducting Service Provider assessments (Clients' perspective). Small 44.44%; Considerable 22.22%; Negligible 22.22%; Significant 11.11%.

Figure: Cost of Service Provider assessments (Clients' perspective). Options: The cost is borne at the time of the Service Provider assessments by the Service Provider; Efforts spent by the Service Provider resources in coordinating / facing the assessments are billed by the Service Providers; Significant cost of the Service Provider assessments comprises overhead expenses like travel, etc. for our assessors; The cost is borne at the time of the Service Provider assessments and is shared between Client and Service Provider as per the contract; The cost is borne at the time of the Service Provider assessments by the Client; We allocate a portion of our IT security budget for conducting Service Provider assessments; The cost for periodic Service Provider assessments is a part of the contract. Values as extracted: 55.56%, 44.44%, 22.22%, 22.22%, 11.11%, 11.11%, 11.11%; the chart's pairing of values with options is not recoverable.
Service Providers' perspective

Figure: Portion of IT security budget allocated for facing assessments (Service Providers' perspective). Considerable 66.67% (confirmed by the text); the remaining options (Small; Significant; Negligible) account for the values 25.00%, 8.33% and 0.00%.

Figure: Cost of Service Provider assessments (Service Providers' perspective). Options: The cost for periodic Service Provider assessments is a part of the contract; The cost is borne at the time of the Service Provider assessments by the Client; Efforts spent on Service Provider assessments are billed to the clients; The cost is borne at the time of the Service Provider assessments and is shared between Client and Service Provider as per the contract; The cost is borne at the time of the Service Provider assessments by the Service Provider; Significant cost of the assessments comprises overhead expenses like travel and stay arrangements for clients and/or their sourced assessors; We allocate a portion of our IT security budget for Service Provider assessments; Others 16.67%. Values for the remaining options as extracted: 66.67%, 33.33%, 33.33%, 25.00%, 16.67%, 8.33%, 8.33%; the chart's pairing of values with options is not recoverable.
Modes of Service Provider assessments

Client organizations prefer conducting onsite assessments, by their
internal staff or by sourced assessors, after a self assessment by the
Service Provider organization.

The survey results highlight that the higher the risk perceived during
risk profiling, the greater the focus on assessments. A majority of the
respondents conduct onsite assessments for critical, high and medium
risk Service Providers. For the low risk category of Service Providers,
a majority of the Client organizations adopt offshore self assessments.

Client organizations that do not perform risk profiling of their
Service Providers prefer to undertake onsite assessments by sourced
assessors from auditing firms.
Modes of assessment by risk category (Clients' perspective; number of Client organizations, out of eight*)

Category | Self assessment (offshore) | Telephonic (offshore) | Onsite by org internal staff | Onsite by org internal staff and sourced assessors from auditing firms | Onsite by sourced assessors | Third party assessments
Critical risk | 2 | 2 | 6 | 4 | 3 | 3
High risk | 2 | 2 | 6 | 3 | 4 | 3
Medium risk | 4 | 2 | 6 | 3 | 1 | 2
Low risk | 5 | 3 | 4 | 1 | 0 | 0
Negligible | 3 | 2 | 4 | 1 | 0 | 0

*For Client organizations that undertake risk profiling of Service Providers. This data table is for eight Clients; eight out of nine Clients interviewed undertake risk profiling.
Service Providers' perspective

Figure: Modes adopted by Clients for conducting Service Provider assessments (Service Providers' perspective). Options: Onsite assessments are conducted by clients' internal staff; Onsite assessments are conducted by sourced assessors; Onsite assessments are conducted by an independent third party; Telephonic assessments are conducted by sourced assessors hired by the client organization; Telephonic assessments are conducted by clients' internal staff; Self assessment questionnaires are provided in an assessment tool available online, and we directly upload our responses and evidence in the tool without any intervention of the client; Onsite assessments jointly conducted by sourced assessors and clients' internal staff; Self assessment questionnaires are sent through email and we revert with the filled questionnaire and evidence without any intervention of the client. Values as extracted: 100.00%, 75.00%, 66.67%, 66.67%, 25.00%, 25.00%, 8.33%, 8.33%; the chart's pairing of values with options is not recoverable.

Onsite assessment by Clients' internal staff or sourced assessors is the preferred mode of assessment by Clients.
Service Provider assessment challenges

The survey results provide insight into the factors that influence
information security and privacy assessments in IT/BPO organizations.

Subcontracting by Service Providers and the comfort provided by
certifications like ISO 27001 are the critical challenges faced by
Client organizations in assessing Service Providers on information
security and privacy, according to forty four percent of Client
organizations. This is one of the reasons why Client organizations do
not consider ISO 27001 certification an alternative to Service Provider
assessments.
Figure: Challenges faced by Client organizations, rated High, Medium or Low (Clients' perspective). Challenges: Comfort/assurance provided by certifications like ISO 27001; Subcontracting by the Service Providers; Inadequate budget; Auditor accreditation and auditors' management; Service Provider commitment; Meeting multiple customer requirements; Quantum of assessments; Rising legal liabilities/regulatory requirements; Level of security awareness in the Service Providers; Ensuring compliance by your Service Provider; Sensitizing key resources of Service Providers; High direct and indirect costs; Nature of outsourced work; Tracking and closure of assessment findings; Adoption of non-standardized information security and privacy framework; Availability of skilled resources for conducting the assessments; Multiple Service Providers for different lines of services in multiple geographies. The text reports subcontracting and the comfort provided by ISO 27001 certification as rated High by 44.44% of Client organizations; the chart's remaining values (11.11% to 55.56%) cannot be paired with their challenges from the extracted chart.

Subcontracting by the Service Providers and the comfort provided by certifications like ISO 27001 are the most significant assessment challenges faced by Client organizations.
Service Providers' perspective

Factors such as cost and the quantum of assessments were the least
important challenges as perceived by Client organizations, whereas a
majority of Service Providers perceive the high number of assessments
through the year as one of the most significant challenges.

This difference of opinion between Client and Service Provider
organizations regarding the challenges they face clearly indicates the
need for a robust assessment solution that meets the requirements of
both parties.

Figure: Challenges faced by Service Providers, rated High, Medium or Low (Service Providers' perspective). Challenges: High number of assessments around the year; Meeting diverse and varied assessment requirements of different clients; Closing the findings by providing evidence and satisfying the client / auditors; High direct and indirect costs associated with getting assessed multiple times; Ensuring availability of time and resources for coordinating/facing the assessments; Aligning to different areas of assessment/assessment methodologies adopted by different clients. The text identifies the high number of assessments around the year as the most significant challenge, matching the largest High value in the chart (50.00%); the remaining values (8.33% to 50.00%) cannot be paired with their challenges from the extracted chart.

A high number of assessments around the year, and meeting diverse Client requirements, are critical challenges faced by most of the Service Providers.
Service Provider assessment solutions and future landscape

An attempt was made to identify possible solutions to the challenges
faced by organizations. The survey results reveal that approximately
thirty three percent of Clients and forty two percent of Service
Provider organizations prefer the development and adoption of an
international standard for Service Provider assessment. Use of the BITS
shared assessment program was selected by forty four percent of Client
organizations as a first preference among solutions.

Results indicate that more than forty percent of Service Providers
regard the development and adoption of an international standard as
their first preference. Independent third party assessments conducted
by Self Regulatory Organizations (SROs) promoted by the Service
Providers top the chart for Service Providers as a second preference.
Clients' perspective

Figure: Possible solutions to overcome identified challenges (Clients' perspective), by first, second and third preference. Options: Industry & Service Provider promoted and standardized third party assessment programs like BITS; Development and adoption of international standards for Service Provider assessment; There is no need for Service Provider assessments as data security and privacy risks are already addressed through contracts; Self declaration by Service Providers for complying / fulfilling clients' security requirements, thereby making them liable for any security incident / data breach / violation, should suffice; ISO 27001 certification should be accepted globally as a seal of trust and assurance, eliminating the need for Service Provider assessments; Independent third party assessments conducted by Self Regulatory Organizations (SRO) promoted by the Service Providers. The text confirms BITS-style programs (44.00%) and international standards (33.00%) as the leading first preferences; the chart's other values (11.00% to 33.00%) cannot be paired with their options from the extracted chart.

As per Client organizations, an industry and Service Provider promoted, standardized third party assessment program can be used for assessments. This is closely followed by development and adoption of an international standard.
Service Providers' perspective

Figure: Possible solutions to overcome identified challenges (Service Providers' perspective), by first, second and third preference. Options: Development and adoption of international standards for Service Provider assessment; ISO 27001 certification should be accepted by all the clients globally as a seal of trust and assurance, eliminating the need for Service Provider assessments; Industry & Service Provider promoted and standardized third party assessment programs like BITS; Independent third party assessments conducted by Self Regulatory Organizations (SRO) promoted by the Service Providers; There is no need for Service Provider assessments as data security and privacy risks are already addressed through contracts; Self declaration by Service Providers for complying / fulfilling clients' security requirements, thereby making them liable for any security incident / data breach / violation, should suffice. The text confirms international standards as the leading first preference (41.67%) and SRO-conducted third party assessments as the leading second preference; the chart's other values (0.00% to 41.67%) cannot be paired with their options from the extracted chart.

Development and adoption of an international standard is the first preference chosen by Service Providers.
Influence of IT (Amendment) Act, 2008 on Service Provider assessments

There is widespread awareness about the IT (Amendment) Act, 2008 in
the industry.

More than fifty percent of Service Provider and thirty three percent
of Client organizations report that the IT (Amendment) Act, 2008 will
assist in strengthening the data protection initiatives of Indian
Service Providers and would provide greater assurance to Clients.
Approximately thirty three percent of Client organizations believe that
the IT (Amendment) Act, 2008 will have no impact on their information
security and privacy needs, as they must comply with their own
countries' regulations outside India.

A similar proportion of Service Provider organizations revealed that
they were not sure about the impact of the IT (Amendment) Act, 2008 on
Clients' assessment strategy.
Clients' perspective

Figure: Influence of IT (Amendment) Act, 2008 on Service Provider assessment strategy (Clients' perspective). Provisions of IT (Amendment) Act, 2008 need to be appropriately incorporated in the client-Service Provider contracts 66.67%; IT (Amendment) Act, 2008 will have no impact as we need to comply with regulations we are subjected to 33.33%; IT (Amendment) Act, 2008 will strengthen the data protection initiatives of Indian Service Providers and therefore will help provide greater assurance to us for outsourcing our work to India 33.33%; the remaining options (I'm not aware of IT (Amendment) Act, 2008; Self declaration by Service Providers for complying/fulfilling clients' security requirements, thereby making them liable for any security incident/data breach/violation, should suffice) account for the values 11.11% and 0.00%.

The IT (Amendment) Act, 2008 needs to be incorporated in Client-Service Provider contracts; this would assist in strengthening the data protection initiatives of Service Providers.
Service Providers' perspective

Figure: Influence of IT (Amendment) Act, 2008 on Service Provider assessment strategy (Service Providers' perspective). IT (Amendment) Act, 2008 will strengthen the data protection initiatives of Indian Service Providers and therefore will help provide greater assurance to the clients outsourcing their work to India 58.33%; Not sure what the impact of IT (Amendment) Act, 2008 will be 33.33%; IT (Amendment) Act, 2008 will have no impact as clients need to comply with regulations they are subjected to 0.00%; Others 8.33%.
Third party assessments

Third party assessments have gained importance in the Indian IT/BPO
industry. Both Clients and Service Providers revealed that third parties
should conduct Service Provider assessments based on a standardized
assessment methodology.

A majority of respondents emphasized that use of third parties would not
only help in ensuring transparency and independence of the assessments
but also save cost and effort.

A few Clients also reported that their organizations' Executive
Management may not approve or recognize third party assessments.
Clients' perspective

Figure: Options for third party assessments (Clients' perspective). Options: Third parties can conduct assessments of the Service Providers, based on a standardized assessment methodology, at a defined frequency; Third party assessments would save costs and efforts by avoiding the need for conducting assessments of multiple Service Providers; Our regulators / customers may not approve or recognize third party assessments; Third party assessments can be successful only if accepted by the outsourcing community and regulators; Third party assessments will bring transparency and independence; Adopting third party assessments may raise trust and accountability issues; My organization's Executive Management may not approve or recognize third party assessments; Third party assessments will ensure that our resources are able to focus on improving security & privacy posture; Third party assessments may not be able to address the specific assessment requirements arising out of a particular Client-Service Provider relationship. Values as extracted: 66.67%, 66.67%, 55.56%, 55.56%, 55.56%, 55.56%, 22.22%, 11.11%, 11.11%; the text confirms that a majority endorsed third parties conducting assessments on a standardized methodology, the cost and effort saving, and the transparency and independence options, and that only a few selected the Executive Management option.

A majority of Clients and Service Providers report that third parties should conduct Service Provider assessments, based on a standardized assessment methodology at a defined frequency.
Service Providers' perspective

Figure: Options for third party assessments (Service Providers' perspective). Options: Third party assessments may not be able to address the specific assessment requirements arising out of a particular client-Service Provider relationship; Adopting third party assessments may raise trust and accountability issues; Third parties can conduct assessments of the Service Providers, based on a standardized assessment methodology, at a defined frequency; Third party assessments would save costs and efforts by avoiding multiple assessments from different clients; Third party assessments will bring transparency and independence; Third party assessments can be successful only if all our clients accept it, irrespective of industry, geography, Line of Service, etc.; Third party assessments will ensure that our resources are able to focus on improving security & privacy posture instead of supporting multiple assessments. Values as extracted: 66.67%, 41.67%, 41.67%, 41.67%, 33.33%, 16.67%, 16.67%; the text attributes the 33.33% to the option that third party assessments can be successful only if all clients accept them.

Third party assessments would save cost and effort by avoiding multiple assessments from different Clients.

Thirty three percent of Service Providers expressed concern regarding
the use of third party assessments, stating that third party
assessments could be helpful only if their Clients accept them.
Third party assessors

The survey highlighted that auditing firms empanelled by a joint
industry consortium of outsourcers and Service Providers are seen as
the most likely third party assessors for conducting independent
Service Provider assessments, seemingly acceptable to both Client and
Service Provider organizations. This option was selected by sixty seven
and fifty percent of the Client and Service Provider organizations
respectively. Such an industry consortium would represent the interests
and challenges of both sides, the Clients and the Service Providers.
Clients' perspective

Figure: Potential entity acting as third party for conducting independent Service Provider assessments (Clients' perspective). Auditing firms empanelled by a joint industry consortium of outsourcers and the Service Providers 66.67% (confirmed by the text); the remaining options (Auditing firms empanelled by the outsourcers' industry consortium; Self Regulatory Organizations (SRO) promoted by the Service Providers; Auditing firms empanelled by the Service Providers) account for the values 55.56%, 33.33% and 0.00%.

Auditing firms empanelled by a joint industry consortium of Clients and Service Providers can serve as third party assessors for conducting Service Provider assessments.
Service Providers' perspective

Figure: Potential entity acting as third party for conducting independent Service Provider assessments (Service Providers' perspective). Auditing firms empanelled by a joint industry consortium of outsourcers and the Service Providers 50.00% (confirmed by the text); the remaining options (Self Regulatory Organizations (SRO) promoted by the Service Providers; Auditing firms empanelled by the outsourcers' industry consortium; Auditing firms empanelled by the Service Providers) account for the values 58.33%, 25.00% and 8.33%.
Standards for Service Provider assessments

New domains of information security and privacy have evolved. Domains
that were not perceived to be critical are now among the most important
security domains. Organizations have to comply with various models,
standards and frameworks to keep up with changing domains, rules and
regulations. Organizations do not prefer to comply with so many
standards and frameworks, and this perception was clearly evident from
the survey results.

The survey results highlighted that Client organizations are keen on
adopting, as a potential standard for third party assessments, a new
standard mapped to ISO 27001, NIST Special Publications, COBIT, ITIL
etc. that meets all the regulatory requirements like GLBA, HIPAA, PCI
DSS etc. While this view was common to Client organizations and Service
Provider organizations, with eighty nine and sixty seven percent of
respondents respectively selecting this option, in reality Clients may
be more inclined towards a new standard than Service Providers, because
Clients must demonstrate compliance with different regulations. Though
this has an indirect impact on Service Providers, they are primarily
driven by contractual obligations.

Both Client and Service Provider organizations have a similar number of
respondents who selected ISO 27001 (sixty six percent). It seems that
organizations are satisfied with the acceptance of ISO 27001 as a
standard, bearing in mind the challenge faced by Client organizations
with respect to the comfort/assurance provided by Service Providers
through ISO 27001 certification.

A new standard mapped to ISO 27001, NIST-SP, COBIT, ITIL etc. that meets all the regulatory requirements like GLBA, HIPAA, PCI DSS etc. is the preferred standard for third party assessments.

Clients' perspective

Figure: Potential assessment standards for third party assessments of Service Providers (Clients' perspective). A new standard mapped to ISO 27001, NIST SP, COBIT, ITIL, etc. that meets all the regulatory requirements like GLBA, HIPAA, PCI DSS, etc. 88.89%; ISO 27001 standard 66.67%; the remaining options (Others; Security and privacy practices defined by SRO; BITS shared assessment framework) account for the values 22.22%, 22.22% and 11.11%.

Service Providers' perspective

Figure: Potential assessment standards for third party assessments of Service Providers (Service Providers' perspective). A new standard mapped to ISO 27001, NIST-SP, COBIT, ITIL, etc. that meets all the regulatory requirements like GLBA, HIPAA, PCI DSS, etc. 66.67%; ISO 27001 standard 66.67%; the remaining options (Security and privacy practices defined by SRO; BITS shared assessment framework) account for the values 16.67% and 8.33%.

Respondents in the Others category also suggested the use of a unified
compliance framework for assessments.
Role of DSCI in Service Provider assessments

This question aimed to identify the role that DSCI could play, as a
Self Regulatory Organization (SRO) representing both Client and Service
Provider organizations, in conducting Service Provider assessments.

A majority of the Client organizations (sixty seven percent) indicated
that DSCI should create a panel of competent auditors to conduct Service
Provider assessments on behalf of DSCI, develop a code of practices for
data security and privacy that should be adopted by the industry, and
define criteria for assessing the maturity of Service Providers.

Fifty eight percent of the Service Provider organizations indicated
that DSCI should develop a Service Provider assessment program
comprising a framework, processes and methodology for conducting
Service Provider assessments. This option was also highlighted by a
similar share of Client organizations (fifty six percent).
Clients' perspective

Figure: Role of DSCI in Service Provider assessments (Clients' perspective). DSCI should create a panel of competent auditors who will conduct the assessments on behalf of DSCI 66.67%; DSCI should have a code of practices for security and privacy that needs to be adopted by its members 66.67%; The code of practices should have criteria for assessing the maturity of the Service Providers 66.67%; DSCI should have a Service Provider assessment program that comprises a framework, processes and methodology for the assessment 55.56%; the remaining options (DSCI should establish a mechanism to manage the assessment results, including sharing of results with clients and respective Service Providers; The code of practices should take note of existing preparedness and initiatives of Service Providers in the areas of security and privacy; DSCI should have a mechanism to review the Service Provider assessment results on a regular basis; Others) account for the values 55.56%, 55.56%, 33.33% and 11.11%.

A majority of Clients and Service Providers indicated that DSCI should have a Service Provider assessment program that consists of a framework, processes and methodology of assessments.
Service Providers' perspective

Figure: Role of DSCI in Service Provider assessments (Service Providers' perspective). DSCI should have a Service Provider assessment program that comprises a framework, processes and methodology for the assessments 58.33%; Others 8.33%; the remaining options (DSCI should create a panel of competent auditors who will conduct the assessments on behalf of DSCI; DSCI should have a code of practices for security and privacy that needs to be adopted by its members; The code of practices should have criteria for assessing the maturity of the Service Providers; DSCI should have a mechanism to review the Service Provider assessment results on a regular basis; DSCI should establish a mechanism to manage the assessment results, including sharing of results with clients and respective Service Providers; The code of practices should take note of existing preparedness and initiatives of Service Providers in the areas of security and privacy) account for the values 33.33%, 25.00%, 25.00%, 25.00%, 8.33% and 8.33%.
Outcome of Service Provider assessments
The survey results have unequivocally established that there should be organization-wide Security and Privacy maturity ratings as well as domain-specific ratings.
It was also indicated that both Client organizations and Service Provider organizations prefer ratings over certifications.
[Chart: Outcome of Service Provider assessments, Data Security (Clients' perspective). Response values shown: 77.78%, 55.56%, 44.44%. Options polled: DSCI should provide an organization-wide security maturity rating; DSCI should provide a domain-specific maturity rating (e.g. application security maturity rating); DSCI should provide an organization-wide security certification to Service Providers.]
[Chart: Outcome of Service Provider assessments, Data Privacy (Clients' perspective). Response values shown: 88.89%, 44.44%. Options polled: DSCI should provide an organization-wide privacy maturity rating; DSCI should provide an organization-wide privacy certification to Service Providers.]
Organization-wide security and privacy maturity ratings may be provided as a result of Service Provider assessments.
[Chart: Outcome of Service Provider assessments, Data Security (Service Providers' perspective). Response values shown: 58.33%, 33.33%, 16.67%. Options polled: DSCI should provide an organization-wide security maturity rating; DSCI should provide an organization-wide security certification to Service Providers; DSCI should provide a domain-specific maturity rating (e.g. application security maturity rating).]
[Chart: Outcome of Service Provider assessments, Data Privacy (Service Providers' perspective). Response values shown: 75.00%, 50.00%. Options polled: DSCI should provide an organization-wide privacy maturity rating; DSCI should provide an organization-wide privacy certification to Service Providers.]
Sharing of Service Provider assessment results
The majority of Client organizations (sixty seven percent) confirm that if DSCI assumes the role of a third-party assessor, DSCI should conduct the assessment of the targeted Service Provider and share the report with the Client. Client organizations are also in favor of DSCI conducting assessments of the Service Providers and sharing the report with the Service Providers' Clients based upon the authorization of the Service Provider (thirty three percent), while only eleven percent of the Client organizations suggested DSCI conducting the assessment of the Service Provider and submitting its report to the Service Provider.
In case DSCI assumes the role of a third-party assessor, Client and Service Provider organizations strongly support DSCI conducting the assessments of the targeted Service Provider and sharing the report with the Client on receiving requests from the Client.
[Chart: Most suitable assessment process in case DSCI assumes the role of a third-party assessor (Clients' perspective). Responses, with values as confirmed by the accompanying text: 66.67%: on receiving a request from the client, DSCI conducts the assessment of the targeted Service Provider and shares the report with the client; 33.33%: on receiving a request from the Service Provider, DSCI conducts the assessment of the Service Provider and, based on the authorization of the Service Provider, shares the report with the Service Provider's clients; 11.11%: on receiving a request from the Service Provider, DSCI conducts the assessment of the Service Provider and submits its report to the Service Provider, which then shares this report with its clients when requested or otherwise; 11.11%: based on DSCI assessments, Service Providers are benchmarked against defined parameters and the report is made public.]
[Chart: Most suitable assessment process in case DSCI assumes the role of a third-party assessor (Service Providers' perspective). Response values shown: 41.67%, 41.67%, 33.33%, 8.33%, 8.33% (Others). Options polled: based on DSCI assessments, Service Providers are benchmarked against defined parameters and the report is made public; on receiving a request from the Service Provider, DSCI conducts the assessment of the Service Provider and, based on the authorization of the Service Provider, shares the report with the Service Provider's clients; on receiving a request from the client, DSCI conducts the assessment of the targeted Service Provider and shares the report with the client; on receiving a request from the Service Provider, DSCI conducts the assessment of the Service Provider and submits its report to the Service Provider, which then shares this report with its clients; Others. Per the accompanying text, the client-request option and the Service Provider authorization option each received 41.67%.]
More than forty percent of the Service Provider respondents suggested that in case DSCI assumes the role of a third-party assessor, DSCI should conduct the assessment of the targeted Service Provider on receiving a request from the Client and share the report with the Client. The same number of Service Provider organizations also supports the process of DSCI conducting the assessment on receiving a request from the Service Provider and submitting the report to the Service Provider's Clients upon authorization.
Recommendations
The survey revealed some interesting findings and facts, both from the Client and the Service Provider perspective, which were further validated by the secondary research. Based on the study of different assessment frameworks and the findings of the survey, the following are some of the salient preliminary recommendations for developing a Service Provider Assessment Framework:
DSCI should play a vital role in conducting Service Provider assessments and sharing the outcome in the ecosystem. It should:
Have a Service Provider assessment program that comprises a framework, processes, and methodology for assessments.
Provide an organization-wide security and privacy maturity rating, and a domain-specific maturity rating, that may be shared in the ecosystem after taking the due permission of the Service Providers.
A new standard mapped to prevalent standards should be considered as a potential assessment standard for third-party assessments of Service Providers.
DSCI, as an industry initiative and a Self Regulatory Organization having representation from both the Client and Service Provider organizations, should empanel auditing firms for conducting independent third-party assessments.
The advantages of prevalent assessment frameworks, such as adaptability, flexibility, comprehensibility of assessment areas, a process-driven approach, and a measurement-based assessment process, should be the characteristics of the Service Provider assessment framework that may be developed.
The assessment model should not become an overhead for an organization. It should be able to provide specific improvement opportunities that an organization can imbibe. The assessment criteria should be transparent to the extent possible. The framework should be reviewed at least on an annual basis by a competent set of technical and process experts, preferably comprising DSCI members, members from third-party assessors, and the industry.
The assessment framework should be applicable regardless of the size of the organization and the nature/complexity of its processes. For this purpose, the assessment methodology adopted should contain a preliminary set of questions that can be self-assessed by an organization.
The Service Provider assessment framework should provide opportunities to organizations for implementing/performing the control activities according to the needs of the organization's specific environment.
The framework should follow a process approach and outline measurable assessment areas. Assessment areas that link to specific business processes in an organization will be easy to align with overall business goals and objectives.
The framework should provide both an assessment area/domain-based maturity rating and an organization-wide security and privacy maturity rating that summarizes the appraisal results and permits comparison amongst organizations.
The assessment model should be easy to comprehend, and companies should be able to adopt it on their own. All assessment areas should be broken down into a detailed list of specific and measurable steps that are easy to comprehend for assessment purposes.
Annexures
The study team analysed the shortlisted assessment frameworks for their advantages and disadvantages when applied to Client-driven Service Provider assessments. A summary of each framework is provided below:
Malcolm Baldrige National Quality Program
The Malcolm Baldrige National Quality Award program uses the Malcolm Baldrige Assessment framework to assess the quality of the applying organization on seven critical areas for an organization. The framework is based on the processes implemented and the results achieved. The assessment methodology requires a self-assessment by the company applying for the award, which assists in dissolving the disparities between small, medium and large sized companies, and the way the control is implemented at the organization level. The framework has assigned separate weights to each individual area. However, the framework does not provide quantitative requirements for the criteria laid down. The requirements are subjective, and there are chances that the results, when examined by different examiners, may not be reproducible.
Capability Maturity Model Integration (CMMI)
The framework was developed by the Software Engineering Institute (SEI) in an attempt to integrate several disciplines such as Process and Product development, Acquisition and Supplier Sourcing. The framework is focused towards software development organizations; however, the framework can be implemented across various organizations. The framework can be implemented using the Staged or the Continuous representation. The Staged representation provides a Maturity Level for organizations, and the Continuous representation provides Capability Levels as a measure assigned individually against each process area. The framework is flexible and provides opportunities to organizations for undertaking the
activities according to their organization-specific environment. For assessments the framework undertakes a process-based approach, thereby adding value to the organization in the process of being assessed for maturity.
BITS Shared Assessment Program
The financial services industry increasingly relies on information technology (IT) Service Providers to support the delivery of financial services. The BITS shared assessment framework was developed by the BITS IT Service Providers Working Group to address the concerns arising out of increased regulatory scrutiny of financial institution risk assessment and management of outsourced IT services. The framework adopts a risk-based approach for conducting the assessments. The framework can be used as a reference to create a common understanding of the financial services industry's needs among Service Providers and help to address known control weaknesses in outsourced IT services, resulting in more consistent and appropriate levels of management by financial services companies that outsource IT services.
The eSourcing Capability Model for Client Organizations (eSCM-CL)
The eSCM was developed by a consortium led by Carnegie Mellon University's Information Technology Service Qualification Center (ITSqc). The eSCM is a best-practices capability model with two purposes: (1) to give Client organizations guidance that will help them improve their capability across the sourcing life-cycle, and (2) to provide Client organizations with an objective means of evaluating their sourcing capability. The model aims at assisting Client organizations to continuously evolve and improve their capabilities to develop stronger, enduring and more
trusting relationships with their Service Providers, and to meet the dynamic demands of business. The eSCM model provides organizations the flexibility to choose between framework-based use (using the framework as best practices) and evaluation-based use (using the framework to undertake a formal assessment). The eSCM for Client organizations is composed of 95 practices covered under three dimensions: Sourcing Life-cycle, Capability Area, and Capability Level.
CRISIL Rating Methodology
CRISIL rates companies in a variety of sectors. Since each sector has its own nuances, CRISIL has customized the rating criteria and methodology for each sector to make the rating exercise apt and meaningful. Extensive research is undertaken by CRISIL before assigning a rating to an organization. The rating methodology adopts a risk-based approach, thereby helping the organization to al