Emids Morning Security Virtual India V3


Published on May 7, 2009

Virtual Trade Mission: Exploring Opportunities in India

Published in: Technology
  • Regulatory enforcement actions (fines, outsourcing restrictions et al.)
  • Civil suits – individual and class action (data transfer issues, joint & several liability, 3rd party beneficiary suit in data subject country)
  • IT ACT 2000 has provisions for respecting and incorporating the state laws of the client location.

    1. Data Security & Privacy in Offshore Operations – May 7, 2009
    2. Agenda
       • Setting the Context
       • Outlining potential risks
       • Mitigating the risk
         – Understanding existing laws and regulations
         – NASSCOM’s role in the Indian IT market
         – Looking at vendor best practices
         – Drafting contracts for success
       • Question and Answer
       • References
       www.eMids.com
    3. Setting the Context
       Engaging offshore resources has evolved into a best practice for delivering Information Technology and product engineering across several industries. The very nature of the work involves sharing of data and intellectual property. A security breach under these circumstances is a high risk with potentially unpleasant consequences. Differences in law, culture, time zone, and communication seem to amplify the perceived impact of this already inherent risk. This presentation attempts to separate perception from reality and offers an executive overview of data privacy and security in offshore delivery centers.
    4. Potential Risks
       • Suspension of business activity
       • Loss of rights to use data
       • Adverse publicity
       • Damage to brand/image
       • Loss of trade secrets and intellectual property
       • Civil suits – individual and class action
       • Regulatory enforcement actions
    5. Mitigating the Risk
    6. Understanding Existing Laws and Regulations
       • Indian IT Act of 2000 (cyber law) – makes punishable cyber crimes like hacking, damage to computer source code, and breach of confidentiality and privacy
       • Indian Copyright Act – provides protection for intellectual property
       • Indian Penal Code Act – provides criminal punishment for cyber crimes
       • Indian Contract Act – provides for the enforcement of international contracts
       • World Trade Organization (WTO) – WTO-GATS (General Agreement on Trade in Services) provides for internet privacy and gives structure to the regulatory environment in e-business
       • United Nations Commission on International Trade (UNCITRAL) – protects international electronic transactions
    7. NASSCOM’s Role in the Indian IT Market
       • NASSCOM is both the face of India’s burgeoning software industry and a key arm in catalyzing its growth. It is committed to monitoring the security of data and intellectual capital, helping companies deliver at a high level of quality, and coordinating seamless delivery across geographic and political boundaries.
       • 4 E Initiatives
         – Engagement – works across geographic boundaries with organizations such as: Department of Homeland Security, Treasury – Infrastructure Compliance, Federal Reserve Board – NY, Heritage Foundation, CSIS, IPI, academia
         – Education – research reports, model contracts, SLA examples, best practices, educational collateral for Indian law enforcement, media around security and privacy
         – Enactment – lobbies for the enactment of legislation supporting the IT industry (such as the IT Act 2000)
         – Enforcement – joint efforts with police, lawyers and industry bodies ensure enforcement and constant checks to recognize and initiate action against security infringements
    8. NASSCOM’s Role in the Indian IT Market
       • India Cyber Lab – evolved as a unique public-private partnership project for cyber safety
       • Initiation of Data Security Council of India
         – Develop data privacy standards
         – Adoption of best practices
         – Focus on code of conduct
         – Promote and encourage voluntary compliance with the code
         – Provide certifications to organizations
       • Campaign Against Piracy – significant contribution towards ending software piracy across India
    9. Vendor Best Practices
       (Diagram: “Information Security Vendor Best Practice” at the centre, surrounded by four areas – Vendor Framework Adherence, Vendor Employee Awareness, Client-Centric Activities, and Third Party Entities – each expanded on slides 10–13.)
    10. Vendor Framework Adherence
       • ISO 27001
       • SAS 70
       • CMMi
       • HIPAA / PCI
       • Legal business entity
       • Security scope & mission statement
    11. Vendor Employee Awareness
       • Background checks
       • Whistle blower policies
       • Workplace awareness
       • Internal/external training and certification
       • Exit agreements
    12. Client-Centric Activities
       • Customer driven audits
       • Sharing of internal audit results
       • Reporting of perceived threats and breaches
    13. Third Party Entities
       • Independent audits
       • Independent penetration testing
       • Inspection by client’s customers
    14. Drafting Contracts for Success
       • Make security as important in the contracting process as scope, deliverables, and pricing
       • Common contract clauses to consider
         – Confidentiality
         – IP Ownership
         – Return of project materials
         – Non-Disclosure Agreements (NDAs)
         – Physical Security / Isolation
         – Security Audits
         – Network Security
    15. Question and Answer
    16. References
       • WTO – www.wto.org
       • CMMi – www.sei.cmu.edu/cmmi
       • ISO 27001 – www.iso27001security.com
       • NASSCOM – www.nasscom.org