RISE Presentation, DSCI

  1. DSCI and Data Protection. RISE Seminar on Biometrics & Ethics, Delhi, 24th Sep 2009. Kamlesh Bajaj
  2. Agenda
     - Data Protection
     - Compliance regulations
     - Privacy Perception in India
     - Data Protection u/s 43A amended IT Act, 2008
     - Outsourcing: a real risk, but manageable
     - Best Practices Framework for Data Protection
     - DSCI as SRO
  3. Data Security – Forrester Survey, Q3-2008, Europe
     - DSCI SRO
     - DSCI Program
     - DSCI Chapters
     - DSCI Services
  4. Privacy regulations
  5. Privacy Perceptions in India: Changing Landscape
     - Fast climbing individualism ladder
     - New emerging segment – 25-35 years
     - Transformation from Joint to Nuclear family structure
     - Emergence of personalized services
     - Quantum jump in the use of technological solutions for delivery of financial services
     - Phenomenal increase in the number of credit cards issued by the banks
     - Increasing e-Commerce applications & emergence of m-Commerce
     - Huge investment in e-Governance projects
     - Travel, Airline & Hospitality industry goes online
     - Adoption of Web 2.0 services, social networking
     - Expansion of telecom & mobile connectivity
     Leading to issues like:
     - Annoyance over telemarketing calls and messages
     - Increased awareness of personal information being collected
     - Rising concerns over computer and internet security
     - Increased exposure of IT/ITES industry to global data protection regulations
     - Media coverage of national & international data breaches
  6. How are Compliance Authorities responding?
     - Do Not Call Registry
     - The LICENSEE condition to take necessary steps to safeguard the privacy and confidentiality of any information about a third party & its business to whom it provides the SERVICE
     - Ethical Guidelines for Biomedical Research, by Indian Council of Medical Research, 2000
       - Identity & records of the human subjects of research or experiment are, as far as possible, kept confidential
       - No details about the identity of said human subjects are disclosed without valid scientific and legal reasons, or without the specific consent in writing of the human subject concerned
     - The Telecom Unsolicited Commercial Communication (UCC) Regulations, 2007, by TRAI
     - Reserve Bank of India, Master Circular, July 2007
       - Banks/NBFCs/their agents should not resort to invasion of privacy, viz., reveal any information relating to customers to any other person or organization without obtaining their specific consent
       - Recognizes the purpose for which the information will be used, and the organizations with whom the information will be shared
       - Banks/NBFCs would be solely responsible for the correctness of information; in case of providing information relating to credit history/repayment, the bank/NBFC may explicitly bring this to the notice of the customer
       - The staff of both the banks and their DSA/DMAs should be properly briefed and trained in privacy of customer information
  7. IT (Amendment) Act, 2008: Sections 43A and 72A
     - Section 43 modified: The existing Act provides for penalty for damage to computers and computer systems under the title “Penalty and Adjudication” in section 43, which is widely interpreted as a clause providing data protection in the country. This section has been “improved” to include stealing of “computer source code”, for which compensation can be claimed. (Computer source code has been defined.)
     - New Section 43A: Data protection has now been made more explicit through insertion of a new clause 43A that provides for “compensation to an aggrieved person whose personal data including sensitive personal data may be compromised by a company, during the time it was under processing with the company, for failure to protect such data whether because of negligence in implementing or maintaining reasonable security practices”.
     - Penalty for breach of confidentiality and privacy: Section 72A prescribes punishment for disclosure of information in breach of a lawful contract.
     Key points:
     - Improvement to include “stealing of computer source code”
     - Data Protection: explicit new clause 43A, “compensation to an aggrieved person” whose personal data including “sensitive personal data” may be compromised by a company
     - Compromised because of “negligence in implementing or maintaining reasonable security practices”
     - 72A: punishment for “disclosure of information in breach of a lawful contract”; “disclosure without the consent” of the subject person “will constitute a breach”
  8. Outsourcing offshore is a real risk, but manageable
     - Use of best practices and standards for managing security
     - Control principles: scenario-based control selection, translation of security requirements into controls
     - Security controls: employee background check, hardened desktop (SOE), secured communication channels, infrastructure security (layered defense), physical security, logical access control, data security, security officers, DR/BCP
     - Establishment of assurance mechanisms: security coordination, risk management framework, security processes, security assessment, security monitoring & reporting, and incident management
     - Dedicated standards for building and operating outsourcing locations: Outsourced Delivery Centres (ODC)
     - Compliance support processes: active compliance support, compliance reporting
     Diagram labels:
     - Outsourcing Objective: Low-cost resources; Quality & diversity; Scale up & expanding; Consistent data security; Security at affordable cost
     - DSCI – Data Security & Privacy protection: Establishment of rules & standards; Promote ethics, quality and best practices; Self-regulation; Adoption of best global practices; Independent oversight; Focused mission; Enforcement mechanism
     - Secure outsourcing operations; Privacy for customer confidence
  9. Security Best Practices and Tactical Steps
     As an increasing number of organizations take the decision to send more and more mission-critical work offshore, “security best practices and following some tactical steps” may help to address security issues in global sourcing … (Gartner’s Outsourcing & IT Services Summit, 2007)
  10. IT Act (Amendment) 2008: Sections 43A and 72A
     The need for data protection was reinforced with the notification of the IT (Amendment) Act, 2008. Service providers in India will be required to implement “reasonable security practices” to prevent unauthorized access to personal data of customers being processed by them.
     Diagram labels: DSCI Security Framework / DSCI Security Practices; DSCI Privacy Framework / DSCI Privacy Practices
  11. Approach towards CAP
  12. DSCI Privacy Principles (table of applicability to Data Controller and to Data Processor or Service Provider)
     - 1 Preventing Data Misuse
     - 2 Notice
     - 3 Choice and Consent
     - 4 Collection Limitation
     - 5 Accuracy
     - 6 Use and Retention
     - 7 Access and Correction *
     - 8 Disclosure to third parties
     - 9 Security
     - 10 Monitoring and Enforcement
     - 11 Regulatory Compliance
     - 12 Accountability
  13. DSCI Data Protection Practices
     - DSCI Security Framework (DSF©) / DSCI Security Practices: 16 best practice areas; based on ISO 27001; draws upon the tactical recommendations; takes note of new approaches, technology and tactical mechanisms that have evolved
     - DSCI Privacy Framework (DPF©) / DSCI Privacy Practices: 9 best practices and 12 privacy principles; Privacy Policy Guidelines; Privacy Impact Assessment
  14. DSCI Security Framework (DSF©): 16 best practice areas, grouped under Security Strategy, Technical Security, Security Processes, Monitoring & Testing, Physical & Personnel, Third Party Security, and Data Security
     - SSP – Security Strategy & Policy
     - SEO – Security Organization
     - ASM – Asset Management
     - GRC – Governance, Risk & Compliance
     - INS – Infrastructure Security
     - APS – Application Security
     - SCM – Security Content Management
     - TVM – Threat & Vulnerability Management
     - UAP – User, Access & Privilege Management
     - BDM – Business Continuity & Disaster Management
     - SAT – Security Audit & Testing
     - MIM – Monitoring & Incident Management
     - PEN – Physical & Environment Security
     - TSM – Third Party Security Management
     - PES – Personnel Security
     - DSC – Data Security
  15. DSCI Privacy Framework
  16. DSCI Stakeholders
     - Board of Directors: NASSCOM representation; independent directors; eminent academics
     - IT/ITES Industry: all NASSCOM members
     - Steering Committee: senior security & privacy professionals; IT/ITES and BFSI companies; client companies, captive BPOs, MNCs, foreign banks
     - Working Groups: Education; Contract guidelines; Surveys; Business Model; Physical Security & BCM
     - Sub working groups: Content vetting
     - DSCI Chapters: Bangalore, Delhi, Mumbai; Pune, Kolkata, Hyderabad, Chandigarh; will connect 300 to 500 security professionals from industry
     - Legal & Regulatory Authorities: Data Protection Authorities; EC; FTC
     - Clients: big-ticket outsourcers
     - Security Professionals: independent security professionals
     - Government of India: CERT-In; DIT
     - Other Industry: banks, financial institutions, telecom
  17. DSCI SRO Framework (diagram labels)
     - IT & BPO Companies: self checks, auditor, on an ongoing basis; DSCI Certification / Ratings
     - Awareness creation: Data Security; Data Privacy; for IT/BPO Companies and Law Enforcement
     - DSCI: Education; Training; Surveys; Guidelines for Contracts; Standards / Best Practices
     - Clients: Feedback; Complaints; Dispute Resolution; Escalation to Govt. of India
  18. Use of Biometrics
     - e-Governance Roadmap: $6 billion investment; total projects 26 mission mode + 6 support
       - Biometric passports in India by 2010
       - Biometric PAN card using iris scan
       - Planning use of biometric card for beneficiaries of NREG, SSP
       - Integrated Prisons Management Systems
       - Health Management Information Systems (HMIS)
     - Private organizations: data center access; e-commerce transactions; critical system access
     - Promotion of biometrics ethics
       - Ethics standards for biometric use by NISG (National Institute of Smart Governance)
       - Incorporate biometric data as personal information: rules for IT Act (Amendment) 2008
       - Awareness campaign for users, vendors, organizations and policy makers
  19. Thank You. Kamlesh Bajaj, CEO, DSCI, [email_address]