Message from CERT-In · This is the third DSCI-KPMG Security Survey, conducted in association with CERT-In. While designing the questionnaire for this survey, we decided that rather

Businesses continue to drive IT operations, which in turn try to sustain existing

systems, often at the cost of security. Customers, on the other hand, are

demanding more security as their worries about cyber crimes, privacy and

identity theft grow. In the networked world, business partners, suppliers, and

vendors also demand assurance of essential and adequate security when they

inter-operate to share information and business data for faster and cost-effective

transactions. At the same time, regulatory and law-enforcement agencies require

proof of compliance with a plethora of security regulations. Under these

circumstances, there is no better way of understanding security preparedness of

companies than through a survey.

It gives me great pleasure to see the results of the survey of BPO companies,

conducted by DSCI through KPMG in India with the active support of DIT. I’m

sure, this survey will help the industry understand the areas that need focus in

order to improve its practices, and present to its clients the best practices

approach for trusted business partnership.

Dr. Gulshan RaiDG, CERT-In

Message from CERT-In

State of Data Secutiry and Privacy in the Indian BPO Industry

This is the third DSCI-KPMG Security Survey, conducted in association with

CERT-In. While designing the questionnaire for this survey, we decided that rather

than conducting a general security survey, we would focus on BPO and Banking

domains. Specific questionnaires were, therefore, drawn up to address the

concerns of these domains.

We present the results of the BPO industry in this report. The depth of questions

may perhaps lead one to conclude that the survey is an attempt at assessment

rather than merely a high-level information capture. At DSCI, we felt that this was

important with a view to understand the data protection trends, underlying issues

and concerns that may be unique and specific to the BPO industry. The focus, in

general is on positioning of security and privacy in organizations; maturity and

characteristics of key security disciplines such as Threat & Vulnerability

Management, Incident Management, among others. Such in-depth questionnaire

was expected to bring out the BPO responses to the rising data breaches

globally.

I am pleased to state that the in-depth approach has resulted in findings that are

more promising. For the BPO industry, while the survey suggests that employee

awareness of data protection continues to be a challenge, the managements are

alive to privacy requirements of clients since many BPOs have established a

privacy team that is distinct from security. Security organization itself is maturing

with CISOs being involved in strategic tasks. An interesting result is the

awareness among BPOs that they may be liable for breaches arising from

vulnerabilities in clients’ environment unless they are vigilant enough to negotiate

a suitable contract. Among the areas that need attention of management, the

following are worth mentioning: employee security awareness should be

increased, need for compliance with amended IT Act should be understood, and

Lines of Business should be involved in data security initiatives.

Dr. Kamlesh BajajCEO, DSCI

Message from DSCI


Message from KPMG in India

The BPO industry in India has always been under significant influence of data

protection regulations. In its initial years of growth phase, corporations have gone

through fairly intense scrutiny of customer audits, which sometimes have been

considered to be crossing the boundary of reasonable controls expectations. In

any case, most CISOs have privately admitted that those audits helped them

learn the tricks of the trade and made them better every time they underwent

such an audit.

The industry has also been conscious that managing adequate level of

information protection is essential for the survival. There have been instances of

penalties being charged for non-compliance to information security safeguards. In

a few extreme cases, clients have renegotiated contracts with their service

providers at lower rates just because the security controls have been found to be

weak. Some experts believe that information security issues can easily become

non-tariff barriers, if the industry as a whole does not embrace appropriate risk

mitigation measures. Given this context and the current global economic

scenario, it couldn’t have been a better time for the industry to demonstrate that

it has the right strategies in place to manage and mitigate the risks of information

security breaches.

The survey validates that the industry understands these implications very well

and have put in place the baseline measures to manage the risk. The survey is

aimed at identifying protection measures of information security in general and

those specific for personally identifiable information (privacy). While the industry

participants have developed frameworks for addressing the information security

concerns, the aspects relating to privacy haven’t matured as much. The survey

highlights current state of the industry and attempts to identify future direction

for a holistic information protection program.

It is argued that surveys conducted through the owners of process many a times

produce more optimistic results and portray the realities better than what it really

is. However, the purpose of the survey being more directional than quantitative

assessment, it serves the purpose of identifying trends and priorities of the

industry. This survey should act as a useful guide for senior executives of BPO

companies in formulating their future positions and will be a good tool for many

CISOs in developing business cases for comprehensive information security

programs. We hope that the companies, which use the services of Indian BPO

industry will also benefit from this survey as it will help them reposition their

compliance monitoring efforts in right direction.

Akhilesh TutejaExecutive Director, KPMG in India


Contents

Introduction 02

Data Security and Privacy 08

Information Security Governance 16

Extended Boundaries 24

Regulations 30

Internal Processes 36

Way Forward 47

Introduction


02

The survey provides insights into the data security and privacy

environment of Indian BPO industry. There is evidence that validates

general perceptions about security and privacy practices and then

there are some outliers that do not align to the seemingly obvious.

Some of the findings of the survey are as follows:

?The industry treats data security more as a hygiene factor, rather than a

point of differentiation to gain competitive advantage

?Customer requirements remain primary drivers for data security to most

of the organizations

?Almost 50 percent of the organizations are negotiating contracts to ensure

that any liability arising from vulnerabilities in the client’s environment is

borne by the client

th?More than 3/4 of the organizations face challenges due to a lack of

awareness amongst employees on liabilities arising from data breaches

?CISOs of majority of the organizations are spending significant time on

strategic initiatives; for example, identifying security implications of new

business initiatives

?Only 44 percent of the respondents are mandating vendors / third parties

to report new threats and vulnerabilities in their products / services

?There seems to be lack of clarity amongst organizations regarding their

liability under ITAA 2008

?More than 75 percent of the organizations involve process owners and

lines of business in data security initiatives.

State of Data Secutiry and Privacy in the Indian BPO Industry 00

03

Highlights

Summary

Indian BPO industry has grown nine times from USD 1.6 billion to USD 14.7

billion in just a decade and is expected to witness robust growth in years to

come. By 2020, Indian outsourcing industry (IT and BPO) which is currently at

USD 60 billion is expected to reach USD 225 billion. During the same period, the

growth in ‘domestic BPO’ revenue is expected to expand seven- folds to reach

USD 15 to USD 17 billion, while ‘export revenue’ is expected to reach USD 50

billion. To sustain this phenomenal growth, the Indian BPO industry needs to

overcome one of the major challenges facing the industry today – addressing

Data Security and Privacy concerns of their stakeholders.

Data Security Council of India (DSCI) and KPMG in India, under the aegis of CERT-

In (DIT), jointly conducted a survey to assess current state of data security and

privacy practices being adopted by the Indian BPO industry and to gain insights

into how the Indian BPO industry is addressing clients concerns.

As part of this initiative, 50 organizations were surveyed with the following

objectives:

?Positioning of data security and privacy in the BPO organizations -

analyzing CISOs’ role and the tasks performed by the security organization

?Maturity and characteristics of key security disciplines such as ‘Threat &

Vulnerability Management’ and ‘Incident Management’ in the wake of

rising data breaches globally

?Level of perceived risks in different Lines of Service (e.g. Customer

Interaction and Support, Payroll, Finance & Accounting, etc.)

?Managing risks arising from clients’ environments

?Mechanisms adopted for conducting employee background screening


04

?Strategic options adopted for Business Continuity and Disaster Recovery

management

?Impact of IT (Amendment) Act, 2008 on the industry

?Evolution of Physical Security and its integration with data security

In order to ensure that the survey results represent the Indian BPO industry at

large, we interviewed CISOs and their equivalents in organizations across BPO

industry segments and sizes.

The survey results highlight trends and insights into the state of data security and

privacy in the Indian BPO industry – many ‘generally known’ practices are

validated, yet certain unexpected insights are revealed.

The maturity of the Indian BPO industry with respect to data security and privacy,

is reflected in the fact that most organizations treat security more as a hygiene

factor rather than a point of differentiation to gain competitive advantage. End

customers in client geographies are concerned about their personal data in the

trans-border data flow. Indian BPO industry realizes this and is equally concerned

about any bad publicity in media, which may result from a data breach. Even the

clients have made a note of such concerns and demand BPO organizations to

undertake privacy initiative and have exclusive mention of data privacy clause in

their contracts. The first section of the report – ‘Data Security & Privacy’ – reveals

these and other such trends in detail.

The information security function in general has been formalized with most

organizations having a designated CISO. However, no standardization with

respect to reporting alignment exists as it varies significantly within the

responding organizations. CISOs are also moving away from security related

operational tasks and are becoming more involved in strategic activities. The

survey reveals that industry needs to increase involvement of business managers

for understanding security requirement of the business.

Data security and privacy

Information security governance


05

Extended boundaries

Regulations

Internal processes

As the industry has been expanding across geographies to serve global clients,

they continue to face a challenge in meeting multiple regulatory or client

requirements. These organizations being well aware of the liabilities arising from

any data breach have been re-negotiating contracts with clients to ensure that any

liability arising from vulnerabilities in the client’s environment is borne by the

client. Similar focus needs to be given to third party service providers since they

have access to client/organization confidential information.

Industry’s focus on global clients is all the more evident from the fact that its data

security and privacy related technological investments are driven by global

regulatory requirements. However, with introduction of Information Technology

(Amendment) Act, 2008 (ITAA 2008), organizations are starting to realize the

liabilities arising from it and have also started revising their security policy to

incorporate ITAA 2008 requirements. As awareness of ITAA 2008 is low, there is

a risk of underestimating the liabilities arising from non-compliance to regulatory

obligations.

There are clear indicators that internal processes have been designed to meet the

best practices. However, the implementation and continuous testing/ monitoring

varies across the organizations.

The findings indicate the level of maturity the industry has achieved when it

comes to processes such as threat & vulnerability management, employee

screening, security incident management, BCP/DRP and physical security

controls.


Data Security and Privacy


08

?Client/contractual requirements and

global data protection regime are the

key drivers for data security practices

in BPO industry

?Organizations perceive that key

threats for data security are internal

in nature

?Respondents are conscious of their

brand image and therefore adopting

data privacy initiatives to prevent any

data breach incident, which may lead

to bad publicity in media

?Organizations focus on data privacy

to address rising concerns of clients’

end customers’ vis-à-vis their

personal data in the trans-border

data flow

?Majority of organizations do not have

dedicated or separate privacy team;

instead, they use data security team

to drive and support privacy

initiatives.

Key findings


Finding its place

Survey reveals that to address end customers’ concern vis-à-vis their

personal data in trans-border data flow, clients are becoming stringent with

respect to ‘Data Security’ & ‘Data Privacy’, which is driving organizations

security and privacy initiatives.

Drivers for data security

Majority of respondents consider security as a hygiene factor rather than a

competitive advantage. Seventy percent of organizations perceive that key

threats for data security are internal in nature. Though internal and external

threats are one of the drivers for security, client/contractual requirements, global

data protection regime and associated liabilities remain the primary drivers for

data security in the industry. At the same time, ITAA 2008 is also becoming an

important driver for data security for organizations.


Source: DSCI-KPMG Survey 2010

Drivers (Data security) (% respondents)

Clients continue to drive the information security requirements. They have helped corporations mature their information security programs through periodic audit and monitoring.

10

94

10 82 6

8

0

10

20

30

40

50

60

70

80

90

100

CentralSecurityFunction

For eachGeographical

location

For each Lineof Service

For eachVertical

Each / majorclient

relationship

Coordinatorfor each

relationship

Security function positioning (% respondents)

Security function

Respondents believe that organizations place due importance to security function rdinternally. This is also coupled with the fact that almost 2/3 of the organizations

have more than five member security team. Most organizations have a central

security function, responsible for data security & privacy, enabling them to ensure

uniformity of controls across organization.

Security is still a centralized function as revealed by the survey. However,

geographical expansion of operations, rising revenue in the Lines of Services and

business growth in client relationships seem to be driving the structure of the

security organization towards localized/decentralized security function.

82

78

74

70

60

58

58

48

44

Focus on ISO 27001

Continuous Vigilance on evolving issues

Keeping top management aware of the risks& liabilities

Constant review of the environment

Providing architectural treatment to securitysolutions

Use enterprise portal to manage securityrequirements

Collaborate with external sources & internalfunctions

Proactively adopt techniques such as threatmodeling, threat tree etc

Focus to innovation in the security initiatives

Maturity of security practices (% respondents)




37

37

10 16

Security Team Size(% respondents)

Less than 5 6-10 11-20 More than 20

10%

37%

37%

16%


11

Maturity of security practices

Drivers for data privacy

Organizations are following standardized processes by taking major strength from

well known standards such as ISO 27001. At the same time, a majority of

organizations keep continuous vigilance on evolving security issues &

vulnerabilities along with constant review of the environment to assess its

security posture. With the current baseline, organizations are adopting forward

looking initiatives such as:

• Providing architectural treatment to security solutions

• Usage of enterprise portal to manage security

• Adopting techniques such as threat modeling, threat tree, etc.

• Focusing on innovation in security initiatives.

Data privacy, as with data security, is primarily driven by client/contractual

requirements and global regulations. However, there are other factors driving data

privacy as well. Organizations are conscious of the fact that a small incident of

data breach, can impact their brand image to a large extent. This also gets

reflected by the fact that 73 percent of the organizations consider bad publicity in

media in case of data breach as a critical driver for their data privacy initiatives.

This becomes all the more important when most of the organizations are trying

to address the concerns of end customers’ vis-à-vis their personal data in trans-

border data flow. Clients’ concern are highlighted by the fact that 50 percent of

the respondents mentioned that their clients demand them to undertake privacy

initiatives and exclusively mention data privacy clauses in contracts. Though the

prime focus remains on end customer’s data, 48 percent of the organizations

have started to focus on protecting the privacy of their employee’s data.

73

73

65

56

50

48

33

24

21

31

35

46

46

33

2

6

4

8

4

6

33

0% 20% 40% 60% 80% 100%

Reputational damage

End customer concerns over trans-border data flow

Global data protection regulations

Data privacy clauses in client contracts

Client’s privacy program

Protecting privacy of employee data

Data Protection Authorities (Clientgeographies)

Drivers (Data privacy) (% respondents)

Critical Important Less Important



12

Privacy function

While primary drivers for data security and data privacy are the same, the controls and

capabilities required for ensuring them are quite different. Realizing this, organizations are

moving towards deploying dedicated personnel for privacy. This is evident from the fact that

41 percent of the organizations have a dedicated privacy function with a team strength of

more than two members.

64

62

62

60

54

52

40

16

8

Understanding exists of different roles and entities for data protection

Understanding exists about Privacy Principles and their applicability

Dedicated policy initiative for privacy

Processes are reviewed regularly from privacy perspective

Specific technology, solutions and processes are deployed for privacy

Scope of audit charter is extended to include privacy

Privacy impact Assessment is performed for new initiatives

Privacy has just appeared on the organization’s agenda

Privacy is seriously lacking as compared to security

Maturity of privacy practices (% respondents)


Not Applicable

Less than 2

2-5

More than 5

Privacy team size (% respondents)

43%

16%

11%30%



Yes, 40% No, 60%

Dedicated privacy function(% respondents)

Privacy gets treated as a sub-set of information security program, which may lead to under-estimation of legal implication.

13

Maturity of privacy practices

The survey reveals that more than 60% of the organizations:

• understand different roles & entities that exist for data protection,

• understand Privacy Principles & their applicability,

• have dedicated privacy policy initiative, and

• regularly review their processes from privacy perspective.

However, not all of these organizations have extended the scope of audit charter to

include privacy and nor do they perform privacy impact assessment whenever new

initiatives are undertaken. Organizations can achieve a much better state of privacy, if

they take a step towards establishing a privacy function with required empowerment.


Information security governance


16

?CISOs of majority of the

organizations are spending

significant time on strategic

initiatives; for example, evaluating

and mitigating security implications

of new business initiatives.

?Organizations are seeking external

assistance largely in security gap

assessment and application security

testing

?Organizations are maturing to

understand and distinguish security

related operational tasks from

strategic security tasks

?Many organizations still do not

involve business manager in

understanding security

requirements.


Key findings

Doing a reality check

The survey results indicate that organizations have come to realize the

significance of CISO and his/her role. CISOs have started to get involved in

strategic tasks, moving away from operational activities.

Role of CISO

The survey reveals that CISOs of nearly 65 percent of the organizations are spending

significant amount of their time on activities like:

?Overseeing security policy enforcement

?Participating in business strategy meetings

?Interacting with support functions for enforcing measures

?Planning for remedial measures

?Issuing guidelines to enterprise units

?Overseeing security projects

?Checking for new issues, threats & vulnerabilities

?Convening meetings of security forums.

This clearly indicates that CISOs are spending significant amount of time on strategic

tasks instead of operational tasks. However, standardization in CISOs role is lacking.

This is evident from the survey results - 29 percent of CISOs spend significant amount

of time on reviewing & approving change requests; at the same time 22 percent

CISOs do not consider it as part of their responsibility. Similarly, more than 50 percent

CISOs spend significant amount of time on ‘reviewing state of security in service

delivery channels’ & ‘reviewing security reports’. However, nearly 15 percent believe

they are not responsible for reviewing these tasks.

CISOs’ reporting line

The survey reveals that organizations have not come to consensus on ‘whom should

the CISO report to?’ This is evident from the fact that there is no standardization on

reporting alignment of CISOs. Further, CISOs have multiple reporting lines, resulting in

a lack of focus and accountability. The survey also revealed that 30 percent of

organization’s CISOs are reporting to CIO/CTO, highlighting the concerns with respect

to independence of security function.

CISO reports to (% respondents)

30

18

16

16

14

4

Chief Executive Officer (CEO)

Chief Operating Officer (COO)

Chief Information Officer (CIO)

Chief Risk Officer (CRO)

Chief Technology Officer (CTO)

Head Quality Assurance

2

8

Audit Committee

Others



18


Organizations need to refine CISO’s role, ensuring minimal involvement in operational

tasks such as review reports of security scans.

90

84

80

71

69

69

65

65

63

61

57

57

51

45

37

29

23

6

12

12

16

24

20

31

27

33

29

33

29

33

45

51

49

52

4

4

8

12

6

10

4

8

4

10

10

14

16

10

12

22

25

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

Overseeing security policy enforcement

Participating in business strategy meetings

Interacting with support functions for enforcing measures

Planning for remedial measures

Issuing guidelines to enterprise units

Overseeing security projects

Checking for new issues, threats and vulnerabilities

Convening security forum meeting

Preparing reports for higher management’s consumption

Reviewing reports of security scan, assessment and audits

Reviewing & responding on security alerts, incidents, issues

Reviewing state of security in Service delivery channels

Reviewing security reports

Overseeing security training of employees

Interacting with IT teams for maintenance of security devices

Reviewing and approve change request

Approving official request of reporting officers

CISO spends time on (% respondents)

Significant Amount of Time Non Significant Amount of Time Not Responsible


The role and expectations from CISO vary across organizations, whilst many spend time on strategic items, a fair bit of operational tasks take his/her attention.

19

Security tasks

Security of the organization is the prime

responsibility of the CISO and his/her team.

However, other functions like IT Infrastructure

Team, Business Unit, Corporate Compliance,

etc. are also involved in the security

management tasks. The survey indicated that

various teams are being involved in right capacity

for security management tasks. This indicates

that organizations are aware of stakeholders

required to be involved for effective

management of security. Trends clearly visible

from survey responses are:

?Operational tasks such as installation of

security solutions, administration of

security technologies, security testing is

performed by IT security and IT

infrastructure team, allowing CISO to focus

on strategic tasks

? The gaps in the security skills are bridged

by availing services of external consultants

for the tasks such as security gap/baseline

assessments, application security testing,

code review, etc.

Though CISO is actively getting involved in

business activities such as business strategy

planning, understanding business requirements

of security etc., involvement of business

managers in security initiatives needs to be

further enhanced.

15

15

64

38

9

36

15

6

Business Manager

Corporate Compliance

CISO

IT Security

IT Infra Team

Audit Team

External Consultant

External Service Provider

Security gap/baseline assessment (% respondents)

Keeping track of evolving threats & Vulnerabilities (% respondents)

12

52

68

16


CISO

IT Security

IT Infra Team

Security requirements of business(% respondents)

63

19

58

27

19

Business Manager


CISO

IT Security

IT Infra Team

Application Security Testing(% respondents)

27

61

20

11

20

CISO

IT Security

IT Infra Team

Audit Team

External Consultant

Security Authorization of Change Requests(% respondents)

16

8

48

58

18

Business Manager


CISO

IT Security

IT Infra Team







20

Security tasks

BusinessManager

CorporateCompliance

CISO ITSecurity

IT InfraTeam

Audit Team

External Consultant

External ServiceProvider

External Consultant

/ServiceProvider

Security Gap/baseline Assessment 15 15 64 38 9 36 15 6 21

Security Strategy Plan 22 14 80 29 16 2 2 0 2

Security Requirements Of Business 63 19 58 27 19 2 0 0 0

Preparing Security Policies & Procedures 6 14 82 41 16 2 10 0 10

Implementating Policies & Procedures 49 20 57 55 47 18 4 4 8

Defining & Managing Security Architeture 8 6 65 55 31 0 4 2 6

Compliance Reporting To Clients56 25 52 21 8 10 2 2 4

Advisory Vis-a-vis Data Security Architecture 17 28 77 26 9 4 19 2 21

Security Solutions Evaluation And Procurement 4 10 69 69 44 4 6 8 15

Install Security Solutions, Products And Tools 2 2 32 62 68 2 6 8 14

Administration Of Security Technologies 0 0 12 66 64 2 0 2 2

Security Testing - VA and PT0 2 22 64 36 12 12 12 24

Application Security Testing , Code Review, Etc. 9 2 27 61 20 11 20 0 20

Conducting And Managing Internal Audits/assments 4 22 61 20 4 71 6 2 8

Security Monitoring 10 10 38 72 30 12 4 4 8

Security Authorization Of Change Requests 16 8 48 58 18 2 0 2 2

Report, Investigate And Close Security Incidents 12 18 68 58 24 6 2 2 4

Keep Track Of The Evolving Threats And Vulnerabilities 0 12 52 68 16 6 6 4 10

Strategies For Protecting Against New Threats And Vulnerabilities 4 16 76 58 16 2 4 0 4

Keep Track Of The Evolving Regulatory Requirements 20 36 62 26 2 8 8 2 10

Participate In Initial Client Meetings To Understand Clients’ Security Requirements

57 17 67 41 24 2 0 0 0

Administration & Testing Bcp /dr Plans 32 18 59 55 52 5 2 2 5



21

Extended boundaries


24

?Meeting multiple regulatory/client

requirements and ensuring employee

seriousness towards data security &

privacy continue to remain key

challenges for organizations

?Organizations are continuously

focusing on spreading awareness

about security but challenges seem

to persist

?Organizations are increasingly

focusing on deploying technical and

organizational safeguards to mitigate

risks arising from client‘s

environment

?Organizations have started

negotiating contracts to ensure that

any liability arising from

vulnerabilities in the client’s

environment is borne by the client

?Organizations have adopted ‘Third

Party Risk Assessment Framework’

along with conducting Vendor Risk

Management exercise for their

service providers.


Key findings

Overcoming challenges

Meeting multiple client/regulatory requirements, while serving clients across

geographies, is a key challenge faced by organizations.

Challenges in managing data security & privacy

Organizations face the challenge of meeting multiple regulatory/client security and

privacy requirements. Internal threats are also a major roadblock in ensuring data

security and privacy, especially when 73 percent of the organizations believe that there

is a lack of seriousness amongst their employees towards data security. Employees in

the young age group with high attrition rates pose a significant challenge in continued

sustenance and management of security & privacy. Organizations need to focus on

spreading awareness on liabilities arising from data breach as it continues to be a

challenge for more than 75 percent of the respondents.

The survey also highlights the fact that 70 percent of the organizations are facing

challenges with respect to ensuring data security and privacy at the client’s

environment. The respondents found to be concerned about relatively moderate

controls implemented at client’s environment. Managing security becomes even more

challenging when employees are highly involved with client organization or could

connect to client‘s environment through public networks.

Challenges faced (% respondents)

45

44

38

35

33

33

27

25

25

22

20

20

20

18

16

16

15

15

9

27

30

36

35

47

26

50

48

35

39

37

30

22

45

43

49

47

40

24

29

26

26

29

20

42

23

27

40

39

43

50

59

37

41

36

38

45

67

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

Meeting multiple client requirements

Employees in young age group with high attrition rates

Meeting multiple regulatory requirements

Client providing liberal access to BPO employees

Emerging and evolving threats and vulnerabilities

Employees connecting to client environment through public network

Lack of employee awareness on liabilities arising from data breaches

Non seriousness of employees for security and privacy

High involvement of employees with client organization

Understanding global data protection regulations

Different connectivity models

Different means used to transfer or access the data

Inadequate budget allocation for data security & privacy

Increased volume and complexity of data intensive transactions

Difficultly to bring visibility over the data

Managing third party risks

International spread of operations

Client prefer business flexibility over the security

Lack of support from Top / Senior Management

Key Challenge One of the challenges Not a challenge



26

Mitigating client environment risk (% respondents)

71

60

54

50

25

Making employees aware of the risks in clientenvironment

Deploying extra technical and organizationalsafeguards

Negotiating contracts to make client liable for exploitation of client’s environment

Include client’s environment in risk management process

Do not consider client environment risk as partof our risk management process

Mitigating client environment risk

Mitigating Third Party Risk

There is an increasing realization about the risks associated with access to the client

data systems. Seventy five percent of the respondents have extended the scope of

risk management processes to include the risks introduced by client’s environment.

Organizations are making their employees aware of the risks that arise from client’s

environment and are also deploying additional technical and organizational controls to

mitigate these risks. Further, organizations have started negotiating contracts to

ensure that any liability arising from vulnerabilities in the client’s environment is borne

by the client.

Organizations realize that with the increasing use of third party service providers, the

risk of data breach increases especially when these service providers have access to

confidential information. Therefore, most of the organizations sign Non Disclosure

Agreements / Confidentiality Agreements with the third party service providers and

use contract as an instrument to make the third party service providers liable for any

security breaches. Beyond that, 48 percent organizations have controls deployed as

per ‘Third Party Risk Assessment Framework’ and 52 percent conduct ‘Vendor Risk

Management’ exercises.

96

77

75

58

Signing Non Disclosure Agreement

Deploying technical and organizationalsafeguards

Contract to make the third party liable forany security breaches

Making our employees aware of the risksarising from third party services

Mitigating third party risk (% respondents) Third party risk management (% respondents)

48

52

42

42

Controls deployed as per "Third Party RiskAssessment Framework"

Conducting Vendor Risk Managementexercise

Both

Neither



Source: DSCI-KPMG Survey 2010 Source: DSCI-KPMG Survey 2010

27

Regulations


30

?Organizations continue to consider

regulatory requirements as a primary

driver for their investments

?Adoption of an enterprise level

automated tool for managing

compliance is still in the nascent

stage

?There seems to be lack of clarity

amongst organizations regarding

their liability under ITAA 2008

?A large percentage of the

organizations have not activated legal

function to understand, interpret and

suggest necessary precautions to

comply with ITAA 2008. This explains

the low level of awareness amongst

the organizations.


Key findings

Staying compliant

The survey results reveal that although organizations have started to create

awareness on ITAA 2008, the level of awareness still needs to be

strengthened.

Tracking contractual / Regulatory requirements

thThe survey highlights that more than 3/4 of the organizations involve legal department

in the initial stages of contract negotiation and maintain an inventory of contractual /

regulatory requirements for each client relationship. However, only 50 percent of the

organizations are well aware of legal & compliance requirements for each type of data

element. Further, only 30 percent of the organizations use enterprise level tool to help

manage compliance. These could be the possible reasons why organizations continue

to face challenge in managing regulatory/client requirements.

Steps taken to track contractual / Regulatory requirements (% respondents)

86

76

70

66

66

62

54

50

46

30

Involve legal department in initial stages of deal negotiation

Maintaining an inventory of contractual / regulatory requirements for eachclient relationship

Compliance / audit / risk manager for each relationship

Mechanism to track regulatory changes

Managed and shared legal & compliance related information effectively

Ensure understanding, interpretation and applicability of legal terms

Business process owners self declare compliance to contractual / regulatory requirements

Legal and compliance requirements and liabilities for each type of dataelement are well known

Subscribed to services that notifies the legal and regulatory changes

An enterprise wide tool helps manage compliance effectively



Compliance processes remain largely manual.

32

Response to liabilities due to data breach

In the wake of global regulations and ITAA 2008, specifying increased civil as well as

criminal liability per data breach, most of the organizations are responding by:

• strengthening their mechanism for monitoring & incident management, and

• creating awareness within the organization and third parties.

44

2231

2

49

1633

20

10

20

30

40

50

60

Yes No Not Sure ITAA 2008 is notapplicable

My Organization can be sued under ITAA 2008 by (% respondents)

End Customers Employees

Awareness on ITAA 2008

Creating awareness on ITAA 2008

There seems to be a lack of clarity amongst respondents regarding applicability of ITAA

2008 as more than 50 percent respondents either responded negative or ‘not sure’

with respect to their liabilities under ITAA 2008.

Low level of awareness around ITAA 2008 could be understood from the fact that rdalmost 1/3 of the organizations have not started specific initiatives towards creating

rdawareness on ITAA 2008 amongst their Top Management, whereas 2/3 of them have

not yet started creating awareness for their clients, employees and contractors.

30

70

3524 15

01020304050607080

BoardMembers

Top / SeniorManagement

Employees Contractors /Third Partyemployees

Clients

Create awareness amongst (% respondents)




Response to liabilities due to data breach (% respondents)

78

76

58

58

47

18

Strengthening monitoring and incidentmanagement mechanism

Creating awareness within theorganization and third parties

Review the client contracts

Activating legal function

Establish a breach notification mechanism

Developing a strong forensic investigationcapabilities


While there is greater awareness of global regulations, the implications of ITAA 2008 remain largely unknown.

33

Response to ITAA 2008

ITAA 2008 as a driver for technology investments

Since most of the organizations have not even involved their legal function to interpret

and suggest necessary safeguards to comply with ITAA 2008, they don’t realize the

impact of the breach. This is highlighted by the fact that 67 percent organizations have

not extended the scope of the security and privacy program to cover employee

personal data.

Organizations’ lack of focus towards ITAA 2008 could be related to the fact that more rdthan 2/3 of the organizations consider global regulations as a primary driver for their

technology investments to enhance information security and regulatory compliance.

ITAA 2008 as a Driver (% respondents)

19

72

2611

01020304050607080

ITAA 2008 issignificant

investment driver

Global regulations as a primary driver

ITAA 2008 hasrecently acquired a

place in thediscussion

ITAA 2008 does nothave any bearings

on investmentdecision


Steps taken in response to ITAA 2008 (% respondents)

46

39

39

33

33

33

30

24

20

17

Strengthening monitoring and incidentmanagement mechanism

Identify the personal information flow tothe organization

Activating legal function

Revising organization’s security policy

Contacting external information sources

Extending the scope of security & privacyto cover employee's personal data

Collaborating with competitors / peers

Review the vendor contracts

Identifying and making an inventory ofscenarios

Developing a strong forensic investigationcapabilities



Internal processes


36

?Organizations involve process

owners and Lines of Business in

their data security initiatives

?Organizations keep a vigilant track of

new issues, vulnerabilities and

threats. However, most of them do

not have a mechanism in place that

is capable of swiftly testing the

relevance of these issues in their

environment

?More than half of the organizations

surveyed do not mandate vendors /

third parties to report new threats

and vulnerabilities in their products /

services

?The industry has matured over the

years in terms of processes such as

security incident management,

BCP/DRP and physical security

management.


Key findings

Being prepared

Internal processes of organizations have matured over the years to a point

where most of the organizations are keeping track of threats & vulnerabilities

and have also established processes for employee background screening,

security incident management, BCP/DRP and physical security control.

Data centric approach

Organizations are bringing a data centric approach in their security initiatives by

understanding the type of operations, client requirements and underlying resources

and access patterns. Further, organizations are increasing aware on how data is

managed in its life cycle and having granular level visibility over the data in each of its

client relationships and business processes. The survey also reveals that 78 percent of

the organizations involve process owners and Lines of Business in their data security

initiatives.

Data sentric approach (% respondents)

78

76

66

66

64

50

36

Involvement of process owners & LoB in the data security initiatives

Understanding about the type of operations,client requirements etc

Aware of how the data is managed in its lifecycle

Data classification techniques have beendeployed and followed rigorously

Granular level visibility over the data

Organization is aware of issues in the clientenvironment

Uniformity of controls is maintained at both client & organization's environments



38

Perceived risk based on lines of service

Global regulations could be the prime reason why organizations perceive business

processes involving personal information as high risk. More than 2/3rd of the

organizations perceive the following business processes as high risk:

?Human resource operations

?Health information processing

?Finance & accounting

?Payroll accounting.

Level of perceived risk (% respondents)

73

72

72

66

54

53

46

41

39

22

22

13

0

17

17

28

24

27

28

46

44

45

56

61

47

38

10

10

0

10

19

19

8

16

16

22

17

40

62

0% 20% 40% 60% 80% 100%

Human Resource Operations

Health Information Processing

Finance and Accounting

Payroll Processing

Legal Processing

Customer Interaction and Support

Billing Management

Business Analytics

Knowledge Services

Supply Chain Management

Procurement Services

Engineering and Design Services

Printing and Publishing Services

High Medium Low



Processes involving personally identifiable information are perceived as high risk.

39

Keep track of evolving threats &

vulnerabilities

Organizations have established appropriate

measures to keep track of new threats and

vulnerabilities, wherein they subscribe to

newsletters, CERT-In alerts, exploit databases and

by periodically visiting websites of data security

vendors. However, there is a need for collaborative

effort amongst peer organizations which could

benefit the entire industry. Organizations should

also consider stronger engagement with

vendors/third parties and insist that they report

new threats and vulnerabilities in their products /

services so that appropriate controls could be

implemented in a timely manner.

Keep track of evolving threats & vulnerabilities(% respondents)

86

76

74

68

62

54

46

44

40

32

30

Risk based internal or external audits

Subscribing to newsletters

Through websites of data security vendors

Subscribing to vulnerability, exploits databases,etc

Subscribing to CERT-In alerts

Through peers / competitors

Security research reports of product andprofessional organizations

Mandating the vendors to report new threats &vulnerabilities in their products

Through discussions on security forums on theinternet

Subscribing to Analysts reports

Provided by the client organizations as part oftheir Risk Management process

Threat (% respondents)

& vulnerability management

84

76

72

62

60

56

50

46

26

24

Keep vigilant track of new issues, vulnerabilityand threats

The version of each critical asset is up-to-date

Integration with IT infrastructure managementprocesses

IT infrastructure is homogeneous

An architectural treatment is given to threat andvulnerability management

Mechanism to test the relevance of issuesswiftly, without delays

Scope of the function is extended to mobilecomputing devices etc

Collaborates with agencies like CERT-In andother knowledge sources

IT infrastructure is heterogeneous

Compatibility of business application & costhinder to make the asset up to date




While organizations keep a close eye on threats and vulnerabilities, they lag in swift response.

40

Threat & vulnerability management

Solutions adopted for data protection

The survey reveals that organizations are tracking threats and vulnerabilities. However,

most of them do not have a mechanism in place that is capable of swiftly testing the

relevance of these issues in their environment. Majority of the organizations ensure

that version of each critical asset is up-to-date to make the asset free of vulnerabilities.

However, 24 percent of the organizations face compelling reasons such as

compatibility of business application and cost escalation hindering version upgrades.

Further, heterogeneous nature of IT infrastructure poses challenge to around 26

percent of respondents in managing threats and vulnerabilities.

Organizations have adopted solutions related to encryption and have started to

develop fraud management and forensic capabilities internally. In the wake of data

protection regulations, more than 50 percent of the organizations have deployed or are

planning to deploy the following solutions:

?Hard Disk Encryption

?Email Encryption

?Data Loss Prevention (DLP)

?Security Incident and Event Monitoring (SIEM)

?Mobile Data Protection

?Legal and Compliance Management.

Solutions deployed or planning to deploy (% respondents)

78

72

66

62

52

52

46

44

42

36

34

28

6

Hard Disk Encryption

Email Encryption

Data Loss Prevention (DLP)

Security Incident and Event Monitoring (SIEM)

Mobile Data Protection

Legal and Compliance Management

Database Activity Monitoring

Data Masking

Fraud Management

Compliance Notification Services

Threat Management for mobile computing devices

Computer Forensic

Do not have sufficient budget



41

Background screening

Employee background screening is one of the key controls in terms of security,

especially when employees have access to critical / confidential information of clients.

Background screening is also important from the fact that a majority of the

organizations see internal threats as one of the key drivers for data security.

Background screening is one of the basic controls for ensuring security; this is evident

from that fact that 72 percent of the organizations follow this process for all their

employees. Realizing that background screening is not their core competency, 80

percent of the organizations have outsourced it to third party vendors.

Realizing the importance of background screening, NASSCOM started the initiative

called National Skills Register (NSR), to have a credible information repository about all

personnel working in the IT and BPO industry. Most of the participants are aware of

NSR and its value. However, the adoption of NSR as an exclusive source for employee

background screening has been limited.

Background screening is conducted for(% respondents)

14 10 72

Selected relationships Selected Lines of Service

All employees

Background screening is conducted by(% respondents)

18

80

12

Internally

By Third party

Both




42

Security Incident Management

Most organizations state that they have formal security incident management in place.

Most of the respondents have established mechanism for internal employees and

customers to report incidents, define detect & investigative requirements and

proactively detect anomalies. The survey reveals that 71 percent of the organizations,

incident management supports data breach notification requirements of clients.

Further, the incident management process is integrated with IT processes for remedial rdactions and almost 2/3 of the organizations have extended the scope of security

monitoring to all critical log sources. Organizations have formal processes for reporting

security incidents, but only 29 percent of them extend the scope of incident

management to third parties.

Security incident management (% respondents)

84

78

71

69

67

67

63

59

57

55

53

47

41

37

33

29

Mechanism exists for internal employees and customers to report incidents

Logs are securely managed and archived in accordance to compliancerequirements

Incident management supports data breach notification requirements(regulatory) of clients

There is a formal reporting mechanism to report incident to the management,client and regulatory authorities

There is a mechanism to define detective and investigative requirements

Incident management mechanism is integrated with organization ITprocesses for remedial actions

Scope of security monitoring is extended to all the critical log sources

Real time monitoring mechanisms exist that can proactively detect anomalies

Business rules are defined to identify incidents

There is an inventory of all the possible scenarios that can lead to an incident

Effective solution is implemented for log management, security monitoringand incident management mechanism

Incident management mechanism takes inputs from external knowledgesources on vulnerabilities, anomalous patterns and threats

There is a mechanism that generate an incident based on patterns andbusiness rules

Incident management mechanisms supports forensic capabilities

Collaborate with CERT-IN for incident reporting and response

Scope of the incident management is extended to third parties



43

Business Continuity / Disaster Recovery Planning

The survey revealed that respondents have a mature BC/DR planning process in place

wherein the scope of BCP/DRP covers strategies for client business processes and

recovery objectives of each client relationship being defined. The scope of BCP/DRP

for most organizations, also cover scenarios like city outage and externally provisioned

systems, applications and networks. Organizations also realize that the knowledge

around BCP/DRP is important, therefore emphasis is given to providing cross-

functional training and BC/DR drills being conducted frequently. Though significant

level of automation exists for DR operations, organizations are yet to adopt automation

tools for the entire BCP/DRP. This is evident from that fact that more than 40 percent

of the organizations follow manual processes and do not have operational metrics to

help take routing decisions. The survey further revealed that though the processes for

many organizations around BCP/DRP are matured, only 50 percent of organizations

have realized that third parties should also be mandated to meet BCP/DRP

requirements.

The scope of BCP/DRP (% respondents)

78

76

74

66

Covers the strategies for client business processes

Extended to cover scenarios like city outage

Recovery objectives for each client relationships

Covers the externally provisioned systems, application and network



For BCP/DRP there exists (% respondents)

80

58

56

28

Mapping of each of business operation with associated Infrastructurecomponent

Significant level of automation for DR operations

Operational metrics to help take routing decisions

Automated tool to perform BCP/DR process


For BCP/DRP (% respondents)

73

73

70

66

64

50

Adequate technical measures are deployed to migrate or route businessprocesses from one operational location to other

Drill is conducted frequently

The knowledge is managed effectively

Emphasis given on providing cross functional training to employees

Architectural treatment given to availability preparedness that drivesredundancy of infrastructure components

Contracts with third parties include obligation to meet our BCP / DRrequirements


BC/DR plans cover most elements of organization’s internal boundaries, but few include aspects relating to third parties.

44

Physical Security

The respondents realize that risk of data leakage increases once a person has physical

access to the operational facility. Therefore, organizations have established strong

physical security controls for perimeter, entry points and interior areas along with

mechanisms for identification & authorization of employee. Organizations also ensure

significant level of collaboration between physical security, information security and

other functions. However, in most of the organizations physical security is not

integrated with IT Security.

Physical security (% respondents)

98

98

96

88

88

86

84

82

78

76

72

70

48

48

6

Adequate controls exists for perimeter, entry points and interior areas

There exists a mechanism for identification and authorization of employee

Entry to the delivery centers is restricted to authorized persons only

A process exists for the movement of assets into the operating areas

Physical security function is owned by the Admin department

A process exists for provisioning and de-provisioning access of visitors,partners, and support services

Physical security operation is driven by stringent and consistent processes

Significant level of collaboration exists between physical security, informationsecurity and other functions of the organization

Segregation of duties is maintained in shared facilities

The scope of security testing is extended to cover physical security controls

The scope of the security monitoring and incident management mechanismis extended to integrate the physical security components

An architectural treatment given to the physical security countermeasures

Physical security is integrated with IT security through competent solutions

There is centralized monitoring of physical security across various locations by Physical Security Operations Center (PSOC)

Physical security function is owned by the IT department



In the times of digital convergence, physical security and digital security controls remain disintegrated.

45

Over time, the Indian BPO Industry has withstood significant customer and regulatory

scrutiny, and has been able to demonstrate that it is able to embrace data security and

privacy governance processes that are required as a minimum baseline for providing

outsourcing services in a high trust mode. While customers have largely driven

consciousness of risks and requisite controls, most organizations in the industry have

developed frameworks that aid them in first line defense, detection, and reacting in an

appropriate manner to events that threaten this high trust environment. The industry

also continually expands its horizons to newer markets, and has gained a reputation in

understanding its exposure to legislation and regulation in varying markets. C-level

executives of the BPO industry are well conversant with their responsibilities and

liabilities from a data security and privacy standpoint, and implications of risks

emanating from these topics regularly underpin the strategic priorities and decision

making processes of such executives.

One of the themes emerging from the survey is that while the BPO industry has

attained a high level of maturity on data security, business continuity preparedness,

background screening of employees, etc., there are many emerging issues that require

its attention. These issues are majorly attributed to the rapidly evolving security and

regulatory landscape.

Global regulations require organizations to protect the privacy of end customers. The

interpretation of these regulations is becoming a significant challenge, requiring a

dedicated effort. This will lead to the emergence of a privacy function in a BPO, moving

away from the current practice of positioning privacy within the ambit of security. The

privacy function will have to bring the necessary regulatory intelligence that supports

the geographical expansion of organizations. On the other hand, it will have to

reengineer organization’s processes to demonstrate compliance to the regulations.

The ever changing threat landscape is driving organizations to redefine their security

strategies and programs. The rising complexity and heterogeneous nature of

underlying infrastructure pose a significant challenge in doing so. They need to build

the right capabilities for maintaining their security posture and responding swiftly to

the new threats.

Over the years, BPOs have witnessed substantial growth and have penetrated into

new Lines of Service. In doing so, they are challenged with protection of sensitive

client data. A particular Line of Service is characterized by a specific set of security

concerns and liabilities. To sustain its growth, BPO industry should pay close attention

to understanding of the risks and liabilities associated with the Lines of Service it is

serving.

To overcome the challenges identified by the survey, it is important for the

organizations to adopt a data-centric approach to manage security & privacy risks and

review all processes, functions and client relations from the data perspective.

BPO as an industry is facing unique challenges and there is a strong case for

collaboration between organizations. The industry treats security as hygiene rather

than a competitive advantage. The entire industry can learn from its experiences, and

provide a consistent and unified message of a high trust environment at the industry

level.

Way forward


47

DSCI Core Team

KPMG Core Team

KPMG Survey Team

DSCI Project Advisory Group

Vinayak Godse Director – Data Protection

Vikram Asnani Senior Consultant – Security Practices

Rahul Jain Senior Consultant – Security Practices

Navin Agrawal Executive Director

Nitin Khanapurkar Executive Director

Atul Gupta Director

Vijay Subramanyam Director

Vidur Gupta Associate Director

Deepak Agarwal Consultant

Abhijit Varma

Ankit Goel

Arihant Garg

Jignesh Oza

Lekha Ragupathi

Nayab Kohli

Nitin Shah

Rahul Gupta

Rahul Singhal

Sundar Ramaswamy

Syamala Raju Peketi

N. Balakrishnan Chairman, DSCI and Associate Director, IISc Bangalore

BJ Srinath Senior Director, Cert-In

Anjali Kaushik MDI Gurgaon

Akhilesh Tuteja Executive Director, KPMG

Kartik Shahani Country Manager, India and SAARC, RSA

Satish Das CSO, Cognizant

Baljinder Singh Global Head of Technology, InfoSec & BCM, EXL Service

Vishal Salvi CISO, HDFC Bank

Ashwani Tikoo CIO, CSC

PVS Murthy Global Head – Information Risk Management Advisory, TCS

Deepak Rout CISO, Uninor

Seema Bangera DGM – Information Security, Intelenet Global

Acknowledgments


KPMG Contact

Director, IT Advisory Services

KPMG in India

T: +91 124 307 4134

E: [email protected]

Atul Gupta

www.kpmg.com/in

DSCI Contact

Director - Data Protection

DSCI

T: +91 11 2615 5071

E: [email protected]

Vinayak Godse

www.dsci.in

© 2010 KPMG, an Indian Partnership and a member firm of the KPMG network of

independent member firms affiliated with KPMG International Cooperative (“KPMG

International”), a Swiss entity. All rights reserved.

The KPMG name, logo and “cutting through complexity” are registered trademarks

or trademarks of KPMG International Cooperative (“KPMG International”), a Swiss

entity.

Printed in India.Copyright © 2010 DSCI. All rights reserved.

Documents

Message from CERT-In · This is the third DSCI-KPMG Security Survey, conducted in association with CERT-In. While designing the questionnaire for this survey, we decided that rather