kpmg_dsci_data_security_privacy_survey_2010
Post on 09-Apr-2018
8/7/2019 KPMG_DSCI_Data_Security_Privacy_Survey_2010
1/56
Message from CERT-In

Businesses continue to drive IT operations, which in turn try to sustain existing systems, often at the cost of security. Customers, on the other hand, are demanding more security as their worries about cyber crimes, privacy and identity theft grow. In the networked world, business partners, suppliers, and vendors also demand assurance of essential and adequate security when they inter-operate to share information and business data for faster and cost-effective transactions. At the same time, regulatory and law-enforcement agencies require proof of compliance with a plethora of security regulations. Under these circumstances, there is no better way of understanding the security preparedness of companies than through a survey.

It gives me great pleasure to see the results of the survey of BPO companies, conducted by DSCI through KPMG in India with the active support of DIT. I'm sure this survey will help the industry understand the areas that need focus in order to improve its practices, and present to its clients the best-practices approach for trusted business partnership.

Dr. Gulshan Rai
DG, CERT-In

State of Data Security and Privacy in the Indian BPO Industry
© 2010 KPMG, an Indian Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved.
Message from DSCI

This is the third DSCI-KPMG Security Survey, conducted in association with CERT-In. While designing the questionnaire for this survey, we decided that rather than conducting a general security survey, we would focus on the BPO and Banking domains. Specific questionnaires were, therefore, drawn up to address the concerns of these domains.

We present the results of the BPO industry in this report. The depth of questions may perhaps lead one to conclude that the survey is an attempt at assessment rather than merely a high-level information capture. At DSCI, we felt that this was important with a view to understanding the data protection trends, underlying issues and concerns that may be unique and specific to the BPO industry. The focus, in general, is on the positioning of security and privacy in organizations and on the maturity and characteristics of key security disciplines such as Threat & Vulnerability Management and Incident Management, among others. Such an in-depth questionnaire was expected to bring out the BPO responses to the rising data breaches globally.

I am pleased to state that the in-depth approach has resulted in findings that are more promising. For the BPO industry, while the survey suggests that employee awareness of data protection continues to be a challenge, the managements are alive to the privacy requirements of clients, since many BPOs have established a privacy team that is distinct from security. The security organization itself is maturing, with CISOs being involved in strategic tasks. An interesting result is the awareness among BPOs that they may be liable for breaches arising from vulnerabilities in clients' environments unless they are vigilant enough to negotiate a suitable contract. Among the areas that need the attention of management, the following are worth mentioning: employee security awareness should be increased, the need for compliance with the amended IT Act should be understood, and Lines of Business should be involved in data security initiatives.

Dr. Kamlesh Bajaj
CEO, DSCI
Message from KPMG in India
The BPO industry in India has always been under the significant influence of data protection regulations. In its initial years of growth, corporations went through fairly intense scrutiny of customer audits, which have sometimes been considered to cross the boundary of reasonable control expectations. In any case, most CISOs have privately admitted that those audits helped them learn the tricks of the trade and made them better every time they underwent such an audit.

The industry has also been conscious that managing an adequate level of information protection is essential for survival. There have been instances of penalties being charged for non-compliance with information security safeguards. In a few extreme cases, clients have renegotiated contracts with their service providers at lower rates just because the security controls were found to be weak. Some experts believe that information security issues can easily become non-tariff barriers if the industry as a whole does not embrace appropriate risk mitigation measures. Given this context and the current global economic scenario, it couldn't have been a better time for the industry to demonstrate that it has the right strategies in place to manage and mitigate the risks of information security breaches.

The survey validates that the industry understands these implications very well and has put in place the baseline measures to manage the risk. The survey is aimed at identifying protection measures for information security in general and those specific to personally identifiable information (privacy). While the industry participants have developed frameworks for addressing information security concerns, the aspects relating to privacy haven't matured as much. The survey highlights the current state of the industry and attempts to identify the future direction for a holistic information protection program.

It is argued that surveys conducted through the owners of a process many a time produce more optimistic results and portray the realities as better than they really are. However, the purpose of the survey being more directional than a quantitative assessment, it serves the purpose of identifying the trends and priorities of the industry. This survey should act as a useful guide for senior executives of BPO companies in formulating their future positions and will be a good tool for many CISOs in developing business cases for comprehensive information security programs. We hope that the companies which use the services of the Indian BPO industry will also benefit from this survey, as it will help them reposition their compliance monitoring efforts in the right direction.

Akhilesh Tuteja
Executive Director, KPMG in India
Contents

Introduction
Data Security and Privacy
Information Security Governance
Extended Boundaries
Regulations
Internal Processes
Way Forward
Introduction
Highlights

The survey provides insights into the data security and privacy environment of the Indian BPO industry. There is evidence that validates general perceptions about security and privacy practices, and then there are some outliers that do not align with the seemingly obvious. Some of the findings of the survey are as follows:

- The industry treats data security more as a hygiene factor than as a point of differentiation to gain competitive advantage
- Customer requirements remain the primary drivers for data security for most of the organizations
- Almost 50 percent of the organizations are negotiating contracts to ensure that any liability arising from vulnerabilities in the client's environment is borne by the client
- More than three-fourths of the organizations face challenges due to a lack of awareness amongst employees of the liabilities arising from data breaches
- CISOs of the majority of the organizations are spending significant time on strategic initiatives; for example, identifying the security implications of new business initiatives
- Only 44 percent of the respondents are mandating vendors / third parties to report new threats and vulnerabilities in their products / services
- There seems to be a lack of clarity amongst organizations regarding their liability under ITAA 2008
- More than 75 percent of the organizations involve process owners and lines of business in data security initiatives.
Summary

The Indian BPO industry has grown nine times, from USD 1.6 billion to USD 14.7 billion, in just a decade and is expected to witness robust growth in the years to come. By 2020, the Indian outsourcing industry (IT and BPO), which is currently at USD 60 billion, is expected to reach USD 225 billion. During the same period, domestic BPO revenue is expected to expand seven-fold to reach USD 15 to USD 17 billion, while export revenue is expected to reach USD 50 billion. To sustain this phenomenal growth, the Indian BPO industry needs to overcome one of the major challenges facing the industry today: addressing the Data Security and Privacy concerns of its stakeholders.

Data Security Council of India (DSCI) and KPMG in India, under the aegis of CERT-In (DIT), jointly conducted a survey to assess the current state of data security and privacy practices being adopted by the Indian BPO industry and to gain insights into how the Indian BPO industry is addressing clients' concerns.

As part of this initiative, 50 organizations were surveyed with the following objectives:

- Positioning of data security and privacy in the BPO organizations - analyzing the CISO's role and the tasks performed by the security organization
- Maturity and characteristics of key security disciplines such as Threat & Vulnerability Management and Incident Management in the wake of rising data breaches globally
- Level of perceived risks in different Lines of Service (e.g. Customer Interaction and Support, Payroll, Finance & Accounting, etc.)
- Managing risks arising from clients' environments
- Mechanisms adopted for conducting employee background screening
- Strategic options adopted for Business Continuity and Disaster Recovery management
- Impact of the IT (Amendment) Act, 2008 on the industry
- Evolution of Physical Security and its integration with data security
In order to ensure that the survey results represent the Indian BPO industry at large, we interviewed CISOs and their equivalents in organizations across BPO industry segments and sizes.

The survey results highlight trends and insights into the state of data security and privacy in the Indian BPO industry: many generally known practices are validated, yet certain unexpected insights are revealed.

Data security and privacy

The maturity of the Indian BPO industry with respect to data security and privacy is reflected in the fact that most organizations treat security more as a hygiene factor than as a point of differentiation to gain competitive advantage. End customers in client geographies are concerned about their personal data in the trans-border data flow. The Indian BPO industry realizes this and is equally concerned about any bad publicity in the media that may result from a data breach. Even the clients have taken note of such concerns and demand that BPO organizations undertake privacy initiatives and include an explicit data privacy clause in their contracts. The first section of the report, "Data Security & Privacy", reveals these and other such trends in detail.

Information security governance

The information security function in general has been formalized, with most organizations having a designated CISO. However, no standardization with respect to reporting alignment exists, as it varies significantly across the responding organizations. CISOs are also moving away from security-related operational tasks and becoming more involved in strategic activities. The survey reveals that the industry needs to increase the involvement of business managers in understanding the security requirements of the business.
Extended boundaries

As the industry has been expanding across geographies to serve global clients, organizations continue to face a challenge in meeting multiple regulatory or client requirements. Being well aware of the liabilities arising from any data breach, these organizations have been re-negotiating contracts with clients to ensure that any liability arising from vulnerabilities in the client's environment is borne by the client. Similar focus needs to be given to third-party service providers, since they have access to client/organization confidential information.

Regulations

The industry's focus on global clients is all the more evident from the fact that its data security and privacy related technological investments are driven by global regulatory requirements. However, with the introduction of the Information Technology (Amendment) Act, 2008 (ITAA 2008), organizations are starting to realize the liabilities arising from it and have also started revising their security policies to incorporate ITAA 2008 requirements. As awareness of ITAA 2008 is low, there is a risk of underestimating the liabilities arising from non-compliance with regulatory obligations.

Internal processes

There are clear indicators that internal processes have been designed to meet best practices. However, the implementation and continuous testing/monitoring vary across the organizations.

The findings indicate the level of maturity the industry has achieved when it comes to processes such as threat & vulnerability management, employee screening, security incident management, BCP/DRP and physical security controls.
Data Security and Privacy
Key findings

- Client/contractual requirements and the global data protection regime are the key drivers for data security practices in the BPO industry
- Organizations perceive that the key threats to data security are internal in nature
- Respondents are conscious of their brand image and are therefore adopting data privacy initiatives to prevent any data breach incident that may lead to bad publicity in the media
- Organizations focus on data privacy to address the rising concerns of clients' end customers vis-à-vis their personal data in the trans-border data flow
- The majority of organizations do not have a dedicated or separate privacy team; instead, they use the data security team to drive and support privacy initiatives.
Finding its place

The survey reveals that, to address end customers' concerns vis-à-vis their personal data in the trans-border data flow, clients are becoming stringent with respect to Data Security & Data Privacy, which is driving organizations' security and privacy initiatives.

Drivers for data security

The majority of respondents consider security a hygiene factor rather than a competitive advantage. Seventy percent of organizations perceive that the key threats to data security are internal in nature. Though internal and external threats are among the drivers for security, client/contractual requirements, the global data protection regime and the associated liabilities remain the primary drivers for data security in the industry. At the same time, ITAA 2008 is also becoming an important driver for data security for organizations.

[Chart: Drivers (Data security) (% respondents). Source: DSCI-KPMG Survey 2010]

Clients continue to drive the information security requirements. They have helped corporations mature their information security programs through periodic audit and monitoring.
[Chart: Security function positioning (% respondents). Categories: Central Security Function; For each Geographical location; For each Line of Service; For each Vertical; Each / major client relationship; Coordinator for each relationship. Source: DSCI-KPMG Survey 2010]
Security function

Respondents believe that organizations place due importance on the security function internally. This is coupled with the fact that almost two-thirds of the organizations have a security team of more than five members. Most organizations have a central security function, responsible for data security & privacy, enabling them to ensure uniformity of controls across the organization.

Security is still a centralized function, as revealed by the survey. However, geographical expansion of operations, rising revenue in the Lines of Service and business growth in client relationships seem to be driving the structure of the security organization towards a localized/decentralized security function.
Maturity of security practices (% respondents)
Focus on ISO 27001: 82
Continuous vigilance on evolving issues: 78
Keeping top management aware of the risks & liabilities: 74
Constant review of the environment: 70
Providing architectural treatment to security solutions: 60
Use enterprise portal to manage security requirements: 58
Collaborate with external sources & internal functions: 58
Proactively adopt techniques such as threat modeling, threat tree etc.: 48
Focus on innovation in the security initiatives: 44
Source: DSCI-KPMG Survey 2010

[Pie chart: Security Team Size (% respondents). Categories: Less than 5; 6-10; 11-20; More than 20. Segments: 37%, 37%, 16%, 10%. Source: DSCI-KPMG Survey 2010]
Maturity of security practices

Organizations are following standardized processes, drawing major strength from well-known standards such as ISO 27001. At the same time, a majority of organizations keep continuous vigilance on evolving security issues & vulnerabilities, along with constant review of the environment to assess its security posture. With the current baseline, organizations are adopting forward-looking initiatives such as:

- Providing architectural treatment to security solutions
- Usage of an enterprise portal to manage security
- Adopting techniques such as threat modeling, threat trees, etc.
- Focusing on innovation in security initiatives.

Drivers for data privacy

Data privacy, like data security, is primarily driven by client/contractual requirements and global regulations. However, there are other factors driving data privacy as well. Organizations are conscious of the fact that a small data breach incident can impact their brand image to a large extent. This is also reflected by the fact that 73 percent of the organizations consider bad publicity in the media in case of a data breach a critical driver for their data privacy initiatives. This becomes all the more important when most of the organizations are trying to address the concerns of end customers vis-à-vis their personal data in the trans-border data flow. Clients' concerns are highlighted by the fact that 50 percent of the respondents mentioned that their clients demand that they undertake privacy initiatives and explicitly mention data privacy clauses in contracts. Though the prime focus remains on end customers' data, 48 percent of the organizations have started to focus on protecting the privacy of their employees' data.
Drivers (Data privacy) (% respondents): Critical / Important / Less Important
Reputational damage: 73 / 24 / 2
End customer concerns over trans-border data flow: 73 / 21 / 6
Global data protection regulations: 65 / 31 / 4
Data privacy clauses in client contracts: 56 / 35 / 8
Clients' privacy program: 50 / 46 / 4
Protecting privacy of employee data: 48 / 46 / 6
Data Protection Authorities (Client geographies): 33 / 33 / 33
Source: DSCI-KPMG Survey 2010
Privacy function

While the primary drivers for data security and data privacy are the same, the controls and capabilities required for ensuring them are quite different. Realizing this, organizations are moving towards deploying dedicated personnel for privacy. This is evident from the fact that 41 percent of the organizations have a dedicated privacy function with a team strength of more than two members.
Maturity of privacy practices (% respondents)
Understanding exists of different roles and entities for data protection: 64
Understanding exists about Privacy Principles and their applicability: 62
Dedicated policy initiative for privacy: 62
Processes are reviewed regularly from a privacy perspective: 60
Specific technology, solutions and processes are deployed for privacy: 54
Scope of audit charter is extended to include privacy: 52
Privacy Impact Assessment is performed for new initiatives: 40
Privacy has just appeared on the organization's agenda: 16
Privacy is seriously lacking as compared to security: 8
Source: DSCI-KPMG Survey 2010

Privacy team size (% respondents)
Not Applicable: 43
Less than 2: 16
2-5: 11
More than 5: 30
Source: DSCI-KPMG Survey 2010

Dedicated privacy function (% respondents): Yes 40, No 60

Privacy gets treated as a sub-set of the information security program, which may lead to under-estimation of the legal implications.
Maturity of privacy practices

The survey reveals that more than 60% of the organizations:

- understand the different roles & entities that exist for data protection,
- understand Privacy Principles & their applicability,
- have a dedicated privacy policy initiative, and
- regularly review their processes from a privacy perspective.

However, not all of these organizations have extended the scope of the audit charter to include privacy, nor do they perform a privacy impact assessment whenever new initiatives are undertaken. Organizations can achieve a much better state of privacy if they take a step towards establishing a privacy function with the required empowerment.
Information security governance
Key findings

- CISOs of the majority of the organizations are spending significant time on strategic initiatives; for example, evaluating and mitigating the security implications of new business initiatives.
- Organizations are seeking external assistance largely in security gap assessment and application security testing
- Organizations are maturing to understand and distinguish security-related operational tasks from strategic security tasks
- Many organizations still do not involve business managers in understanding security requirements.
Doing a reality check

The survey results indicate that organizations have come to realize the significance of the CISO and his/her role. CISOs have started to get involved in strategic tasks, moving away from operational activities.

Role of CISO

The survey reveals that CISOs of nearly 65 percent of the organizations are spending a significant amount of their time on activities like:

- Overseeing security policy enforcement
- Participating in business strategy meetings
- Interacting with support functions for enforcing measures
- Planning for remedial measures
- Issuing guidelines to enterprise units
- Overseeing security projects
- Checking for new issues, threats & vulnerabilities
- Convening meetings of security forums.

This clearly indicates that CISOs are spending a significant amount of time on strategic tasks instead of operational tasks. However, standardization of the CISO's role is lacking. This is evident from the survey results: 29 percent of CISOs spend a significant amount of time on reviewing & approving change requests; at the same time, 22 percent of CISOs do not consider it part of their responsibility. Similarly, more than 50 percent of CISOs spend a significant amount of time on reviewing the state of security in service delivery channels & reviewing security reports. However, nearly 15 percent believe they are not responsible for these tasks.

CISO's reporting line

The survey reveals that organizations have not reached a consensus on whom the CISO should report to. This is evident from the fact that there is no standardization in the reporting alignment of CISOs. Further, CISOs have multiple reporting lines, resulting in a lack of focus and accountability. The survey also revealed that in 30 percent of organizations CISOs are reporting to the CIO/CTO, highlighting concerns with respect to the independence of the security function.
CISO reports to (% respondents)
Chief Executive Officer (CEO): 30
Chief Operating Officer (COO): 18
Chief Information Officer (CIO): 16
Chief Risk Officer (CRO): 16
Chief Technology Officer (CTO): 14
Head Quality Assurance: 4
Audit Committee: 2
Others: 8
Source: DSCI-KPMG Survey 2010
Organizations need to refine the CISO's role, ensuring minimal involvement in operational tasks such as reviewing reports of security scans.
CISO spends time on (% respondents): Significant Amount of Time / Non-Significant Amount of Time / Not Responsible
Overseeing security policy enforcement: 90 / 6 / 4
Participating in business strategy meetings: 84 / 12 / 4
Interacting with support functions for enforcing measures: 80 / 12 / 8
Planning for remedial measures: 71 / 16 / 12
Issuing guidelines to enterprise units: 69 / 24 / 6
Overseeing security projects: 69 / 20 / 10
Checking for new issues, threats and vulnerabilities: 65 / 31 / 4
Convening security forum meeting: 65 / 27 / 8
Preparing reports for higher management's consumption: 63 / 33 / 4
Reviewing reports of security scan, assessment and audits: 61 / 29 / 10
Reviewing & responding on security alerts, incidents, issues: 57 / 33 / 10
Reviewing state of security in Service delivery channels: 57 / 29 / 14
Reviewing security reports: 51 / 33 / 16
Overseeing security training of employees: 45 / 45 / 10
Interacting with IT teams for maintenance of security devices: 37 / 51 / 12
Reviewing and approving change requests: 29 / 49 / 22
Approving official requests of reporting officers: 23 / 52 / 25
Source: DSCI-KPMG Survey 2010
The role and expectations of the CISO vary across organizations; whilst many spend time on strategic items, a fair bit of operational tasks also take his/her attention.
Security tasks
Security of the organization is the prime responsibility of the CISO and his/her team. However, other functions such as the IT Infrastructure Team, Business Units and Corporate Compliance are also involved in security management tasks. The survey indicated that the various teams are being involved in the right capacity for security management tasks, which shows that organizations are aware of the stakeholders who need to be involved for effective management of security. Trends clearly visible from the survey responses are:
• Operational tasks such as installation of security solutions, administration of security technologies and security testing are performed by the IT security and IT infrastructure teams, allowing the CISO to focus on strategic tasks
• Gaps in security skills are bridged by availing the services of external consultants for tasks such as security gap/baseline assessments, application security testing, code review, etc.
Though the CISO is actively getting involved in business activities such as business strategy planning and understanding the business requirements of security, the involvement of business managers in security initiatives needs to be further enhanced.
Security gap/baseline assessment (% respondents): Business Manager 15, Corporate Compliance 15, CISO 64, IT Security 38, IT Infra Team 9, Audit Team 36, External Consultant 15, External Service Provider 6
Keeping track of evolving threats & vulnerabilities (% respondents): Corporate Compliance 12, CISO 52, IT Security 68, IT Infra Team 16
Security requirements of business (% respondents): Business Manager 63, Corporate Compliance 19, CISO 58, IT Security 27, IT Infra Team 19
Application Security Testing (% respondents): CISO 27, IT Security 61, IT Infra Team 20, Audit Team 11, External Consultant 20
Security Authorization of Change Requests (% respondents): Business Manager 16, Corporate Compliance 8, CISO 48, IT Security 58, IT Infra Team 18
Source: DSCI-KPMG Survey 2010
Extended boundaries
Key findings
• Meeting multiple regulatory/client requirements and ensuring employee seriousness towards data security & privacy continue to remain key challenges for organizations
• Organizations are continuously focusing on spreading awareness about security, but challenges seem to persist
• Organizations are increasingly focusing on deploying technical and organizational safeguards to mitigate risks arising from the client's environment
• Organizations have started negotiating contracts to ensure that any liability arising from vulnerabilities in the client's environment is borne by the client
• Organizations have adopted a Third Party Risk Assessment Framework along with conducting Vendor Risk Management exercises for their service providers.
Overcoming challenges
Meeting multiple client/regulatory requirements, while serving clients across
geographies, is a key challenge faced by organizations.
Challenges in managing data security & privacy
Organizations face the challenge of meeting multiple regulatory/client security and privacy requirements. Internal threats are also a major roadblock in ensuring data security and privacy, especially when 73 percent of the organizations believe that there is a lack of seriousness amongst their employees towards data security. Employees in the young age group with high attrition rates pose a significant challenge to the continued sustenance and management of security & privacy. Organizations need to focus on spreading awareness of the liabilities arising from a data breach, as this continues to be a challenge for more than 75 percent of the respondents.
The survey also highlights the fact that 70 percent of the organizations face challenges with respect to ensuring data security and privacy in the client's environment. Respondents were found to be concerned about the relatively moderate controls implemented in the client's environment. Managing security becomes even more challenging when employees are highly involved with the client organization or can connect to the client's environment through public networks.
Challenges faced (% respondents; key challenge / one of the challenges / not a challenge)
Meeting multiple client requirements: 45 / 27 / 29
Employees in young age group with high attrition rates: 44 / 30 / 26
Meeting multiple regulatory requirements: 38 / 36 / 26
Client providing liberal access to BPO employees: 35 / 35 / 29
Emerging and evolving threats and vulnerabilities: 33 / 47 / 20
Employees connecting to client environment through public network: 33 / 26 / 42
Lack of employee awareness on liabilities arising from data breaches: 27 / 50 / 23
Non seriousness of employees for security and privacy: 25 / 48 / 27
High involvement of employees with client organization: 25 / 35 / 40
Understanding global data protection regulations: 22 / 39 / 39
Different connectivity models: 20 / 37 / 43
Different means used to transfer or access the data: 20 / 30 / 50
Inadequate budget allocation for data security & privacy: 20 / 22 / 59
Increased volume and complexity of data intensive transactions: 18 / 45 / 37
Difficulty in bringing visibility over the data: 16 / 43 / 41
Managing third party risks: 16 / 49 / 36
International spread of operations: 15 / 47 / 38
Client prefers business flexibility over security: 15 / 40 / 45
Lack of support from Top / Senior Management: 9 / 24 / 67
Source: DSCI-KPMG Survey 2010
Mitigating client environment risk (% respondents)
Making employees aware of the risks in client environment: 71
Deploying extra technical and organizational safeguards: 60
Negotiating contracts to make client liable for exploitation of client's environment: 54
Include client's environment in risk management process: 50
Do not consider client environment risk as part of our risk management process: 25
Mitigating Third Party Risk
There is an increasing realization of the risks associated with access to client data systems. Seventy-five percent of the respondents have extended the scope of their risk management processes to include the risks introduced by the client's environment. Organizations are making their employees aware of the risks that arise from the client's environment and are also deploying additional technical and organizational controls to mitigate these risks. Further, organizations have started negotiating contracts to ensure that any liability arising from vulnerabilities in the client's environment is borne by the client.
Organizations realize that with the increasing use of third party service providers, the risk of a data breach increases, especially when these service providers have access to confidential information. Therefore, most of the organizations sign Non Disclosure Agreements / Confidentiality Agreements with third party service providers and use the contract as an instrument to make the third party service providers liable for any security breaches. Beyond that, 48 percent of organizations have controls deployed as per a Third Party Risk Assessment Framework and 52 percent conduct Vendor Risk Management exercises.
Mitigating third party risk (% respondents)
Signing Non Disclosure Agreement: 96
Deploying technical and organizational safeguards: 77
Contract to make the third party liable for any security breaches: 75
Making our employees aware of the risks arising from third party services: 58
Third party risk management (% respondents)
Controls deployed as per "Third Party Risk Assessment Framework": 48
Conducting Vendor Risk Management exercise: 52
Both: 42
Neither: 42
Source: DSCI-KPMG Survey 2010
Regulations
Key findings
• Organizations continue to consider regulatory requirements as a primary driver for their investments
• Adoption of an enterprise level automated tool for managing compliance is still in the nascent stage
• There seems to be a lack of clarity amongst organizations regarding their liability under ITAA 2008
• A large percentage of the organizations have not activated the legal function to understand, interpret and suggest necessary precautions to comply with ITAA 2008. This explains the low level of awareness amongst the organizations.
Staying compliant
The survey results reveal that although organizations have started to create
awareness on ITAA 2008, the level of awareness still needs to be
strengthened.
Tracking contractual / Regulatory requirements
The survey highlights that more than three-fourths of the organizations involve the legal department in the initial stages of contract negotiation and maintain an inventory of contractual / regulatory requirements for each client relationship. However, only 50 percent of the organizations are well aware of the legal & compliance requirements for each type of data element. Further, only 30 percent of the organizations use an enterprise level tool to help manage compliance. These could be the possible reasons why organizations continue to face challenges in managing regulatory/client requirements.
Steps taken to track contractual / regulatory requirements (% respondents)
Involve legal department in initial stages of deal negotiation: 86
Maintaining an inventory of contractual / regulatory requirements for each client relationship: 76
Compliance / audit / risk manager for each relationship: 70
Mechanism to track regulatory changes: 66
Managed and shared legal & compliance related information effectively: 66
Ensure understanding, interpretation and applicability of legal terms: 62
Business process owners self declare compliance to contractual / regulatory requirements: 54
Legal and compliance requirements and liabilities for each type of data element are well known: 50
Subscribed to services that notify of legal and regulatory changes: 46
An enterprise wide tool helps manage compliance effectively: 30
Source: DSCI-KPMG Survey 2010
Compliance processes remain largely manual.
Response to liabilities due to data breach
In the wake of global regulations and ITAA 2008, specifying increased civil as well as
criminal liability per data breach, most of the organizations are responding by:
strengthening their mechanism for monitoring & incident management, and
creating awareness within the organization and third parties.
My organization can be sued under ITAA 2008 by (% respondents; End Customers / Employees)
Yes: 44 / 49
No: 22 / 16
Not Sure: 31 / 33
ITAA 2008 is not applicable: 2 / 2
Awareness on ITAA 2008
Creating awareness on ITAA 2008
There seems to be a lack of clarity amongst respondents regarding the applicability of ITAA 2008, as more than 50 percent of respondents either responded in the negative or were not sure about their liabilities under ITAA 2008.
The low level of awareness around ITAA 2008 can be understood from the fact that almost one-third of the organizations have not started specific initiatives towards creating awareness of ITAA 2008 amongst their Top Management, whereas two-thirds of them have not yet started creating awareness among their clients, employees and contractors.
Create awareness amongst (% respondents)
Board Members: 30
Top / Senior Management: 70
Employees: 35
Contractors / Third Party employees: 24
Clients: 15
Source: DSCI-KPMG Survey 2010
Response to liabilities due to data breach (% respondents)
Strengthening monitoring and incident management mechanism: 78
Creating awareness within the organization and third parties: 76
Review the client contracts: 58
Activating legal function: 58
Establish a breach notification mechanism: 47
Developing strong forensic investigation capabilities: 18
Source: DSCI-KPMG Survey 2010
While there is greater awareness of global regulations, the implications of ITAA 2008 remain largely unknown.
Response to ITAA 2008
ITAA 2008 as a driver for technology investments
Since most of the organizations have not even involved their legal function to interpret ITAA 2008 and suggest the necessary safeguards to comply with it, they do not realize the impact of a breach. This is highlighted by the fact that 67 percent of organizations have not extended the scope of their security and privacy program to cover employee personal data.
Organizations' lack of focus on ITAA 2008 could be related to the fact that more than two-thirds of the organizations consider global regulations as the primary driver for their technology investments to enhance information security and regulatory compliance.
ITAA 2008 as a driver (% respondents)
ITAA 2008 is a significant investment driver: 19
Global regulations as a primary driver: 72
ITAA 2008 has recently acquired a place in the discussion: 26
ITAA 2008 does not have any bearing on investment decisions: 11
Steps taken in response to ITAA 2008 (% respondents)
Strengthening monitoring and incident management mechanism: 46
Identify the personal information flow to the organization: 39
Activating legal function: 39
Revising organization's security policy: 33
Contacting external information sources: 33
Extending the scope of security & privacy to cover employees' personal data: 33
Collaborating with competitors / peers: 30
Review the vendor contracts: 24
Identifying and making an inventory of scenarios: 20
Developing strong forensic investigation capabilities: 17
Source: DSCI-KPMG Survey 2010
Internal processes
Key findings
• Organizations involve process owners and Lines of Business in their data security initiatives
• Organizations keep a vigilant track of new issues, vulnerabilities and threats. However, most of them do not have a mechanism in place that is capable of swiftly testing the relevance of these issues in their environment
• More than half of the organizations surveyed do not mandate vendors / third parties to report new threats and vulnerabilities in their products / services
• The industry has matured over the years in terms of processes such as security incident management, BCP/DRP and physical security management.
Being prepared
Internal processes of organizations have matured over the years to a point
where most of the organizations are keeping track of threats & vulnerabilities
and have also established processes for employee background screening,
security incident management, BCP/DRP and physical security control.
Data centric approach
Organizations are bringing a data centric approach to their security initiatives by understanding the type of operations, client requirements and the underlying resources and access patterns. Further, organizations are increasingly aware of how data is managed over its life cycle and are gaining granular level visibility over the data in each of their client relationships and business processes. The survey also reveals that 78 percent of the organizations involve process owners and Lines of Business in their data security initiatives.
Data centric approach (% respondents)
Involvement of process owners & LoB in the data security initiatives: 78
Understanding about the type of operations, client requirements etc: 76
Aware of how the data is managed in its life cycle: 66
Data classification techniques have been deployed and followed rigorously: 66
Granular level visibility over the data: 64
Organization is aware of issues in the client environment: 50
Uniformity of controls is maintained at both client & organization's environments: 36
Source: DSCI-KPMG Survey 2010
Perceived risk based on lines of service
Global regulations could be the prime reason why organizations perceive business processes involving personal information as high risk. More than two-thirds of the organizations perceive the following business processes as high risk:
• Human resource operations
• Health information processing
• Finance & accounting
• Payroll accounting.
Level of perceived risk (% respondents; high / medium / low)
Human Resource Operations: 73 / 17 / 10
Health Information Processing: 72 / 17 / 10
Finance and Accounting: 72 / 28 / 0
Payroll Processing: 66 / 24 / 10
Legal Processing: 54 / 27 / 19
Customer Interaction and Support: 53 / 28 / 19
Billing Management: 46 / 46 / 8
Business Analytics: 41 / 44 / 16
Knowledge Services: 39 / 45 / 16
Supply Chain Management: 22 / 56 / 22
Procurement Services: 22 / 61 / 17
Engineering and Design Services: 13 / 47 / 40
Printing and Publishing Services: 0 / 38 / 62
Source: DSCI-KPMG Survey 2010
Processes involving personally identifiable information are perceived
as high risk.
Keep track of evolving threats & vulnerabilities
Organizations have established appropriate measures to keep track of new threats and vulnerabilities: they subscribe to newsletters, CERT-In alerts and exploit databases, and periodically visit the websites of data security vendors. However, there is a need for a collaborative effort amongst peer organizations, which could benefit the entire industry. Organizations should also consider stronger engagement with vendors/third parties and insist that they report new threats and vulnerabilities in their products / services, so that appropriate controls can be implemented in a timely manner.
Keep track of evolving threats & vulnerabilities (% respondents)
Risk based internal or external audits: 86
Subscribing to newsletters: 76
Through websites of data security vendors: 74
Subscribing to vulnerability, exploit databases, etc: 68
Subscribing to CERT-In alerts: 62
Through peers / competitors: 54
Security research reports of product and professional organizations: 46
Mandating the vendors to report new threats & vulnerabilities in their products: 44
Through discussions on security forums on the internet: 40
Subscribing to analysts' reports: 32
Provided by the client organizations as part of their Risk Management process: 30
Threat & vulnerability management (% respondents)
Keep vigilant track of new issues, vulnerabilities and threats: 84
The version of each critical asset is up-to-date: 76
Integration with IT infrastructure management processes: 72
IT infrastructure is homogeneous: 62
An architectural treatment is given to threat and vulnerability management: 60
Mechanism to test the relevance of issues swiftly, without delays: 56
Scope of the function is extended to mobile computing devices etc: 50
Collaborates with agencies like CERT-In and other knowledge sources: 46
IT infrastructure is heterogeneous: 26
Compatibility of business applications & cost hinder keeping the asset up to date: 24
Source: DSCI-KPMG Survey 2010
While organizations keep a close eye on threats and vulnerabilities, they lag in swift response.
Threat & vulnerability management
The survey reveals that organizations are tracking threats and vulnerabilities. However, most of them do not have a mechanism in place that is capable of swiftly testing the relevance of these issues in their environment. A majority of the organizations ensure that the version of each critical asset is up-to-date, to keep the asset free of known vulnerabilities. However, 24 percent of the organizations face compelling reasons, such as compatibility of business applications and cost escalation, that hinder version upgrades. Further, the heterogeneous nature of IT infrastructure poses a challenge to around 26 percent of respondents in managing threats and vulnerabilities.
Solutions adopted for data protection
Organizations have adopted solutions related to encryption and have started to develop fraud management and forensic capabilities internally. In the wake of data protection regulations, more than 50 percent of the organizations have deployed or are planning to deploy the following solutions:
• Hard Disk Encryption
• Email Encryption
• Data Loss Prevention (DLP)
• Security Incident and Event Monitoring (SIEM)
• Mobile Data Protection
• Legal and Compliance Management.
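The "mechanism to test the relevance of issues swiftly" described under Threat & vulnerability management above, matching a newly received advisory against the versions of critical assets, is shown here as an added Python example. It is not code from the survey, DSCI or KPMG; the hosts, product names, versions, advisory identifiers and source labels are constructed for illustration, and the advisory ids are placeholders rather than real CVE or vendor bulletin numbers.

```python
"""Testing the relevance of a new advisory against an asset inventory.

Added example, not part of the DSCI-KPMG survey. Every host, product,
version, advisory id and source label below is constructed for illustration
(the ids are placeholders, not real CVE or vendor bulletin numbers).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    critical: bool


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder identifier
    product: str
    fixed_in: str      # first version carrying the fix; lower versions are affected
    source: str        # where the advisory came from (newsletter, CERT-In alert, vendor site)


def parse_version(v: str) -> Tuple[int, ...]:
    """Convert '2.4.10' to (2, 4, 10) so that 2.4.10 sorts after 2.4.9.

    A plain string comparison ranks '2.4.10' below '2.4.9', which is an easy
    way to miss an affected asset."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(asset: Asset, adv: Advisory) -> bool:
    """Affected when the asset runs the advised product below the fixed version."""
    if asset.product.lower() != adv.product.lower():
        return False
    return parse_version(asset.version) < parse_version(adv.fixed_in)


def relevant_advisories(assets: List[Asset], advisories: List[Advisory]) -> Dict[str, List[str]]:
    """Map each advisory id to the hosts it applies to; advisories with no hit are dropped."""
    hits: Dict[str, List[str]] = {}
    for adv in advisories:
        affected = sorted(a.host for a in assets if is_affected(a, adv))
        if affected:
            hits[adv.advisory_id] = affected
    return hits


def critical_hosts_affected(assets: List[Asset], advisories: List[Advisory]) -> List[str]:
    """Critical assets with at least one applicable advisory, for first-in-line remediation."""
    return sorted({a.host for a in assets if a.critical
                   and any(is_affected(a, adv) for adv in advisories)})


def out_of_date_assets(assets: List[Asset], latest: Dict[str, str]) -> List[str]:
    """Assets behind the newest version tracked for their product."""
    stale = []
    for a in assets:
        newest = latest.get(a.product.lower())
        if newest and parse_version(a.version) < parse_version(newest):
            stale.append(a.host)
    return sorted(stale)


# Constructed inventory and advisory feed (illustrative values only)
ASSETS = [
    Asset("app01", "Apache HTTPD", "2.4.10", critical=True),
    Asset("ws17", "Apache HTTPD", "2.4.12", critical=False),
    Asset("db01", "PostgreSQL", "9.3.2", critical=True),
    Asset("vpn01", "OpenVPN", "2.3.4", critical=True),
]
ADVISORIES = [
    Advisory("ADV-0001", "Apache HTTPD", "2.4.12", "vendor bulletin"),
    Advisory("ADV-0002", "PostgreSQL", "9.3.5", "CERT-In alert"),
    Advisory("ADV-0003", "Nginx", "1.8.0", "newsletter"),   # product not in inventory
]
LATEST = {"apache httpd": "2.4.12", "postgresql": "9.3.5", "openvpn": "2.3.4"}

if __name__ == "__main__":
    for adv_id, hosts in relevant_advisories(ASSETS, ADVISORIES).items():
        print(f"{adv_id}: applies to {', '.join(hosts)}")
    print("critical hosts needing action:", critical_hosts_affected(ASSETS, ADVISORIES))
    print("out-of-date assets:", out_of_date_assets(ASSETS, LATEST))
```

The check is only as good as the inventory: an asset with a product name or version that is missing or wrong will never match an advisory, so keeping the inventory current is what makes the relevance test swift.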
Solutions deployed or planning to deploy (% respondents)
Hard Disk Encryption: 78
Email Encryption: 72
Data Loss Prevention (DLP): 66
Security Incident and Event Monitoring (SIEM): 62
Mobile Data Protection: 52
Legal and Compliance Management: 52
Database Activity Monitoring: 46
Data Masking: 44
Fraud Management: 42
Compliance Notification Services: 36
Threat Management for mobile computing devices: 34
Computer Forensic: 28
Do not have sufficient budget: 6
Source: DSCI-KPMG Survey 2010
Background screening
Employee background screening is one of the key controls in terms of security,
especially when employees have access to critical / confidential information of clients.
Background screening is also important given the fact that a majority of the organizations see internal threats as one of the key drivers for data security. Background screening is one of the basic controls for ensuring security; this is evident from the fact that 72 percent of the organizations follow this process for all their employees. Realizing that background screening is not their core competency, 80 percent of the organizations have outsourced it to third party vendors.
Realizing the importance of background screening, NASSCOM started the initiative
called National Skills Register (NSR), to have a credible information repository about all
personnel working in the IT and BPO industry. Most of the participants are aware of
NSR and its value. However, the adoption of NSR as an exclusive source for employee
background screening has been limited.
Background screening is conducted for (% respondents)
Selected relationships: 14
Selected Lines of Service: 10
All employees: 72
Background screening is conducted by (% respondents)
Internally: 18
By Third party: 80
Both: 12
Source: DSCI-KPMG Survey 2010
Security Incident Management
Most organizations state that they have formal security incident management in place. Most of the respondents have established mechanisms for internal employees and customers to report incidents, define detective & investigative requirements and proactively detect anomalies. The survey reveals that for 71 percent of the organizations, incident management supports the data breach notification requirements of clients. Further, the incident management process is integrated with IT processes for remedial actions, and almost two-thirds of the organizations have extended the scope of security monitoring to all critical log sources. Organizations have formal processes for reporting security incidents, but only 29 percent of them extend the scope of incident management to third parties.
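Two of the survey items on this page, "business rules are defined to identify incidents" and "a mechanism that generates an incident based on patterns and business rules", are illustrated here with an added Python example; it is not code from the survey, DSCI or KPMG. The key=value log format, the user names, hosts and file paths, the five-failures-in-five-minutes threshold, the 08:00 to 19:59 shift window and the "/clients/ means confidential" classification are all assumptions made for the example, and the log lines are constructed.

```python
"""Generating security incidents from business rules over log events.

Added example, not from the DSCI-KPMG survey. Two rules are applied to a
constructed log sample: repeated failed logins for one user inside a sliding
window, and a successful read of confidential data outside business hours.
User names, hosts, paths, thresholds and the shift window are illustrative
assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

# Assumed business rules
CONFIDENTIAL_PREFIXES = ("/clients/",)      # client data is classified confidential
BUSINESS_HOURS = range(8, 20)               # 08:00 to 19:59; anything else is off-hours
FAILED_LOGIN_THRESHOLD = 5                  # failures per user ...
FAILED_LOGIN_WINDOW = timedelta(minutes=5)  # ... within this sliding window

# Constructed log sample (key=value fields; 203.0.113.9 is a documentation address)
SAMPLE_LOG = """\
2010-06-14T02:13:05 user=vendor_acme src=203.0.113.9 action=file_read resource=/clients/acme/cardholder.csv result=success
2010-06-14T09:01:10 user=asharma src=10.1.2.3 action=login result=failure
2010-06-14T09:01:40 user=asharma src=10.1.2.3 action=login result=failure
2010-06-14T09:02:15 user=asharma src=10.1.2.3 action=login result=failure
2010-06-14T09:02:50 user=rkumar src=10.1.2.8 action=login result=failure
2010-06-14T09:02:55 user=asharma src=10.1.2.3 action=login result=failure
2010-06-14T09:03:30 user=asharma src=10.1.2.3 action=login result=failure
2010-06-14T09:04:00 user=asharma src=10.1.2.3 action=login result=success
2010-06-14T10:30:00 user=asharma src=10.1.2.3 action=file_read resource=/clients/acme/cardholder.csv result=success
2010-06-14T23:00:00 user=rkumar src=10.1.2.8 action=file_read resource=/public/notice.txt result=success
"""


def parse_line(line: str) -> Dict[str, object]:
    """Split 'TIMESTAMP k=v k=v ...' into a dict; the timestamp becomes a datetime."""
    ts, rest = line.split(" ", 1)
    event: Dict[str, object] = {"ts": datetime.fromisoformat(ts)}
    for field in rest.split():
        key, value = field.split("=", 1)
        event[key] = value
    return event


def rule_failed_logins(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Raise one incident per user once THRESHOLD failures fall inside the sliding window."""
    incidents = []
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    already_raised = set()
    for ev in events:
        if ev.get("action") != "login" or ev.get("result") != "failure":
            continue
        user = str(ev["user"])
        window = recent[user]
        window.append(ev["ts"])
        while ev["ts"] - window[0] > FAILED_LOGIN_WINDOW:   # expire failures older than the window
            window.popleft()
        if len(window) >= FAILED_LOGIN_THRESHOLD and user not in already_raised:
            already_raised.add(user)           # one incident, not one per further failure
            incidents.append({"rule": "repeated-failed-logins", "user": user,
                              "count": len(window), "at": ev["ts"].isoformat()})
    return incidents


def rule_off_hours_confidential(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """A successful read of confidential data outside business hours is an incident."""
    incidents = []
    for ev in events:
        if ev.get("action") != "file_read" or ev.get("result") != "success":
            continue
        resource = str(ev.get("resource", ""))
        if resource.startswith(CONFIDENTIAL_PREFIXES) and ev["ts"].hour not in BUSINESS_HOURS:
            incidents.append({"rule": "off-hours-confidential-access", "user": ev["user"],
                              "resource": resource, "at": ev["ts"].isoformat()})
    return incidents


def generate_incidents(log_text: str) -> List[Dict[str, object]]:
    """Parse the log, apply every rule and return the combined incident list."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])      # the sliding window assumes time order
    return rule_failed_logins(events) + rule_off_hours_confidential(events)


if __name__ == "__main__":
    for incident in generate_incidents(SAMPLE_LOG):
        print(incident)
```

On the sample the first rule fires once for the user with five failures inside the window and stays silent for the user with a single failure; the second rule fires for the third-party account reading client data at 02:13 but not for the same file read at 10:30 or for a public file read at 23:00. Feeding such rules from an inventory of incident scenarios, as the survey item above describes, is what turns log monitoring into incident generation.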
Security incident management (% respondents)
Mechanism exists for internal employees and customers to report incidents: 84
Logs are securely managed and archived in accordance with compliance requirements: 78
Incident management supports data breach notification requirements (regulatory) of clients: 71
There is a formal reporting mechanism to report incidents to the management, client and regulatory authorities: 69
There is a mechanism to define detective and investigative requirements: 67
Incident management mechanism is integrated with organization IT processes for remedial actions: 67
Scope of security monitoring is extended to all the critical log sources: 63
Real time monitoring mechanisms exist that can proactively detect anomalies: 59
Business rules are defined to identify incidents: 57
There is an inventory of all the possible scenarios that can lead to an incident: 55
Effective solution is implemented for log management, security monitoring and incident management mechanism: 53
Incident management mechanism takes inputs from external knowledge sources on vulnerabilities, anomalous patterns and threats: 47
There is a mechanism that generates an incident based on patterns and business rules: 41
Incident management mechanism supports forensic capabilities: 37
Collaborate with CERT-In for incident reporting and response: 33
Scope of the incident management is extended to third parties: 29
Source: DSCI-KPMG Survey 2010
Business Continuity / Disaster Recovery Planning
The survey revealed that respondents have a mature BC/DR planning process in place, wherein the scope of BCP/DRP covers strategies for client business processes and recovery objectives are defined for each client relationship. For most organizations the scope of BCP/DRP also covers scenarios like city outage and externally provisioned systems, applications and networks. Organizations also realize that knowledge around BCP/DRP is important; therefore emphasis is given to providing cross-functional training, and BC/DR drills are conducted frequently. Though a significant level of automation exists for DR operations, organizations are yet to adopt automation tools for the entire BCP/DRP. This is evident from the fact that more than 40 percent of the organizations follow manual processes and do not have operational metrics to help take routing decisions. The survey further revealed that though the processes of many organizations around BCP/DRP are mature, only 50 percent of organizations have realized that third parties should also be mandated to meet BCP/DRP requirements.
The scope of BCP/DRP (% respondents)
78  Covers the strategies for client business processes
76  Extended to cover scenarios like city outage
74  Recovery objectives for each client relationship
66  Covers the externally provisioned systems, applications and network
Source: DSCI-KPMG Survey 2010
For BCP/DRP there exists (% respondents)
80  Mapping of each business operation with associated infrastructure component
58  Significant level of automation for DR operations
56  Operational metrics to help take routing decisions
28  Automated tool to perform BCP/DR process
Source: DSCI-KPMG Survey 2010
For BCP/DRP (% respondents)
73  Adequate technical measures are deployed to migrate or route business processes from one operational location to another
73  Drill is conducted frequently
70  The knowledge is managed effectively
66  Emphasis given on providing cross-functional training to employees
64  Architectural treatment given to availability preparedness that drives redundancy of infrastructure components
50  Contracts with third parties include obligation to meet our BCP/DR requirements
Source: DSCI-KPMG Survey 2010
BC/DR plans cover most elements of organizations' internal boundaries, but few include aspects relating to third parties.
Physical Security
The respondents realize that the risk of data leakage increases once a person has physical
access to the operational facility. Therefore, organizations have established strong
physical security controls for the perimeter, entry points and interior areas, along with
mechanisms for identification and authorization of employees. Organizations also ensure
a significant level of collaboration between physical security, information security and
other functions. However, in most organizations physical security is not
integrated with IT security.
Physical security (% respondents)
98  Adequate controls exist for perimeter, entry points and interior areas
98  There exists a mechanism for identification and authorization of employees
96  Entry to the delivery centers is restricted to authorized persons only
88  A process exists for the movement of assets into the operating areas
88  Physical security function is owned by the Admin department
86  A process exists for provisioning and de-provisioning access of visitors, partners, and support services
84  Physical security operation is driven by stringent and consistent processes
82  Significant level of collaboration exists between physical security, information security and other functions of the organization
78  Segregation of duties is maintained in shared facilities
76  The scope of security testing is extended to cover physical security controls
72  The scope of the security monitoring and incident management mechanism is extended to integrate the physical security components
70  An architectural treatment is given to the physical security countermeasures
48  Physical security is integrated with IT security through competent solutions
48  There is centralized monitoring of physical security across various locations by a Physical Security Operations Center (PSOC)
6   Physical security function is owned by the IT department
Source: DSCI-KPMG Survey 2010
In times of digital convergence, physical security and digital security controls remain disintegrated.
Way forward
Over time, the Indian BPO industry has withstood significant customer and regulatory
scrutiny, and has been able to demonstrate that it is able to embrace the data security and
privacy governance processes that are required as a minimum baseline for providing
outsourcing services in a high-trust mode. While customers have largely driven
consciousness of risks and requisite controls, most organizations in the industry have
developed frameworks that aid them in first-line defense, detection, and reacting in an
appropriate manner to events that threaten this high-trust environment. The industry
also continually expands its horizons to newer markets, and has gained a reputation for
understanding its exposure to legislation and regulation in varying markets. C-level
executives of the BPO industry are well conversant with their responsibilities and
liabilities from a data security and privacy standpoint, and the implications of risks
emanating from these topics regularly underpin the strategic priorities and decision-making
processes of such executives.
One of the themes emerging from the survey is that while the BPO industry has
attained a high level of maturity on data security, business continuity preparedness,
background screening of employees, etc., there are many emerging issues that require
its attention. These issues are largely attributed to the rapidly evolving security and
regulatory landscape.
Global regulations require organizations to protect the privacy of end customers. The
interpretation of these regulations is becoming a significant challenge, requiring a
dedicated effort. This will lead to the emergence of a privacy function in a BPO, moving
away from the current practice of positioning privacy within the ambit of security. The
privacy function will have to bring the necessary regulatory intelligence that supports
the geographical expansion of organizations. On the other hand, it will have to
re-engineer organizations' processes to demonstrate compliance with the regulations.
The ever-changing threat landscape is driving organizations to redefine their security
strategies and programs. The rising complexity and heterogeneous nature of the
underlying infrastructure pose a significant challenge in doing so. They need to build
the right capabilities for maintaining their security posture and responding swiftly to
new threats.
Over the years, BPOs have witnessed substantial growth and have penetrated into
new Lines of Service. In doing so, they are challenged with the protection of sensitive
client data. A particular Line of Service is characterized by a specific set of security
concerns and liabilities. To sustain its growth, the BPO industry should pay close attention
to understanding the risks and liabilities associated with the Lines of Service it is
serving.
To overcome the challenges identified by the survey, it is important for
organizations to adopt a data-centric approach to manage security and privacy risks and to
review all processes, functions and client relations from the data perspective.
BPO as an industry is facing unique challenges and there is a strong case for
collaboration between organizations. The industry treats security as hygiene rather
than a competitive advantage. The entire industry can learn from its experiences, and
provide a consistent and unified message of a high-trust environment at the industry
level.
Acknowledgments

DSCI Core Team
Vinayak Godse, Director, Data Protection
Vikram Asnani, Senior Consultant, Security Practices
Rahul Jain, Senior Consultant, Security Practices

KPMG Core Team
Navin Agrawal, Executive Director
Nitin Khanapurkar, Executive Director
Atul Gupta, Director
Vijay Subramanyam, Director
Vidur Gupta, Associate Director
Deepak Agarwal, Consultant

KPMG Survey Team
Abhijit Varma
Ankit Goel
Arihant Garg
Jignesh Oza
Lekha Ragupathi
Nayab Kohli
Nitin Shah
Rahul Gupta
Rahul Singhal
Sundar Ramaswamy
Syamala Raju Peketi

DSCI Project Advisory Group
N. Balakrishnan, Chairman, DSCI and Associate Director, IISc Bangalore
BJ Srinath, Senior Director, CERT-In
Anjali Kaushik, MDI Gurgaon
Akhilesh Tuteja, Executive Director, KPMG
Kartik Shahani, Country Manager, India and SAARC, RSA
Satish Das, CSO, Cognizant
Baljinder Singh, Global Head of Technology, InfoSec & BCM, EXL Service
Vishal Salvi, CISO, HDFC Bank
Ashwani Tikoo, CIO, CSC
PVS Murthy, Global Head Information Risk Management Advisory, TCS
Deepak Rout, CISO, Uninor
Seema Bangera, DGM Information Security, Intelenet Global
KPMG Contact
Atul Gupta
Director, IT Advisory Services
KPMG in India
T: +91 124 307 4134
E: atulgupta@kpmg.com
www.kpmg.com/in

DSCI Contact
Vinayak Godse
Director - Data Protection
DSCI
T: +91 11 2615 5071
E: vinayak.godse@dsci.in
www.dsci.in