kpmg_dsci_data_security_privacy_survey_2010


  • 8/7/2019 KPMG_DSCI_Data_Security_Privacy_Survey_2010

    1/56


Message from CERT-In

Businesses continue to drive IT operations, which in turn try to sustain existing systems, often at the cost of security. Customers, on the other hand, are demanding more security as their worries about cyber crimes, privacy and identity theft grow. In the networked world, business partners, suppliers, and vendors also demand assurance of essential and adequate security when they inter-operate to share information and business data for faster and cost-effective transactions. At the same time, regulatory and law-enforcement agencies require proof of compliance with a plethora of security regulations. Under these circumstances, there is no better way of understanding the security preparedness of companies than through a survey.

It gives me great pleasure to see the results of the survey of BPO companies, conducted by DSCI through KPMG in India with the active support of DIT. I'm sure this survey will help the industry understand the areas that need focus in order to improve its practices, and present to its clients the best practices approach for a trusted business partnership.

Dr. Gulshan Rai
DG, CERT-In

State of Data Security and Privacy in the Indian BPO Industry

© 2010 KPMG, an Indian Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved.


Message from DSCI

This is the third DSCI-KPMG Security Survey, conducted in association with CERT-In. While designing the questionnaire for this survey, we decided that rather than conducting a general security survey, we would focus on the BPO and Banking domains. Specific questionnaires were, therefore, drawn up to address the concerns of these domains.

We present the results for the BPO industry in this report. The depth of the questions may perhaps lead one to conclude that the survey is an attempt at assessment rather than merely a high-level information capture. At DSCI, we felt that this was important with a view to understanding the data protection trends, underlying issues and concerns that may be unique and specific to the BPO industry. The focus, in general, is on the positioning of security and privacy in organizations, and on the maturity and characteristics of key security disciplines such as Threat & Vulnerability Management and Incident Management, among others. Such an in-depth questionnaire was expected to bring out the BPO responses to the rising data breaches globally.

I am pleased to state that the in-depth approach has resulted in findings that are more promising. For the BPO industry, while the survey suggests that employee awareness of data protection continues to be a challenge, managements are alive to the privacy requirements of clients, since many BPOs have established a privacy team that is distinct from security. The security organization itself is maturing, with CISOs being involved in strategic tasks. An interesting result is the awareness among BPOs that they may be liable for breaches arising from vulnerabilities in clients' environments unless they are vigilant enough to negotiate a suitable contract. Among the areas that need the attention of management, the following are worth mentioning: employee security awareness should be increased, the need for compliance with the amended IT Act should be understood, and Lines of Business should be involved in data security initiatives.

Dr. Kamlesh Bajaj
CEO, DSCI


Message from KPMG in India

The BPO industry in India has always been under the significant influence of data protection regulations. In the initial years of its growth phase, corporations went through fairly intense scrutiny in customer audits, which have sometimes been considered to cross the boundary of reasonable control expectations. In any case, most CISOs have privately admitted that those audits helped them learn the tricks of the trade and made them better every time they underwent such an audit.

The industry has also been conscious that managing an adequate level of information protection is essential for survival. There have been instances of penalties being charged for non-compliance with information security safeguards. In a few extreme cases, clients have renegotiated contracts with their service providers at lower rates just because the security controls were found to be weak. Some experts believe that information security issues can easily become non-tariff barriers if the industry as a whole does not embrace appropriate risk mitigation measures. Given this context and the current global economic scenario, it couldn't have been a better time for the industry to demonstrate that it has the right strategies in place to manage and mitigate the risks of information security breaches.

The survey validates that the industry understands these implications very well and has put in place the baseline measures to manage the risk. The survey is aimed at identifying protection measures for information security in general and those specific to personally identifiable information (privacy). While the industry participants have developed frameworks for addressing information security concerns, the aspects relating to privacy haven't matured as much. The survey highlights the current state of the industry and attempts to identify the future direction for a holistic information protection program.

It is argued that surveys conducted through the owners of a process many a time produce more optimistic results and portray the realities as better than what they really are. However, the purpose of the survey being more directional than a quantitative assessment, it serves the purpose of identifying the trends and priorities of the industry. This survey should act as a useful guide for senior executives of BPO companies in formulating their future positions and will be a good tool for many CISOs in developing business cases for comprehensive information security programs. We hope that the companies which use the services of the Indian BPO industry will also benefit from this survey, as it will help them reposition their compliance monitoring efforts in the right direction.

Akhilesh Tuteja
Executive Director, KPMG in India


Contents

Introduction 02
Data Security and Privacy 08
Information Security Governance 16
Extended Boundaries 24
Regulations 30
Internal Processes 36
Way Forward 47


Introduction


Highlights

The survey provides insights into the data security and privacy environment of the Indian BPO industry. There is evidence that validates general perceptions about security and privacy practices, and then there are some outliers that do not align with the seemingly obvious. Some of the findings of the survey are as follows:

• The industry treats data security more as a hygiene factor, rather than a point of differentiation to gain competitive advantage
• Customer requirements remain the primary drivers for data security for most of the organizations
• Almost 50 percent of the organizations are negotiating contracts to ensure that any liability arising from vulnerabilities in the clients' environment is borne by the client
• More than 3/4th of the organizations face challenges due to a lack of awareness amongst employees on liabilities arising from data breaches
• CISOs of a majority of the organizations are spending significant time on strategic initiatives; for example, identifying security implications of new business initiatives
• Only 44 percent of the respondents are mandating vendors / third parties to report new threats and vulnerabilities in their products / services
• There seems to be a lack of clarity amongst organizations regarding their liability under ITAA 2008
• More than 75 percent of the organizations involve process owners and lines of business in data security initiatives.


Summary

The Indian BPO industry has grown nine times, from USD 1.6 billion to USD 14.7 billion, in just a decade and is expected to witness robust growth in the years to come. By 2020, the Indian outsourcing industry (IT and BPO), which is currently at USD 60 billion, is expected to reach USD 225 billion. During the same period, domestic BPO revenue is expected to expand seven-fold to reach USD 15 to USD 17 billion, while export revenue is expected to reach USD 50 billion. To sustain this phenomenal growth, the Indian BPO industry needs to overcome one of the major challenges facing the industry today: addressing the Data Security and Privacy concerns of its stakeholders.

Data Security Council of India (DSCI) and KPMG in India, under the aegis of CERT-In (DIT), jointly conducted a survey to assess the current state of data security and privacy practices being adopted by the Indian BPO industry and to gain insights into how the Indian BPO industry is addressing clients' concerns.

As part of this initiative, 50 organizations were surveyed with the following objectives:

• Positioning of data security and privacy in the BPO organizations - analyzing the CISO's role and the tasks performed by the security organization
• Maturity and characteristics of key security disciplines such as Threat & Vulnerability Management and Incident Management in the wake of rising data breaches globally
• Level of perceived risks in different Lines of Service (e.g. Customer Interaction and Support, Payroll, Finance & Accounting, etc.)
• Managing risks arising from clients' environments
• Mechanisms adopted for conducting employee background screening


• Strategic options adopted for Business Continuity and Disaster Recovery management
• Impact of the IT (Amendment) Act, 2008 on the industry
• Evolution of Physical Security and its integration with data security

In order to ensure that the survey results represent the Indian BPO industry at large, we interviewed CISOs and their equivalents in organizations across BPO industry segments and sizes.

The survey results highlight trends and insights into the state of data security and privacy in the Indian BPO industry: many generally known practices are validated, yet certain unexpected insights are revealed.

Data security and privacy

The maturity of the Indian BPO industry with respect to data security and privacy is reflected in the fact that most organizations treat security more as a hygiene factor rather than a point of differentiation to gain competitive advantage. End customers in client geographies are concerned about their personal data in the trans-border data flow. The Indian BPO industry realizes this and is equally concerned about any bad publicity in the media that may result from a data breach. Even the clients have taken note of such concerns and demand that BPO organizations undertake privacy initiatives and explicitly include data privacy clauses in their contracts. The first section of the report, Data Security & Privacy, reveals these and other such trends in detail.

Information security governance

The information security function in general has been formalized, with most organizations having a designated CISO. However, no standardization with respect to reporting alignment exists, as it varies significantly among the responding organizations. CISOs are also moving away from security-related operational tasks and are becoming more involved in strategic activities. The survey reveals that the industry needs to increase the involvement of business managers in understanding the security requirements of the business.


Extended boundaries

As the industry has been expanding across geographies to serve global clients, organizations continue to face a challenge in meeting multiple regulatory or client requirements. These organizations, being well aware of the liabilities arising from any data breach, have been re-negotiating contracts with clients to ensure that any liability arising from vulnerabilities in the clients' environment is borne by the client. Similar focus needs to be given to third-party service providers, since they have access to client/organization confidential information.

Regulations

The industry's focus on global clients is all the more evident from the fact that its data security and privacy related technological investments are driven by global regulatory requirements. However, with the introduction of the Information Technology (Amendment) Act, 2008 (ITAA 2008), organizations are starting to realize the liabilities arising from it and have also started revising their security policies to incorporate ITAA 2008 requirements. As awareness of ITAA 2008 is low, there is a risk of underestimating the liabilities arising from non-compliance with regulatory obligations.

Internal processes

There are clear indicators that internal processes have been designed to meet best practices. However, the implementation and continuous testing/monitoring vary across organizations.

The findings indicate the level of maturity the industry has achieved when it comes to processes such as threat & vulnerability management, employee screening, security incident management, BCP/DRP and physical security controls.


Data Security and Privacy


Key findings

• Client/contractual requirements and the global data protection regime are the key drivers for data security practices in the BPO industry
• Organizations perceive that the key threats to data security are internal in nature
• Respondents are conscious of their brand image and are therefore adopting data privacy initiatives to prevent any data breach incident, which may lead to bad publicity in the media
• Organizations focus on data privacy to address the rising concerns of clients' end customers vis-à-vis their personal data in the trans-border data flow
• A majority of organizations do not have a dedicated or separate privacy team; instead, they use the data security team to drive and support privacy initiatives.


Finding its place

The survey reveals that, to address end customers' concerns vis-à-vis their personal data in the trans-border data flow, clients are becoming stringent with respect to Data Security & Data Privacy, which is driving organizations' security and privacy initiatives.

Drivers for data security

A majority of respondents consider security a hygiene factor rather than a competitive advantage. Seventy percent of organizations perceive that the key threats to data security are internal in nature. Though internal and external threats are among the drivers for security, client/contractual requirements, the global data protection regime and associated liabilities remain the primary drivers for data security in the industry. At the same time, ITAA 2008 is also becoming an important driver for data security for organizations.

[Chart: Drivers (Data security) (% respondents). Source: DSCI-KPMG Survey 2010]

Clients continue to drive the information security requirements. They have helped corporations mature their information security programs through periodic audit and monitoring.


Security function

Respondents believe that organizations place due importance on the security function internally. This is also coupled with the fact that almost two-thirds of the organizations have a security team of more than five members. Most organizations have a central security function, responsible for data security & privacy, enabling them to ensure uniformity of controls across the organization.

Security is still a centralized function, as revealed by the survey. However, geographical expansion of operations, rising revenue in the Lines of Service and business growth in client relationships seem to be driving the structure of the security organization towards a localized/decentralized security function.

[Chart: Security function positioning (% respondents); categories: Central Security Function, For each Geographical location, For each Line of Service, For each Vertical, Each / major client relationship, Coordinator for each relationship. Source: DSCI-KPMG Survey 2010]

Security Team Size (% respondents)

Less than 5: 10%
6-10: 37%
11-20: 37%
More than 20: 16%

Source: DSCI-KPMG Survey 2010

Maturity of security practices (% respondents)

Focus on ISO 27001: 82
Continuous vigilance on evolving issues: 78
Keeping top management aware of the risks & liabilities: 74
Constant review of the environment: 70
Providing architectural treatment to security solutions: 60
Use enterprise portal to manage security requirements: 58
Collaborate with external sources & internal functions: 58
Proactively adopt techniques such as threat modeling, threat tree etc: 48
Focus on innovation in the security initiatives: 44

Source: DSCI-KPMG Survey 2010


Maturity of security practices

Organizations are following standardized processes, drawing major strength from well-known standards such as ISO 27001. At the same time, a majority of organizations keep continuous vigilance on evolving security issues & vulnerabilities, along with constant review of the environment to assess its security posture. With the current baseline, organizations are adopting forward-looking initiatives such as:

• Providing architectural treatment to security solutions
• Usage of an enterprise portal to manage security
• Adopting techniques such as threat modeling, threat tree, etc.
• Focusing on innovation in security initiatives.

Drivers for data privacy

Data privacy, as with data security, is primarily driven by client/contractual requirements and global regulations. However, there are other factors driving data privacy as well. Organizations are conscious of the fact that a small incident of data breach can impact their brand image to a large extent. This is also reflected by the fact that 73 percent of the organizations consider bad publicity in the media in case of a data breach as a critical driver for their data privacy initiatives. This becomes all the more important when most of the organizations are trying to address the concerns of end customers vis-à-vis their personal data in the trans-border data flow. Clients' concerns are highlighted by the fact that 50 percent of the respondents mentioned that their clients demand that they undertake privacy initiatives and explicitly mention data privacy clauses in contracts. Though the prime focus remains on end customers' data, 48 percent of the organizations have started to focus on protecting the privacy of their employees' data.

Drivers (Data privacy) (% respondents)

Driver | Critical | Important | Less Important
Reputational damage | 73 | 24 | 2
End customer concerns over trans-border data flow | 73 | 21 | 6
Global data protection regulations | 65 | 31 | 4
Data privacy clauses in client contracts | 56 | 35 | 8
Clients' privacy program | 50 | 46 | 4
Protecting privacy of employee data | 48 | 46 | 6
Data Protection Authorities (Client geographies) | 33 | 33 | 33

Source: DSCI-KPMG Survey 2010


Privacy function

While the primary drivers for data security and data privacy are the same, the controls and capabilities required for ensuring them are quite different. Realizing this, organizations are moving towards deploying dedicated personnel for privacy. This is evident from the fact that 41 percent of the organizations have a dedicated privacy function with a team strength of more than two members.

Dedicated privacy function (% respondents)

Yes: 40%
No: 60%

Source: DSCI-KPMG Survey 2010

Privacy team size (% respondents)

Not Applicable: 43%
Less than 2: 16%
2-5: 11%
More than 5: 30%

Source: DSCI-KPMG Survey 2010

Maturity of privacy practices (% respondents)

Understanding exists of different roles and entities for data protection: 64
Understanding exists about Privacy Principles and their applicability: 62
Dedicated policy initiative for privacy: 62
Processes are reviewed regularly from privacy perspective: 60
Specific technology, solutions and processes are deployed for privacy: 54
Scope of audit charter is extended to include privacy: 52
Privacy impact Assessment is performed for new initiatives: 40
Privacy has just appeared on the organization's agenda: 16
Privacy is seriously lacking as compared to security: 8

Privacy gets treated as a sub-set of the information security program, which may lead to under-estimation of the legal implications.


Maturity of privacy practices

The survey reveals that more than 60% of the organizations:

• understand the different roles & entities that exist for data protection,
• understand Privacy Principles & their applicability,
• have a dedicated privacy policy initiative, and
• regularly review their processes from a privacy perspective.

However, not all of these organizations have extended the scope of the audit charter to include privacy, nor do they perform a privacy impact assessment whenever new initiatives are undertaken. Organizations can achieve a much better state of privacy if they take a step towards establishing a privacy function with the required empowerment.


Information security governance


Key findings

• CISOs of a majority of the organizations are spending significant time on strategic initiatives; for example, evaluating and mitigating security implications of new business initiatives.
• Organizations are seeking external assistance largely in security gap assessment and application security testing
• Organizations are maturing to understand and distinguish security-related operational tasks from strategic security tasks
• Many organizations still do not involve business managers in understanding security requirements.


    Doing a reality check

    The survey results indicate that organizations have come to realize the

    significance of CISO and his/her role. CISOs have started to get involved in

    strategic tasks, moving away from operational activities.

Role of CISO

The survey reveals that the CISOs of nearly 65 percent of the organizations spend a significant amount of their time on activities like:
- Overseeing security policy enforcement
- Participating in business strategy meetings
- Interacting with support functions for enforcing measures
- Planning for remedial measures
- Issuing guidelines to enterprise units
- Overseeing security projects
- Checking for new issues, threats & vulnerabilities
- Convening meetings of security forums.

This clearly indicates that CISOs are spending a significant amount of time on strategic tasks instead of operational tasks. However, standardization of the CISO's role is lacking. This is evident from the survey results: 29 percent of CISOs spend a significant amount of time on reviewing & approving change requests, while 22 percent of CISOs do not consider it part of their responsibility. Similarly, more than 50 percent of CISOs spend a significant amount of time on reviewing the state of security in service delivery channels and reviewing security reports, yet nearly 15 percent believe they are not responsible for these tasks.

CISO's reporting line

The survey reveals that organizations have not reached a consensus on whom the CISO should report to. This is evident from the fact that there is no standardization in the reporting alignment of CISOs. Further, CISOs have multiple reporting lines, resulting in a lack of focus and accountability. The survey also revealed that in 30 percent of the organizations the CISO reports to the CIO/CTO, highlighting concerns with respect to the independence of the security function.

CISO reports to (% respondents)

  Chief Executive Officer (CEO)      30
  Chief Operating Officer (COO)      18
  Chief Information Officer (CIO)    16
  Chief Risk Officer (CRO)           16
  Chief Technology Officer (CTO)     14
  Head Quality Assurance              4
  Audit Committee                     2
  Others                              8

Source: DSCI-KPMG Survey 2010


Organizations need to refine the CISO's role, ensuring minimal involvement in operational tasks such as reviewing reports of security scans.

CISO spends time on (% respondents)

  Activity                                                      | Significant amount of time | Non-significant amount of time | Not responsible
  Overseeing security policy enforcement                        | 90 |  6 |  4
  Participating in business strategy meetings                   | 84 | 12 |  4
  Interacting with support functions for enforcing measures     | 80 | 12 |  8
  Planning for remedial measures                                | 71 | 16 | 12
  Issuing guidelines to enterprise units                        | 69 | 24 |  6
  Overseeing security projects                                  | 69 | 20 | 10
  Checking for new issues, threats and vulnerabilities          | 65 | 31 |  4
  Convening security forum meetings                             | 65 | 27 |  8
  Preparing reports for higher management's consumption         | 63 | 33 |  4
  Reviewing reports of security scans, assessments and audits   | 61 | 29 | 10
  Reviewing & responding to security alerts, incidents, issues  | 57 | 33 | 10
  Reviewing state of security in service delivery channels      | 57 | 29 | 14
  Reviewing security reports                                    | 51 | 33 | 16
  Overseeing security training of employees                     | 45 | 45 | 10
  Interacting with IT teams for maintenance of security devices | 37 | 51 | 12
  Reviewing and approving change requests                       | 29 | 49 | 22
  Approving official requests of reporting officers             | 23 | 52 | 25

Source: DSCI-KPMG Survey 2010

The role of and expectations from the CISO vary across organizations: whilst many spend time on strategic items, a fair number of operational tasks still take his/her attention.


Security tasks

Security of the organization is the prime responsibility of the CISO and his/her team. However, other functions like the IT Infrastructure Team, Business Units, Corporate Compliance, etc. are also involved in security management tasks. The survey indicated that the various teams are being involved in the right capacity for security management tasks. This indicates that organizations are aware of the stakeholders required to be involved for effective management of security. Trends clearly visible from the survey responses are:
- Operational tasks such as installation of security solutions, administration of security technologies and security testing are performed by the IT security and IT infrastructure teams, allowing the CISO to focus on strategic tasks
- Gaps in security skills are bridged by availing the services of external consultants for tasks such as security gap/baseline assessments, application security testing, code review, etc.

Though the CISO is actively getting involved in business activities such as business strategy planning, understanding the business requirements of security, etc., the involvement of business managers in security initiatives needs to be further enhanced.

Security gap/baseline assessment (% respondents)

  Business Manager            15
  Corporate Compliance        15
  CISO                        64
  IT Security                 38
  IT Infra Team                9
  Audit Team                  36
  External Consultant         15
  External Service Provider    6

Keeping track of evolving threats & vulnerabilities (% respondents)

  Corporate Compliance   12
  CISO                   52
  IT Security            68
  IT Infra Team          16

Security requirements of business (% respondents)

  Business Manager       63
  Corporate Compliance   19
  CISO                   58
  IT Security            27
  IT Infra Team          19

Application Security Testing (% respondents)

  CISO                   27
  IT Security            61
  IT Infra Team          20
  Audit Team             11
  External Consultant    20

Security Authorization of Change Requests (% respondents)

  Business Manager       16
  Corporate Compliance    8
  CISO                   48
  IT Security            58
  IT Infra Team          18

Source: DSCI-KPMG Survey 2010


Extended boundaries


Key findings

- Meeting multiple regulatory/client requirements and ensuring employee seriousness towards data security & privacy continue to remain key challenges for organizations
- Organizations are continuously focusing on spreading awareness about security, but challenges seem to persist
- Organizations are increasingly focusing on deploying technical and organizational safeguards to mitigate risks arising from the client's environment
- Organizations have started negotiating contracts to ensure that any liability arising from vulnerabilities in the client's environment is borne by the client
- Organizations have adopted a Third Party Risk Assessment Framework along with conducting Vendor Risk Management exercises for their service providers.


Overcoming challenges

Meeting multiple client/regulatory requirements, while serving clients across geographies, is a key challenge faced by organizations.

Challenges in managing data security & privacy

Organizations face the challenge of meeting multiple regulatory/client security and privacy requirements. Internal threats are also a major roadblock in ensuring data security and privacy, especially when 73 percent of the organizations believe that there is a lack of seriousness amongst their employees towards data security. Employees in the young age group, with high attrition rates, pose a significant challenge to the continued sustenance and management of security & privacy. Organizations need to focus on spreading awareness of the liabilities arising from a data breach, as this continues to be a challenge for more than 75 percent of the respondents.

The survey also highlights the fact that 70 percent of the organizations are facing challenges with respect to ensuring data security and privacy in the client's environment. The respondents were found to be concerned about the relatively moderate controls implemented in the client's environment. Managing security becomes even more challenging when employees are highly involved with the client organization or can connect to the client's environment through public networks.

Challenges faced (% respondents)

  Challenge                                                            | Key challenge | One of the challenges | Not a challenge
  Meeting multiple client requirements                                 | 45 | 27 | 29
  Employees in young age group with high attrition rates               | 44 | 30 | 26
  Meeting multiple regulatory requirements                             | 38 | 36 | 26
  Client providing liberal access to BPO employees                     | 35 | 35 | 29
  Emerging and evolving threats and vulnerabilities                    | 33 | 47 | 20
  Employees connecting to client environment through public network    | 33 | 26 | 42
  Lack of employee awareness on liabilities arising from data breaches | 27 | 50 | 23
  Non-seriousness of employees for security and privacy                | 25 | 48 | 27
  High involvement of employees with client organization               | 25 | 35 | 40
  Understanding global data protection regulations                     | 22 | 39 | 39
  Different connectivity models                                        | 20 | 37 | 43
  Different means used to transfer or access the data                  | 20 | 30 | 50
  Inadequate budget allocation for data security & privacy             | 20 | 22 | 59
  Increased volume and complexity of data intensive transactions       | 18 | 45 | 37
  Difficulty in bringing visibility over the data                      | 16 | 43 | 41
  Managing third party risks                                           | 16 | 49 | 36
  International spread of operations                                   | 15 | 47 | 38
  Client prefers business flexibility over security                    | 15 | 40 | 45
  Lack of support from Top / Senior Management                         |  9 | 24 | 67

Source: DSCI-KPMG Survey 2010


Mitigating client environment risk (% respondents)

  Making employees aware of the risks in client environment                              71
  Deploying extra technical and organizational safeguards                                60
  Negotiating contracts to make client liable for exploitation of client's environment   54
  Include client's environment in risk management process                                50
  Do not consider client environment risk as part of our risk management process         25

Source: DSCI-KPMG Survey 2010

Mitigating third party risk

There is an increasing realization of the risks associated with access to client data systems. Seventy-five percent of the respondents have extended the scope of their risk management processes to include the risks introduced by the client's environment. Organizations are making their employees aware of the risks that arise from the client's environment and are also deploying additional technical and organizational controls to mitigate these risks. Further, organizations have started negotiating contracts to ensure that any liability arising from vulnerabilities in the client's environment is borne by the client.

Organizations realize that with the increasing use of third party service providers, the risk of a data breach increases, especially when these service providers have access to confidential information. Therefore, most of the organizations sign Non Disclosure Agreements / Confidentiality Agreements with third party service providers and use the contract as an instrument to make the third party service providers liable for any security breaches. Beyond that, 48 percent of organizations have controls deployed as per a Third Party Risk Assessment Framework and 52 percent conduct Vendor Risk Management exercises.

Mitigating third party risk (% respondents)

  Signing Non Disclosure Agreement                                           96
  Deploying technical and organizational safeguards                          77
  Contract to make the third party liable for any security breaches          75
  Making our employees aware of the risks arising from third party services  58

Source: DSCI-KPMG Survey 2010

Third party risk management (% respondents)

  Controls deployed as per "Third Party Risk Assessment Framework"   48
  Conducting Vendor Risk Management exercise                         52
  Both                                                               42
  Neither                                                            42

Source: DSCI-KPMG Survey 2010


    Regulations


Key findings

- Organizations continue to consider regulatory requirements as a primary driver for their investments
- Adoption of an enterprise level automated tool for managing compliance is still in the nascent stage
- There seems to be a lack of clarity amongst organizations regarding their liability under ITAA 2008
- A large percentage of the organizations have not activated the legal function to understand, interpret and suggest necessary precautions to comply with ITAA 2008. This explains the low level of awareness amongst the organizations.


Staying compliant

The survey results reveal that although organizations have started to create awareness on ITAA 2008, the level of awareness still needs to be strengthened.

Tracking contractual / regulatory requirements

The survey highlights that more than three-fourths of the organizations involve the legal department in the initial stages of contract negotiation and maintain an inventory of contractual / regulatory requirements for each client relationship. However, only 50 percent of the organizations are well aware of the legal & compliance requirements for each type of data element. Further, only 30 percent of the organizations use an enterprise level tool to help manage compliance. These could be the possible reasons why organizations continue to face challenges in managing regulatory/client requirements.

Steps taken to track contractual / regulatory requirements (% respondents)

  Involve legal department in initial stages of deal negotiation                                   86
  Maintaining an inventory of contractual / regulatory requirements for each client relationship   76
  Compliance / audit / risk manager for each relationship                                          70
  Mechanism to track regulatory changes                                                            66
  Managed and shared legal & compliance related information effectively                            66
  Ensure understanding, interpretation and applicability of legal terms                            62
  Business process owners self-declare compliance to contractual / regulatory requirements         54
  Legal and compliance requirements and liabilities for each type of data element are well known   50
  Subscribed to services that notify of legal and regulatory changes                               46
  An enterprise wide tool helps manage compliance effectively                                      30

Source: DSCI-KPMG Survey 2010

    Compliance processes remain largely manual.


Response to liabilities due to data breach

In the wake of global regulations and ITAA 2008, which specify increased civil as well as criminal liability per data breach, most of the organizations are responding by strengthening their mechanisms for monitoring & incident management, and by creating awareness within the organization and among third parties.

My organization can be sued under ITAA 2008 by (% respondents)

  Response                    | End Customers | Employees
  Yes                         | 44 | 49
  No                          | 22 | 16
  Not Sure                    | 31 | 33
  ITAA 2008 is not applicable |  2 |  2

    Awareness on ITAA 2008

    Creating awareness on ITAA 2008

There seems to be a lack of clarity amongst respondents regarding the applicability of ITAA 2008, as more than 50 percent of respondents either responded negatively or were not sure with respect to their liabilities under ITAA 2008.

The low level of awareness around ITAA 2008 can be understood from the fact that almost one-third of the organizations have not started specific initiatives towards creating awareness on ITAA 2008 amongst their Top Management, whereas two-thirds of them have not yet started creating awareness for their clients, employees and contractors.

Create awareness amongst (% respondents)

  Board Members                        30
  Top / Senior Management              70
  Employees                            35
  Contractors / Third Party employees  24
  Clients                              15

Source: DSCI-KPMG Survey 2010

Response to liabilities due to data breach (% respondents)

  Strengthening monitoring and incident management mechanism     78
  Creating awareness within the organization and third parties   76
  Review the client contracts                                    58
  Activating legal function                                      58
  Establish a breach notification mechanism                      47
  Developing strong forensic investigation capabilities          18

Source: DSCI-KPMG Survey 2010

While there is greater awareness of global regulations, the implications of ITAA 2008 remain largely unknown.


Response to ITAA 2008

ITAA 2008 as a driver for technology investments

Since most of the organizations have not even involved their legal function to interpret and suggest the necessary safeguards to comply with ITAA 2008, they do not realize the impact of a breach. This is highlighted by the fact that 67 percent of organizations have not extended the scope of their security and privacy program to cover employee personal data.

Organizations' lack of focus towards ITAA 2008 could be related to the fact that more than two-thirds of the organizations consider global regulations as the primary driver for their technology investments to enhance information security and regulatory compliance.

ITAA 2008 as a driver (% respondents)

  ITAA 2008 is a significant investment driver                 19
  Global regulations as a primary driver                       72
  ITAA 2008 has recently acquired a place in the discussion    26
  ITAA 2008 does not have any bearing on investment decisions  11

Steps taken in response to ITAA 2008 (% respondents)

  Strengthening monitoring and incident management mechanism                    46
  Identify the personal information flow to the organization                    39
  Activating legal function                                                     39
  Revising organization's security policy                                       33
  Contacting external information sources                                       33
  Extending the scope of security & privacy to cover employees' personal data   33
  Collaborating with competitors / peers                                        30
  Review the vendor contracts                                                   24
  Identifying and making an inventory of scenarios                              20
  Developing strong forensic investigation capabilities                         17

Source: DSCI-KPMG Survey 2010


Internal processes


Key findings

- Organizations involve process owners and Lines of Business in their data security initiatives
- Organizations keep a vigilant track of new issues, vulnerabilities and threats. However, most of them do not have a mechanism in place that is capable of swiftly testing the relevance of these issues in their environment
- More than half of the organizations surveyed do not mandate vendors / third parties to report new threats and vulnerabilities in their products / services
- The industry has matured over the years in terms of processes such as security incident management, BCP/DRP and physical security management.


Being prepared

Internal processes of organizations have matured over the years to a point where most of the organizations are keeping track of threats & vulnerabilities and have also established processes for employee background screening, security incident management, BCP/DRP and physical security control.

Data centric approach

Organizations are bringing a data centric approach to their security initiatives by understanding the type of operations, client requirements and the underlying resources and access patterns. Further, organizations are increasingly aware of how data is managed over its life cycle and have granular level visibility over the data in each of their client relationships and business processes. The survey also reveals that 78 percent of the organizations involve process owners and Lines of Business in their data security initiatives.

Data centric approach (% respondents)

  Involvement of process owners & LoB in the data security initiatives                78
  Understanding about the type of operations, client requirements etc                 76
  Aware of how the data is managed in its life cycle                                  66
  Data classification techniques have been deployed and followed rigorously           66
  Granular level visibility over the data                                             64
  Organization is aware of issues in the client environment                           50
  Uniformity of controls is maintained at both client & organization's environments   36

Source: DSCI-KPMG Survey 2010


Perceived risk based on lines of service

Global regulations could be the prime reason why organizations perceive business processes involving personal information as high risk. More than two-thirds of the organizations perceive the following business processes as high risk:
- Human resource operations
- Health information processing
- Finance & accounting
- Payroll accounting.

Level of perceived risk (% respondents)

  Line of service                    | High | Medium | Low
  Human Resource Operations          | 73 | 17 | 10
  Health Information Processing      | 72 | 17 | 10
  Finance and Accounting             | 72 | 28 |  0
  Payroll Processing                 | 66 | 24 | 10
  Legal Processing                   | 54 | 27 | 19
  Customer Interaction and Support   | 53 | 28 | 19
  Billing Management                 | 46 | 46 |  8
  Business Analytics                 | 41 | 44 | 16
  Knowledge Services                 | 39 | 45 | 16
  Supply Chain Management            | 22 | 56 | 22
  Procurement Services               | 22 | 61 | 17
  Engineering and Design Services    | 13 | 47 | 40
  Printing and Publishing Services   |  0 | 38 | 62

Source: DSCI-KPMG Survey 2010

Processes involving personally identifiable information are perceived as high risk.


Keep track of evolving threats & vulnerabilities

Organizations have established appropriate measures to keep track of new threats and vulnerabilities: they subscribe to newsletters, CERT-In alerts and exploit databases, and periodically visit the websites of data security vendors. However, there is a need for collaborative effort amongst peer organizations, which could benefit the entire industry. Organizations should also consider stronger engagement with vendors/third parties and insist that they report new threats and vulnerabilities in their products / services so that appropriate controls can be implemented in a timely manner.

Keep track of evolving threats & vulnerabilities (% respondents)

  Risk based internal or external audits                                           86
  Subscribing to newsletters                                                       76
  Through websites of data security vendors                                        74
  Subscribing to vulnerability, exploit databases, etc                             68
  Subscribing to CERT-In alerts                                                    62
  Through peers / competitors                                                      54
  Security research reports of product and professional organizations              46
  Mandating the vendors to report new threats & vulnerabilities in their products  44
  Through discussions on security forums on the internet                           40
  Subscribing to analysts' reports                                                 32
  Provided by the client organizations as part of their Risk Management process    30

Source: DSCI-KPMG Survey 2010

Threat & vulnerability management (% respondents)

  Keep vigilant track of new issues, vulnerabilities and threats                     84
  The version of each critical asset is up-to-date                                   76
  Integration with IT infrastructure management processes                            72
  IT infrastructure is homogeneous                                                   62
  An architectural treatment is given to threat and vulnerability management         60
  Mechanism to test the relevance of issues swiftly, without delays                  56
  Scope of the function is extended to mobile computing devices etc                  50
  Collaborates with agencies like CERT-In and other knowledge sources                46
  IT infrastructure is heterogeneous                                                 26
  Compatibility of business applications & cost hinder keeping the asset up to date  24

Source: DSCI-KPMG Survey 2010

While organizations keep a close eye on threats and vulnerabilities, they lag in swift response.


    Threat & vulnerability management

    The survey reveals that organizations are tracking threats and vulnerabilities. However, most of them do not have a mechanism in place that is capable of swiftly testing the relevance of these issues in their environment. A majority of the organizations ensure that the version of each critical asset is up-to-date to make the asset free of vulnerabilities. However, 24 percent of the organizations face compelling reasons, such as compatibility of business applications and cost escalation, that hinder version upgrades. Further, the heterogeneous nature of IT infrastructure poses a challenge to around 26 percent of respondents in managing threats and vulnerabilities.

    Solutions adopted for data protection

    Organizations have adopted solutions related to encryption and have started to develop fraud management and forensic capabilities internally. In the wake of data protection regulations, more than 50 percent of the organizations have deployed or are planning to deploy the following solutions:

    • Hard Disk Encryption
    • Email Encryption
    • Data Loss Prevention (DLP)
    • Security Incident and Event Monitoring (SIEM)
    • Mobile Data Protection
    • Legal and Compliance Management

    Solutions deployed or planning to deploy (% respondents)

    78  Hard Disk Encryption
    72  Email Encryption
    66  Data Loss Prevention (DLP)
    62  Security Incident and Event Monitoring (SIEM)
    52  Mobile Data Protection
    52  Legal and Compliance Management
    46  Database Activity Monitoring
    44  Data Masking
    42  Fraud Management
    36  Compliance Notification Services
    34  Threat Management for mobile computing devices
    28  Computer Forensic
     6  Do not have sufficient budget


    Source: DSCI-KPMG Survey 2010


    Background screening

    Employee background screening is one of the key security controls, especially when employees have access to critical or confidential information of clients. Background screening is also important because a majority of the organizations see internal threats as one of the key drivers for data security.

    Background screening is one of the basic controls for ensuring security; this is evident from the fact that 72 percent of the organizations follow this process for all their employees. Realizing that background screening is not their core competency, 80 percent of the organizations have outsourced it to third party vendors.

    Realizing the importance of background screening, NASSCOM started the initiative called National Skills Register (NSR) to have a credible information repository about all personnel working in the IT and BPO industry. Most of the participants are aware of NSR and its value. However, the adoption of NSR as an exclusive source for employee background screening has been limited.

    Background screening is conducted for (% respondents)

    72  All employees
    14  Selected relationships
    10  Selected Lines of Service

    Background screening is conducted by (% respondents)

    80  By third party
    18  Internally
    12  Both


    Source: DSCI-KPMG Survey 2010

    Source: DSCI-KPMG Survey 2010


    Security Incident Management

    Most organizations state that they have formal security incident management in place. Most of the respondents have established mechanisms for internal employees and customers to report incidents, define detective and investigative requirements, and proactively detect anomalies. The survey reveals that in 71 percent of the organizations, incident management supports the data breach notification requirements of clients. Further, the incident management process is integrated with IT processes for remedial actions, and almost two-thirds of the organizations have extended the scope of security monitoring to all critical log sources. Organizations have formal processes for reporting security incidents, but only 29 percent of them extend the scope of incident management to third parties.

    Security incident management (% respondents)

    84  Mechanism exists for internal employees and customers to report incidents
    78  Logs are securely managed and archived in accordance with compliance requirements
    71  Incident management supports data breach notification requirements (regulatory) of clients
    69  There is a formal reporting mechanism to report incidents to the management, client and regulatory authorities
    67  There is a mechanism to define detective and investigative requirements
    67  Incident management mechanism is integrated with organization IT processes for remedial actions
    63  Scope of security monitoring is extended to all the critical log sources
    59  Real time monitoring mechanisms exist that can proactively detect anomalies
    57  Business rules are defined to identify incidents
    55  There is an inventory of all the possible scenarios that can lead to an incident
    53  Effective solution is implemented for log management, security monitoring and incident management mechanism
    47  Incident management mechanism takes inputs from external knowledge sources on vulnerabilities, anomalous patterns and threats
    41  There is a mechanism that generates an incident based on patterns and business rules
    37  Incident management mechanism supports forensic capabilities
    33  Collaborate with CERT-In for incident reporting and response
    29  Scope of the incident management is extended to third parties


    Source: DSCI-KPMG Survey 2010


    Business Continuity / Disaster Recovery Planning

    The survey revealed that respondents have a mature BC/DR planning process in place, wherein the scope of BCP/DRP covers strategies for client business processes and recovery objectives are defined for each client relationship. For most organizations, the scope of BCP/DRP also covers scenarios like city outage and externally provisioned systems, applications and networks. Organizations also realize that knowledge around BCP/DRP is important; therefore emphasis is given to providing cross-functional training, and BC/DR drills are conducted frequently. Though a significant level of automation exists for DR operations, organizations are yet to adopt automation tools for the entire BCP/DRP. This is evident from the fact that more than 40 percent of the organizations follow manual processes and do not have operational metrics to help take routing decisions. The survey further revealed that though the BCP/DRP processes of many organizations are mature, only 50 percent of organizations have realized that third parties should also be mandated to meet BCP/DRP requirements.

    The scope of BCP/DRP (% respondents)

    78  Covers the strategies for client business processes
    76  Extended to cover scenarios like city outage
    74  Recovery objectives for each client relationship
    66  Covers the externally provisioned systems, applications and networks


    Source: DSCI-KPMG Survey 2010

    For BCP/DRP there exists (% respondents)

    80  Mapping of each business operation with associated infrastructure component
    58  Significant level of automation for DR operations
    56  Operational metrics to help take routing decisions
    28  Automated tool to perform BCP/DR process

    Source: DSCI-KPMG Survey 2010

    For BCP/DRP (% respondents)

    73  Adequate technical measures are deployed to migrate or route business processes from one operational location to another
    73  Drill is conducted frequently
    70  The knowledge is managed effectively
    66  Emphasis given on providing cross functional training to employees
    64  Architectural treatment given to availability preparedness that drives redundancy of infrastructure components
    50  Contracts with third parties include obligation to meet our BCP / DR requirements

    Source: DSCI-KPMG Survey 2010

    BC/DR plans cover most elements of organizations' internal boundaries, but few include aspects relating to third parties.


    Physical Security

    The respondents realize that the risk of data leakage increases once a person has physical access to the operational facility. Therefore, organizations have established strong physical security controls for the perimeter, entry points and interior areas, along with mechanisms for identification & authorization of employees. Organizations also ensure a significant level of collaboration between physical security, information security and other functions. However, in most of the organizations physical security is not integrated with IT security.

    Physical security (% respondents)

    98  Adequate controls exist for perimeter, entry points and interior areas
    98  There exists a mechanism for identification and authorization of employees
    96  Entry to the delivery centers is restricted to authorized persons only
    88  A process exists for the movement of assets into the operating areas
    88  Physical security function is owned by the Admin department
    86  A process exists for provisioning and de-provisioning access of visitors, partners, and support services
    84  Physical security operation is driven by stringent and consistent processes
    82  Significant level of collaboration exists between physical security, information security and other functions of the organization
    78  Segregation of duties is maintained in shared facilities
    76  The scope of security testing is extended to cover physical security controls
    72  The scope of the security monitoring and incident management mechanism is extended to integrate the physical security components
    70  An architectural treatment is given to the physical security countermeasures
    48  Physical security is integrated with IT security through competent solutions
    48  There is centralized monitoring of physical security across various locations by a Physical Security Operations Center (PSOC)
     6  Physical security function is owned by the IT department


    Source: DSCI-KPMG Survey 2010

    In the times of digital convergence, physical security and digital security controls remain disintegrated.


    Way forward

    Over time, the Indian BPO Industry has withstood significant customer and regulatory scrutiny, and has been able to demonstrate that it is able to embrace the data security and privacy governance processes that are required as a minimum baseline for providing outsourcing services in a high trust mode. While customers have largely driven consciousness of risks and requisite controls, most organizations in the industry have developed frameworks that aid them in first line defense, detection, and reacting in an appropriate manner to events that threaten this high trust environment. The industry also continually expands its horizons to newer markets, and has gained a reputation for understanding its exposure to legislation and regulation in varying markets. C-level executives of the BPO industry are well conversant with their responsibilities and liabilities from a data security and privacy standpoint, and the implications of risks emanating from these topics regularly underpin the strategic priorities and decision making processes of such executives.

    One of the themes emerging from the survey is that while the BPO industry has attained a high level of maturity on data security, business continuity preparedness, background screening of employees, etc., there are many emerging issues that require its attention. These issues are largely attributed to the rapidly evolving security and regulatory landscape.

    Global regulations require organizations to protect the privacy of end customers. The interpretation of these regulations is becoming a significant challenge, requiring a dedicated effort. This will lead to the emergence of a privacy function in a BPO, moving away from the current practice of positioning privacy within the ambit of security. The privacy function will have to bring the necessary regulatory intelligence that supports the geographical expansion of organizations. On the other hand, it will have to reengineer organizations' processes to demonstrate compliance with the regulations.

    The ever changing threat landscape is driving organizations to redefine their security strategies and programs. The rising complexity and heterogeneous nature of the underlying infrastructure pose a significant challenge in doing so. Organizations need to build the right capabilities for maintaining their security posture and responding swiftly to new threats.

    Over the years, BPOs have witnessed substantial growth and have penetrated into new Lines of Service. In doing so, they are challenged with the protection of sensitive client data. A particular Line of Service is characterized by a specific set of security concerns and liabilities. To sustain its growth, the BPO industry should pay close attention to understanding the risks and liabilities associated with the Lines of Service it is serving.

    To overcome the challenges identified by the survey, it is important for organizations to adopt a data-centric approach to managing security & privacy risks and to review all processes, functions and client relations from the data perspective.

    BPO as an industry is facing unique challenges and there is a strong case for collaboration between organizations. The industry treats security as hygiene rather than a competitive advantage. The entire industry can learn from its experiences, and provide a consistent and unified message of a high trust environment at the industry level.


    Acknowledgments

    DSCI Core Team
    Vinayak Godse, Director, Data Protection
    Vikram Asnani, Senior Consultant, Security Practices
    Rahul Jain, Senior Consultant, Security Practices

    KPMG Core Team
    Navin Agrawal, Executive Director
    Nitin Khanapurkar, Executive Director
    Atul Gupta, Director
    Vijay Subramanyam, Director
    Vidur Gupta, Associate Director
    Deepak Agarwal, Consultant

    KPMG Survey Team
    Abhijit Varma, Ankit Goel, Arihant Garg, Jignesh Oza, Lekha Ragupathi, Nayab Kohli, Nitin Shah, Rahul Gupta, Rahul Singhal, Sundar Ramaswamy, Syamala Raju Peketi

    DSCI Project Advisory Group
    N. Balakrishnan, Chairman, DSCI and Associate Director, IISc Bangalore
    BJ Srinath, Senior Director, CERT-In
    Anjali Kaushik, MDI Gurgaon
    Akhilesh Tuteja, Executive Director, KPMG
    Kartik Shahani, Country Manager, India and SAARC, RSA
    Satish Das, CSO, Cognizant
    Baljinder Singh, Global Head of Technology, InfoSec & BCM, EXL Service
    Vishal Salvi, CISO, HDFC Bank
    Ashwani Tikoo, CIO, CSC
    PVS Murthy, Global Head, Information Risk Management Advisory, TCS
    Deepak Rout, CISO, Uninor
    Seema Bangera, DGM Information Security, Intelenet Global


    KPMG Contact
    Atul Gupta
    Director, IT Advisory Services
    KPMG in India
    T: +91 124 307 4134
    E: [email protected]
    www.kpmg.com/in

    DSCI Contact
    Vinayak Godse
    Director - Data Protection
    DSCI
    T: +91 11 2615 5071
    E: [email protected]
    www.dsci.in