Offshore Outsourcing - Dealing with Compliance Issues
Ken D. Nguyen, PMP, CISSP, CISM, MCSE, SVP & CTO
SourceSentry, [email protected]
©SourceSentry 2004
Agenda
Compliance Landscape
Current & Pending (Federal & State) Bills
Corporate Governance
Binding Corporate Rules (BCR)
Vendor Governance
Q/A
The Compliance Landscape
* Meta Group, Inc. 2004
SOX Implications on Outsourcing
Regulatory clarification lagging: 2H04 is too late for many
What about Sec 409 and PCAOB Audit No 2?
Sarbanes-Oxley (SOX) does not differentiate between insourced and outsourced processes
SAS 70 audits: Good enough?
What You Still Need to Be Thinking About for HIPAA: Service Provider Contracts on the Whole
Individual rights issues – Are we really supposed to check with every business associate?
What do they want you to do with the Security Rule?
Monitoring issues – an emerging issue for everyone
US Patriot Act
Information Sharing
Anti-Money Laundering Program – Section 352(a)
Suspicious Activity Reporting
Customer Identification Program – Section 326
Concerns about US companies violating privacy law of other countries
Basel II
Basel II includes three mutually reinforcing pillars:
– Pillar 1: Minimum Capital Requirement
– Pillar 2: Supervisory Review Process
– Pillar 3: Market Discipline
Offshore outsourcing affects Pillar 1, in particular the Operational Risk aspect
Regulatory review practices will spread to banks’ key suppliers, third-party outsourcing service providers, offshore processing services, and providers of key systems and tools
US Federal Reserve expects only the top 11 US banks to comply - although a further 10 or more are expected to opt in.
State of New Offshore Legislation
42 separate bills introduced in 22 states addressing state contracting and the use of foreign labor
Another 13 bills in 12 states requiring individuals to identify themselves, their location, and the company they work for
Other bills prohibit financial data from leaving the U.S.
Changes to tax policy: “Buy Home State” provisions
Federal Bills
S. 2090 – (WARN Act) – Same as federal plant closure laws
– Notice to be given before operations go offshore
– Make trade adjustment assistance available to workers
S. 1873 – Call centers to ID location of call
S. 2094 – No Federal contracts to offshore providers
S. 2143, S. 2157 and H.R. 3881 – Would extend trade adjustment assistance for displaced workers
S. 2148 – Similar to S. 2094
S. 2312 – Consent from customers for transferring personal, medical or financial data (H. Clinton)
S. 1232 – Safeguarding Americans From Exporting Identification Data Act (SAFE-ID)
S. 1637 – (Senator Dodd Amendment) Senate has already passed amendment to prohibit companies from fulfilling federal contracts using offshore outsourced labor
State Bills – For Example, California
AB 1829 - Prohibits state agency or local government from contracting out services unless the company certifies that all work will be performed solely by workers in the US
AB 3021 - Requires CA employers to determine the amount of offshore outsourcing they do by reporting the number of workers employed outside CA
AB 2517 - Requires call center employees to give (honest) disclosure of their location
SB 888 - Prevents offshore transmittal of info “important to homeland security” (broad definition)
SB 1492 - Prevents medical records from being shipped overseas, unless prior consent received from individual
Other Challenges
Security of Information
– Potential Liability under US/EU Privacy/Data Laws
– Poor IP Rights Regimes in Developing Countries
Enforcing Judgments Abroad
– Jurisdictional Challenges
– Enforcing Damages and Limitations of Liability
– No Uniformity
Overlapping Laws and Conflicts
– Conflict between US and Local Laws
– Overlapping regulations and ambiguities
Impact of Compliance
Impact regulations will have on the likelihood of outsourcing IT in the interests of compliance, or of outsourcing business processes/functions
* Meta Group, Inc. 2004
Crafting Corporate Governance
Corporate Governance Framework
Organizations must develop global and integrated corporate governance strategies, practices, and processes
COBIT, COSO, BizSentry, others?
Frameworks
COBIT - Control Objectives for Information and related Technology
COSO - Committee of Sponsoring Organizations
FRAP - Facilitated Risk Assessment Process
CRAMM - The CCTA’s (Central Computer and Telecommunications Agency) Risk Analysis and Management Method
OCTAVE - Operationally Critical Threat, Asset, and Vulnerability Evaluation
ITIL – IT Infrastructure Library
BizSentry – Offshore Outsourced Activities
What can be done?
Binding Corporate Rules
BCRs
– Consistent with company’s compliance structure and practices
– Harmonized global guidelines ensure a consistent, strong protection
– Binding on company’s entities and employees
– Policies are alive and visible to our employees
– Language is user-friendly for data handlers and employees
Alternative - Contracts
Alternative - Safe Harbor
Establish Vendor Governance Program
Partnership / Communication
Govern by contract, then be friends
Use a dashboard: Then watch it!
Industry Solution? – SVR, BITS, etc.
Additional Recommendations
Use external independent assessment in the offshore location
Scrutinize regulatory compliance mandates
Integrate services sourcing and management processes within overall corporate governance framework
Don’t procrastinate… act now
Offshoring/Outsourcing Resources
Outsourcing/Offshoring Knowledge
– SourceSentry: http://www.sourcesentry.com
– ISACA: http://www.isaca.org
– FDIC: Offshore Outsourcing of Data Services by Insured Institutions and Associated Consumer Privacy Risks: http://www.fdic.gov/regulations/examinations/offshore/toc.html
– IT Compliance Institute: http://www.itcinstitute.com/index.aspx
– Ponemon Institute: http://www.ponemon.org
– Outsourcing Institute: http://www.outsourcing.com
– Outsourcing Journal: http://www.outsourcingjournal.com
– NASSCOM: http://www.nasscom.org
– Philippines: http://www.outsourcephilippines.org
– Global: www.witsa.org
Questions
Ken D. Nguyen, PMP, CISSP, CISM, MCSE
SVP & CTO
SourceSentry, Inc.