It gives me great pleasure to see the results of the survey of BPO companies,
conducted by DSCI through KPMG in India with the active support of DIT. I’m
sure this survey will help the industry understand the areas that need focus in
order to improve its practices, and present to its clients the best practices
approach for trusted business partnership.
© 2010 KPMG, an Indian Partnership and a member firm of the KPMG network of independent member firms
affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
State of Data Security and Privacy in the Indian BPO Industry
We present the results of the BPO industry in this report. The depth of questions
may perhaps lead one to conclude that the survey is an attempt at assessment
rather than merely a high-level information capture. At DSCI, we felt that this was
important with a view to understanding the data protection trends, underlying issues
and concerns that may be unique and specific to the BPO industry. The focus, in
general, is on the positioning of security and privacy in organizations and on the maturity and
characteristics of key security disciplines such as Threat & Vulnerability
Management and Incident Management, among others. Such an in-depth questionnaire
was expected to bring out the BPO responses to the rising data breaches
globally.
I am pleased to state that the in-depth approach has resulted in findings that are
more promising. For the BPO industry, while the survey suggests that employee
awareness of data protection continues to be a challenge, management is
alive to the privacy requirements of clients, since many BPOs have established a
privacy team that is distinct from security. The security organization itself is maturing,
with CISOs being involved in strategic tasks. An interesting result is the
awareness among BPOs that they may be liable for breaches arising from
vulnerabilities in clients’ environment unless they are vigilant enough to negotiate
a suitable contract. Among the areas that need the attention of management, the
following are worth mentioning: employee security awareness should be
increased, the need for compliance with the amended IT Act should be understood, and
Lines of Business should be involved in data security initiatives.
The BPO industry in India has always been under the significant influence of data
protection regulations. In the initial years of its growth phase, corporations went
through fairly intense scrutiny in customer audits, which sometimes were
considered to cross the boundary of reasonable control expectations. In
any case, most CISOs have privately admitted that those audits helped them
learn the tricks of the trade and made them better every time they underwent
such an audit.
The industry has also been conscious that managing an adequate level of
information protection is essential for survival. There have been instances of
penalties being charged for non-compliance with information security safeguards. In
a few extreme cases, clients have renegotiated contracts with their service
providers at lower rates just because the security controls were found to be
weak. Some experts believe that information security issues can easily become
non-tariff barriers if the industry as a whole does not embrace appropriate risk
mitigation measures. Given this context and the current global economic
scenario, it couldn’t have been a better time for the industry to demonstrate that
it has the right strategies in place to manage and mitigate the risks of information
security breaches.
The survey validates that the industry understands these implications very well
and has put in place the baseline measures to manage the risk. The survey is
aimed at identifying protection measures for information security in general and
those specific to personally identifiable information (privacy). While the industry
participants have developed frameworks for addressing information security
concerns, the aspects relating to privacy haven’t matured as much. The survey
highlights the current state of the industry and attempts to identify the future direction
for a holistic information protection program.
It is argued that surveys conducted through the owners of a process many a time
produce more optimistic results and portray realities as better than they really
are. However, the purpose of the survey being directional rather than quantitative
assessment, it serves the purpose of identifying the trends and priorities of the
industry. This survey should act as a useful guide for senior executives of BPO
companies in formulating their future positions and will be a good tool for many
CISOs in developing business cases for comprehensive information security
programs. We hope that the companies which use the services of the Indian BPO
industry will also benefit from this survey, as it will help them reposition their
compliance monitoring efforts in the right direction.
Akhilesh Tuteja
Executive Director, KPMG in India
Contents
Introduction 02
Extended Boundaries 24
Regulations 30
Internal Processes 36
Way Forward 47
Introduction
Highlights
The survey provides insights into the data security and privacy
environment of the Indian BPO industry. There is evidence that validates
general perceptions about security and privacy practices, and then
there are some outliers that do not align with the seemingly obvious.
Summary
The Indian BPO industry has grown ninefold, from USD 1.6 billion to USD 14.7
billion, in just a decade and is expected to witness robust growth in the years to
come. By 2020, the Indian outsourcing industry (IT and BPO), which is currently at
USD 60 billion, is expected to reach USD 225 billion. During the same period, the
growth in ‘domestic BPO’ revenue is expected to expand sevenfold to reach
USD 15 to USD 17 billion, while ‘export revenue’ is expected to reach USD 50
billion. To sustain this phenomenal growth, the Indian BPO industry needs to
overcome one of the major challenges facing the industry today – addressing the
Data Security and Privacy concerns of its stakeholders.
Data Security Council of India (DSCI) and KPMG in India, under the aegis of CERT-
In (DIT), jointly conducted a survey to assess the current state of data security and
privacy practices being adopted by the Indian BPO industry and to gain insights
into how the Indian BPO industry is addressing clients’ concerns.
In order to ensure that the survey results represent the Indian BPO industry at
large, we interviewed CISOs and their equivalents in organizations across BPO
industry segments and sizes.
The survey results highlight trends and insights into the state of data security and
privacy in the Indian BPO industry – many ‘generally known’ practices are
validated, yet certain unexpected insights are revealed.
The maturity of the Indian BPO industry with respect to data security and privacy
is reflected in the fact that most organizations treat security more as a hygiene
factor than as a point of differentiation to gain competitive advantage. End
customers in client geographies are concerned about their personal data in
trans-border data flows. The Indian BPO industry realizes this and is equally concerned
about any bad publicity in the media that may result from a data breach. Clients,
too, have taken note of such concerns and require BPO organizations to
undertake privacy initiatives and to include an explicit data privacy clause in
their contracts. The first section of the report – ‘Data Security & Privacy’ – reveals
these and other such trends in detail.
The information security function in general has been formalized, with most
organizations having a designated CISO. However, no standardization with
respect to reporting alignment exists, as it varies significantly across the
responding organizations. CISOs are also moving away from security-related
operational tasks and are becoming more involved in strategic activities. The
survey reveals that the industry needs to involve business managers more closely
in understanding the security requirements of the business.
Extended boundaries
As the industry has been expanding across geographies to serve global clients,
organizations continue to face a challenge in meeting multiple regulatory or client
requirements. These organizations, being well aware of the liabilities arising from
any data breach, have been re-negotiating contracts with clients to ensure that any
liability arising from vulnerabilities in the client’s environment is borne by the
client. Similar focus needs to be given to third party service providers, since they
have access to client/organization confidential information.
Regulations
The industry’s focus on global clients is all the more evident from the fact that its data
security and privacy related technological investments are driven by global
regulatory requirements. However, with the introduction of the Information Technology
(Amendment) Act, 2008 (ITAA 2008), organizations are starting to realize the
liabilities arising from it and have also started revising their security policies to
incorporate ITAA 2008 requirements. As awareness of ITAA 2008 is low, there is
a risk of underestimating the liabilities arising from non-compliance with regulatory
obligations.
Internal processes
There are clear indicators that internal processes have been designed to follow
best practices. However, implementation and continuous testing/monitoring
vary across organizations.
The findings indicate the level of maturity the industry has achieved when it
comes to processes such as threat & vulnerability management, employee
screening, security incident management, BCP/DRP and physical security
controls.
Data Security and Privacy
Key findings
Security function
(Chart residue: ‘Reputational damage’ row with values 73, 24 and 2; column headings not recovered.)
Privacy function
While primary drivers for data security and data privacy are the same, the controls and
capabilities required for ensuring them are quite different. Realizing this, organizations are
moving towards deploying dedicated personnel for privacy. This is evident from the fact that
41 percent of the organizations have a dedicated privacy function with a team strength of
more than two members.
• understand different roles & entities that exist for data protection,
However, not all of these organizations have extended the scope of the audit charter to
include privacy, nor do they perform a privacy impact assessment whenever new
initiatives are undertaken. Organizations can achieve a much better state of privacy if
they take a step towards establishing a privacy function with the required empowerment.
Information security governance
Key findings
The survey results indicate that organizations have come to realize the
significance of the CISO and his/her role. CISOs have started to get involved in
strategic tasks, moving away from operational activities.
The survey reveals that organizations have not reached a consensus on ‘whom should
the CISO report to?’ This is evident from the fact that there is no standardization in the
reporting alignment of CISOs. Further, CISOs have multiple reporting lines, resulting in
a lack of focus and accountability. The survey also revealed that in 30 percent of
organizations the CISO reports to the CIO/CTO, highlighting concerns with respect
to the independence of the security function.
(Chart residue, CISO reporting line: Audit Committee 2; Others 8; remaining categories not recovered.)
Role of CISO
The survey reveals that the CISOs of nearly 65 percent of the organizations are spending
a significant amount of their time on activities like:
This clearly indicates that CISOs are spending a significant amount of time on strategic
tasks instead of operational tasks. However, standardization of the CISO’s role is lacking.
This is evident from the survey results: 29 percent of CISOs spend a significant amount
of time on reviewing & approving change requests; at the same time, 22 percent of
CISOs do not consider it part of their responsibility. Similarly, more than 50 percent of
CISOs spend a significant amount of time on ‘reviewing the state of security in service
delivery channels’ & ‘reviewing security reports’. However, nearly 15 percent believe
they are not responsible for these tasks.
(Chart residue: ownership of security tasks by function – Business Manager, Corporate Compliance, CISO, IT Security, IT Infra Team, Audit Team, External Consultant; values cannot be matched to their columns. Source: DSCI-KPMG Survey 2010.)
Security tasks
(Chart residue: ‘Security Monitoring’ row; column headings not recovered.)
Extended boundaries
Key findings
Overcoming challenges
The survey also highlights the fact that 70 percent of the organizations are facing
challenges with respect to ensuring data security and privacy in the client’s
environment. Respondents were found to be concerned about the relatively moderate
controls implemented in the client’s environment. Managing security becomes even more
challenging when employees are highly involved with the client organization or can
connect to the client’s environment through public networks.
There is an increasing realization of the risks associated with access to client
data systems. Seventy-five percent of the respondents have extended the scope of
risk management processes to include the risks introduced by the client’s environment.
Organizations are making their employees aware of the risks that arise from the client’s
environment and are also deploying additional technical and organizational controls to
mitigate these risks. Further, organizations have started negotiating contracts to
ensure that any liability arising from vulnerabilities in the client’s environment is borne
by the client.
Organizations realize that with the increasing use of third party service providers, the
risk of data breach increases, especially when these service providers have access to
confidential information. Therefore, most of the organizations sign Non Disclosure
Agreements / Confidentiality Agreements with third party service providers and
use the contract as an instrument to make the third party service providers liable for any
security breaches. Beyond that, 48 percent of organizations have controls deployed as
per a ‘Third Party Risk Assessment Framework’ and 52 percent conduct ‘Vendor Risk
Management’ exercises.
(Charts: ‘Mitigating third party risk (% respondents)’ and ‘Third party risk management (% respondents)’; data not recovered.)
Regulations
Key findings
Staying compliant
The survey results reveal that although organizations have started to create
awareness of ITAA 2008, the level of awareness still needs to be
strengthened.
(Chart: ‘Legal and compliance requirements and liabilities for each type of data element are well known’ – 50 percent of respondents.)
The survey highlights that more than three-quarters of the organizations involve the legal department
in the initial stages of contract negotiation and maintain an inventory of contractual /
regulatory requirements for each client relationship. However, only 50 percent of the
organizations are well aware of legal & compliance requirements for each type of data
element. Further, only 30 percent of the organizations use an enterprise-level tool to help
manage compliance. These could be the possible reasons why organizations continue
to face challenges in managing regulatory/client requirements.
While there is greater awareness of global regulations, the implications of ITAA 2008 remain largely unknown.
• creating awareness within the organization and third parties.
My Organization can be sued under ITAA 2008 by (% respondents)
                              End Customers   Employees
Yes                                44             49
No                                 31             33
Not Sure                           22             16
ITAA 2008 is not applicable         2              2
Source: DSCI-KPMG Survey 2010
Since most of the organizations have not even involved their legal function to interpret
and suggest the necessary safeguards to comply with ITAA 2008, they don’t realize the
impact of a breach. This is highlighted by the fact that 67 percent of organizations have
not extended the scope of the security and privacy program to cover employee
personal data.
Organizations’ lack of focus on ITAA 2008 could be related to the fact that more
than two-thirds of the organizations consider global regulations as a primary driver for their
technology investments to enhance information security and regulatory compliance.
(Chart: drivers of technology investment, % respondents – ‘Global regulations as a primary driver’ 72. The categories ‘ITAA 2008 is significant investment driver’, ‘ITAA 2008 has recently acquired a place in the discussion’ and ‘ITAA 2008 does not have any bearings on investment decision’ carry the values 19, 26 and 11, whose assignment is not recoverable from the extracted layout.)
Internal processes
Key findings
Being prepared
Perceived risk of business processes (% respondents; column headings not recovered)
Payroll Processing        66   24   10
Legal Processing          54   27   19
Billing Management        46   46    8
Business Analytics        41   44   16
Knowledge Services        39   45   16
Procurement Services      22   61   17
Global regulations could be the prime reason why organizations perceive business
processes involving personal information as high risk. More than two-thirds of the
organizations perceive the following business processes as high risk:
Payroll accounting.
Keep track of evolving threats & vulnerabilities
a close eye on threats and vulnerabilities, they lag in swift response.
services so that appropriate controls could be implemented in a timely manner.
Keep track of evolving threats & vulnerabilities (% respondents)
Security research reports of product and professional organizations          46
Integration with IT infrastructure management processes                      72
IT infrastructure is homogeneous                                             62
An architectural treatment is given to threat and vulnerability management   60
IT infrastructure is heterogeneous                                           26
The survey reveals that organizations are tracking threats and vulnerabilities. However,
most of them do not have a mechanism in place that is capable of swiftly testing the
relevance of these issues in their environment. The majority of the organizations ensure
that the version of each critical asset is up to date so that the asset is free of known vulnerabilities.
However, 24 percent of the organizations report compelling reasons, such as business
application compatibility and cost escalation, that hinder version upgrades.
Further, the heterogeneous nature of IT infrastructure poses a challenge to around 26
percent of respondents in managing threats and vulnerabilities.
(Chart, title not recovered, % respondents: Email Encryption 72; Data Masking 44; Fraud Management 42; Computer Forensic 28.)
Background screening
(Chart residue: ‘All employees’ row with values 14, 10 and 72; column headings not recovered.)
Screening performed: Internally 18; By Third party 80; Both 12.
Real time monitoring mechanisms exist that can proactively detect anomalies 59
There is an inventory of all the possible scenarios that can lead to an incident 55
Most organizations state that they have formal security incident management in place.
Most of the respondents have established mechanisms for internal employees and
customers to report incidents, defined detection & investigation requirements, and
proactively detect anomalies. The survey reveals that in 71 percent of the organizations,
incident management supports the data breach notification requirements of clients.
Further, the incident management process is integrated with IT processes for remedial
actions, and almost two-thirds of the organizations have extended the scope of security
monitoring to all critical log sources. Organizations have formal processes for reporting
security incidents, but only 29 percent of them extend the scope of incident
management to third parties.
BC/DR plans cover most elements of the organization’s internal boundaries, but few include aspects relating to third parties.
The survey revealed that respondents have a mature BC/DR planning process in place,
wherein the scope of BCP/DRP covers strategies for client business processes and
recovery objectives for each client relationship are defined. The scope of BCP/DRP
for most organizations also covers scenarios like city outage and externally provisioned
systems, applications and networks. Organizations also realize that knowledge
around BCP/DRP is important; therefore emphasis is given to providing cross-
functional training, and BC/DR drills are conducted frequently. Though a significant
level of automation exists for DR operations, organizations are yet to adopt automation
tools for the entire BCP/DRP. This is evident from the fact that more than 40 percent
of the organizations follow manual processes and do not have operational metrics to
help take routing decisions. The survey further revealed that though the BCP/DRP processes
of many organizations are mature, only 50 percent of organizations
have realized that third parties should also be mandated to meet BCP/DRP
requirements.
Physical Security

Chart data (percent of respondents):
Adequate controls exist for the perimeter, entry points and interior areas 98
A process exists for the movement of assets into the operating areas 88

The respondents realize that the risk of data leakage increases once a person has physical
access to the operational facility. Therefore, organizations have established strong
physical security controls for the perimeter, entry points and interior areas, along with
mechanisms for identification and authorization of employees. Organizations also ensure a
significant level of collaboration between physical security, information security and
other functions. However, in most of the organizations physical security is not integrated
with IT security.
Way forward
Over time, the Indian BPO Industry has withstood significant customer and regulatory
scrutiny, and has been able to demonstrate that it is able to embrace data security and
privacy governance processes that are required as a minimum baseline for providing
outsourcing services in a high trust mode. While customers have largely driven
consciousness of risks and requisite controls, most organizations in the industry have
developed frameworks that aid them in first line defense, detection, and reacting in an
appropriate manner to events that threaten this high trust environment. The industry
also continually expands its horizons to newer markets, and has gained a reputation in
understanding its exposure to legislation and regulation in varying markets. C-level
executives of the BPO industry are well conversant with their responsibilities and
liabilities from a data security and privacy standpoint, and implications of risks
emanating from these topics regularly underpin the strategic priorities and decision
making processes of such executives.
One of the themes emerging from the survey is that while the BPO industry has attained a
high level of maturity on data security, business continuity preparedness, background
screening of employees and similar disciplines, there are many emerging issues that require
its attention. These issues are largely attributable to the rapidly evolving security and
regulatory landscape.
Global regulations require organizations to protect the privacy of end customers. The
interpretation of these regulations is becoming a significant challenge, requiring a
dedicated effort. This will lead to the emergence of a distinct privacy function in a BPO,
moving away from the current practice of positioning privacy within the ambit of security.
The privacy function will have to bring the regulatory intelligence that supports the
geographical expansion of the organization, and at the same time reengineer the
organization's processes to demonstrate compliance with the regulations.
The ever changing threat landscape is driving organizations to redefine their security
strategies and programs. The rising complexity and heterogeneous nature of
underlying infrastructure pose a significant challenge in doing so. They need to build
the right capabilities for maintaining their security posture and responding swiftly to
the new threats.
Over the years, BPOs have witnessed substantial growth and have penetrated into new Lines
of Service. In doing so, they are challenged with protecting sensitive client data. Each
Line of Service is characterized by a specific set of security concerns and liabilities. To
sustain its growth, the BPO industry should pay close attention to understanding the risks
and liabilities associated with the Lines of Service it serves.
BPO as an industry is facing unique challenges and there is a strong case for
collaboration between organizations. The industry treats security as hygiene rather
than a competitive advantage. The entire industry can learn from its experiences, and
provide a consistent and unified message of a high trust environment at the industry
level.
Acknowledgments
KPMG Contact DSCI Contact
www.kpmg.com/in www.dsci.in
© 2010 KPMG, an Indian Partnership and a member firm of the KPMG network of
independent member firms affiliated with KPMG International Cooperative (“KPMG
International”), a Swiss entity. All rights reserved.
The KPMG name, logo and “cutting through complexity” are registered trademarks
or trademarks of KPMG International Cooperative (“KPMG International”), a Swiss
entity.