Information Security in ITES & BPO (IT Services, BPO Solutions)


Slide 2: Agenda
- Gaps in Information Security
- Information Security Risk Governance
- Standards
- Industry Regulation
- Information security incident impact
- Metrics driven approach
- Provisioning and Identity management

Slide 3: Gaps in Security
- New vulnerabilities resulting from the widespread use of new technologies
- Lack of maintenance to assure all patches are applied promptly
- Increased networking and mobile working
- Lack of security awareness
- Insufficient discipline and innovation when applying controls
- New and determined efforts of hackers, fraudsters, criminals and even terrorists
- Increased legislative, legal and regulatory security requirements
- Lack of a metrics driven approach for continuous improvement

Slide 4: Information Security Risk Governance
Information Security Risk Framework: Vision, Guiding Principles (BS7799-2:2002)
Phases: Risk Identification, Assessment and Mitigation; Risk Monitoring / Embedding; Risk Measurement
Steps:
1. Gap Analysis
2. Ongoing Risk and Control Self Assessments
3. Document Statement of Applicability
4. Controls implementation
5. Quantification of Risk
6. Scorecard
7. Monitor Ongoing Audits (Client / BS7799 Requirements)
8. Issue Management & Log Database

Slide 5: Information Security Risk Scorecard - Sample
Number of Deviations / Non-Compliances from the Information Security Management System (BS7799-2:2002)

Slide 6: The Role of Executive Governance
BS7799: strengthen internal control; boards need to set strategic aims, provide leadership, supervise management and report to shareholders on their stewardship. This requires adoption of a continuous improvement model rather than dependence on the 36 control objectives and 128 controls.
COBIT: the board is to assure appropriate and effective processes to monitor risk and the effectiveness of the system of internal control; a broader corporate governance role for audit committees... monitor and report on risks...

Slide 7: Industry Regulatory Bodies

| Regulation | Mandating Organization | Security Requirements | Affected Companies |
|---|---|---|---|
| Indian IT ACT 2000 | Ministry of Law, Justice and Company Affairs (Legislative Department) | Authentication, access controls, credential lifecycle management, non-repudiation (digital certificates) and data integrity controls | All companies |
| Sarbanes-Oxley | US Securities and Exchange Commission (SEC) | CobiT framework: authentication, access controls, user account management, credential lifecycle management, non-repudiation and audit controls | Companies publicly traded on US exchanges |
| Gramm-Leach-Bliley | US Office of the Comptroller of the Currency (OCC) | Authentication, access controls, encryption, data integrity controls, and audit controls | All financial institutions regulated by the OCC |
| HIPAA Security | US Department of Health and Human Services (DHHS) | Authentication, access controls, transmission security, audit controls, and data integrity | Healthcare organizations in the US |
| 21 CFR Part 11 | US Food and Drug Administration (FDA) | Authentication, access controls, data integrity controls, audit controls, encryption and digital signatures | Companies regulated by the FDA (e.g. pharmaceuticals) |
| Basel II | Basel Committee on Banking Supervision | FFIEC framework: access rights administration, authentication, network access, operating system access, application access, remote access, logging and data collection | Global financial service organizations |
| 95/46/EC Data Protection Directive | European Union (EU) | Measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access | Companies conducting business in EU member nations |

Slide 8: Information security incident impact
Consequences:
- Competitive disadvantage
- Business loss
- Reputation loss
- Morale damage
- Fraud
- Disruption
- Legal liability
- Privacy loss
- Safety risk
- Wrong management decisions
Courtesy: COBIT & ISACA.ORG

Slide 9: Control Objective Metrics
[Bar chart, 0% to 100%, of metrics per control objective; bar values are not recoverable from the transcription. Control objectives shown:]
- Manage Security Measures
- Identification, Authentication and Access
- Security of Online Access to Data
- User Account Management
- Management Review of User Accounts
- User Control of User Accounts
- Security Surveillance
- Data Classification
- Central Identification and Access Rights Management
- Violation and Security Activity Reports
- Incident Handling
- Firewall Architectures and Connections with Public Networks

Slide 10: Process Metrics
[Bar chart, 0% to 100%, of process metrics; bar values are not recoverable from the transcription. Processes shown: Compliance, Monitoring, Implementation, Awareness, Strategy, Policy]

Slide 11: User Provisioning as an effective control mechanism
Risk Reduction:
- Risk of unauthorized access to or misuse of enterprise resources
- Compliance risk
- Enforce consistent policies
- Centralized account management
- Reduce complexity and errors
Cost Efficiency:
- Productivity increase by reducing idle time
- Administrative overhead
- Free up helpdesk resources
- Integrate with current and future infrastructure
Establish a competitive differentiator, efficiency and cost

Slide 12: What does User Provisioning offer?
- Policy Based Resource Provisioning
- Delegated Administration
- User Self Service
- Password Management
- Password Synchronization
- Reverse Synchronization
- Reconciliation & Auditing
- Reporting

Slide 13: Common Threads
Common threads among the regulations include:
- Authentication
- Access Control
- Audit Control
(Authentication, access control and audit control are the essence of User Provisioning)
- Conducting a Risk Analysis
- Developing and Enforcing a Security Policy
- Implementing Best Practices

Slide 14: Provisioning process
Employee on-boarding process (Agents). Systems involved: HRMS, WFM, Transportation, ACD, QMS, Oracle Financials, BAM, ADS and Client Application Admin.
Workflow elements shown in the diagram:
- Initiate Recruitment Request; Recruitment MIS
- Initiate joining formalities from Process Team to Client; Joining Process
- Create Agent ID into Oracle
- Creating user IDs for applications access
- Access Card Activation
- ACD Activation; Agent logs in to Client ACD
- Add name to the trip sheet; Trip Sheets
- Reschedule Resources; Resource Dashboard
- Input quality scores of agent; Quality Scores
- Payroll inputs like Emp. details, leave, Incentive, etc. from Process Team to Client
- Update MIS
On-boarding an agent or a UM to a new process: provisioning and resourcing. FTE = Full Time Employee; an agent.
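The Reconciliation & Auditing feature from slide 12 applied to the on-boarding flow of slide 14, as an added example that is not part of the original deck: a role policy says which target systems each employee should be provisioned into, and a reconciliation pass compares a snapshot of target-system accounts against the HRMS roster, reporting orphan, excess and missing accounts the way the risk scorecard of slide 5 counts deviations. Role names, employee IDs, entitlements and the account snapshot are constructed for illustration; the system names are taken from the slides.

```python
from dataclasses import dataclass

# Constructed policy (not from the slides): target systems each role should hold.
ROLE_ENTITLEMENTS = {
    "agent": {"ADS", "ACD"},
    "unit_manager": {"ADS", "ACD", "Oracle Financials", "WFM"},
}

@dataclass(frozen=True)
class Employee:
    emp_id: str
    role: str
    status: str  # "active" or "terminated", as carried in the HRMS record

def expected_accounts(roster):
    """Policy-based provisioning: accounts each active employee should hold."""
    return {e.emp_id: set(ROLE_ENTITLEMENTS.get(e.role, ()))
            for e in roster if e.status == "active"}

def reconcile(roster, target_accounts):
    """Reconcile target-system accounts (system -> set of emp_ids) against
    the HRMS roster. Deviations fall into three scorecard categories:
    orphan (holder terminated or unknown to HR), excess (account outside
    the holder's role policy), missing (entitlement with no account yet)."""
    expected = expected_accounts(roster)
    orphan, excess, missing = [], [], []
    for system, holders in target_accounts.items():
        for emp_id in holders:
            if emp_id not in expected:
                orphan.append((system, emp_id))
            elif system not in expected[emp_id]:
                excess.append((system, emp_id))
    for emp_id, systems in expected.items():
        for system in systems:
            if emp_id not in target_accounts.get(system, set()):
                missing.append((system, emp_id))
    return {"orphan": sorted(orphan), "excess": sorted(excess),
            "missing": sorted(missing)}

def scorecard(deviations):
    """Number of deviations per category, as a risk scorecard would report."""
    return {category: len(items) for category, items in deviations.items()}

# Constructed sample: HR roster and a snapshot of accounts in target systems.
ROSTER = [Employee("E001", "agent", "active"),
          Employee("E002", "unit_manager", "active"),
          Employee("E003", "agent", "terminated")]
TARGETS = {"ADS": {"E001", "E002", "E003"}, "ACD": {"E001", "E002"},
           "Oracle Financials": {"E001", "E002"}, "WFM": set()}
```

Running `reconcile(ROSTER, TARGETS)` on the sample flags the terminated agent's leftover ADS account, an Oracle Financials account an agent's role does not cover, and a unit manager whose WFM on-boarding is incomplete.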

Slide 15: OnePass Simplified
Components: OnePass Admin Console, OnePass Self-Service, OnePass Reports, OnePass Engine
Sources and target systems: HR Management System, Active Directory, Xellerate from THOR, ACD / CMS, Badges, Biometrics, Portals
Phase I: B2E; Phase II: Portals

Slide 16: Business Benefits
Tangible costs*:
- Typical cost per call for a user ID and password reset problem is $10 to $30
- Total direct costs of identity management of users can be as high as $500 per user per year
- 15% of IT staff at Fortune 1000 companies devote 35% of their time to user identity and access management activities
Intangible costs:
- Security risks due to a diverse administration model
- Ill-defined process resulting in inefficiency
*PriceWaterhouse Coopers, Meta Group and Forrester Research

Slide 17: Recent Incident
MphasiS is distressed by the identity theft leading to the bank fraud in Pune, involving three of its former employees and a current employee. MphasiS considers data protection and data security of our clients and their customers to be of utmost importance. MphasiS has proactively instituted elaborate security systems and processes, which are constantly reviewed and upgraded. We are, and have always been, compliant with the highest standards of security in the industry. While there is no evidence so far of a breach or audit failure in the processes employed by MphasiS and its client, in the light of this incident, we are conducting full external audits on processes and compliance. We will implement the required steps to further strengthen security and dissemination of information to customers as to how they should protect their data. MphasiS is working very closely with the cyber branch of the Pune police, NASSCOM and the client bank in support of the investigation. MphasiS will spare no effort to bring to justice the employees, past or present, involved in this incident. In addition, we're working with NASSCOM to further enhance the thoroughness of staff background checks.

Slide 18: Thank you