Emids Morning Security Virtual India V3

Data Security & Privacy in Offshore Operations, May 7, 2009

Upload: techcouncil, posted on 12-Nov-2014

DESCRIPTION

Virtual Trade Mission: Exploring Opportunities in India May 7, 2009

TRANSCRIPT

Page 1: Emids Morning Security Virtual India V3

Data Security & Privacy in Offshore Operations

May 7, 2009

Page 2

www.eMids.com

Agenda

• Setting the Context
• Outlining potential risks
• Mitigating the risk
  – Understanding existing laws and regulations
  – NASSCOM’s role in the Indian IT market
  – Looking at vendor best practices
  – Drafting contracts for success
• Question and Answer
• References

Page 3

Setting the Context

Engaging offshore resources has evolved into a best practice for delivering Information Technology and product engineering across several industries.

The very nature of the work involves sharing of data and intellectual property. A security breach under these circumstances is a high risk with potentially unpleasant consequences.

Differences in law, culture, time zone, and communication seem to amplify the perceived impact of this already inherent risk.

This presentation attempts to separate perception from reality and offers an executive overview of data privacy and security in offshore delivery centers.

Page 4

Potential Risks

• Suspension of business activity
• Loss of rights to use data
• Adverse publicity
• Damage to brand/image
• Loss of trade secrets and intellectual property
• Civil suits – individual and class action
• Regulatory enforcement actions

Page 5

Mitigating the Risk

May 7, 2009

Page 6

Understanding Existing Laws and Regulations

• Indian IT Act of 2000 (cyber law)
  – makes punishable cyber crimes such as hacking, damage to computer source code, and breach of confidentiality and privacy
• Indian Copyright Act
  – provides protection for intellectual property
• Indian Penal Code
  – provides criminal punishment for cyber crimes
• Indian Contract Act
  – provides for the enforcement of international contracts
• World Trade Organization (WTO)
  – WTO-GATS (General Agreement on Trade in Services) provides for internet privacy and gives structure to the regulatory environment in e-business
• United Nations Commission on International Trade Law (UNCITRAL)
  – protects international electronic transactions

Page 7

NASSCOM’s Role in the Indian IT Market

• NASSCOM is both the face of India’s burgeoning software industry and a key arm in catalyzing its growth. It is committed to monitoring the security of data and intellectual capital, helping companies deliver at a high level of quality, and coordinating seamless delivery across geographic and political boundaries.
• 4 E Initiatives
  – Engagement – works across geographic boundaries with organizations such as the Department of Homeland Security, Treasury (Infrastructure Compliance), Federal Reserve Board – NY, Heritage Foundation, CSIS, IPI, and academia
  – Education – research reports, model contracts, SLA examples, best practices, educational collateral for Indian law enforcement, and media around security and privacy
  – Enactment – lobbies for the enactment of legislation supporting the IT industry (such as the IT Act 2000)
  – Enforcement – joint efforts with police, lawyers, and industry bodies ensure enforcement and constant checks to recognize and initiate action against security infringements

Page 8

NASSCOM’s Role in the Indian IT Market

• India Cyber Lab
  – evolved as a unique public-private partnership project for cyber safety
• Initiation of the Data Security Council of India
  – Develop data privacy standards
  – Adoption of best practices
  – Focus on a code of conduct
  – Promote and encourage voluntary compliance with the code
  – Provide certifications to organizations
• Campaign Against Piracy
  – Significant contribution towards ending software piracy across India

Page 9

Vendor Best Practices

Four areas surrounding the Information Security Best Practice: Vendor Employee Awareness, Vendor Framework, Client-Centric Activities, and Third Party Entities.

• Vendor Employee Awareness
  – Background checks
  – Whistle blower policies
  – Workplace awareness
  – Internal/external training and certification
  – Exit agreements
• Vendor Framework Adherence
  – ISO 27001
  – SAS 70
  – CMMi
  – HIPAA / PCI
  – Legal business entity
  – Security scope & mission statement
• Client-Centric Activities
  – Customer driven audits
  – Sharing of internal audit results
  – Reporting of perceived threats and breaches
• Third Party Entities
  – Independent audits
  – Independent penetration testing
  – Inspection by client’s customers

Page 10

Vendor Framework Adherence

• ISO 27001
• SAS 70
• CMMi
• HIPAA / PCI
• Legal business entity
• Security scope & mission statement

Page 11

Vendor Employee Awareness

• Background checks
• Whistle blower policies
• Workplace awareness
• Internal/external training and certification
• Exit agreements

Page 12

Client-Centric Activities

• Customer driven audits
• Sharing of internal audit results
• Reporting of perceived threats and breaches

Page 13

Third Party Entities

• Independent audits
• Independent penetration testing
• Inspection by client’s customers

Page 14

Drafting Contracts for Success

• Make security as important in the contracting process as scope, deliverables, and pricing
• Common contract clauses to consider
  – Confidentiality
  – IP Ownership
  – Return of project materials
  – Non-Disclosure Agreements (NDAs)
  – Physical Security / Isolation
  – Security Audits
  – Network Security

Page 15

Question and Answer

Page 16

References

• WTO – www.wto.org
• CMMi – www.sei.cmu.edu/cmmi
• ISO 27001 – www.iso27001security.com
• NASSCOM – www.nasscom.org