service provider assessment framework

Upload: gurbinder-sharma

Post on 04-Apr-2018


  • 7/29/2019 Service Provider Assessment Framework

    1/68

Service Provider Assessment Framework

A Platform for Building Synergies between Clients and Service Providers for Trusted Global Sourcing

A Study Report

Data Security Council of India in collaboration with Ernst & Young

December 2010

Under Cyber Security Awareness Program, Department of Information Technology, Government of India


About DSCI

Data Security Council of India (DSCI) is a section 25, not-for-profit company, set up by NASSCOM as an independent Self Regulatory Organization (SRO) to promote data protection, develop security and privacy codes & standards, and encourage the IT/BPO industry to implement the same.

For more information about DSCI or this report, please contact:

Data Security Council of India
Niryat Bhawan, 3rd Floor, Rao Tula Ram Marg, New Delhi 110057, India
Phone: +91-11-26155070
Fax: +91-11-26155072
Email: [email protected]

© 2010 DSCI. All rights reserved.

Disclaimer

This document contains information that is Intellectual Property of DSCI. DSCI expressly disclaims, to the maximum limit permissible by law, all warranties, express or implied, including, but not limited to, implied warranties of merchantability, fitness for a particular purpose and non-infringement. DSCI disclaims responsibility for any loss, injury, liability or damage of any kind resulting from and arising out of use of this material/information or part thereof. Views expressed herein are views of DSCI and/or its respective authors and should not be construed as legal advice or legal opinion. Further, the general availability of information or part thereof does not intend to constitute legal advice or to create a Lawyer/Attorney-Client relationship, in any manner whatsoever.


Foreword

The IT (Amendment) Act, 2008 has established a strong data protection regime in the country, by requiring body corporates to implement reasonable security practices to protect sensitive personal information. What is reasonable security, though? An organization is expected to have a comprehensive information security program, with appropriate controls that are commensurate with its information assets and risk assessment. In the event of a security breach, it should be able to demonstrate that its practices were in conformance with its written security policy, and that its controls were adequate. It is, however, not that easy, since enterprises are outsourcing some of their work, and they must manage information risk across a vast global network of Service Providers. Outsourcing thus brings into focus the practices followed by Service Providers, and their accountability.

Service Providers are subjected to ongoing assessments and on-site audits, which are labor-intensive and costly for both sides. Likewise, Service Providers with hundreds of Clients distributed in various geographies must submit themselves to several audits by the Clients. Moreover, the multiple assessments are based on different frameworks, questionnaires and audit approaches; clearly they result in wasted effort and time, and, of course, higher costs. It is the wish of both Clients and Service Providers that third-party evaluations that are standards-based, or framework-based, may ease the assessment burden. But how do they view the implementation of a standard, or best practices for security, and an assessment framework to validate that this has indeed made the organization secure? Again, both of them will have a different perspective on this. Can enterprises take a methodical approach to assessing and managing the risks through frameworks like ISO 27001, BITS Shared Assessment Program, Moody's Vendor Information Risks ratings, Information Security Forum, COSO, NIST or COBIT? Will attestation of a Service Provider's practices necessarily be in the form of a third-party certification, or a maturity rating of its practices?


With DSCI best practices and data-centric methodology, we've rolled out a solution for adoption by Service Providers to make them secure. DSCI Security Framework (DSF) is based on a number of security principles that help make the security program of an organization dynamic, instead of a static checklist approach that relies on bulky documentation. We wanted to review the available assessment frameworks, to see how DSF could fit into them, and how rating of practices may give a sense of security to organizations, and also show them the direction for improvements. In short, it'll help realize an effective security program, and a transparent assessment framework, that may address the concerns of both Clients and Service Providers. In the process, reasonable security practices will get implemented.

It is with this in view that DSCI partnered with Ernst & Young Pvt. Ltd. (EY) in this study, which required extensive knowledge and experience in the domain, to review the existing frameworks and think through the advantages of certification/ratings. A survey of Clients and Service Providers, based on an in-depth questionnaire, gives key pointers to the concerns of both groups, and points towards a possible third-party ratings approach that may be useful and acceptable to both, namely Clients and Service Providers.

I would like to acknowledge the great team effort of DSCI and EY in conducting this study, and creating a useful analysis. I hope this report will generate sufficient interest among Clients, Service Providers, and even governments and regulators that will help DSCI arrive at the right decisions in taking the next steps in certification/rating of Service Providers.

Kamlesh Bajaj
CEO, DSCI


The study team

Data Security Council of India
• Mr. Vinayak Godse, Director, Data Protection
• Mr. Vikram Asnani, Senior Consultant, Security Practices
• Mr. Rahul Jain, Senior Consultant, Security Practices

Ernst & Young Pvt. Ltd.
• Ms. Nity Singh, Manager, Advisory Services
• Mr. Taslimm Quraishi, Manager, Advisory Services
• Mr. Lalit Kalra, Consultant, Advisory Services

DSCI Project Advisory Group
• Prof. N. Balakrishnan, Chairman, DSCI and Associate Director, Indian Institute of Science (IISc), Bangalore
• Mr. B.J. Srinath, Senior Director, Indian Computer Emergency Response Team (CERT-In)
• Prof. Anjali Kaushik, Management Development Institute, Gurgaon
• Mr. Akhilesh Tuteja, Executive Director, KPMG
• Mr. Kartik Shahani, Country Manager, India & SAARC, RSA
• Mr. Satish Das, CSO, Cognizant
• Mr. Baljinder Singh, Global Head of Technology, Information Security & Business Continuity, EXL Service (I) Pvt. Ltd.
• Mr. Vishal Salvi, CISO, HDFC Bank Pvt. Ltd.
• Mr. Ashwani Tikoo, CIO, Computer Sciences Corporation India Pvt. Ltd.
• Mr. PVS Murthy, Global Head, Information Risk Management Advisory, TCS
• Mr. Deepak Rout, CISO, Uninor
• Ms. Seema Bangera, DGM, Information Security, Intelenet Global


Executive summary

Businesses today are global, complex and fast evolving, and technology has made business transactions independent of space and time. This has enabled businesses to focus on their core competencies and outsource non-core business operations to Service Providers, who are capable of providing services to the businesses from around the world, round the clock. Information Security and Privacy become crucial when it comes to outsourcing, as technology enables free flow of information across borders between Clients and Service Providers. This information could be business sensitive information and/or sensitive personal information of the Clients' end customers, including but not limited to health related information, credit card details, social security numbers, etc. Also, stringent global data protection regulations make the businesses liable for loss, misuse or wrongful disclosure of any personal information of any citizen, irrespective of whether the failure is at the outsourcer's end or the Service Provider's end.

The Indian IT/BPO Service Providers are striving hard to ensure that security and privacy of data are well maintained. They follow stringent security controls specified by the Clients through contractual obligations. The Clients conduct regular Information Security and Privacy assessments of the Service Providers to ensure compliance with the contractual obligations and/or regulatory requirements, or to simply assess the security posture of Service Providers. In this outsourcing ecosystem, many Clients have developed and applied their own proprietary assessment frameworks for evaluating their Service Providers. Service Providers, on the other hand, strain their resources to respond to diverse client information requests. This isolated approach proves to be an inefficient and costly affair, both for the Clients and the Service Providers. Inconsistencies arising from use of different assessment methodologies cause delays, resulting in inefficient use of time and resources. Aggravating the problem is the unavailability of a generally accepted standard for Service Provider assessments. To overcome these issues and challenges, DSCI as an industry initiative seeks to establish a well defined Service Provider Assessment Framework in order to have a common assessment approach that can be used to assess different Service Providers.

This study, especially through its survey, attempts to understand the perspective of Client and Service Provider organizations with respect to Service Provider assessments and takes inputs to define a Service Provider Assessment Framework.


The survey results reveal that:

• DSCI should play a vital role in conducting Service Provider assessments and sharing the outcome in the ecosystem. It should:
  - have a Service Provider assessment program that comprises a framework, processes, and methodology for assessments
  - provide an organization wide security and privacy maturity rating, and a domain specific maturity rating, that may be shared in the ecosystem after taking the due permission of the Service Providers
• A new standard mapped to prevalent standards should be considered as a potential assessment standard for third party assessments of Service Providers
• DSCI, as an industry initiative and a Self Regulatory Organization having representation from both the Client and Service Provider organizations, should empanel auditing firms for conducting independent third party assessments of Service Providers

The study also focused on understanding various assessment models, which included the Malcolm Baldrige Framework, Capability Maturity Model Integration (CMMI), CRISIL Ratings, BITS framework, e-Sourcing Capability Model (eSCM), and Moody's assessment framework. The study of assessment models reveals that:

• The Service Provider Assessment Framework should be easy to comprehend and adaptable regardless of the size of the organization and the nature/complexity of its processes
• The framework assessment areas should be outlined in the form of best practices rather than a stringent set of controls. This would provide an opportunity to organizations for implementing/performing the control activities according to the needs of the organization specific environment
• The framework should follow a process-approach and outline measurable assessment areas
• It should be reviewed and updated (if required) on a periodic basis
• The maturity criteria should be transparent, and should help in assigning a formal maturity rating to a Service Provider

Overall, DSCI may develop a Service Provider Assessment Framework that is aligned to DSF Best Practices & the maturity criteria defined for each of its sixteen security disciplines and the study results elucidated in this report, and make it popular in the ecosystem by performing pilot runs. The framework may follow a CMMI-like rating methodology, which is assessment of the security and privacy practices at both the layers: capability/maturity of the business processes, and maturity of the organization.


Contents

Introduction ... 1
Survey Highlights ... 5
Detailed Survey Results ... 7
  Key drivers for Service Provider assessments ... 7
  Scale of Service Provider assessments ... 9
  Current assessment program/mechanism ... 11
  Focus on Data Privacy in Service Provider assessments ... 13
  Types of Service Provider assessments ... 14
  Level of perceived risk: IT services ... 15
  Level of perceived risk: BPO services ... 17
  Risk profiling of Service Providers ... 18
  Frequency of Service Provider assessments ... 19
  Budget and cost for Service Provider assessments ... 21
  Modes of Service Provider assessments ... 23
  Service Provider assessment challenges ... 25
  Service Provider assessments: solutions and future landscape ... 27
  Influence of IT (Amendment) Act, 2008 on Service Provider assessments ... 29
  Third party assessments ... 31
  Third party assessors ... 33
  Standards for Service Provider assessments ... 35
  Role of DSCI in Service Provider assessments ... 37
  Outcome of Service Provider assessments ... 39
  Sharing of Service Provider assessment results ... 41
Recommendations ... 43
Annexure ... 45
Glossary ... 57
References ... 57


Introduction

Background

As buyers of Information Technology (IT) and Business Process Outsourcing (BPO) services become increasingly sophisticated and demanding, Service Providers are challenged to achieve new levels of efficiency, agility and transparency in service delivery and protection of information. Clients increasingly expect real evidence of robust process management, continuous improvement, effective governance, and measures adopted for ensuring Information Security and Privacy.

Objective

DSCI engaged EY to study the current landscape of Service Provider (IT/BPO organizations) assessments conducted by the Client organizations, and assist in documenting the assessment approach that may be adopted in order to minimize the challenges of both Client and Service Provider organizations, with an intent of evaluating and reporting on the Information Security and Privacy posture of the Service Providers.

Approach

In order to achieve the project objectives, the joint study team undertook the following steps:

Primary research: A survey of Client and Service Provider organizations was undertaken to gain an insight into the current Service Provider assessment program. The survey covered the following aspects:

• Business drivers for Client organizations to conduct Service Provider Assessments


• The value that various Service Provider assessments conducted by Client organizations bring to the Service Providers
• Investments made, and challenges faced by the Service Provider and Client organizations in driving such assessments
• Possible solutions for overcoming the current challenges
• Role of DSCI and third parties in Service Provider assessments

Secondary research: A study was undertaken to document the pros and cons of prevalent assessment frameworks like Capability Maturity Model Integration (CMMI), BITS shared assessment program, Carnegie Mellon University e-Sourcing Capability Model (eSCM), etc. The list of assessment frameworks was documented on the basis of their widespread use, and international recognition in performing assessments. The study areas included the following:

• Assessment areas / ease of use by the organization being assessed
• Assessment methodology / scoring pattern / process of sharing assessment results
• Acceptability / popularity of the framework
• Independence of examiners
• Frequency of framework update to cater to future requirements

The team also studied DSCI Security Framework (DSF) Best Practices and maturity rating criteria for each of its sixteen disciplines to gather inputs (in addition to the inputs provided by primary and secondary research) for defining the Service Provider Assessment Framework.


Profile of participants

The survey respondents were a set of Client and Service Provider organizations. The respondents were majorly from the Information Technology (IT), Business Process Outsourcing (BPO), Telecommunications and Financial Services verticals. Correspondingly, the survey results have been divided into two perspectives, Clients' perspective and Service Providers' perspective, and may be read accordingly.

[Figure: Industry wise distribution. Service Provider organizations by vertical (KPO, BPO, IT Services; values shown, in extraction order: 42.00%, 50.00%, 8.00%) and Client organizations by vertical (Telecommunication, Banking, Technology, Financial Services; values shown, in extraction order: 37.00%, 18.00%, 36.00%, 9.00%).]


Respondent organizations by size ($ bands)

Number of Service Provider organizations:
• Less than $100 million: 1
• $100 million to $249 million: 4
• $1 billion to $9 billion: 6
• $10 billion to $24 billion: 1

[Figure: Number of Client organizations by size. Categories: Less than $100 million; $100 million to $249 million; $1 billion to $24 billion; More than $24 billion (values shown, in extraction order: 3, 3, 1, 2).]

The sample size selected for the survey was limited and this should be taken into consideration when interpreting the survey results.


Survey highlights

• Service Provider assessments are conducted by Client organizations in order to protect business sensitive information, and mitigate security & privacy risks while outsourcing work to Indian IT/BPO companies. These assessments help Service Provider organizations to align security & privacy initiatives to their Clients' requirements and build on the existing relationship with the Clients
• Comprehensive risk based assessments covering all the domains of security are carried out annually by the majority of Client organizations. Vulnerability assessments and penetration testing continue to display strong acceptance (100%) by Client organizations in Service Provider assessment programs
• Most of the Service Provider organizations reported that an ISO 27001 controls checklist is used as a mechanism by their Clients for conducting assessments. On the other hand, Client organizations revealed that a proprietary Service Provider assessment program has been developed to conduct Service Provider assessments
• Provisions of the IT (Amendment) Act, 2008 (ITAA 2008) need to be appropriately incorporated in the Client-Service Provider contracts
• A high number of assessments around the year is the most critical challenge faced by Service Providers at the time of assessments, followed by meeting diverse & varied assessments. Whereas for Clients, rising legal liabilities, regulatory requirements, level of security awareness in the Service Providers, ensuring compliance by Service Providers, and Service Provider commitment to ensure Information Security & Privacy are some of the critical challenges faced in assessing Service Providers


• Currently, Service Provider assessments are majorly conducted onsite by Clients' internal staff. The majority of the Client organizations indicated that auditing firms empanelled by a joint industry consortium of outsourcers and the Service Providers could act as the third party assessors for conducting independent Service Provider assessments
• More than half of the Service Provider respondents suggested that DSCI should have a Service Provider assessment program that comprises a framework, processes, and methodology for assessments
• Clients and Service Providers reveal that third parties should conduct Service Provider assessments, based on a standardized assessment methodology. This would save costs and effort by avoiding the need for conducting assessments of multiple Service Providers
• Both Client and Service Provider respondents suggested a new standard mapped to ISO 27001, NIST SP, COBIT, ITIL etc. that meets all the regulatory requirements like GLBA, HIPAA, PCI DSS etc., as a potential assessment standard for third party assessments of Service Providers
• DSCI should provide an organization wide security and privacy maturity rating, and also a domain specific maturity rating


Detailed survey results

Key drivers for Service Provider assessments

The survey results reflect that the majority of the Clients consider protecting business sensitive information, and mitigating security & privacy risks, as the critical business drivers for conducting Service Provider assessments. On the other hand, Service Providers report that Clients' corporate policy requirements, and achieving end customer confidence, are the main reasons which drive their Clients to conduct assessments.

Clients' perspective

[Figure: Business drivers for conducting Service Provider assessments (Clients' perspective). Options: protecting business sensitive information including intellectual property; mitigating security and privacy risks that exist in outsourcing arrangements; addressing the security and privacy concerns of some of the key stakeholders within our organization; strengthening of the data protection regime in the geographies where we operate, stipulating stringent requirements and heavy fines for a data breach; using Service Provider assessments as a mechanism to foster a culture of compliance at all Service Providers and introducing a sense of competition among them with regard to fulfilment of their data security and data privacy needs; addressing security and privacy risks that arise from use of emerging technologies; data protection regulations demanding that our organization undertake regular assessments of third parties; our corporate policies requiring us to undertake a comprehensive vendor risk assessment; achieving end customer confidence and preventing loss of reputation by mitigating risks of privacy/information leakage that may arise at the Service Provider end. Values shown, in extraction order: 88.89%, 88.89%, 77.78%, 77.78%, 55.55%, 44.44%, 33.33%, 44.44%, 55.55%.]


Service Provider assessment as a mechanism to foster a culture of compliance was selected by the least number (thirty three percent) of Clients, while the same response was selected by fifty percent of the Service Provider organizations as a reason for conducting assessments.

Service Providers' perspective

[Figure: Reasons that drive Clients to conduct Service Provider assessments (Service Providers' perspective). Options: addressing the security and privacy concerns of some of the key stakeholders in the Client organization; protecting business sensitive information including intellectual property; Clients using Service Provider assessments as a mechanism to foster a culture of compliance at all their Service Providers and introducing a sense of competition among them with regard to fulfilment of their data security and data privacy needs; Clients' corporate policies requiring them to undertake a comprehensive vendor risk assessment; achieving end customer confidence and preventing loss of reputation by mitigating risks of privacy/information leakage that may arise at the Service Provider end; mitigating security and privacy risks that exist in outsourcing arrangements; data protection regulations demanding that the Client organization undertake regular assessments of third parties; strengthening of the data protection regime in the Client geographies that stipulate stringent requirements and heavy fines for a data breach. Values shown, in extraction order: 66.67%, 66.67%, 58.33%, 58.33%, 50.00%, 50.00%, 41.67%, 41.67%.]

Protecting business sensitive information and mitigating security and privacy risks are the major drivers for conducting Service Provider assessments.


Scale of Service Provider assessments

The survey results show that the number of Service Provider assessments is directly proportional to the number of Clients or Service Providers that an organization is engaged with. This is proven by the fact that Clients working with 500 Service Providers conduct more than 100 Service Provider assessments annually, and those with 200 & 300 Service Providers conduct 10-50 and 50-100 Service Provider assessments respectively. Also, Service Providers engaged with 800 Clients undergo 100-200 assessments annually, and those with 700 & 600 Clients undergo 50-100 assessments respectively.

Clients' perspective

[Figure: Number of Service Providers the organization is engaged with, per Client respondent (y-axis: Number of Service Providers, 0 to 600; x-axis: respondents 1 to 9).]

Number of Service Provider assessments conducted annually (Clients):
• 0-5: 11.11%
• 5-10: 22.22%
• 10-50: 44.44%
• 50-100: 11.11%
• Above 100: 11.11%


Service Providers' perspective

[Figure: Number of Clients serviced by the organization, per Service Provider respondent (y-axis: Number of Clients, 0 to 900; x-axis: respondents 1 to 12).]

Number of Service Provider assessments faced annually (Service Providers):
• 0-10: 0.00%
• 10-50: 18.18%
• 50-100: 36.36%
• 100-200: 9.09%
• 200-400: 27.27%
• Above 400: 9.09%


Current assessment program/mechanism

Proprietary Service Provider assessments, followed by SAS 70 and ISO 27001 checklist, are the most commonly adopted assessment programs/mechanisms by Client organizations.

On the other hand, more than ninety percent of Service Providers reported that their Clients use an ISO 27001 checklist for conducting assessments. This is closely followed by proprietary assessment programs and assessment programs of Client appointed external auditors (sixty seven percent each).

The survey further revealed that the majority of the Client organizations do not consider ISO 27001 certification as an alternative to conducting Service Provider assessments.

Interestingly, the survey also highlighted that the BITS Shared Assessment Program is not used by any of the Client organizations for conducting Service Provider assessments.

Clients' perspective

[Figure: Service Provider assessment program/mechanism used by the organization (Clients' perspective). Options: ISO 27001 controls checklist; BITS shared assessment program; assessment program developed by our organization (proprietary); reliance on Statement on Auditing Standards (SAS) No. 70 report provided by the auditing firm assessing your Service Providers; asking the Service Providers to get ISO 27001 certified, thereby eliminating the need for getting assessed; use of a pre-defined controls list provided by an assessment tool; asking the Service Providers to provide self declaration/attestation for compliance to our security policies/requirements; assessment program of the appointed external auditor. Values shown, in extraction order: 77.78%, 44.44%, 44.44%, 33.33%, 22.22%, 22.22%, 11.11%, 0.00%.]


78% of Client organizations use proprietary assessment programs for conducting Service Provider assessments. However, the Service Providers report that their Clients use the ISO 27001 checklist for conducting security and privacy assessments.

[Chart: Programs/mechanisms used by Clients for conducting assessments (Service Providers' perspective). Options surveyed: ISO 27001 controls checklist; BITS Shared Assessment Program; others; use of a pre-defined controls list provided by an assessment tool; providing self-declaration/attestation of compliance with client security policies/requirements; getting ISO 27001 certification, which eliminates the need for getting assessed; assessment program of the client-appointed external auditor; assessment program developed by the client (proprietary). Values confirmed by the text: ISO 27001 controls checklist 91.67%, proprietary client program 66.67%, client-appointed external auditor's program 66.67%, BITS Shared Assessment Program 0.00%. The remaining extracted values (41.67%, 25.00%, 16.67%, 16.67%) could not be matched to their bars.]


Focus on Data Privacy in Service Provider assessments

The survey reveals that a majority of the Client organizations cover privacy during Service Provider assessments. Contrastingly, a majority of the Service Providers report that privacy is not covered as part of the assessments.

Eleven percent of the Client organizations also revealed that privacy is not covered as part of Service Provider assessments. Client organizations also seem to be satisfied with the current focus on privacy, as no Clients foresee the need for a change in the privacy focus of Service Provider assessment programs.

Coverage of privacy in Service Provider assessments (Clients' perspective): Strongly 56%; Moderately 33%; Privacy is not covered 11%; Needs improvement 0%.

Coverage of privacy in Service Provider assessments (Service Providers' perspective; values and options in extraction order): a minority of clients' Service Provider assessment programs cover privacy 41.67%; a majority of clients' Service Provider assessment programs cover privacy 25.00%; nearly half of the clients' assessment programs cover privacy 33.33%; none of the clients' Service Provider assessment programs cover privacy 0%.

A majority of the Service Providers report that their Clients do not cover Privacy during assessments, while Clients report strong coverage of Privacy in Service Provider assessments.


Types of Service Provider assessments

Vulnerability Assessment and Penetration Testing as a methodology of Service Provider assessments has strong acceptance (100%) from Client organizations.

While only twenty five percent of Service Providers report that line-of-service-specific assessments are considered important by their Clients, Client organizations themselves give more importance to these assessments.

Service Providers report that Client organizations display a strong propensity towards undertaking comprehensive risk-based assessments and compliance-based assessments.

[Chart: Different types of Service Provider assessments conducted by the organization (Clients' perspective). Types surveyed: risk-based assessments; line-of-service-specific assessments (e.g. conducting an application security assessment for application development services); technical: vulnerability assessment and penetration testing; regulatory/compliance: assessments to check compliance with applicable regulations (e.g. HIPAA, GLBA) or assessments based on compliance with standards like ISO 27001 and PCI DSS. Value confirmed by the text: vulnerability assessment and penetration testing 100.00%. The remaining extracted values (88.89%, 77.78%, 77.78%) could not be matched to their bars.]

[Chart: Different types of assessments conducted by Client organizations (Service Providers' perspective). Types surveyed: comprehensive risk-based assessment covering all the domains of security; assessment based on well-known standards like ISO 27001; comprehensive compliance-based assessment; line-of-service-specific assessment (e.g. conducting an application security assessment for application development services); technical assessment of the IT systems including vulnerability assessment and penetration testing. Value confirmed by the text: line-of-service-specific assessment 25.00%. The remaining extracted values (100.00%, 83.33%, 75.00%, 75.00%) could not be matched to their bars.]


Level of perceived risk: IT services

Results indicate that Client organizations perceive that outsourcing Custom Application Development services (seventy eight percent) involves high risk. This is distantly followed by Infrastructure Services Outsourcing, Network and Desktop Outsourcing, and Software Deployment and Support at sixty seven percent each.

Service Providers cited Infrastructure Outsourcing followed by Network and Desktop Outsourcing as the critical risk areas for Service Provider assessments.

Neither Clients nor Service Provider organizations attach importance to IT Education and Training services for assessments.

Level of perceived risks in the services outsourced by Client organizations: IT services (Clients' perspective)

    Service                               High     Medium   Low
    Custom application development        77.78%   11.11%*
    Application management                55.56%   33.33%*
    Infrastructure services outsourcing   66.67%   11.11%   11.11%
    Software deployment and support       66.67%   11.11%   11.11%
    System integration                    44.44%   22.22%   22.22%
    Software testing                      44.44%   44.44%*
    Network and desktop outsourcing       66.67%   22.22%*
    Hosted application management         44.44%   33.33%*
    Hosted infrastructure services        44.44%   33.33%*
    Network consulting and integration    33.33%   22.22%   22.22%
    Hardware deployment and support       33.33%   11.11%   33.33%
    IT education and training             11.11%   22.22%   44.44%
    IT consulting                         22.22%   22.22%   33.33%

* Only two of the three values survived extraction for this row; they are shown in extraction order (the first is the High share where the text confirms it, for Custom application development and Network and desktop outsourcing) and the empty cell could not be recovered. Rows do not sum to 100% because not every respondent rated every service.

Custom Application Development, Network and Desktop Outsourcing, together with Infrastructure Outsourcing, are the current watchwords in the context of Service Provider assessments.


[Chart: Level of perceived risks in the services outsourced by Client organizations: IT services (Service Providers' perspective; rated High/Medium/Low). Services rated: Infrastructure services outsourcing; Network and desktop outsourcing; Application management; Hosted application management; Hosted infrastructure services; System integration; Software testing; Custom application development; Software deployment and support; Hardware deployment and support; Network consulting and integration; IT education and training; IT consulting. The two highest extracted values, 41.67% and 33.33%, correspond to the text's ranking of Infrastructure services outsourcing and Network and desktop outsourcing as the top High-risk areas; the remaining extracted values (25.00% down to 8.33%) could not be matched to service and risk level.]


Level of perceived risk: BPO services

The survey results indicate that sixty seven percent of Client organizations and forty two percent of Service Provider organizations consider that Finance and Accounting services involve high risk.

Level of perceived risks in the services outsourced by Client organizations: BPO services (Clients' perspective)

    Service                             High     Medium   Low
    Finance and accounting              66.67%   11.11%*
    Customer interaction and support    44.44%   22.22%*
    Human resource management           44.44%   33.33%   11.11%
    Knowledge services                  44.44%   22.22%   11.11%
    Vertical specific BPO services      44.44%   22.22%   11.11%
    Procurement services                22.22%   33.33%   11.11%

* Only two of the three values survived extraction for this row; they are shown in extraction order (the first is the High share for Finance and accounting, as the text confirms) and the empty cell could not be recovered.

[Chart: Level of perceived risks in the services outsourced by Client organizations: BPO services (Service Providers' perspective; rated High/Medium/Low). Services rated: Finance and accounting; Customer interaction and support; Human resource management; Knowledge services; Vertical specific BPO services; Procurement services. Value confirmed by the text: Finance and accounting 41.67% High. The remaining extracted values (25.00%, 25.00%, 25.00%, 16.67% and a series of 16.67%/8.33% entries) could not be matched to service and risk level.]

Finance and Accounting services are considered important by a majority of the organizations in the context of Service Provider assessments.


Risk profiling of Service Providers

The growing awareness of risk management in the Indian IT/BPO industry was clearly evident from the survey, which showed that almost ninety percent of the Client organizations undertake risk profiling of their Service Providers.

The survey results also emphasize the importance of Information Security and Privacy: the nature and criticality of the business outsourced, along with the sensitivity of the data exported to Service Providers, are the criteria given the most weight in risk profiling.

Risk profiling of Service Providers (Clients' perspective): Undertake risk profiling 89.00%; Do not undertake risk profiling 11.00%.

[Chart: Criteria used for risk profiling of Service Providers (Clients' perspective). Criteria surveyed: sensitivity of data exported to the Service Providers; type of connectivity with the Service Providers; dependency on the Service Providers; size and maturity of the Service Providers; ISMS certification achieved by the Service Providers; nature and criticality of the business/services outsourced; security incidents/breaches in the past. Extracted values: 88.89%, 88.89%, 88.89%, 66.67%, 55.56%, 44.44%, 44.44%. The text confirms that nature and criticality of the business outsourced and sensitivity of the exported data are the top-ranked criteria (88.89% each); the remaining values could not be matched to their bars.]

89% of the Client organizations rely on risk profiling to determine the frequency of Service Provider assessments.


Frequency of Service Provider assessments

The finding established in the previous question is reinforced by the frequency of Service Provider assessments undertaken by Client organizations that perform risk profiling; the survey results show that Service Providers identified under the critical risk category undergo quarterly assessments.

A similar trend is observed for Service Providers identified under the Medium and Low risk categories, which undergo half-yearly and yearly assessments according to fifty six and forty four percent of respondents respectively.

Among organizations that do not undertake risk profiling, yearly assessments are preferred by about twenty two percent. Also, eleven percent of Client organizations believe that the frequency depends on the trust and relationship between Client and Service Provider.

[Chart: Frequency of assessing the Service Providers (Clients' perspective; Quarterly/Half yearly/Yearly for the Critical, High, Medium, Low and Negligible risk categories). Values confirmed by the text: Critical risk, quarterly 33.33%; Medium risk, half-yearly 55.56%; Low risk, yearly 44.44%. The other extracted values (22.22%, 11.11%, 22.22%, 22.22%, 11.11%, 22.22%, 22.22%, 11.11%, 33.33%) could not be matched to category and frequency.]

The Service Providers with critical risk undergo quarterly assessments, as per thirty three percent of Client organizations.


Budget and cost for Service Provider assessments

This question was aimed at identifying the cost impact of Service Provider assessments on Clients and Service Providers.

Results highlight that a majority of the Client organizations allocate only a small portion of the IT security budget to Service Provider assessments. Only one of the respondents indicated that its organization allocates a significant portion of the IT security budget to Service Provider assessments. On the other hand, a majority of the Service Providers allocate a considerable portion of the IT security budget towards assessments. This is because the cost of periodic Service Provider assessments is built into the service delivery cost of Service Providers and is part of the contract with the Service Providers.

Service Provider respondents in the Others category indicated that the cost of the assessment could be borne by either party, depending on the relationship and understanding between the Client and the Service Provider.

The cost of periodic Service Provider assessments is built into the service delivery cost of Service Providers, and is a part of the contractual terms.

Portion of the IT security budget allocated for conducting Service Provider assessments (Clients' perspective): Small 44.44%; Considerable 22.22%; Negligible 22.22%; Significant 11.11%.

[Chart: Cost of Service Provider assessments (Clients' perspective). Options surveyed: the cost is borne at the time of the Service Provider assessment by the Service Provider; efforts spent by Service Provider resources in coordinating/facing the assessments are billed by the Service Providers; a significant part of the cost of Service Provider assessments comprises overhead expenses like travel for our assessors; the cost is borne at the time of the assessment and is shared between Client and Service Provider as per the contract; the cost is borne at the time of the assessment by the Client; we allocate a portion of our IT security budget for conducting Service Provider assessments; the cost of periodic Service Provider assessments is part of the contract. Extracted values: 55.56%, 44.44%, 22.22%, 22.22%, 11.11%, 11.11%, 11.11%; they could not be matched to their bars, though the text's key finding is that the cost of periodic assessments is built into the service delivery cost and the contract.]


Portion of IT security budget allocated for facing assessments (Service Providers' perspective): Considerable 66.67%; Small 25.00%; Significant 8.33%; Negligible 0.00%.

[Chart: Cost of Service Provider assessments (Service Providers' perspective). Options surveyed: the cost of periodic Service Provider assessments is part of the contract; the cost is borne at the time of the assessment by the Client; efforts spent on Service Provider assessments are billed to the clients; the cost is borne at the time of the assessment and is shared between Client and Service Provider as per the contract; the cost is borne at the time of the assessment by the Service Provider; a significant part of the cost of the assessments comprises overhead expenses like travel and stay arrangements for clients and/or their sourced assessors; we allocate a portion of our IT security budget for Service Provider assessments; others. Value confirmed by the text: Others 16.67%. The remaining extracted values (66.67%, 33.33%, 33.33%, 25.00%, 16.67%, 8.33%, 8.33%) could not be matched to their bars.]


Modes of Service Provider assessments

Client organizations prefer conducting onsite assessments, following a self-assessment by the Service Provider organization, either by their internal staff or by sourced assessors.

The survey results highlight that the higher the risk perceived during risk profiling, the more focus is placed on assessments. A majority of the respondents conduct onsite assessments for critical, high and medium risk Service Providers. For the low risk category of Service Providers, a majority of the Client organizations adopt offshore self-assessments.

Client organizations that do not perform risk profiling of their Service Providers prefer to undertake onsite assessments by sourced assessors from auditing firms.

Modes adopted for Service Provider assessments by risk category (Clients' perspective; number of Client organizations selecting each mode, multiple responses allowed)

    Risk category   SA   TEL   ONS-INT   ONS-JOINT   ONS-SRC   3P
    Critical risk    2    2       6          4          3       3
    High risk        2    2       6          3          4       3
    Medium risk      4    2       6          3          1       2
    Low risk         5    3       4          1          0       0
    Negligible       3    2       4          1          0       0

SA = self assessment (offshore); TEL = telephonic (offshore); ONS-INT = onsite by the organization's internal staff; ONS-JOINT = onsite by the organization's internal staff and sourced assessors from auditing firms; ONS-SRC = onsite by sourced assessors; 3P = third party assessments.

This table covers the Client organizations that undertake risk profiling of Service Providers: eight of the nine Clients interviewed.
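The risk-tiered practice the survey describes across the last three questions (risk profiling by the seven criteria listed, assessment frequency by risk category, and assessment mode by risk category) can be expressed as a small scheduling model. The following Python example is added here and is not code from the DSCI/E&Y report: the ordinal scales, weights, tier thresholds, the tier-to-frequency/mode mapping and the sample provider portfolio are all assumptions, chosen only to mirror the patterns reported (critical providers quarterly and onsite, medium half-yearly, low yearly via offshore self-assessment, with ISO 27001 certification lowering the score slightly but never removing the assessment).

```python
"""Risk-tiered scheduling of Service Provider assessments.

Added example, not code from the DSCI/E&Y report. The criteria are the seven the
survey lists; scales, weights, thresholds and the tier-to-schedule mapping are
assumptions that mirror the patterns the survey reports.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Ordinal scales for the survey's criteria (assumed; higher = riskier).
DATA_SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "regulated": 3}
CONNECTIVITY = {"none": 0, "vpn_restricted": 1, "site_to_site": 2, "direct_lan": 3}
DEPENDENCY = {"low": 0, "medium": 1, "high": 2}
SIZE_MATURITY = {"large_mature": 0, "mid": 1, "small_new": 2}
CRITICALITY = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Relative weights (assumed). Data sensitivity and business criticality dominate,
# matching the criteria the surveyed Clients ranked highest.
WEIGHTS = {"data_sensitivity": 3, "criticality": 3, "connectivity": 2,
           "dependency": 2, "incidents": 2, "size_maturity": 1}
ISMS_CERT_CREDIT = 1        # ISO 27001 certification trims the score a little
MAX_INCIDENTS_COUNTED = 3   # but never replaces the assessment itself.

# Score thresholds for the survey's five risk categories (assumed).
TIER_THRESHOLDS = [(26, "Critical"), (18, "High"), (10, "Medium"), (4, "Low")]

# Tier -> (frequency label, interval in days, assessment mode). Assumed, after the
# survey: critical quarterly and onsite, medium half-yearly, low yearly offshore.
SCHEDULE = {
    "Critical": ("quarterly", 91, "onsite by internal staff and sourced assessors"),
    "High": ("quarterly", 91, "onsite by internal staff"),
    "Medium": ("half-yearly", 182, "onsite by internal staff"),
    "Low": ("yearly", 365, "self assessment (offshore)"),
    "Negligible": ("yearly", 365, "self assessment (offshore)"),
}


@dataclass(frozen=True)
class ProviderProfile:
    name: str
    data_sensitivity: str
    connectivity: str
    dependency: str
    size_maturity: str
    isms_certified: bool
    criticality: str
    incidents_last_24m: int


def _scale(table: dict, value: str, field: str) -> int:
    """Look up an ordinal value, rejecting anything outside the defined scale."""
    if value not in table:
        raise ValueError(f"{field}: {value!r} not in {sorted(table)}")
    return table[value]


def risk_score(p: ProviderProfile) -> int:
    """Weighted sum of the criteria; ranges from -1 to 36 with the scales above."""
    score = (
        WEIGHTS["data_sensitivity"] * _scale(DATA_SENSITIVITY, p.data_sensitivity, "data_sensitivity")
        + WEIGHTS["criticality"] * _scale(CRITICALITY, p.criticality, "criticality")
        + WEIGHTS["connectivity"] * _scale(CONNECTIVITY, p.connectivity, "connectivity")
        + WEIGHTS["dependency"] * _scale(DEPENDENCY, p.dependency, "dependency")
        + WEIGHTS["size_maturity"] * _scale(SIZE_MATURITY, p.size_maturity, "size_maturity")
        + WEIGHTS["incidents"] * min(max(p.incidents_last_24m, 0), MAX_INCIDENTS_COUNTED)
    )
    return score - ISMS_CERT_CREDIT if p.isms_certified else score


def risk_tier(score: int) -> str:
    """Map a score to the survey's risk categories."""
    for threshold, tier in TIER_THRESHOLDS:
        if score >= threshold:
            return tier
    return "Negligible"


def assessment_plan(p: ProviderProfile, last_assessed) -> dict:
    """Tier, frequency, mode and next due date; last_assessed is a date or ISO string."""
    if isinstance(last_assessed, str):
        last_assessed = date.fromisoformat(last_assessed)
    score = risk_score(p)
    tier = risk_tier(score)
    frequency, interval_days, mode = SCHEDULE[tier]
    return {"provider": p.name, "score": score, "tier": tier, "frequency": frequency,
            "mode": mode, "next_due": last_assessed + timedelta(days=interval_days)}


def assessment_calendar(profiles, last_assessed: dict) -> list:
    """Plans for every provider, earliest due date first; higher score breaks ties."""
    plans = [assessment_plan(p, last_assessed[p.name]) for p in profiles]
    return sorted(plans, key=lambda plan: (plan["next_due"], -plan["score"]))


if __name__ == "__main__":
    # Constructed sample portfolio; names and attributes are illustrative only.
    portfolio = [
        ProviderProfile("FinOps BPO", "regulated", "site_to_site", "high", "mid", True, "critical", 1),
        ProviderProfile("AppDev Vendor", "confidential", "vpn_restricted", "medium", "mid", False, "medium", 0),
        ProviderProfile("Training Partner", "internal", "vpn_restricted", "low", "large_mature", True, "low", 0),
    ]
    assessed = {p.name: "2010-12-01" for p in portfolio}
    for plan in assessment_calendar(portfolio, assessed):
        print(f"{plan['provider']:<17} score={plan['score']:>2} {plan['tier']:<10} "
              f"{plan['frequency']:<11} due {plan['next_due']} via {plan['mode']}")
```

Running the module prints the sample portfolio ordered by next due date. ISMS certification is kept as a small score credit rather than a tier override for the reason the survey itself gives: Clients do not accept ISO 27001 certification as a substitute for assessing the provider.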


[Chart: Modes adopted by Clients for conducting Service Provider assessments (Service Providers' perspective). Modes surveyed: onsite assessments conducted by clients' internal staff; onsite assessments conducted by sourced assessors; onsite assessments conducted by an independent third party; telephonic assessments conducted by sourced assessors hired by the client organization; telephonic assessments conducted by clients' internal staff; self-assessment questionnaires provided in an online assessment tool, into which we directly upload our responses and evidence without any intervention of the client; onsite assessments jointly conducted by sourced assessors and clients' internal staff; self-assessment questionnaires sent through e-mail, to which we revert with the filled questionnaire and evidence without any intervention of the client. Extracted values: 100.00%, 75.00%, 66.67%, 66.67%, 25.00%, 25.00%, 8.33%, 8.33%; they could not be matched to their bars.]

Onsite assessments by Clients' internal staff or sourced assessors are the preferred mode of assessment by Clients.


Service Provider assessment challenges

The survey results provide insight into the factors that influence Information Security and Privacy assessments in IT/BPO organizations.

Subcontracting by Service Providers and the comfort provided by certifications like ISO 27001 are the critical challenges faced by Client organizations in assessing Service Providers on Information Security and Privacy, according to forty four percent of Client organizations. This is one of the reasons why Client organizations do not consider ISO 27001 certification an alternative to Service Provider assessments.

[Chart: Challenges faced by Client organizations (Clients' perspective; rated High/Medium/Low). Challenges surveyed: comfort/assurance provided by certifications like ISO 27001; subcontracting by the Service Providers; inadequate budget; auditor accreditation and auditor management; Service Provider commitment; meeting multiple customer requirements; quantum of assessments; rising legal liabilities/regulatory requirements; level of security awareness in the Service Providers; ensuring compliance by your Service Provider; sensitizing key resources of Service Providers; high direct and indirect costs; nature of outsourced work; tracking and closure of assessment findings; adoption of a non-standardized Information Security and Privacy framework; availability of skilled resources for conducting the assessments; multiple Service Providers for different lines of service in multiple geographies. Values confirmed by the text: subcontracting by the Service Providers 44.44% High; comfort/assurance provided by certifications like ISO 27001 44.44% High. The other 46 extracted percentages could not be matched to challenge and rating.]

Subcontracting by the Service Providers and the comfort provided by certifications like ISO 27001 are the most significant assessment challenges faced by Client organizations.


Factors such as cost and the quantum of assessments were the least important challenges as perceived by Client organizations, whereas a majority of Service Providers perceive the high number of assessments around the year as one of the most significant challenges.

This difference of opinion regarding the challenges faced by Client and Service Provider organizations clearly indicates the need for a robust assessment solution that meets the requirements of both parties.

[Chart: Challenges faced by Service Providers (Service Providers' perspective; rated High/Medium/Low). Challenges surveyed: high number of assessments around the year; meeting diverse and varied assessment requirements of different clients; closing the findings by providing evidence and satisfying the client/auditors; high direct and indirect costs associated with getting assessed multiple times; ensuring availability of time and resources for coordinating/facing the assessments; aligning to different areas of assessment/assessment methodologies adopted by different clients. Extracted values: 50.00%, 33.33%, 33.33%, 25.00%, 16.67%, 8.33%, 33.33%, 41.67%, 25.00%, 50.00%, 33.33%, 8.33%, 8.33%, 33.33%, 33.33%, 16.67%, 25.00%; they could not be matched to challenge and rating.]

A high number of assessments around the year, and meeting diverse Client requirements, are critical challenges faced by most of the Service Providers.


Service Provider assessment solutions and future landscape

An attempt was made to identify possible solutions for the challenges faced by organizations. The survey results reveal that approximately thirty three percent of Clients and forty two percent of Service Provider organizations prefer the development and adoption of an international standard for Service Provider assessment. Usage of the BITS Shared Assessment Program was selected by forty four percent of Client organizations as the first preference among solutions.

Results indicate that more than forty percent of Service Providers regard development and adoption of an international standard as their first preference. Independent third party assessments conducted by Self Regulatory Organizations (SRO) promoted by the Service Providers top the chart for Service Providers as a second preference.

[Chart: Possible solutions to overcome identified challenges (Clients' perspective; first, second and third preference). Options surveyed: industry- and Service Provider-promoted, standardized third party assessment programs like BITS; development and adoption of international standards for Service Provider assessment; there is no need for Service Provider assessments as data security and privacy risks are already addressed through contracts; self-declaration by Service Providers of compliance with/fulfilment of clients' security requirements, thereby making them liable for any security incident/data breach/violation, should suffice; ISO 27001 certification should be accepted globally as a seal of trust and assurance, eliminating the need for Service Provider assessments; independent third party assessments conducted by Self Regulatory Organizations (SRO) promoted by the Service Providers. Values confirmed by the text: standardized third party programs like BITS 44% first preference; international standards 33% first preference. The other extracted values (22%, 22%, 11%, 11%, 11%, 11%, 33%, 22%, 11%, 11%, 11%, 11%) could not be matched to option and preference.]

As per Client organizations, an industry- and Service Provider-promoted, standardized third party assessment program can be used for assessments. This is closely followed by development and adoption of an international standard.


Development and adoption of an international standard is the first preference chosen by Service Providers.

[Chart: Possible solutions to overcome identified challenges (Service Providers' perspective; first, second and third preference). Options surveyed: development and adoption of international standards for Service Provider assessment; ISO 27001 certification should be accepted by all the clients globally as a seal of trust and assurance, eliminating the need for Service Provider assessments; industry- and Service Provider-promoted, standardized third party assessment programs like BITS; independent third party assessments conducted by Self Regulatory Organizations (SRO) promoted by the Service Providers; there is no need for Service Provider assessments as data security and privacy risks are already addressed through contracts; self-declaration by Service Providers of compliance with/fulfilment of clients' security requirements, thereby making them liable for any security incident/data breach/violation, should suffice. Values confirmed by the text: international standards 41.67% first preference; SRO-conducted third party assessments are the top second preference. The other extracted values (33.33%, 25.00%, 8.33%, 8.33%, 0.00%, 8.33%, 25.00%, 8.33%, 41.67%, 25.00%, 8.33%, 8.33%, 33.33%, 8.33%, 16.67%) could not be matched to option and preference.]


Influence of IT (Amendment) Act, 2008 on Service Provider assessments

There is widespread awareness of the IT (Amendment) Act, 2008 in the industry.

More than fifty percent of Service Provider and thirty three percent of Client organizations report that the IT (Amendment) Act, 2008 will assist in strengthening the data protection initiatives of Indian Service Providers and would provide greater assurance to Clients. Approximately thirty three percent of Client organizations believe that the IT (Amendment) Act, 2008 will have no impact on their Information Security and Privacy needs, as they need to comply with their own country's regulations outside of India.

A similar number of Service Provider organizations revealed that they were not sure about the impact/influence of the IT (Amendment) Act, 2008 on Clients' assessment strategy.

[Chart: Influence of IT (Amendment) Act, 2008 on Service Provider assessment strategy (Clients' perspective). Options surveyed: provisions of the IT (Amendment) Act, 2008 need to be appropriately incorporated in the Client-Service Provider contracts; the IT (Amendment) Act, 2008 will have no impact as we need to comply with the regulations we are subject to; the IT (Amendment) Act, 2008 will strengthen the data protection initiatives of Indian Service Providers and therefore help provide greater assurance to us for outsourcing our work to India; I am not aware of the IT (Amendment) Act, 2008; self-declaration by Service Providers of compliance with clients' security requirements, thereby making them liable for any security incident/data breach/violation, should suffice. Extracted values: 66.67%, 33.33%, 33.33%, 11.11%, 0.00%. The text confirms "no impact" 33.33% and "will strengthen data protection initiatives" 33.33%, and identifies incorporating the Act's provisions into contracts as the leading response; the 11.11% and 0.00% could not be matched to their options.]

The IT (Amendment) Act, 2008 needs to be incorporated in Client-Service Provider contracts; this would assist in strengthening the data protection initiatives of Service Providers.


Influence of IT (Amendment) Act, 2008 on Service Provider assessment strategy (Service Providers' perspective): the IT (Amendment) Act, 2008 will strengthen the data protection initiatives of Indian Service Providers and therefore help provide greater assurance to the clients outsourcing their work to India 58.33%; not sure what the impact of the IT (Amendment) Act, 2008 will be 33.33%; Others 8.33%; the IT (Amendment) Act, 2008 will have no impact as clients need to comply with the regulations they are subject to 0.00%.


Third party assessments

Third party assessments have gained importance in the Indian IT/BPO industry. Both Clients and Service Providers revealed that third parties should conduct Service Provider assessments based on a standardized assessment methodology.

A majority of respondents emphasized that the use of third parties would not only help in ensuring transparency and independence of the assessments but also save cost and effort.

A few Clients also reported that their organization's Executive Management may not approve or recognize third party assessments.

[Chart: Options for third party assessments (Clients' perspective). Statements surveyed: third parties can conduct assessments of the Service Providers, based on a standardized assessment methodology, at a defined frequency; third party assessments would save costs and efforts by avoiding the need for conducting assessments of multiple Service Providers; our regulators/customers may not approve or recognize third party assessments; third party assessments can be successful only if accepted by the outsourcing community and regulators; third party assessments will bring transparency and independence; adopting third party assessments may raise trust and accountability issues; my organization's Executive Management may not approve or recognize third party assessments; third party assessments will ensure that our resources are able to focus on improving security and privacy posture; third party assessments may not be able to address the specific assessment requirements arising out of a particular Client-Service Provider relationship. Extracted values: 66.67%, 66.67%, 55.56%, 55.56%, 55.56%, 55.56%, 22.22%, 11.11%, 11.11%. The text confirms that a majority agree with the standardized-methodology, cost-saving and transparency statements and that only a few cite Executive Management non-approval; exact values could not be matched to their bars.]

A majority of Clients and Service Providers report that third parties should conduct Service Provider assessments, based on a standardized assessment methodology at a defined frequency.


Third party assessments would save cost and efforts by avoiding multiple assessments from different Clients.

[Chart: Options for third party assessments (Service Providers' perspective). Options: Third party assessments may not be able to address the specific assessment requirements arising out of a particular Client-Service Provider relationship; Adopting Third Party assessments may raise trust and accountability issues; Third parties can conduct assessments of the Service Providers, based on a standardized assessment methodology, at a defined frequency; Third Party assessments would save costs and efforts by avoiding multiple assessments from different Clients; Third Party assessments will bring transparency and independence; Third party assessments can be successful only if all our Clients accept it, irrespective of industry, geography, Line of Service, etc.; The Third Party assessments will ensure that our resources are able to focus on improving security & privacy posture instead of supporting multiple assessments. Values shown (in the order extracted): 66.67%, 41.67%, 41.67%, 41.67%, 33.33%, 16.67%, 16.67%.]

Thirty three percent of Service Providers expressed concerns regarding the use of third party assessments, stating that third party assessments could be helpful if their Clients accept them.


Third party assessors

The survey highlighted that auditing firms empanelled by a joint industry consortium of outsourcers and Service Providers are the most likely third party assessors for conducting independent Service Provider assessments, as they appear acceptable to both Client and Service Provider organizations. This option was selected by sixty six and fifty percent of the Client and Service Provider organizations respectively. Such an industry consortium would represent the interests and challenges of both sides, the Clients and the Service Providers.

[Chart: Potential entity acting as third party for conducting independent Service Provider assessments (Clients' perspective). Options: Auditing firms empanelled by a joint industry consortium of outsourcers and the Service Providers; Auditing firms empanelled by the outsourcers' industry consortium; Self Regulatory Organizations (SRO) promoted by the Service Providers; Auditing firms empanelled by the Service Providers. Values shown (in the order extracted): 66.67%, 55.56%, 33.33%, 0.00%.]

Auditing firms empanelled by a joint industry consortium of Client and Service Providers can serve as third party assessors for conducting Service Provider assessments.


[Chart: Potential entity acting as third party for conducting independent Service Provider assessments (Service Providers' perspective). Options: Self Regulatory Organizations (SRO) promoted by the Service Providers; Auditing firms empanelled by a joint industry consortium of outsourcers and the Service Providers; Auditing firms empanelled by the outsourcers' industry consortium; Auditing firms empanelled by the Service Providers. Values shown (in the order extracted): 58.33%, 50.00%, 25.00%, 8.33%.]


Standards for Service Provider assessments

New domains of Information Security and Privacy have evolved. Domains which were not perceived to be critical are now among the most important security domains. Organizations have to comply with various models/standards/frameworks to adhere to the changing domains/rules and regulations. Organizations do not prefer to comply with so many standards and frameworks, and this perception was clearly evident from the survey results.

The survey results highlighted that Client organizations are keen on adopting a new standard mapped to ISO 27001, NIST Special Publications, COBIT, ITIL etc. that meets all the regulatory requirements like GLBA, HIPAA, PCI DSS etc., as a potential standard for third party assessments. While this view was common amongst Client organizations and Service Provider organizations, with eighty nine and sixty seven percent of respondents respectively selecting this option, in reality Clients may be more inclined towards a new standard than the Service Providers, because Clients have to demonstrate compliance to different regulations. Though this has an indirect impact on Service Providers, they are primarily driven by contractual obligations.

Both Client and Service Provider organizations have a similar number of respondents who selected ISO 27001 (sixty six percent). It seemed that organizations are satisfied with the acceptance of ISO 27001 as a standard, bearing in mind the challenge faced by Client organizations with respect to the comfort/assurance provided by Service Providers through ISO 27001 certification.

Respondents in the Others category also suggested the use of a unified compliance framework for assessments.

A new standard mapped to ISO 27001, NIST-SP, COBIT, ITIL etc. that meets all the regulatory requirements like GLBA, HIPAA, PCI DSS etc. as a standard for third party assessments.

[Chart: Potential assessment standards for third party assessments of Service Providers (Clients' perspective). Options: ISO 27001 standard; A new standard mapped to ISO 27001, NIST SP, COBIT, ITIL, etc. that meets all the regulatory requirements like GLBA, HIPAA, PCI DSS, etc.; Others; Security and Privacy practices defined by SRO; BITS shared assessment framework. Values shown (in the order extracted): 88.89%, 66.67%, 22.22%, 22.22%, 11.11%.]

[Chart: Potential assessment standards for third party assessments of Service Providers (Service Providers' perspective). Options: ISO 27001 standard; Security and Privacy practices defined by SRO; BITS shared assessment framework; A new standard mapped to ISO 27001, NIST-SP, COBIT, ITIL, etc. that meets all the regulatory requirements like GLBA, HIPAA, PCI DSS, etc. Values shown (in the order extracted): 66.67%, 66.67%, 16.67%, 8.33%.]


Role of DSCI in Service Provider assessments

The question aimed to identify the role that DSCI could play, as a Self Regulatory Organization (SRO) representative of both Client and Service Provider organizations, in conducting Service Provider assessments.

The majority of the Client organizations (sixty seven percent) indicated that DSCI should create a panel of competent auditors to conduct Service Provider assessments on behalf of DSCI, develop a code of practices for Data Security and Privacy that should be adopted by the industry, and define criteria for assessing the maturity of the Service Providers.

Fifty eight percent of the Service Provider organizations indicated that DSCI should develop a Service Provider assessment program that comprises a framework, processes and methodology for conducting Service Provider assessments. This option was also highlighted by a similar number of Client organizations (fifty six percent).

[Chart: Role of DSCI in Service Provider assessments (Clients' perspective). Options: DSCI should establish a mechanism to manage the assessment results, including sharing of results with clients and respective Service Providers; Others; DSCI should have a code of practices for security and privacy that needs to be adopted by its members; The code of practices should have some criteria for assessing the maturity of the Service Providers; The code of practices should take note of existing preparedness and initiatives of Service Providers in the areas of security and privacy; DSCI should have a mechanism to review the Service Provider assessment results on a regular basis; DSCI should have a Service Provider assessment program that comprises a framework, processes and methodology for the assessment; DSCI should create a panel of competent auditors who will conduct the assessments on behalf of DSCI. Values shown (in the order extracted): 66.67%, 66.67%, 66.67%, 55.56%, 55.56%, 55.55%, 33.33%, 11.11%.]

Majority of Clients and Service Providers indicated that DSCI should have a Service Provider assessment program that consists of a framework, processes and methodology of assessments.

[Chart: Role of DSCI in Service Provider assessments (Service Providers' perspective). Options: Others; DSCI should have a Service Provider assessment program that comprises a framework, processes and methodology for the assessments; DSCI should create a panel of competent auditors who will conduct the assessments on behalf of DSCI; DSCI should have a code of practices for security and privacy that needs to be adopted by its members; The code of practices should have some criteria for assessing the maturity of the Service Providers; DSCI should have a mechanism to review the Service Provider assessment results on a regular basis; DSCI should establish a mechanism to manage the assessment results, including sharing of results with clients and respective Service Providers; The code of practices should take note of existing preparedness and initiatives of Service Providers in the areas of security and privacy. Values shown (in the order extracted): 58.33%, 33.33%, 25.00%, 25.00%, 25.00%, 8.33%, 8.33%, 8.33%.]


Outcome of Service Provider assessments

The survey results have unequivocally established that there should be organization-wide Security and Privacy maturity ratings, as well as domain specific ratings.

It was also indicated that both Client organizations and Service Provider organizations prefer ratings over certifications.

[Chart: Outcome of Service Provider assessments, Data Security (Clients' perspective). Options: DSCI should provide organization-wide security maturity rating; DSCI should provide domain specific maturity rating (e.g. Application security maturity rating); DSCI should provide organization-wide security certification to Service Providers. Values shown (in the order extracted): 77.78%, 55.56%, 44.44%.]

[Chart: Outcome of Service Provider assessments, Data Privacy (Clients' perspective). Options: DSCI should provide organization-wide privacy certification to Service Providers; DSCI should provide organization-wide privacy maturity rating. Values shown (in the order extracted): 88.89%, 44.44%.]

Organization-wide security and privacy maturity ratings may be provided as a result of Service Provider assessments.

[Chart: Outcome of Service Provider assessments, Data Security (Service Providers' perspective). Options: DSCI should provide organization-wide security maturity rating; DSCI should provide organization-wide security certification to Service Providers; DSCI should provide domain specific maturity rating (e.g. Application security maturity rating). Values shown (in the order extracted): 58.33%, 33.33%, 16.67%.]

[Chart: Outcome of Service Provider assessments, Data Privacy (Service Providers' perspective). Options: DSCI should provide organization-wide privacy maturity rating; DSCI should provide organization-wide privacy certification to Service Providers. Values shown (in the order extracted): 75.00%, 50.00%.]


Sharing of Service Provider assessment results

The majority of Client organizations (sixty seven percent) confirm that if DSCI assumes the role of a third party assessor, DSCI should conduct the assessment of the targeted Service Provider and share the report with the Client. Client organizations are also in favor of DSCI conducting assessments of the Service Providers and sharing the report with the Service Providers' Clients based upon the authorization of the Service Provider (thirty three percent), while only eleven percent of the Client organizations suggested DSCI conducting the assessment of the Service Provider and submitting its report to the Service Provider.

In case DSCI assumes the role of a third-party assessor, Client and Service Provider organizations strongly support DSCI conducting the assessments of the targeted Service Provider and sharing the report with the Client on receiving requests from the Client.

[Chart: Most suitable assessment process in case DSCI assumes the role of a third party assessor (Clients' perspective). Options: On receiving a request from the client, DSCI conducts the assessment of the targeted Service Provider and shares the report with the client; On receiving a request from the Service Provider, DSCI conducts the assessment of the Service Provider and, based on the authorization of the Service Provider, shares the report with the Service Provider's clients; On receiving a request from the Service Provider, DSCI conducts the assessment of the Service Provider and submits its report to the Service Provider, who then shares this report with its clients when requested or otherwise; Based on DSCI assessments, Service Providers are benchmarked against defined parameters and the report is made public. Values shown (in the order extracted): 66.67%, 33.33%, 11.11%, 11.11%.]

[Chart: Most suitable assessment process in case DSCI assumes the role of a third party assessor (Service Providers' perspective). Options: Others; Based on DSCI assessments, Service Providers are benchmarked against defined parameters and the report is made public; On receiving a request from the Service Provider, DSCI conducts the assessment of the Service Provider and, based on the authorization of the Service Provider, shares the report with the Service Provider's clients; On receiving a request from the client, DSCI conducts the assessment of the targeted Service Provider and shares the report with the client; On receiving a request from the Service Provider, DSCI conducts the assessment of the Service Provider and submits its report to the Service Provider, who then shares this report with its clients. Values shown (in the order extracted): 41.67%, 41.67%, 33.33%, 8.33%, 8.33%.]

More than forty percent of the Service Provider respondents suggested that in case DSCI assumes the role of a third party assessor, DSCI should conduct the assessment of the targeted Service Provider on receiving a request from the Client and share the report with the Client. The same number of Service Provider organizations also supports the process of DSCI conducting the assessment on receiving a request from the Service Provider and submitting the report to the Service Provider's Clients upon authorization.


Recommendations

The survey revealed some interesting findings and facts, both from the Client and the Service Provider perspective, which were further validated by the secondary research. Based on the study of different assessment frameworks and the findings of the survey, the following are some of the salient preliminary recommendations for developing a Service Provider Assessment Framework:

DSCI should play a vital role in conducting Service Provider assessments and sharing the outcome in the ecosystem. It should:
- Have a Service Provider assessment program that comprises a framework, processes, and methodology for assessments
- Provide an organization-wide security and privacy maturity rating, and domain specific maturity ratings, that may be shared in the ecosystem after taking due permission of the Service Providers

A new standard mapped to prevalent standards should be considered as a potential assessment standard for third party assessments of Service Providers.

DSCI, as an industry initiative and a Self Regulatory Organization having representation from both Client and Service Provider organizations, should empanel auditing firms for conducting independent third party assessments.

The advantages of prevalent assessment frameworks, like adaptability, flexibility, comprehensibility of assessment areas, and a process-driven and measurement-based assessment process, should be the characteristics of the Service Provider assessment framework that may be developed.

The assessment model should not become an overhead for an organization. It should be able to provide specific improvement opportunities that an organization should be able to imbibe. The assessment criteria should be transparent to the extent possible. The framework should be reviewed at least on an annual basis by a competent set of technical and process experts, preferably comprising DSCI members, members from third party assessors, and the industry.

The assessment framework should be applicable regardless of the size of the organization and the nature/complexity of its processes. For this purpose, the assessment methodology adopted should contain a preliminary set of questions that can be self-assessed by an organization.

The Service Provider assessment framework should provide opportunities to organizations for implementing/performing the control activities according to the needs of the organization's specific environment.

The framework should follow a process approach and outline measurable assessment areas. Assessment areas that link to specific business processes in an organization will be easy to align with overall business goals and objectives.

The framework should provide both assessment area/domain based maturity ratings and an organization-wide security and privacy maturity rating that summarizes the appraisal results and permits comparison amongst organizations.

The assessment model should be easy to comprehend, and companies should be able to adopt it on their own. All assessment areas should be broken down into a detailed list of specific and measurable steps that are easy to comprehend for assessment purposes.


Annexures

The study team analysed the shortlisted assessment frameworks for their advantages and disadvantages when applied to Client-driven Service Provider assessments. A summary of each framework is provided below:

Malcolm Baldrige National Quality Program

The Malcolm Baldrige National Quality Award program uses the Malcolm Baldrige Assessment framework to assess the quality of the applying organization in seven areas critical for an organization. The framework is based on the processes implemented and the results achieved. The assessment methodology requires a self-assessment by the company applying for the award, which assists in dissolving the disparities between small, medium and large sized companies and in the way control is implemented at the organization level. The framework assigns separate weights to each individual area. However, the framework does not provide quantitative requirements for the criteria laid down. The requirements are subjective, and there are chances that the results, when examined by different examiners, may not be reproducible.

Capability Maturity Model Integration (CMMI)

The framework was developed by the Software Engineering Institute (SEI) in an attempt to integrate several disciplines such as Process and Product development, Acquisition and Supplier Sourcing. The framework is focused towards software development organizations; however, it can be implemented across various organizations. The framework can be implemented using the Staged or the Continuous representation. The Staged representation provides a Maturity Level for the organization, and the Continuous representation provides Capability Levels as a measure assigned individually against each process area. The framework is flexible and provides opportunities to organizations for undertaking the activities according to their organization specific environment. For assessments the framework undertakes a process based approach, thereby adding value to the organization in the process of being assessed for maturity.

BITS Shared Assessment Program

The financial services industry increasingly relies on information technology (IT) Service Providers to support the delivery of financial services. The BITS shared assessment framework was developed by the BITS IT Service Providers Working Group to address the concerns arising out of increased regulatory scrutiny of financial institutions' risk assessment and management of outsourced IT services. The framework adopts a risk based approach for conducting the assessments. The framework can be used as a reference to create a common understanding of the financial services industry's needs among Service Providers and to help address known control weaknesses in outsourced IT services, resulting in more consistent and appropriate levels of management by financial services companies that outsource IT services.

The eSourcing Capability Model for Client Organizations (eSCM-CL)

The eSCM was developed by a consortium led by Carnegie Mellon University's Information Technology Service Qualification Center (ITSqc). The eSCM is a best practices capability model with two purposes: (1) to give Client organizations guidance that will help them improve their capability across the sourcing life-cycle, and (2) to provide Client organizations with an objective means of evaluating their sourcing capability. The model aims at assisting Client organizations to continuously evolve and improve their capabilities to develop stronger, enduring and more trusting relationships with other Service Providers, and to meet the dynamic demands of business. The eSCM model provides organizations the flexibility to choose between framework based use (using the framework as best practices) and evaluation based use (using the framework to undertake a formal assessment). The eSCM for Client organizations is composed of 95 practices covered under three dimensions: Sourcing Life-cycle, Capability Area, and Capability Level.

CRISIL Rating Methodology

CRISIL rates companies in a variety of sectors. Since each sector has its own nuances, CRISIL has customized rating criteria and methodology for each sector to make the ratings exercise apt and meaningful. Extensive research is undertaken by CRISIL before assigning a rating to an organization. The rating methodology adopts a risk-based approach, thereby helping the organization to al