
DSCI Approach: Standards and Regulations
Kamlesh Bajaj, CEO, DSCI
Indo-Australia Conference, April 1st, 2009, Delhi





Presentation Transcript


  1. DSCI Approach: Standards and Regulations. Kamlesh Bajaj, CEO, DSCI. Indo-Australia Conference, April 1st, 2009, Delhi

  2. Agenda
  1. Security Drivers
  2. Outsourcing Risks
  3. DSCI Views on Data Protection & Approach to Self Regulation
  4. Data Security Practices: CISCO report; NASSCOM, DSCI & KPMG Report
  5. DSCI SRO

  3. Security drivers
  • Expanding threat landscape – external & internal
  • Data and privacy breaches
  • Identity theft threats
  • Ever increasing compliance regime
  • Complex business relationships
  • Multiple jurisdictions
  • Data protection in outsourcing
  • Globalization
  • Critical dependence on IT
  • Information assets – central to business operations
  • Security – a business enabler
  • Security for competitive advantage
  • Emerging security products / solutions

  Diagram labels: Information Security; Enterprise Ecosystem; Regulatory Compliance; Market

  4. Risk of Outsourcing - As Perceived by Customers

  5. Securing the Service Provider

  Information Security – Strategic View
  • Infrastructure Protection: keep the unauthorized users out – FW, IDS, IPS, AV, SCM, MSS
  • Secure Business Enablement: let the genuine users in – IAM, strong authentication, access controls, digital rights management
  • Security Administration: keep the wheels going – security operations, security awareness, information security organization, BCP/DR

  Information Security – Operational View
  • Threat Management: perimeter, internal network, application security; VoIP, Web services and storage networks; wireless and mobile security; application layer protection
  • Secure Content Management: spam, spyware, adware, Web content
  • Security and Vulnerability Management: risk management; application and software security vulnerability management
  • Identity and Access Management: access control, identity confirmation, user provisioning
  • Information Security Service: threat focus, application security, MSS
  • Security Conscious People: outer layer in the defense-in-depth strategy

  The IS strategic view is mapped into the operational view to address security concerns.

  6. Outsourcing offshore is a real risk, but manageable

  Outsourcing objectives: consistent data security; low-cost resources; security at affordable cost; quality & diversity; scale up & expanding.

  DSCI – Data Security & Privacy protection: establishment of rules & standards; promote ethics, quality and best practices; Self-Regulation: adoption of best global practices; Independent Oversight; Focused Mission; Enforcement Mechanism.

  Secure outsourcing operations
  • Use of best practices and standards for managing security
  • Control principles: scenario-based control selection; translation of security requirements into controls
  • Security controls: employee background check; hardened desktop (SOE); secured communication channels; infrastructure security – layered defense; physical security; logical access control; data security; security officers; DR/BCP
  • Establishment of assurance mechanisms: security coordination, risk management framework, security processes, security assessment, security monitoring & reporting, and incident management
  • Dedicated standards for building and operating outsourcing locations: Outsourced Delivery Centres (ODC)
  • Compliance support processes: active compliance support, compliance reporting

  "As an increasing number of organizations take the decision to send more and more mission critical work offshore, security best practices and following some tactical steps may help to address security issues in global sourcing…" – Gartner's Outsourcing & IT Services Summit, 2007

  7. DSCI View of Data Protection

  Diagram labels: Security Mgmt System; Security Organization; Security Processes Management; Threat & Vulnerability Management; People; Security Strategy; Perimeter, Network, System, Application, Data; Enterprise Security Architecture; Security Monitoring; Operational / Strategic; Security Policy, Procedures; Security Testing; Technical Infrastructure Security; Application Security; Data Security

  8. DSCI Approach to Self Regulation

  DSCI – A Self Regulatory Org.: Data Protection; Best Practices; Capacity building; Independent oversight; Enforcement; Dispute Resolution; Cyber Crime – speedier trial

  Knowledge collaboration inputs (diagram labels): Security Market Research; Legal Forums; Academic Collaborations; Data Protection Authorities; Privacy Regulations; Technology Forums; Security Technology Trends; Architecture Principles; Solution Categories; Technology and Vendor interactions; Product, solution trends; Technology advancement; Security Vendor Collaboration; Vendor forums, interactions; Industry best practices

  Legal & Regulatory Requirements: EU Privacy Directives; UK – Data Protection Act 1998; US – FTC directives, Patriot Act; Canada – PIPEDA; Aus – Privacy Act 1988; JAPAN – JPIPA

  Compliance Regulations: GLBA; HIPAA; PCI-DSS

  Standards and frameworks: Security Management – ISO 27001; Risk Management – OCTAVE | COSO | FMEA; IT Governance – CoBIT; Security Standards – ITU-T X.1051; Security Practices – NIST SP 800; Infrastructure Mgmt – ITIL | ISO 20000

  9. Outsourced Delivery Center: Data Protection Practices … Sample list

  Control areas (diagram labels): Environment security; Physical Security; Personnel security; Workstation security; Network Security; Channel Security; Security Monitoring; Incident management; Assurance mechanism; Total ODC

  Sample practices:
  • Environment and physical security: devices – camera, sensors, enclosed area; security personnel; print/fax restriction; perimeter security; cell phone restriction; entry security; biometric access control; interior security; anti pass back / dead man door
  • Personnel security: employee check; on-boarding processes
  • Workstation security: hardened OS; restricted local permissions; external media restriction; Internet, email restriction
  • Network security: IP-IP, port, service config; data analysis, fingerprinting
  • Channel security: channel encryption; dedicated line
  • Security monitoring: CCM – physical, n/w, workstation; log monitoring – SOC; activity monitoring; integration – SIM/SOC; client desktop monitoring
  • Incident management: incident detection – IDS; incident notification/report; IM workflow
  • Assurance mechanism: security coordination; risk mgmt framework; asset movement; asset, change, config mgmt; solutions, tools; security authorization; security metrics; security audit/test; process automation

  10. DSCI Security and Privacy Best Practices Framework

  Framework elements: Security Mgmt System; Security Organization; Security Policy; Security Processes; Security Architecture; Risk Mgmt Plan; Security Operations; Incident Mgmt; Business Continuity plan; Continuous monitoring program; Emergency Response

  • Personal Security: pre-employment; in-employment; post-employment
  • Access Management: restricted system access; strong authentication; user access management; password management; secure access path
  • Secure Network: traffic, service & connection restrictions; network zoning/isolation; attack prevention; secure extended org. – mobile, wireless
  • Content Monitoring & Filtering: restricted Internet access; download & execution restriction; restricted public mail/messenger
  • Threat & Vulnerability Management: antivirus program for host, gateway, messaging; patch management mechanism; secure deployment – applications, infrastructure, DB
  • Physical Security: secure area/location; security control – perimeter, entry & interior
  • Data Security: inventory of data elements – structured & unstructured; security controls for DIM, DAR, DIU (data in motion, at rest, in use); data access control; data management
  • Data Privacy: data collection & sharing; Data Protection Authorities; Privacy Directives/Acts
  • Monitoring & Testing: security audit plan; testing program – VA/PT of application & infrastructure; intrusion detection
  • Continuity Management: recovery capability; recovery plan & processes
  • Compliance: HIPAA, GLBA, PCI-DSS
  • Reference: ITU X.1051; OWASP; CoBIT; NIST SP 800; ITIL; OCTAVE | COSO | FMEA

  11. India and other countries: Data Leakage for Businesses & Employees. Source: survey "The Challenge of Data Leakage for Businesses and Employees Around the World", Cisco, Sept 08

  12. NASSCOM-DSCI Survey through KPMG
  1. Security as "Beforethought": The IT/ITeS industry wants to proactively address security. From a reactive model, security has become more analytical and more predictable.
  2. Evolving models: From being the esoteric domain of a few hardcore specialists, security has increasingly become a board-level issue.
  3. Right Skilling: While there is an abundance of people to manage parts of the solutioning for information security, it is getting increasingly difficult to hire personnel who have an overall understanding of security and governance.
  4. Putting People First: An overwhelming majority of the respondents feel that people remain the key challenge in the information security environment of their organization.
  5. Right Structure: Every organization has a Chief Information Security Officer (CISO) role supported by an information security function, which has a structure and mandate approved by the executive management of these organizations.
  6. Competitive Views: The organizations feel that having such security certifications is more of a competitive necessity than a business enabler.
  7. A Matter of Size: All Indian IT companies have implemented information security policies; the majority of the category C companies have enhanced their security focus in the last 1 or 2 years.
  8. Privacy Perceptions: Twenty-four percent of the respondents have a privacy policy. All organizations surveyed have a security policy, and 31% of the respondents include some aspects of data privacy within their security policy. Most contracts for companies specify privacy-related compliance as security controls, and therefore many organizations implement controls from a privacy standpoint.
  9. Industry View on Self Regulation: The service providers are encouraged by the establishment of DSCI, by NASSCOM as an industry initiative, to focus on data protection. IT/ITES companies are looking up to DSCI to enable them to provide assurance to their clients.

  13. Data Security Council of India – Self Regulatory Organization
  • An independent body that facilitates the culture of security and privacy in the Indian IT industry; will propose a basic set of security and privacy standards, to which companies can choose to adhere.
  • Board of Directors: industry leaders as well as representatives from the academic, government, and/or consumer communities.
  • Chairman of DSCI: from outside the industry and independent
  • Steering Committee comprising eminent experts from industry, academia, law enforcement and government
  • Develop, establish, monitor and enforce necessary minimum standards for privacy and security, including best practices
  • Advocacy with government on data protection framework
  • Key objective: raise the floor when it comes to strengthening India as a secure outsourcing destination, across the IT industry
  • Not-for-profit, Self Regulatory Organization in data security and privacy protection
  • Diversified membership including companies in the IT and BPO sectors
  • DSCI certification to members

  14. DSCI Mission
  What:
  • Message to clients worldwide that India is a secure destination for outsourcing, where privacy and protection of customer data are enshrined in the best practices followed by the industry
  • Create an accountability framework
  • Monitor and enforce compliance through promotion of self regulation of industry, and act as a self regulatory organization (SRO)
  How:
  • Create awareness – organizations and individuals
  • Build capacity
  • Provide certification services
  • Create a common platform for sharing knowledge
  • Inform external stakeholders

  15. DATA SECURITY COUNCIL OF INDIA – SRO

  Diagram labels: DSCI Certification; GOVT. OF INDIA; DSCI AUDITOR; ESCALATION; SELF CHECKS; IT and BPO Companies; FEEDBACK; COMPLAINTS; CLIENTS / CLIENT CUSTOMERS
  • Awareness creation (data security, data privacy) for IT/BPO companies and law enforcement
  • Standards / best practices; education; training; surveys; guidelines for contracts

  16. Thank You kamlesh.bajaj@dsci.in
