Offshore Outsourcing - Dealing with Compliance Issues

Ken D. Nguyen, PMP, CISSP, CISM, MCSE

SVP & CTO

SourceSentry, Inc.

knguyen@sourcesentry.com

Agenda
  • Compliance Landscape
  • Current & Pending (Federal & State) Bills
  • Corporate Governance
  • Binding Corporate Rules (BCR)
  • Vendor Governance
  • Q/A

©SourceSentry 2004

The Compliance Landscape

* Meta Group, Inc. 2004

The Compliance Landscape

SOX Implications on Outsourcing
  • Regulatory clarification lagging: 2H04 is too late for many
  • What about Sec. 409 and PCAOB Audit No. 2?
  • Sarbanes-Oxley (SOX) does not differentiate between insourced and outsourced processes
  • SAS 70 audits: Good enough?

The Compliance Landscape

What You Still Need to Be Thinking About for HIPAA
  • Service provider contracts as a whole
  • Individual rights issues – Are we really supposed to check with every business associate?
  • What do they want you to do with the Security Rule?
  • Monitoring issues – an emerging issue for everyone

The Compliance Landscape

US Patriot Act
  • Information Sharing
  • Anti-Money Laundering Program
    • Section 352(a)
  • Suspicious Activity Reporting
  • Customer Identification Program
    • Section 326
  • Concerns about US companies violating privacy law of other countries

The Compliance Landscape

Basel II
  • Basel II includes three mutually reinforcing pillars:
    • Pillar 1: Minimum Capital Requirement
    • Pillar 2: Supervisory Review Process
    • Pillar 3: Market Discipline
  • Offshore outsourcing affects Pillar 1, particularly its Operational Risk aspect
  • Regulatory review practices will spread to banks’ key suppliers, third-party outsourcing service providers, offshore processing services, and providers of key systems and tools
  • US Federal Reserve expects only the top 11 US banks to comply - although a further 10 or more are expected to opt in.

The Compliance Landscape

State of New Offshore Legislation
  • 42 separate bills introduced in 22 states addressing state contracting and the use of foreign labor
  • Another 13 bills in 12 states requiring individuals to identify themselves, their location, and the company they work for
  • Other bills prohibit financial data from leaving the U.S.
  • Changes to tax policy
  • “Buy Home State” provisions

The Compliance Landscape

Federal Bills
  • S. 2090 – (WARN Act) – Same as federal plant closure laws
    • Notice to be given before operations go offshore,
    • Make trade adjustment assistance available to workers
  • S. 1873 – Call centers to ID location of call
  • S. 2094 – No Federal contracts to offshore providers
  • S. 2143, S. 2157 and H.R. 3881 would extend trade adjustment assistance for displaced workers
  • S. 2148 – Similar to S. 2094
  • S. 2312 – Consent from customers for transferring personal, medical or financial data (H. Clinton)
  • S. 1232 – Safeguarding Americans From Exporting Identification Data Act (SAFE-ID)
  • S. 1637 – (Senator Dodd Amendment) The Senate has already passed an amendment to prohibit companies from fulfilling federal contracts using offshore outsourced labor

The Compliance Landscape

State Bills – For Example California
  • AB 1829 - Prohibits state agency or local government from contracting out services unless the company certifies that all work will be performed solely by workers in the US
  • AB 3021 - Requires CA employers to determine the amount of offshore outsourcing they do by reporting the number of workers employed outside CA
  • AB 2517 - Requires call center employees to give (honest) disclosure of their location
  • SB 888 - Prevents offshore transmittal of info “important to homeland security” (broad definition)
  • SB 1492 - Prevents medical records from being shipped overseas, unless prior consent received from individual

The Compliance Landscape

Other Challenges

Enforcing Judgments Abroad

  • Jurisdictional Challenges
  • Enforcing Damages and Limitations of Liability
  • No Uniformity

Security of Information

  • Potential Liability under US/EU Privacy/Data Laws
  • Poor IP Rights Regimes in Developing Countries

Overlapping Laws and Conflicts

  • Conflict between US and Local Laws
  • Overlapping regulations and ambiguities

Impact of Compliance

Impact regulations will have on the likelihood of outsourcing IT in the interest of compliance, or of outsourcing business processes/functions

* Meta Group, Inc. 2004

What can be done?

Crafting a Corporate Governance Framework

Frameworks
  • COBIT - Control Objectives for Information and related Technology
  • COSO - Committee of Sponsoring Organizations
  • FRAP - Facilitated Risk Assessment Process
  • CRAMM - The CCTA’s (Central Computer and Telecommunications Agency) Risk Analysis and Management Method
  • OCTAVE - Operationally Critical Threat, Asset, and Vulnerability Evaluation
  • ITIL – IT Infrastructure Library
  • BizSentry – Offshore Outsourced Activities

  • Corporate Governance Framework
  • Organizations must develop global and integrated corporate governance strategies, practices, and processes
  • COBIT, COSO, BizSentry, others?

What can be done?

Binding Corporate Rules
  • BCRs
    • Consistent with company’s compliance structure and practices
    • Harmonized global guidelines ensure a consistent, strong protection
    • Binding on company’s entities and employees
    • Policies are alive and visible to our employees
    • Language is user-friendly for data handlers and employees
  • Alternative - Contracts
  • Alternative - Safe Harbor

What can be done?

Establish Vendor Governance Program
  • Partnership / Communication
  • Govern by contract, then be friends
  • Use a dashboard: Then watch it!
  • Industry Solution? – SVR, BITS, etc.

What can be done?

Additional Recommendations
  • Use external independent assessment in the offshore location
  • Scrutinize regulatory compliance mandates
  • Integrate services sourcing and management processes within overall corporate governance framework
  • Don’t procrastinate…act now

Offshoring/Outsourcing Resources
  • Outsourcing/Offshoring Knowledge
    • SourceSentry: http://www.sourcesentry.com
    • ISACA: http://www.isaca.org
    • FDIC: Offshore Outsourcing of Data Services by Insured Institutions and Associated Consumer Privacy Risks: http://www.fdic.gov/regulations/examinations/offshore/toc.html
    • IT Compliance Institute: http://www.itcinstitute.com/index.aspx
    • Ponemon Institute: http://www.ponemon.org
    • Outsourcing Institute: http://www.outsourcing.com
    • Outsourcing Journal: http://www.outsourcingjournal.com
    • NASSCOM: http://www.nasscom.org
    • Philippines: http://www.outsourcephilippines.org
    • Global: http://www.witsa.org

Questions

Ken D. Nguyen, PMP, CISSP, CISM, MCSE

SVP & CTO

SourceSentry, Inc.

knguyen@sourcesentry.com
