2. Agenda
• Setting the Context
• Outlining potential risks
• Mitigating the risk
– Understanding existing laws and regulations
– NASSCOM’s role in the Indian IT market
– Looking at vendor best practices
– Drafting contracts for success
• Question and Answer
• References
www.eMids.com
3. Setting the Context
Engaging offshore resources has evolved into a best practice
for delivering Information Technology and product
engineering across several industries.
The very nature of the work involves sharing of data and
intellectual property. A security breach under these
circumstances is a high risk with potentially unpleasant
consequences.
Differences in law, culture, time zone, and communication
seem to amplify the perceived impact of this already inherent
risk.
This presentation attempts to separate perception from reality
and offers an executive overview of data privacy and security
in offshore delivery centers.
4. Potential Risks
• Suspension of business activity
• Loss of rights to use data
• Adverse publicity
• Damage to brand/image
• Loss of trade secrets and intellectual property
• Civil suits – individual and class action
• Regulatory enforcement actions
6. Understanding Existing Laws and Regulations
• Indian IT Act of 2000 (cyber law)
– makes punishable cyber crimes like hacking, damage to computer
source code, and breach of confidentiality and privacy
• Indian Copyright Act
– provides protection for intellectual property
• Indian Penal Code Act
– provides criminal punishment for cyber crimes
• Indian Contract Act
– provides for the enforcement of international contracts
• World Trade Organization (WTO)
– WTO-GATS (General Agreement on Trade in Services) provides for
internet privacy and gives structure to the regulatory environment in
e-business
• United Nations Commission on International Trade (UNCITRAL)
– protects international electronic transactions
7. NASSCOM’s Role in the Indian IT Market
• NASSCOM is both the face of India’s burgeoning software industry and
a key arm in catalyzing its growth. It is committed to monitoring the
security of data and intellectual capital, helping companies deliver at a
high level of quality, and coordinating seamless delivery across
geographic and political boundaries.
• 4 E Initiatives
– Engagement – Works across geographic boundaries with organizations such as:
Department of Homeland Security, Treasury – Infrastructure Compliance, Federal
Reserve Board – NY, Heritage Foundation, CSIS, IPI, academia
– Education – Research reports, model contracts, SLA examples, best
practices, educational collateral for Indian law enforcement, media around security
and privacy
– Enactment – Lobbies for the enactment of legislation supporting the IT industry
(such as the IT Act 2000)
– Enforcement – Joint efforts with police, lawyers and industry bodies ensure
enforcement and constant checks to recognize and initiate action against security
infringements
8. NASSCOM’s Role in the Indian IT Market
• India Cyber Lab
– evolved as a unique public-private partnership project for cyber safety
• Initiation of Data Security Council of India
– Develop data privacy standards
– Adoption of best practices
– Focus on code of conduct
– Promote and encourage voluntary compliance with the code
– Provide certifications to organizations
• Campaign Against Piracy
– Significant contribution towards ending software piracy across India
9. Vendor Best Practices
Diagram: Vendor Security Best Practice, built from four areas
• Vendor Framework Adherence
– ISO 27001
– SAS 70
– CMMi
– HIPAA / PCI
– Legal business entity
– Security scope & mission statement
• Client-Centric Activities
– Customer driven audits
– Sharing of internal audit results
– Reporting of perceived threats and breaches
• Third Party Entities
– Independent audits
– Independent penetration testing
– Inspection by client’s customers
• Vendor Employee Awareness
– Background checks
– Whistle blower policies
– Workplace awareness
– Internal/external training and certification
– Exit agreements
10. Vendor Framework Adherence
ISO 27001
SAS 70
CMMi
HIPAA / PCI
Legal business entity
Security scope & mission statement
12. Client-Centric Activities
Customer driven audits
Sharing of internal audit results
Reporting of perceived threats and breaches
13. Third Party Entities
Independent audits
Independent penetration testing
Inspection by client’s customers
14. Drafting Contracts for Success
• Make security as important in the contracting
process as scope, deliverables, and pricing
• Common contract clauses to consider
– Confidentiality
– IP Ownership
– Return of project materials
– Non-Disclosure Agreements (NDAs)
– Physical Security / Isolation
– Security Audits
– Network Security
Regulatory enforcement actions (fines, outsourcing restrictions et al.)
Civil suits – individual and class action (data transfer issues, joint & several liability, 3rd party beneficiary suit in data subject country)
IT Act 2000 has provisions for respecting and incorporating the state laws of the client location.