Virtual Trade Mission: Exploring Opportunities in India May 7, 2009

1. Data Security & Privacy
in
Offshore Operations
May 7, 2009
1

2. Agenda
• Setting the Context
• Outlining potential risks
• Mitigating the risk
– Understanding existing laws and regulations
– NASSCOM’s role in the Indian IT market
– Looking at vendor best practices
– Drafting contracts for success
• Question and Answer
• References
2
www.eMids.com

3. Setting the Context
Engaging offshore resources has evolved into a best practice
for delivering Information Technology and product
engineering across several industries.
The very nature of the work involves sharing of data and
intellectual property. A security breach under these
circumstances is a high risk with potentially unpleasant
consequences.
Differences in law, culture, time zone, and communication
seem to amplify the perceived impact of this already inherent
risk.
This presentation attempts to separate perception from reality
and offers an executive overview of data privacy and security
in offshore delivery centers.
3
www.eMids.com

4. Potential Risks
• Suspension of business activity
• Loss of rights to use data
• Adverse publicity
• Damage to brand/image
• Loss of trade secrets and intellectual property
• Civil suits – individual and class action
• Regulatory enforcement actions
4
www.eMids.com

5. Mitigating the Risk
May 7, 2009
5

6. Understanding Existing Laws and Regulations
• Indian IT Act of 2000 (cyber law)
– makes punishable cyber crimes like hacking, damage to computer
source code, and breach of confidentiality and privacy
• Indian Copyright Act
– provides protection for intellectual property
• Indian Penal Code Act
– provides criminal punishment for cyber crimes
• Indian Contract Act
– provides for the enforcement of international contracts
• World Trade Organization (WTO)
– WTO-GATS (General Agreement on Trade in Services) provides for
internet privacy and gives structure to the regulatory environment in e-
business
• United Nations Commission on International Trade (UNCITRAL)
– protects international electronic transactions
6
www.eMids.com

7. NASSCOM’s Role in the Indian IT Market
• NASSCOM is both the face of India’s burgeoning software industry and
a key arm in catalyzing its growth. It is committed to monitoring the
security of data and intellectual capital, helping companies deliver at a
high level of quality, and coordinating seamless delivery across
geographic and political boundaries.
• 4 E Initiatives
– Engagement – Works across geographic boundaries with organizations such as:
Department of Homeland Security, Treasury – Infrastructure Compliance, Federal
Reserve Board – NY, Heritage, Foundation, CSIS, IPI, academia
– Education - Research reports, model contracts, SLAs examples, best
practices, educational collateral for Indian law enforcement, media around security
and privacy
– Enactment – Lobbies for the enactment of legislation supporting the IT Industry
(such as the IT Act 2000)
– Enforcement – joint efforts with Police, lawyers and industry bodies ensures
enforcement and constant checks to recognize and initiate action against security
infringements
7
www.eMids.com

8. NASSCOM’s Role in the Indian IT Market
• India Cyber Lab
– evolved as a unique public-private partnership project for cyber safety
• Initiation of Data Security Council of India
– Develop data privacy standards
– Adoption of best practices
– Focus on code of conduct
– Promote and encourage voluntary compliance of the code
– Provide certifications to organizations
• Campaign Against Piracy
– Significant contribution towards ending software piracy across India
8
www.eMids.com

9. Vendor Best Practices
Vendor Framework Adherence Client-Centric Activities
 ISO 27001  Customer driven audits
 SAS 70  Sharing of internal audit
 CMMi results
 HIPAA / PCI  Reporting of perceived
Client-Centric
 Legal business entity threats and breaches
Activities
 Security scope & mission
statement
Information Vendor
Vendor Security Employee
Framework Best Practice Awareness
Third Party
Third Party Entities Vendor Employee Awareness
 Independent audits  Background checks
Entities
 Independent penetration  Whistle blower policies
 Workplace awareness
testing
 Inspection by client’s  Internal/external training and
customers certification
 Exit agreements
9
www.eMids.com

10. Vendor Framework Adherence
 ISO 27001
 SAS 70
 CMMi
 HIPAA / PCI
 Legal business entity
 Security scope & mission statement
10
www.eMids.com

11. Vendor Employee Awareness
 Background checks
 Whistle blower policies
 Workplace awareness
 Internal/external training
and certification
 Exit agreements
11
www.eMids.com

12. Client-Centric Activities
 Customer driven audits
 Sharing of internal audit
results
 Reporting of perceived
threats and breaches
12
www.eMids.com

13. Third Party Entities
 Independent audits
 Independent penetration
testing
 Inspection by client’s
customers
13
www.eMids.com

14. Drafting Contracts for Success
• Make security as important in the contracting
process as scope, deliverables, and pricing
• Common contract clauses to consider
– Confidentiality
– IP Ownership
– Return of project materials
– Non-Disclosure Agreements (NDAs)
– Physical Security / Isolation
– Security Audits
– Network Security
14
www.eMids.com

15. Question and Answer
15
www.eMids.com

16. References
• WTO – www.wto.org
• CMMi – www.sei.cmu.edu/cmmi
• ISO 27001 – www.iso27001security.com
• NASSCOM – www.nasscom.org
16
www.eMids.com