DSCI RISE Presentation - Final - 24Sept09_Kamlesh Bajaj
-
8/8/2019 DSCI RISE Presentation - Final - 24Sept09_Kamlesh Bajaj
1/19
A NASSCOM Initiative
DSCI and Data Protection
Kamlesh Bajaj
RISE Seminar on Biometrics & Ethics
Delhi, 24th Sep, 2009
-
Agenda
Data Protection
Compliance regulations
Privacy Perception in India
Data Protection u/s 43A amended IT Act, 2008
Outsourcing - a real risk, but manageable
Best Practices Framework for Data Protection
DSCI as SRO
-
Data Security Forrester Survey, Q3-2008, Europe
DSCI SRO
DSCI Program
DSCI Chapters
DSCI Services
-
Privacy regulations
-
Privacy Perceptions in India - Changing Landscape
Fast climbing individualism ladder
New emerging segment 25-35 years
Transformation from Joint to Nuclear family structure
Emergence of personalized services
Quantum jump in the use of technological solutions for delivery of financial services
Phenomenal increase in the number of credit cards issued by the banks
Increasing e-Commerce applications & emergence of m-Commerce
Huge investment in e-Governance projects
Travel, Airline & Hospitality industry goes online
Adoption of Web 2.0 services, social networking
Expansion of telecom & mobile connectivity
Leading to issues like:
Annoyance over telemarketing calls and messages
Increased awareness of personal information being collected
Rising concerns over computer and internet security
Increased exposure of IT/ITES industry to global data protection regulations
Media coverage of national & international data breaches
-
How Compliance Authorities are responding?
The Telecom Unsolicited Commercial Communication (UCC) Regulations, 2007, by TRAI
Do Not Call Registry
The LICENSEE condition to take necessary steps to safeguard the privacy and confidentiality of any information about a third party & its business to whom it provides the SERVICE
Ethical Guidelines for Biomedical Research by Indian Council of Medical Research, 2000
Identity & records of the human subjects of research or experiment are, as far as possible, kept confidential;
No details about identity of said human subjects are disclosed without valid scientific and legal reasons, without the specific consent in writing of the human subject concerned.
Reserve Bank of India, Master Circular, July 2007
Banks/NBFCs/their agents should not resort to invasion of privacy viz., reveal any information relating to customers, to any other person or organization without obtaining their specific consent
Recognizes the purpose for which the information will be used, and the organizations with whom the information will be shared.
Banks/NBFCs would be solely responsible for the correctness of information. In case of providing information relating to credit history / repayment, the bank/NBFC may explicitly bring to the notice of the customer.
The staff of both the banks and their DSA/DMAs should be properly briefed and trained in privacy of customer information.
-
IT (Amendment) Act, 2008 - Sections 43A and 72A
Section 43 modified: The existing Act provides for penalty for damage to computers, computer systems under the title Penalty and Adjudication in section 43 that is widely interpreted as a clause to provide data protection in the country. This section has been improved to include stealing of computer source code for which compensation can be claimed. (Computer source has been defined.)
New Section 43A: Data protection has now been made more explicit through insertion of a new clause 43A that provides for compensation to an aggrieved person whose personal data including sensitive personal data may be compromised by a company, during the time it was under processing with the company, for failure to protect such data whether because of negligence in implementing or maintaining reasonable security practices.
Penalty for breach of confidentiality and privacy: 72A - punishment for disclosure of information in breach of a lawful contract is prescribed.
Improvement to include stealing of computer source code
Data Protection - explicit new clause 43A - Compensation to an aggrieved person whose personal data including sensitive personal data may be compromised by a company
Compromised because of negligence in implementing or maintaining reasonable security practices
72A - Punishment for disclosure of information in breach of a lawful contract
Disclosure without the consent of the subject person will constitute a breach
-
Outsourcing offshore is a real risk, but manageable
Use of best practices and standards for managing security:
Control Principles - scenario based control selection, security requirement translations into controls
Security controls - employee background check, hardened desktop (SOE), secured communication channels, infrastructure security (layered defense), physical security, logical access control, data security, security officers, DR/BCP
Establishment of assurance mechanisms - security coordination, risk management framework, security processes, security assessment, security monitoring & reporting and incident management
Dedicated standards for building and operating outsourcing locations - Outsourced Delivery Centres [ODC]
Compliance support processes - active compliance support, compliance reporting
Outsourcing Objective:
Low-cost resources
Quality & diversity
Scale up & expanding
Consistent data security
Security at affordable cost
DSCI - Data Security & Privacy protection, Secure Outsourcing operations, Privacy for customer confidence:
Establishment of rules & standards
Promote ethics, quality and best practices
Self-Regulation
Adoption of best global practices
Independent Oversight
Focused Mission
Enforcement Mechanism
-
Security Best Practices and Tactical Steps
"As an increasing number of organizations take the decision to send more and more mission critical work offshore, security best practices and following some tactical steps may help to address security issues in global sourcing."
Gartner's Outsourcing & IT Services Summit, 2007
-
IT Act (Amendment) 2008 - Sections 43A and 72A
The need for data protection was reinforced with the notification of the IT (Amendment) Act, 2008.
Service providers in India will be required to implement reasonable security practices to prevent unauthorized access to personal data of customers being processed by them.
DSCI Security Framework - DSCI Security Practices
DSCI Privacy Framework - DSCI Privacy Practices
-
Approach towards CAP
-
DSCI Privacy Principles
#  Principle                    Applicability: Data Controller | Data Processor (or Service Provider)
(per-column applicability marks are not preserved in this transcript)
1  Preventing Data Misuse
2  Notice
3  Choice and Consent
4  Collection Limitation
5  Accuracy
6  Use and Retention
7  Access and Correction *
8  Disclosure to third parties
9  Security
10 Monitoring and Enforcement
11 Regulatory Compliance
12 Accountability
-
DSCI - Data Protection Practices
DSCI Security Framework - DSCI Security Practices
DSCI Privacy Framework - DSCI Privacy Practices
[Diagram: practice-area maps of the DSCI Security Framework (DSF) and DSCI Privacy Framework (DPF); the practice acronyms are expanded on the two following slides]
DSCI Security Framework (DSF):
16 Best Practice areas
Based on ISO 27001
Draws upon the tactical recommendations
Takes note of new approaches, technology and tactical mechanisms evolved
DSCI Privacy Framework (DPF):
9 Best Practices and 12 Privacy Principles
Privacy Policy Guidelines
Privacy Impact Assessment
-
DSCI Security Framework (DSF)
[Diagram: the 16 practice areas arranged under Security Strategy, Technical Security, Security Processes, Monitoring & Testing, Physical & Personnel, Third Party Security, and Data Security]
SSP Security Strategy & Policy
SEO Security Organization
ASM Asset Management
GRC Governance, Risk & Compliance
INS Infrastructure Security
APS Application Security
SCM Security Content Management
TVM Threat & Vulnerability Management
UAP User, Access & Privilege Management
BDM Business Continuity & Disaster Management
SAT Security Audit & Testing
MIM Monitoring & Incident Management
PEN Physical & Environment Security
TSM Third Party Security Management
PES Personnel Security
DSC Data Security
-
DSCI Privacy Framework (DPF)
[Diagram: the 9 practice areas arranged under Privacy Strategy & Processes, Privacy Access Controls, Monitoring & Training, and Personal Information Security]
VPI Visibility Over Personal Information
POR Privacy Organization & Relations
PPP Privacy Policy & Processes
RCI Regulatory Compliance Intelligence
PCM Privacy Contract Management
PIM Privacy Incident Management
IUA Information Usage & Access
PAT Privacy Awareness & Training
PIS Personal Information Security
-
DSCI Stakeholders
Board of Directors: NASSCOM representation; Independent directors; Eminent Academics
IT/ITES Industry: All NASSCOM members
Steering Committee: Senior security & privacy professionals; IT/ITES, BFSI companies; Client companies, Captive BPOs, MNC, Foreign Banks
Working Groups: Education; Contract guidelines; Surveys; Business Model; Physical Security & BCM; Sub working groups: Content vetting
DSCI Chapters: Bangalore, Delhi, Mumbai, Pune, Kolkata, Hyderabad, Chandigarh; will connect to 300 to 500 security professionals from industry
Legal & Regulatory Authorities: Data Protection Auth.; EC; FTC
Clients: Big ticket outsourcers
Security Professionals: Independent security professionals
Government of India: CERT-In; DIT
Other Industry: Banks, Financial Institutions, Telecom
-
DSCI SRO Framework (ongoing basis)
DSCI: Education, Training, Surveys, Guidelines for Contracts, Standards / Best Practices
Awareness Creation (Data Security, Data Privacy) for IT/BPO Companies and Law Enforcement
IT & BPO Companies: Self checks; Auditor; DSCI Certification / Ratings
Clients: Feedback; Complaints; Dispute Resolution; Escalation to Govt. of India
-
Use of Biometrics
E-Governance Roadmap - $6 Billion investment
Total projects - 26 mission mode + 6 support
Biometric Passports in India by 2010
Biometric PAN card using iris scan
Planning use of Biometric card for beneficiaries of NREG, SSP
Integrated Prisons Management Systems
Health Management Information Systems [HMIS]
Private Organizations:
Data Center Access
Ecommerce transactions
Critical system access
Promotion of Biometrics ethics:
Ethics standards for biometric use by NISG (National Institute of Smart Governance)
Incorporate biometric data as personal information in rules for IT Act (Amendment) 2008
Awareness campaign for users, vendors, organizations and policy makers
-
Thank You
Kamlesh Bajaj
CEO, DSCI