RISE Presentation, DSCI

Transcript of RISE Presentation, DSCI (19 slides)

Page 1: RISE Presentation, DSCI

A NASSCOM® Initiative

DSCI and Data Protection

Kamlesh Bajaj

RISE Seminar on Biometrics & Ethics

Delhi, 24th Sep, 2009

Page 2

Agenda

• Data protection
• Compliance regulations
• Privacy perception in India
• Data protection under Section 43A of the amended IT Act, 2008
• Outsourcing: a real risk, but manageable
• Best Practices Framework for Data Protection
• DSCI as SRO (self-regulatory organisation)

Page 3

Data Security – Forrester Survey, Q3-2008, Europe [chart; the figures are not reproduced in the transcript]

Sidebar:
• DSCI SRO
• DSCI Program
• DSCI Chapters
• DSCI Services

Page 4

Privacy regulations

Page 5

Privacy Perceptions in India: Changing Landscape

Drivers:
• Fast climbing individualism ladder
• New emerging segment: 25-35 years
• Transformation from joint to nuclear family structure
• Emergence of personalized services
• Quantum jump in the use of technological solutions for delivery of financial services
• Phenomenal increase in the number of credit cards issued by the banks
• Increasing e-Commerce applications and emergence of m-Commerce
• Huge investment in e-Governance projects
• Travel, airline and hospitality industry goes online
• Adoption of Web 2.0 services, social networking
• Expansion of telecom and mobile connectivity

Leading to issues like:
• Annoyance over telemarketing calls and messages
• Increased awareness of personal information being collected
• Rising concerns over computer and internet security
• Increased exposure of the IT/ITES industry to global data protection regulations
• Media coverage of national and international data breaches

Page 6

How are compliance authorities responding?

The Telecom Unsolicited Commercial Communication (UCC) Regulations, 2007, by TRAI
• Do Not Call Registry
• Licence condition: the LICENSEE must take necessary steps to safeguard the privacy and confidentiality of any information about a third party and its business to whom it provides the SERVICE

Ethical Guidelines for Biomedical Research, by the Indian Council of Medical Research, 2000
• Identity and records of the human subjects of research or experiment are, as far as possible, kept confidential
• No details about the identity of said human subjects are disclosed without valid scientific and legal reasons, and without the specific written consent of the human subject concerned

Reserve Bank of India, Master Circular, July 2007
• Banks/NBFCs and their agents should not resort to invasion of privacy, viz. reveal any information relating to customers to any other person or organization without obtaining their specific consent
• Consent recognizes the purpose for which the information will be used and the organizations with whom the information will be shared
• Banks/NBFCs are solely responsible for the correctness of the information; when providing information relating to credit history/repayment, the bank/NBFC may explicitly bring this to the notice of the customer
• The staff of both the banks and their DSAs/DMAs should be properly briefed and trained in the privacy of customer information

Page 7

IT (Amendment) Act, 2008: Sections 43A and 72A

• Section 43 modified: the existing Act provides for penalties for damage to computers and computer systems under the title "Penalty and Adjudication" in Section 43, which is widely interpreted as the clause providing data protection in the country. This section has been "improved" to include stealing of "computer source code", for which compensation can be claimed (computer source code has been defined).

• New Section 43A: data protection has now been made more explicit through insertion of a new Section 43A that provides for "compensation to an aggrieved person" whose personal data, including "sensitive personal data", may be compromised by a company during the time it was under processing with the company, for failure to protect such data because of "negligence in implementing or maintaining reasonable security practices". As enacted, the liability falls on a body corporate that possesses, deals with or handles sensitive personal data or information in a computer resource it owns, controls or operates, and that is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person. What counts as "reasonable security practices and procedures" is left to be specified by agreement between the parties, by any law in force, or, failing both, by rules prescribed by the Central Government.

• Section 72A, penalty for breach of confidentiality and privacy: punishment is prescribed for "disclosure of information in breach of a lawful contract". "Disclosure without the consent" of the subject person "will constitute a breach". As enacted, the offence covers any person, including an intermediary, who has obtained personal information while providing services under a lawful contract and discloses it without the consent of the person concerned or in breach of that contract, with intent to cause, or knowing it is likely to cause, wrongful loss or wrongful gain; it is punishable with imprisonment of up to three years, a fine of up to five lakh rupees, or both.

Page 8

Outsourcing offshore is a real risk, but manageable

Use of best practices and standards for managing security:
• Control principles: scenario-based control selection, translation of security requirements into controls
• Security controls: employee background check, hardened desktop (SOE), secured communication channels, infrastructure security (layered defense), physical security, logical access control, data security, security officers, DR/BCP
• Establishment of assurance mechanisms: security coordination, risk management framework, security processes, security assessment, security monitoring and reporting, and incident management
• Dedicated standards for building and operating outsourcing locations: Outsourced Delivery Centres (ODC)
• Compliance support processes: active compliance support, compliance reporting

Outsourcing objective:
• Low-cost resources
• Quality and diversity
• Scale up and expanding
• Consistent data security
• Security at affordable cost

Self-regulation:
• Establishment of rules and standards
• Promote ethics, quality and best practices
• Adoption of best global practices
• Independent oversight
• Focused mission
• Enforcement mechanism

DSCI: data security and privacy protection; secure outsourcing operations; privacy for customer confidence

Page 9

Security Best Practices and Tactical Steps

As an increasing number of organizations take the decision to send more and more mission-critical work offshore, "security best practices and following some tactical steps" may help to address security issues in global sourcing.

… Gartner's Outsourcing & IT Services Summit, 2007

Page 10

IT (Amendment) Act, 2008: Sections 43A and 72A

The need for data protection was reinforced with the notification of the IT (Amendment) Act, 2008. (The Amendment Act received Presidential assent in February 2009; its provisions were brought into force on 27 October 2009, a month after this seminar.)

Service providers in India will be required to implement "reasonable security practices" to prevent unauthorized access to the personal data of customers being processed by them.

DSCI Security Framework, giving rise to DSCI Security Practices
DSCI Privacy Framework, giving rise to DSCI Privacy Practices

Page 11

Approach towards CAP

Inputs to the Best Practice Framework (Security, Privacy):
• Best practices
• Industry standards: ISO 27001, NIST SP 800-53
• Global best practices
• Privacy principles: OECD Principles, APEC Privacy Framework, EU Data Protection Directive
• Technology trends

Mapping of compliance regulations (examples drawn from the HIPAA Security Rule, 45 CFR Part 164):
• 164.310(d)(2)(iv) Data backup and storage, mapped to Back-up
• 164.310(d)(2)(i) Disposal, mapped to Physical security
• 164.312(a)(2)(i) Unique user identification, mapped to Access control

Control identification (examples):
• Privileged account management
• Access to personal information
• Controls against mobile code
• Reporting security events
• Access control

Page 12

DSCI Privacy Principles

Applicability columns: Data Controller; Data Processor (or Service Provider). (The per-principle applicability marks did not survive the transcript.)

1. Preventing Data Misuse
2. Notice
3. Choice and Consent
4. Collection Limitation
5. Accuracy
6. Use and Retention
7. Access and Correction *
8. Disclosure to Third Parties
9. Security
10. Monitoring and Enforcement
11. Regulatory Compliance
12. Accountability

Page 13

DSCI Data Protection Practices

[Diagram: DSCI Security Framework (DSF©) practice areas ASM, GRC, SEO, SSP, TVM, UAP, BDM, DSC, TSM, PEN, INS, SAT, MIM, PES, APS, SCM, and DSCI Privacy Framework (DPF©) practice areas VPI, PPP, PCM, PIS, PAT, PIM, POR, RCI, IUA; the acronyms are expanded on the following two slides]

DSCI Security Framework (DSF©), giving rise to DSCI Security Practices
• 16 best practice areas
• Based on ISO 27001
• Draws upon the tactical recommendations
• Takes note of new approaches, technology and tactical mechanisms that have evolved

DSCI Privacy Framework (DPF©), giving rise to DSCI Privacy Practices
• 9 best practices and 12 privacy principles
• Privacy policy guidelines
• Privacy impact assessment

Page 14

DSCI Security Framework (DSF©)

Security strategy, technical security:
• SSP – Security Strategy & Policy
• SEO – Security Organization
• ASM – Asset Management
• GRC – Governance, Risk & Compliance
• INS – Infrastructure Security
• APS – Application Security
• SCM – Security Content Management
• TVM – Threat & Vulnerability Management
• UAP – User, Access & Privilege Management
• BDM – Business Continuity & Disaster Management

Security processes, monitoring & testing:
• SAT – Security Audit & Testing
• MIM – Monitoring & Incident Management

Physical & personnel, third party security:
• PEN – Physical & Environment Security
• TSM – Third Party Security Management
• PES – Personnel Security

Data security:
• DSC – Data Security

Page 15

DSCI Privacy Framework (DPF©)

Privacy strategy & processes:
• VPI – Visibility over Personal Information
• POR – Privacy Organization & Relations
• PPP – Privacy Policy & Processes
• RCI – Regulatory Compliance Intelligence
• PCM – Privacy Contract Management

Privacy access controls, monitoring & training:
• PIM – Privacy Incident Management
• IUA – Information Usage & Access
• PAT – Privacy Awareness & Training

Personal information security:
• PIS – Personal Information Security

Page 16

DSCI Stakeholders

• Board of Directors: NASSCOM representation; independent directors; eminent academics
• IT/ITES industry: all NASSCOM members
• Steering Committee: senior security and privacy professionals; IT/ITES and BFSI companies; client companies, captive BPOs, MNCs, foreign banks
• Working groups: education; contract guidelines; surveys; business model; physical security & BCM
• Sub-working groups: content vetting
• DSCI Chapters: Bangalore, Delhi, Mumbai; Pune, Kolkata, Hyderabad, Chandigarh; will connect 300 to 500 security professionals from industry
• Legal and regulatory authorities: data protection authorities; EC; FTC
• Clients: big-ticket outsourcers
• Security professionals: independent security professionals
• Government of India: CERT-In; DIT
• Other industry: banks, financial institutions, telecom

Page 17

DSCI SRO Framework

[Diagram: DSCI at the centre, operating on an ongoing basis]
• Standards / best practices: education, training, surveys, guidelines for contracts
• Awareness creation: data security, data privacy; aimed at IT/BPO companies and law enforcement
• IT & BPO companies: self-check, auditor, DSCI certification / ratings
• Clients: feedback, complaints
• Dispute resolution, with escalation to the Government of India

Page 18

Use of Biometrics

E-Governance roadmap: $6 billion investment; 26 mission-mode projects plus 6 support projects
• Biometric passports in India by 2010
• Biometric PAN card using iris scan
• Planned use of biometric cards for beneficiaries of NREG, SSP
• Integrated Prisons Management Systems
• Health Management Information Systems (HMIS)

Private organizations:
• Data centre access
• E-commerce transactions
• Critical system access

Promotion of biometrics ethics:
• Ethics standards for biometric use by NISG (National Institute for Smart Government)
• Incorporate biometric data as personal information in the rules framed under the IT (Amendment) Act, 2008
• Awareness campaign for users, vendors, organizations and policy makers

Page 19

Thank You

Kamlesh Bajaj, CEO, DSCI

[email protected]