A NASSCOM® Initiative
DSCI and Data Protection
Kamlesh Bajaj
RISE Seminar on Biometrics & Ethics
Delhi, 24th Sep, 2009
Agenda
Data Protection
Compliance regulations
Privacy Perception in India
Data Protection u/s 43A amended IT Act, 2008
Outsourcing- a real risk, but manageable
Best Practices Framework for Data Protection
DSCI as SRO
Data Security – Forrester Survey, Q3-2008, Europe
• DSCI SRO
• DSCI Program
• DSCI Chapters
• DSCI Services
Privacy regulations
Privacy Perceptions in India - Changing Landscape
• Fast climbing individualism ladder
• New emerging segment – 25-35 years
• Transformation from joint to nuclear family structure
• Emergence of personalized services
• Quantum jump in the use of technological solutions for delivery of financial services
• Phenomenal increase in the number of credit cards issued by the banks
• Increasing e-Commerce applications & emergence of m-Commerce
• Huge investment in e-Governance projects
• Travel, airline & hospitality industry goes online
• Adoption of Web 2.0 services, social networking
• Expansion of telecom & mobile connectivity
• Annoyance over telemarketing calls and messages
• Increased awareness of personal information being collected
• Rising concerns over computer and internet security
• Increased exposure of IT/ITES industry to global data protection regulations
• Media coverage of national & international data breaches
Leading to issues like:
How Compliance Authorities are responding?

The Telecom Unsolicited Commercial Communication (UCC) Regulations, 2007, by TRAI
• Do Not Call Registry
• The LICENSEE condition to take necessary steps to safeguard the privacy and confidentiality of any information about a third party & its business to whom it provides the SERVICE

Ethical Guidelines for Biomedical Research, by Indian Council of Medical Research, 2000
• Identity & records of the human subjects of research or experiment are, as far as possible, kept confidential
• No details about identity of said human subjects are disclosed without valid scientific and legal reasons, without the specific consent in writing of the human subject concerned

Reserve Bank of India, Master Circular, July 2007
• Banks/NBFCs/their agents should not resort to invasion of privacy, viz., reveal any information relating to customers to any other person or organization without obtaining their specific consent
• Recognizes the purpose for which the information will be used, and the organizations with whom the information will be shared
• Banks/NBFCs would be solely responsible for the correctness of information; in case of providing information relating to credit history / repayment, the bank/NBFC may explicitly bring it to the notice of the customer
• The staff of both the banks and their DSA/DMAs should be properly briefed and trained in privacy of customer information
IT (Amendment) Act, 2008 - Sections 43A and 72A
• Section 43 modified: The existing Act provides for penalty for damage to computers and computer systems under the title 'Penalty and Adjudication' in section 43, which is widely interpreted as a clause to provide data protection in the country. This section has been "improved" to include stealing of "computer source code", for which compensation can be claimed. (Computer source code has been defined.)
• New Section 43A: Data protection has now been made more explicit through insertion of a new clause 43A that provides for "compensation to an aggrieved person whose personal data including sensitive personal data may be compromised by a company, during the time it was under processing with the company, for failure to protect such data whether because of negligence in implementing or maintaining reasonable security practices".
• Penalty for breach of confidentiality and privacy: Section 72A prescribes punishment for disclosure of information in breach of a lawful contract.

In summary:
• Improvement to include "stealing of computer source code"
• Data Protection: explicit new clause 43A - "compensation to an aggrieved person" whose personal data including "sensitive personal data" may be compromised by a company
• Compromised because of "negligence in implementing or maintaining reasonable security practices"
• 72A - punishment for "disclosure of information in breach of a lawful contract"
• "Disclosure without the consent" of the subject person "will constitute a breach"
Outsourcing offshore is a real risk, but manageable

Outsourcing objective: low-cost resources; quality & diversity; scale up & expanding; consistent data security; security at affordable cost.

Use of best practices and standards for managing security:
• Control principles - scenario based control selection, translation of security requirements into controls
• Security controls - employee background check, hardened desktop (SOE), secured communication channels, infrastructure security (layered defense), physical security, logical access control, data security, security officers, DR/BCP
• Establishment of assurance mechanisms - security coordination, risk management framework, security processes, security assessment, security monitoring & reporting, and incident management
• Dedicated standards for building and operating outsourcing locations - Outsourced Delivery Centres (ODC)
• Compliance support processes - active compliance support, compliance reporting

DSCI - Data Security & Privacy protection, secure outsourcing operations, privacy for customer confidence:
• Establishment of rules & standards
• Promote ethics, quality and best practices
• Self-regulation
• Adoption of best global practices
• Independent oversight
• Focused mission
• Enforcement mechanism
Security Best Practices and Tactical Steps
As an increasing number of organizations take the decision to send more and more mission critical work offshore, "Security best practices and following some tactical steps" may help to address security issues in global sourcing.
… Gartner's Outsourcing & IT Services Summit, 2007
IT Act (Amendment) 2008 - Sections 43A and 72A
The need for data protection was reinforced with the notification of the IT (Amendment) Act, 2008.
Service providers in India will be required to implement "reasonable security practices" to prevent unauthorized access to personal data of customers being processed by them.
DSCI Security Framework, supported by DSCI Security Practices
DSCI Privacy Framework, supported by DSCI Privacy Practices
Approach towards CAP

The Best Practice Framework (Security and Privacy) is built from:
• Mapping of compliance regulations, for example HIPAA Security Rule sections to framework controls:
  164.310(d)(2)(iv) Backup & storage → Back-Up
  164.310(d)(2)(i) Disposal → Physical Security
  164.312(a)(2)(i) User identification → Access Control
• Control identification, for example: Privilege Account Management, Access to personal information, Controls against mobile code, Reporting security events, Access Control
• Best practices and industry standards: ISO 27001, NIST SP800-53
• Global best practices and technology trends
• Privacy principles: OECD Principles, APEC Privacy Framework, EU Data Protection Directive
DSCI Privacy Principles
(Applicability of each principle is given for the Data Controller and for the Data Processor (or Service Provider).)
1. Preventing Data Misuse
2. Notice
3. Choice and Consent
4. Collection Limitation
5. Accuracy
6. Use and Retention
7. Access and Correction *
8. Disclosure to third parties
9. Security
10. Monitoring and Enforcement
11. Regulatory Compliance
12. Accountability
DSCI - Data Protection Practices

DSCI Security Framework (DSF©) and DSCI Security Practices:
• 16 best practice areas
• Based on ISO 27001
• Draws upon the tactical recommendations
• Takes note of new approaches, technology and tactical mechanisms evolved

DSCI Privacy Framework (DPF©) and DSCI Privacy Practices:
• 9 best practices and 12 privacy principles
• Privacy policy guidelines
• Privacy impact assessment

[Diagram: the 16 DSF practice areas (SSP, SEO, ASM, GRC, INS, APS, SCM, TVM, UAP, BDM, SAT, MIM, PEN, TSM, PES, DSC) and the 9 DPF practice areas (VPI, POR, PPP, RCI, PCM, PIM, IUA, PAT, PIS); the abbreviations are expanded on the following slides.]
DSCI Security Framework (DSF©)

Layers: Security Strategy; Technical Security; Security Processes, Monitoring & Testing; Physical & Personnel, Third Party Security; Data Security.

The 16 practice areas:
• SSP – Security Strategy & Policy
• SEO – Security Organization
• ASM – Asset Management
• GRC – Governance, Risk & Compliance
• INS – Infrastructure Security
• APS – Application Security
• SCM – Security Content Management
• TVM – Threat & Vulnerability Management
• UAP – User, Access & Privilege Management
• BDM – Business Continuity & Disaster Management
• SAT – Security Audit & Testing
• MIM – Monitoring & Incident Management
• PEN – Physical & Environment Security
• TSM – Third Party Security Management
• PES – Personnel Security
• DSC – Data Security
DSCI Privacy Framework (DPF©)

Layers: Privacy Strategy & Processes; Privacy Access Controls, Monitoring & Training; Personal Information Security.

The 9 practice areas:
• VPI – Visibility over Personal Information
• POR – Privacy Organization & Relations
• PPP – Privacy Policy & Processes
• RCI – Regulatory Compliance Intelligence
• PCM – Privacy Contract Management
• PIM – Privacy Incident Management
• IUA – Information Usage & Access
• PAT – Privacy Awareness & Training
• PIS – Personal Information Security
DSCI Stakeholders
• Board of Directors: NASSCOM representation; independent directors; eminent academics
• IT/ITES Industry: all NASSCOM members
• Steering Committee: senior security & privacy professionals; IT/ITES and BFSI companies; client companies, captive BPOs, MNCs, foreign banks
• Working Groups: education; contract guidelines; surveys; business model; physical security & BCM
• Sub working groups: content vetting
• DSCI Chapters: Bangalore, Delhi, Mumbai, Pune, Kolkata, Hyderabad, Chandigarh; will connect to 300 to 500 security professionals from industry
• Legal & Regulatory Authorities: Data Protection Authorities; EC; FTC
• Clients: big ticket outsourcers
• Security Professionals: independent security professionals
• Government of India: CERT-In; DIT
• Other Industry: banks, financial institutions, telecom
DSCI SRO Framework

[Diagram, elements as labelled: DSCI; IT & BPO Companies; Self Check; Auditor; DSCI Certification / Ratings; Awareness Creation (Data Security, Data Privacy) for IT/BPO Companies and Law Enforcement; Education, Training, Surveys, Guidelines for Contracts; Standards / Best Practices; Clients; Feedback; Complaints; Dispute Resolution; Escalation to Govt. of India; on an ongoing basis.]
Use of Biometrics

Government projects:
• Biometric passports in India by 2010
• Biometric PAN card using iris scan
• Planning use of biometric card for beneficiaries of NREG, SSP
• Integrated Prisons Management Systems
• Health Management Information Systems [HMIS]
• e-Governance Roadmap - $6 billion investment; total projects: 26 mission mode + 6 support

Private organizations:
• Data center access
• E-commerce transactions
• Critical system access

Promotion of biometrics ethics:
• Ethics standards for biometric use by NISG (National Institute of Smart Governance)
• Incorporate biometric data as personal information - rules for IT Act (Amendment) 2008
• Awareness campaign for users, vendors, organizations and policy makers