Studies have shown that security controls deployed by the BPM industry in India are much more stringent as compared to controls deployed even by their clients. The industry has to comply with various regulatory requirements across different geographies along with customer-specific requirements.
Security strategy and governance: While defining the security strategy, BPM companies are not only considering specific security requirements of clients but also international standards and regulatory requirements. The security strategy takes into account all components of the ecosystem including employees, third parties, business partners and suppliers. Organisations are also trying to integrate their security framework with the enterprise risk management (ERM) and business continuity management (BCM) framework in order to optimise the efforts and have an integrated framework for better sustenance. Most companies have ensured that their security strategy is aligned with business requirements. Organisations have taken various measures such as ensuring business representation during the formulation, review and feedback of the security strategy, which is derived from the business plan. Integrated framework comprising information security, enterprise risk management and business continuity are deployed to optimise the effort.
Compliance: The compliance function in this sector is a dedicated and separate function in the organisation. The scope of compliance revolves around legal and regulatory compliances, contractual compliances, policies and procedures, code of conduct, licences and ethics management. Some organisations have a dedicated compliance manager aligned to specific functions or process to oversee and manage compliance requirements. Compliance with ISO 27001 requirements is a basic norm followed across the industry. Knowledge management relating to compliance is done in a structured manner and compliance reports are published on a regular basis, with circulation amongst relevant stakeholders. Internal audits, metric collection and analysis, dashboard reviews and management reviews are undertaken using compliance and GRC tools to monitor the effectiveness and compliance status.
Awareness and culture: Awareness is the critical component of the security strategy. Various measures are implemented to create security awareness among stakeholders using both pull and push techniques. Such techniques include an induction programme for new joinees, e-learning modules, portal, mailers, screensavers, posters and focused discussion groups. KPI based assessment is also done for assessing the effectiveness of awareness programmes. Deserving candidates are rewarded. Various security contests and quizzes are organised where winners are announced to the entire organisation in order to create visibility
Security organisation: Most companies have drafted a layered security organisation model with clearly defined strategic, tactical and operational layers to operationalise the security strategy. Roles and responsibilities are clearly defined for all three layers and stakeholders from different functions are part of the security organisation. In most cases, the BCP, information security and the data privacy team make sure that the security organisation is aligned to business goals. Together they form part of a holistic risk and compliance team. Relevant information security certifications and external training are stressed upon and skill up-gradation programmes are carried out with proper monitoring mechanisms for the security team. Some of the organisations have gone further in setting up a centre of excellence to assist various business units for risk management. External participation with nodal agencies such as CERTIn and industry bodies such as NASSCOM, DSCI, etc forms an integral part of the security strategy for BPOs.
Data-centric initiatives: The information security programme of BPM companies mostly focuses on clearly identified and prioritised critical data in order to protect it with appropriate controls. Most organisations prefer having a data-centric security framework and methodology. Process owners are responsible for ensuring that information is classified as per the defined guidelines and deployed controls in the organisation. Companies have started deploying comprehensive privacy policies as per the various regulatory requirements such as the IT Act, DPA and HIPAA requirements. Conventional control mechanisms are placed such as restricted access to the work floor, physical assets, printing, internet and signing of confidentiality agreements.They have also deployed advanced technical controls such as masking of confidential data, deployment of DLP and DRM tools to reduce the risk associated with the breach and exposure of sensitive data. Encryption solutions have been deployed for mobile devices, production, non-production systems, external media and archival data. Some of these companies have defined comprehensive privacy principles based on the IT Act (Clause 43 A), DPA and HIPAA requirements.
Domain specific security initiatives: Most companies stress upon information security and data privacy across all projects. They prefer having a common approach framework for engagement executions, with a baseline of different international standards such as ISO 27001 and acts such as HIPAA. Client-specific requirements are implemented for particular functions and processes. These include compliance with PCI-DSS, DPA or any client-specific security requirements. Notable approaches deployed by some of these organisations include implementation of policy for mobile devices (for recording, storage and transmission), portable media declaration and encryption, aiding forensic investigation, shifting of users from role-based access to command-based access.
To know more about leading security practices across the industry, download the DSCI Report