Outsourcing is a growing reality in the business community. Critical customer information and data, along with a great deal of other specialized information, are shared as part of most outsourcing engagements. Clients and prospects are highly concerned about data security during the outsourcing initiative and during vendor evaluation, so providing a secure environment is extremely critical for a service provider.
Within a service provider’s organization, security should not be a closed-door function involving just the IT or the information security team. Security should be addressed as a top-down approach, combined with user awareness. Security should be recognized as a management initiative, and should involve broad based participation. The information security policy and implementation should cover information security, quality, audit and compliance, network security, physical security, personnel security, identity management, and business continuity/disaster recovery.
Some of the suggested methods to secure a global service delivery center are as follows:
Processes
- Well guided, defined policies and procedures, based on international standards
- Risk Assessment (RA) and Risk Treatment Plan (RTP) to identify, prioritize and mitigate risk at the organization level and at the client program level
- Reference checks and background checks for all employees. Employees should sign an NDA and an acceptable use policy
- Biometric identification and Access Control of all employees, visitors and contractors
- Documented Security Policy mandated for all the employees
- Periodic Audits - internal, client, and external to monitor compliance
- Certifications for Information Security that ensure compliance with security procedures through periodic external audits. The applicable certification may depend on the structure or location of the organization. Some currently applicable standards include BS 7799, US SAS 70 and ISO/IEC 27001:2005 certification
Information Technology & Software
- VLANs, internal and perimeter firewalls, intrusion detection and prevention systems, desktop and server hardening procedures, anti-virus, anti-spyware, a URL filtering server, anti-spam solutions and gateway anti-virus, patch management, etc.
- No Internet access to specific users
- Encryption of network links using 3DES, and server-based encryption directly from customer sites in the case of online service delivery platforms
- Smart cards for access control to the Network Operations Centre (NOC)
- Door access enforced through swipe cards, to prevent unauthorized access to strategic locations within the organization
Physical Security
On the physical side, ideally, each client program should have an exclusive operations area separated by access doors. Employees, contractors, vendors, guests and visitors should carry color-coded lanyards and ID cards, complemented by a CCTV surveillance system.
IT Audits and Incident Reporting
An organization aiming for a certification undergoes periodic audits, both internal and external. Surprise audits should be carried out to ensure adherence to policies and procedures. Customer comfort levels should be established through additional client audits.
Motif has been audited by Bureau Veritas Certification for ISO/IEC certification, accredited by UKAS, London. The ISO (International Organization for Standardization) cooperates closely with the International Electrotechnical Commission (IEC), which is responsible for the standardization of electrical equipment. ISO/IEC 27001:2005 sets out the requirements for defining, establishing, implementing, operating, reviewing, monitoring and improving a documented Information Security Management System (ISMS) within the context of an organization’s overall business risks. The standard is designed to ensure the selection of adequate and proportionate security controls that protect the information assets of clients.
An incident reporting module should be implemented on the company’s Intranet, allowing any employee to report a security incident online and the security team to act on it quickly. All instances of non-compliance, and all reports, should be documented and brought to management’s notice.
Towards user awareness
Organizations should think and act with security in mind, to ensure an information security cognizant environment from the ground up. A key challenge faced by most organizations is ensuring that ownership of information security rests in the right hands.
Coaching employees, third party contractors and vendors is the best method of protection against the misuse of sensitive information. Hence, the most important security tool is security awareness. To create a security conscious culture within the organization, frequent Information Security Awareness Programs for employees go a long way. These can be delivered through various methods such as security orientations, quizzes, posters, etc.
Bhavesh Patel
The author is the Senior Manager, Information Technology at Motif, Inc. (www.motifinc.com), a specialized BPO (Business Process Outsourcing) company providing back office transaction processing services that require decision making, and personalized customer support services, to Fortune 500 clients, with a five plus year track record of 100% client retention. Bhavesh has been with Motif for the last 3 years, during which he has set up and led successful Information Technology and Information Security infrastructure in multiple geographies, along with the related procedures and policies for the company. He has steered Motif’s recent upgrade from the BS 7799-2:2002 information security standard to ISO/IEC 27001:2005 IS certification.