National Association of Software and Service Companies (NASSCOM) is the premier global trade body and the chamber of commerce of the IT software and services industry in India. Its 1050 member companies are in the business of software development, software services, software products and IT-enabled/BPO services. Mr. Sunil Mehta, Vice President, NASSCOM, responded to a few questions raised by Radheika Mittal concerning BPO data security and the future of this budding industry.
1) What is the current scenario of Internet security in Indian BPOs, especially in view of some of the recent information leaks like the case of Mphasis?
Indian companies are known for their quality deliverables. International certifications like ISO 9000 went a long way in establishing this reputation. Likewise, following international standards in information security will also help companies build credibility in the minds of their customers. Currently, the information security environment in India is as follows:
Indian companies have robust security practices comparable to those followed by western companies. Indian companies primarily comply with BS 7799, a global standard that covers all domains of security.
Companies sign Service Level Agreements (SLAs), which have very strict confidentiality and security clauses built into them at the network and data level. Such SLAs also cover all relevant laws that the companies want their offshore providers to comply with, and the actions that can be taken in case of breaches.
Laws such as the IT Act 2000, the Indian Copyright Act, the Indian Penal Code Act and the Indian Contract Act, 1972 provide adequate safeguards to companies offshoring work from the US and UK.
Most of the BPO companies providing services to UK clients ensure compliance with the UK Data Protection Act 1998 (DPA) through contractual agreements.
Companies dealing with US clients require compliance depending upon the industry served, e.g. healthcare requires compliance with HIPAA, and financial services require compliance with GLBA.
Many companies in India are undergoing/have undergone an SAS 70 audit. SAS 70 assignments help service companies operating from India to implement and improve internal controls and ensure minimal disruption to business from clients' auditors.
NASSCOM has been working closely with the ITES BPO industry to create an information security culture within these segments. Indian companies have raised their quality standards in recent years to meet international demands.
2) How is the Internet security vis-a-vis other countries like China, the Philippines, Malaysia, etc., who are also a threat to the Indian outsourcing industry?
NASSCOM has not conducted any research on this, but here are a few links, which you may want to independently evaluate and draw conclusions from.
However, as per some independent studies:
The total number of records containing sensitive personal information involved in security breaches in the US since February 2005 is 93,679,867.
2006 disclosures of data incidents in the USA: at least 148 incidents have been disclosed, potentially affecting nearly 9.3 million individuals.
Information Security Breaches Survey 2006, managed by PricewaterhouseCoopers on behalf of the UK Department of Trade and Industry (DTI): this survey of UK businesses, carried out every two years, is the UK's leading source of information on security incidents suffered by businesses, both large and small.
3) What is the kind of additional security needed for high-end outsourcing undertaken by BPOs, especially in the finance sector? What is the road that needs to be covered from here for India to be considered a safe outsourcing destination?
NASSCOM and its member companies are strong upholders of data privacy and have been continuously strengthening both the legal and enforcement framework for data protection.
The problem of data security is not unique to any single nation; it is one that can affect any country, and each of us has a responsibility to take on the criminals. India has a strong legal system and, with its independent judiciary, is a country that takes this responsibility extremely seriously. We have seen a few cases in the past year where almost all the accused have been arrested within 24-48 hours of the crime being reported.
We are also conscious that there is no cent percent proofing that we can enable for the industry and hence we are aware and determined to raise standards even further.
As of today, the Indian IT industry, under the auspices of NASSCOM, is:
1. Working with the government to introduce amendments to the Indian IT Act that will make life even more difficult for criminals.
2. Training and supporting Indian law enforcement agencies to ensure that they are well equipped to tackle cyber crime.
3. Creating a register of IT professionals to ensure that only suitable staff are employed in the industry.
The Indian IT companies do not want to merely match worldwide standards in security. They want to set the highest standards.