Financial Daily from THE HINDU group of publications
Monday, Jun 21, 2004



The give-away guys

Rukmini Priyadarshini

Besides ensuring network security, keep an eye out for breaches at the individual level, for instance a call centre agent sharing his password with a 'friend'.

THE Nasscom India ITES-BPO Strategy Summit 2004 in Bangalore recently witnessed some sage-speak on information security issues faced by Indian players and the strategies in dealing with them. eWorld offers a snapshot of the action.

Given the anti-outsourcing moves in a number of markets, Nasscom is understandably keen that there are no slip-ups by Indian industry that could fuel the anti-outsourcing sentiment in the US and EU. Information security issues are real and breaches can have serious repercussions, according to Kiran Karnik, President, Nasscom. "Such breaches will receive disproportionate media coverage and could harm the $3.6-billion ITES/BPO (IT-enabled services and business process outsourcing) industry," Karnik says.

Nasscom recently launched a 'Trusted Sourcing' initiative to retain India's position as the world's top offshoring destination and, as part of this, conducted a study on the information security environment in the country.

The results of the survey show that Indian companies do have robust security practices, whether self-initiated or as part of a contractual obligation, and that the number of 'incidents' is lower than or on a par with the outsourcing industry elsewhere, according to Karnik.

Security slips

But there are several weak spots in the security fabric that need immediate attention, several companies acknowledged at the Summit. While network security is pretty much taken care of, it is at the cultural and individual level that most of the weak spots exist. The Indian ITES/BPO industry needs to strengthen its information security blanket with a little network security, a tighter security culture, and a lot of common sense.

According to Ashish Gupta, COO and Country Head, e-Valueserve, which conducted the survey jointly with Nasscom, security breaches at the individual level could range from one call centre agent sharing his password with a 'friend' to a potential employee offering the recruiter a project report prepared for the client of a former employer as a reference for the quality of his work.

Information security best practices should be the starting point for information security, says Sanjiv Dalal, CTO, ICICI OneSource. I-One works with customers to develop threat models, clearly identifying activities or processes that could have the maximum impact on the client's business. By making business managers accountable at every stage, the company creates a model for management strategy that manages information assets. Dalal says raw data is brought in through an information funnel and the company invests in infrastructure to enforce and create granular controls. However, Dalal agrees that promoting awareness is a crucial part of the information security enforcement strategy and that security briefing for an employee is started right from the induction stage itself.

All in the industry are agreed that it is the rapid expansion in the industry that has left behind legislative and practice issues. These could cause an information security breach - one that Indian industry cannot afford.

Gupta says that the Nasscom eValueserve survey showed most Tier-I Indian companies with established, even pioneering, information security processes and practices, while a number of Tier-II companies still had a lot of catching up to do. For instance, Tier-I companies had dedicated security audit teams and performed annual or biannual security audits, unlike the Tier-II companies.

Background checks on potential employees are not very thorough, says Gupta whose study found that fudged resumes were higher by a factor of four among Indian ITES/BPO employees compared to their counterparts in the West.

The 4-E framework

Information security issues need to be addressed at the company, industry and government level, and Nasscom is pushing ahead with its 4-E framework: Engagement with clients, regulators and other companies; Education in the industry and of the workforce; Enactment of legislation that meets the international security climate; and Enforcement, by establishing a mechanism for ensuring compliance.

It is unfortunate that the typical understanding about infosecurity involves 'hard controls', says R. Muralidharan, Chief Security Officer, Transworks. "Many companies do not address the softer issues of handling information - even the simplest of tasks such as the waste disposal process and shredding are not incorporated in most organisations."

Companies must put in place control mechanisms as well as review procedures to enable information security.

PricewaterhouseCoopers, which conducted a survey together with CII, found that 83 per cent of Indian companies had security breaches during the last year and that about half of them did not know where the breach originated or its cause.

Jaideep Ganguli, Executive Director, PwC, says there is a need to focus on incident management, detection and reporting to enable a better information security culture in organisations. "Security must be integrated into normal business practice and compliance ensured."

"Visionary companies will not wait until clients start insisting on security compliance procedures," says Ganguli.

Senior decision-makers need to get involved in the company right now, if the Indian ITES/BPO industry is to retain its competitive advantage.

priya@thehindu.co.in


Copyright © 2004, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line