dsci rise presentation - final - 24sept09_kamlesh bajaj

Post on 10-Apr-2018


  • 8/8/2019 DSCI RISE Presentation - Final - 24Sept09_Kamlesh Bajaj

    Slide 1/19

    A NASSCOM Initiative

    DSCI and Data Protection

    Kamlesh Bajaj

    RISE Seminar on Biometrics & Ethics

    Delhi, 24th Sep, 2009

  • Slide 2/19: Agenda

    Data Protection

    Compliance regulations

    Privacy Perception in India

    Data Protection u/s 43A amended IT Act, 2008

    Outsourcing - a real risk, but manageable

    Best Practices Framework for Data Protection

    DSCI as SRO

  • Slide 3/19

    [Figure: Data Security - Forrester Survey, Q3-2008, Europe]

    [Figure labels: DSCI SRO; DSCI Program; DSCI Chapters; DSCI Services]

  • Slide 4/19: Privacy regulations

  • Slide 5/19: Privacy Perceptions in India - Changing Landscape

    Fast climbing individualism ladder

    New emerging segment 25-35 years

    Transformation from Joint to Nuclear family structure

    Emergence of personalized services

    Quantum jump in the use of technological solutions for delivery of financial services

    Phenomenal increase in the number of credit cards issued by the banks

    Increasing e-Commerce applications & emergence of m-Commerce

    Huge investment in e-Governance projects

    Travel, Airline & Hospitality industry goes online

    Adoption of Web 2.0 services, social networking

    Expansion of telecom & mobile connectivity

    Annoyance over telemarketing calls and messages

    Increased awareness of personal information being collected

    Rising concerns over computer and internet security

    Increased exposure of IT/ITES industry to global data protection regulations

    Media coverage of national & international data breaches

    Leading to issues like

  • Slide 6/19: How Compliance Authorities are responding?

    Do Not Call Registry

    The LICENSEE condition to take necessary steps to safeguard the privacy and confidentiality of any information about a third party & its business to whom it provides the SERVICE

    Ethical Guidelines for Biomedical Research, by Indian Council of Medical Research, 2000

    Identity & records of the human subjects of research or experiment are, as far as possible, kept confidential;

    No details about identity of said human subjects are disclosed without valid scientific and legal reasons, without the specific consent in writing of the human subject concerned

    The Telecom Unsolicited Commercial Communication (UCC) Regulations, 2007, by TRAI

    Banks/NBFCs/their agents should not resort to invasion of privacy, viz., reveal any information relating to customers, to any other person or organization without obtaining their specific consent

    Recognizes the purpose for which the information will be used, and the organizations with whom the information will be shared.

    Banks/NBFCs would be solely responsible for the correctness of information. In case of providing information relating to credit history / repayment, the bank/NBFC may explicitly bring to the notice of the customer.

    The staff of both the banks and their DSA/DMAs should be properly briefed and trained in privacy of customer information

    Reserve Bank of India, Master Circular, July 2007

  • Slide 7/19: IT (Amendment) Act, 2008 - Sections 43A and 72A

    Section 43 modified: The existing Act provides for penalty for damage to computers, computer systems under the title Penalty and Adjudication in section 43 that is widely interpreted as a clause to provide data protection in the country. This section has been improved to include stealing of computer source code for which compensation can be claimed. (Computer source has been defined)

    New Section 43A: Data protection has now been made more explicit through insertion of a new clause 43A that provides for compensation to an aggrieved person whose personal data including sensitive personal data may be compromised by a company, during the time it was under processing with the company, for failure to protect such data whether because of negligence in implementing or maintaining reasonable security practices

    Penalty for breach of confidentiality and privacy: 72A - punishment for disclosure of information in breach of a lawful contract is prescribed

    Improvement to include stealing of computer source code

    Data Protection - explicit new clause 43A - Compensation to an aggrieved person whose personal data including sensitive personal data may be compromised by a company

    Compromised because of negligence in implementing or maintaining reasonable security practices

    72A - Punishment for disclosure of information in breach of a lawful contract

    Disclosure without the consent of the subject person will constitute a breach

  • Slide 8/19: Outsourcing offshore is a real risk, but manageable

    Use of best practices and standards for managing security

    Control Principles - Scenario based control selection, security requirement translations into controls

    Security controls - Employee Background check, Hardened desktop - SOE, Secured communication channels, Infrastructure security - Layered defense, Physical security, Logical access control, Data Security, Security Officers, DR/BCP

    Establishment of Assurance mechanisms - Security coordination, Risk Management framework, Security Processes, Security Assessment, Security monitoring & reporting and Incident Management

    Dedicated standards for building and operating outsourcing locations - Outsourced Delivery Centres [ODC]

    Compliance support processes - Active compliance support, compliance reporting

    Outsourcing Objective: Low-cost resources; Quality & diversity; Scale up & expanding; Consistent data security; Security at affordable cost

    Self-Regulation: Establishment of rules & standards; Promote ethics, quality and best practices; Adoption of best global practices; Independent Oversight; Focused Mission; Enforcement Mechanism

    DSCI - Data Security & Privacy protection; Secure Outsourcing operations; Privacy for customer confidence

  • Slide 9/19: Security Best Practices and Tactical Steps

    As an increasing number of organizations take the decision to send more and more mission critical work offshore, security best practices and following some tactical steps may help to address security issues in global sourcing

    Gartner's Outsourcing & IT Services Summit, 2007

  • Slide 10/19: IT Act (Amendment) 2008 - Sections 43A and 72A

    The need for data protection was reinforced with the notification of the IT (Amendment) Act, 2008

    Service providers in India will be required to implement reasonable security practices to prevent unauthorized access to personal data of customers being processed by them

    [Figure labels: DSCI Security Framework; DSCI Privacy Framework; DSCI Security Practices; DSCI Privacy Practices]

  • Slide 11/19: Approach towards CAP

  • Slide 12/19: DSCI Privacy Principles

    #   Principle                     Applicability: Data Controller / Data Processor (or Service Provider)
    1   Preventing Data Misuse
    2   Notice
    3   Choice and Consent
    4   Collection Limitation
    5   Accuracy
    6   Use and Retention
    7   Access and Correction *
    8   Disclosure to third parties
    9   Security
    10  Monitoring and Enforcement
    11  Regulatory Compliance
    12  Accountability

  • Slide 13/19: DSCI - Data Protection Practices

    [Figure: DSCI Security Framework and DSCI Security Practices; DSCI Privacy Framework and DSCI Privacy Practices]

    DSCI Security Framework (DSF): 16 Best Practice areas; Based on ISO 27001; Draws upon the tactical recommendations; Takes note of new approaches, technology and tactical mechanisms evolved

    DSCI Privacy Framework (DPF): 9 Best Practices and 12 Privacy Principles; Privacy Policy Guidelines; Privacy Impact Assessment

  • Slide 14/19: DSCI Security Framework (DSF)

    Practice areas are grouped as: Security Strategy; Technical Security; Security Processes, Monitoring & Testing; Physical & Personnel, Third Party Security; Data Security

    SSP - Security Strategy & Policy
    SEO - Security Organization
    ASM - Asset Management
    GRC - Governance, Risk & Compliance
    INS - Infrastructure Security
    APS - Application Security
    SCM - Security Content Management
    TVM - Threat & Vulnerability Management
    UAP - User, Access & Privilege Management
    BDM - Business Continuity & Disaster Management
    SAT - Security Audit & Testing
    MIM - Monitoring & Incident Management
    PEN - Physical & Environment Security
    TSM - Third Party Security Management
    PES - Personnel Security
    DSC - Data Security

  • Slide 15/19: DSCI Privacy Framework (DPF)

    Practice areas are grouped as: Privacy Strategy & Processes; Privacy Access Controls, Monitoring & Training; Personal Information Security

    VPI - Visibility Over Personal Information
    POR - Privacy Organization & Relations
    PPP - Privacy Policy & Processes
    RCI - Regulatory Compliance Intelligence
    PCM - Privacy Contract Management
    PIM - Privacy Incident Management
    IUA - Information Usage & Access
    PAT - Privacy Awareness & Training
    PIS - Personal Information Security

  • Slide 16/19: DSCI Stakeholders

    Board of Directors: NASSCOM representation; Independent directors; Eminent Academics

    IT/ITES Industry: All NASSCOM members

    Steering Committee: Senior security & privacy professionals; IT/ITES, BFSI companies; Client companies, Captive BPOs, MNC, Foreign Banks

    Working Groups: Education; Contract guidelines; Surveys; Business Model; Physical Security & BCM

    Sub working groups: Content vetting

    DSCI Chapters: Bangalore, Delhi, Mumbai, Pune, Kolkata, Hyderabad, Chandigarh; will connect to 300 to 500 security professionals from industry

    Legal & Regulatory Authorities: Data Protection Auth.; EC; FTC

    Client: Big ticket outsourcers

    Security Professionals: Independent security professionals

    Government of India: CERT-In; DIT

    Other Industry: Banks, Financial Institutions, Telecom

  • Slide 17/19: DSCI SRO Framework

    [Figure: DSCI SRO framework diagram]

    Diagram labels: Auditor; IT & BPO Companies; Self checks; DSCI Certification / Ratings; Awareness Creation - Data Security, Data Privacy - IT/BPO Companies, Law Enforcement; DSCI - Education, Training, Surveys, Guidelines for Contracts, Standards / Best Practices; Feedback; Complaints; Dispute Resolution; Escalation to Govt. of India; Clients; Ongoing basis

  • Slide 18/19: Use of Biometrics

    E-Governance Roadmap - $6 Billion investment

    Total projects - 26 mission mode + 6 support

    Biometric Passports in India by 2010

    Biometric PAN card using iris scan

    Planning use of Biometric card for beneficiaries of NREG, SSP

    Integrated Prisons Management Systems

    Health Management Information Systems [HMIS]

    Private Organizations: Data Center Access; Ecommerce transactions; Critical system access

    Promotion of Biometrics ethics

    Ethics standards for biometric use by NISG (National Institute of Smart Governance)

    Incorporate biometric data as personal information in the rules for the IT Act (Amendment) 2008

    Awareness campaign for users, vendors, organizations and policy makers

  • Slide 19/19

    Thank You

    Kamlesh Bajaj

    CEO, DSCI

    [email protected]