Service Provider Assessment Framework

The IT (Amendment) Act, 2008 has established a strong data protection regime in the country by requiring body corporates to implement ‘reasonable security practices’ to protect ‘sensitive personal information’. What is ‘reasonable security’, though? An organization is expected to have a comprehensive information security program, with appropriate controls that are commensurate with its information assets and risk assessment. In the event of a security breach, it should be able to demonstrate that its practices were in conformance with its written security policy and that its controls were adequate. This is, however, not that easy, since enterprises outsource some of their work and must manage information risk across a vast global network of Service Providers. Outsourcing thus brings into focus the practices followed by Service Providers, and their accountability.


Service Providers are subjected to ongoing assessments and on-site audits, which are labor-intensive and costly for both sides. Likewise, Service Providers with hundreds of Clients distributed across various geographies must submit themselves to several audits by those Clients. Moreover, the multiple assessments are based on different frameworks, questionnaires and audit approaches – clearly they result in wasted effort and time and, of course, higher costs. Both Clients and Service Providers wish that third-party evaluations that are standards-based, or framework-based, may ease the assessment burden. But how do they view the implementation of a standard, or of best practices for security, and an assessment framework to validate that this has indeed made the organization secure? Again, the two groups will have different perspectives on this.


It is with this in view that DSCI partnered with Ernst & Young Pvt. Ltd. (EY) in this study, which required extensive knowledge and experience in the domain, to review the existing frameworks and think through the advantages of certification/ratings. A survey of Clients and Service Providers, based on an in-depth questionnaire, gives key pointers to the concerns of both groups and points towards a possible third-party ratings approach that may be useful and acceptable to both Clients and Service Providers.

  • Category: Survey and Study Reports

Testimonial

GE Capital speaks

"I would say DSCI is doing a great work of creating security awareness, data protection and getting all institutions together on the same platform to think as an industry together and realize power of WE to further protect and strengthen customers ..."

Mr. Saurabh Ganeriwala

CTO, GE Capital
