Surveys and Studies
DSCI organizes surveys to understand the state of security preparedness of the industry. During the last two years DSCI conducted these surveys with the help of KPMG, with the active guidance of CERT-In.
The DSCI-KPMG survey aimed to assess the trends in the area of information security and data privacy in the Indian industry and to gain insights into how the Indian industry is addressing such concerns. The survey was conducted using a structured questionnaire, which was administered through mailers, telephonic and in-person meetings.
The objectives of the Information Security Questionnaire are to:
- assess the importance given to information security and data privacy in organizations operating in India.
- capture the leading practices and/or standards adopted towards information security and data privacy in organizations.
- identify the major sources of data leakage, compromising data privacy, in organizations within established verticals or as a whole.
- study the status of Information and Physical Security Convergence.
- assess data privacy trends and Information Technology Act awareness along with CERT-In interface.
DSCI-KPMG Survey 2010:
This survey was again conducted with the active guidance of CERT-In. It focuses on the following:
1. DSCI KPMG BPO Security and Privacy Survey 2010
As part of the survey, 50 organizations were surveyed with the following objectives:
- Positioning of Data Security and Privacy in the BPO Organizations – analyzing the CISO’s role and the tasks performed by the Security Organization
- Maturity and key characteristics of key security disciplines such as ‘Threat & Vulnerability Management’ and ‘Incident Management’ in the wake of rising data breaches globally
- Level of perceived risks in different Lines of services (e.g. Customer Interaction and Support, Payroll, Finance & Accounting, etc.)
- Managing risks arising from clients’ environments
- Mechanisms adopted for conducting employee background screening
- Strategic options adopted for Business Continuity and Disaster Recovery management
- Impact of IT (Amendment) Act, 2008 on the Industry
- Evolution of Physical Security and its integration with Data Security
Click here to download BPO Survey Report 2010.
2. DSCI KPMG Banking Security and Privacy Survey 2010
As part of this initiative, 20 banks were surveyed covering the following areas:
- Positioning of security and privacy in the banking organizations – analyzing the CISO’s role and the tasks performed by the security organization
- Transaction security, customer centric security and privacy, emerging threats, card security & payment gateway security
- Maturity and characteristics of key security disciplines such as ‘Threat & Vulnerability Management’, ‘Application Security’ and ‘Incident Management’ in the wake of rising cyber crimes
- Strategic options adopted by banks in Business Continuity and Disaster Recovery
- Impact of IT (Amendment) Act, 2008 on the Banking industry
- Evolution of Physical Security and its integration with Information Technology
Click here to download Banking Survey Report 2010.
3. DSCI Telecom Industry Security and Privacy Executive Briefing Report (presently underway)
DSCI-KPMG Survey 2009
The survey, ‘State of Data Security and Privacy in the Indian Industry’, covered around 150 organizations spread across different Indian industries, namely IT/BPO, Banks, Telecom, Public Sector, E-commerce, etc.
Click here to download Survey Report 2009.
DSCI has started a number of Study Reports that address some important issues of data protection. An Advisory Group was also constituted to review the objectives and the deliverables of this project. It comprises industry experts, whose guidance makes the results meaningful and useful for the industry. DSCI expects identifiable outcomes from these projects, which can be converted into best practices for use by the industry. Some of these reports were released during the Information Security Summit 2010.
1. Service Provider Assessment Frameworks
The Indian IT/BPO Service Providers are striving hard to ensure that the security and privacy of data is well maintained. They follow stringent security controls specified by the Clients through contractual obligations. The Clients conduct regular Information Security and Privacy assessments of the Service Providers to ensure compliance with the contractual obligations and/or regulatory requirements, or simply to assess the security posture of Service Providers. In this outsourcing ecosystem, many Clients have developed and applied their own proprietary assessment frameworks for evaluating their Service Providers. Service Providers, on the other hand, strain their resources to respond to diverse client information requests. This isolated approach proves to be an inefficient and costly affair, both for the Clients and the Service Providers. Inconsistencies arising from the use of different assessment methodologies cause delays, resulting in inefficient use of time and resources. Aggravating the problem is the unavailability of a generally accepted standard for Service Provider assessments. To overcome these issues and challenges, DSCI, as an industry initiative, seeks to establish a well-defined Service Provider Assessment Framework in order to have a common assessment approach that can be used to assess different Service Providers.
DSCI partnered with Ernst & Young in conducting this study. Through its survey, the study attempts to understand the perspective of Client and Service Provider organizations with respect to Service Provider assessments and takes their inputs to define a Service Provider Assessment Framework.
Click here to download Study Report on Service Provider Assessment Framework.
2. Reasonable Security Practices
The enactment and notification of the IT (Amendment) Act, 2008 [ITAA 2008] has significantly strengthened the data protection regime in India. Section 43A of ITAA 2008 mandates ‘body corporates’ to implement ‘reasonable security practices’ for protecting the ‘sensitive personal information’ of any individual, failing which they are liable to pay damages to the aggrieved person. The Indian Government is expected to come out with detailed rules and regulations under the Act that will explicitly define terms such as ‘reasonable security practices’ and ‘sensitive personal information’, amongst others. In doing so, it has been actively engaged with the IT/BPO industry, and this study on ‘reasonable security practices’ is part of the consultation process. Data Security Council of India (DSCI) partnered with Tata Consultancy Services Ltd. (TCS) in conducting a review of the data protection regulations in select countries with a view to understanding the definition of practices adopted by them, since invariably all the data protection laws talk about reasonable, adequate or appropriate practices. It is the rule that has to provide sufficient guidance to businesses on what is reasonable in a given context. This report attempts to present different approaches for defining ‘reasonable security practices’.
Click here to download Study Report on Reasonable Security Practices under IT (Amendment) Act, 2008.
3. Cloud Computing
Data Security and Privacy in Cloud Computing are engaging the attention of user organizations and Cloud service providers alike. Regulators, too, are not far behind. What are the security risks of Cloud Computing? How does one protect data against data leaks, intentional or unintentional? If a data breach does occur, who is liable? And how does one convince the regulators that a business does indeed conduct due diligence of a Cloud service provider in much the same way it would inside its own perimeter? These are some of the important security and compliance concerns confronting users and providers alike.
DSCI partnered with Wipro in carrying out this study to understand the Data Protection Challenges in Cloud Computing.
Click here to download Study Report on Data Protection Challenges in Cloud Computing.
5. Insider Threats
Security breaches and the compromise of sensitive information are very real concerns for any organisation today. Studies have shown that though the likelihood of an attack from insiders may be very low as compared to external threats, the magnitude of the impact is at least 10 times more than the total impact an external attacker can cause. This is because an insider attack is committed by people who know the organisation’s most sensitive secrets and vulnerabilities and have access to its systems. In most cases, breaches by insiders are committed by individuals who have no intention of doing anything wrong; then there are some who are motivated by greed, selfishness, or antagonism towards the management.
4. FAQs on Global Regulations: EU Directives, HIPAA, GLBA, UK DPA, IT (Amendment) Act, 2008
The IT (Amendment) Act, 2008 (ITAA 2008) has established a strong data protection regime in India. It addresses the industry’s concerns on data protection, and creates a more predictable legal environment for the growth of e-commerce that includes data protection and cyber crime measures, among others. Sensitive personal information of consumers, held in a digital environment, is required to be protected through reasonable security practices by the corporates. Additionally, ITAA 2008 makes it obligatory for them to protect data under lawful contracts by providing for penalties for breach of confidentiality and privacy. Privacy protection, a long-felt need of consumers in India and of clients overseas who are outsourcing their operations to Indian service providers, is now on a sound footing. It will go a long way in promoting trust in transborder data flows to India.