Companies depend on information to operate their business processes. Much of this information is stored and processed electronically, and is exchanged with business partners over computer networks, many of which are public.
The security of this information -- or data -- may be at risk owing to vulnerabilities, with potentially serious consequences to the business of a company or individual.
Data security covers the staff at a business process outsourcing (BPO) centre who handle the data, the systems put in place to guard against careless or criminal insiders, and the laws that make it an offence to steal or misuse data.
Because BPO involves job losses in the US and has become an emotive issue, the objection heard there is not so much that the networks extending to India are technically insecure but, in effect, 'God knows what those guys do with our tax and social security info; they won't even go to jail if they filch something'.
A key response is for the organisation to obtain certification of its information security management system, or ISMS.
Extensive guidance on the organisational aspects of risk assessment and control is given by the British Standards Institution's code of practice (BS 7799 Part 1, published internationally as ISO/IEC 17799); the certifiable specification is Part 2.
The certification is against BS 7799-2:2002. It is put forward as a way of addressing the "identity theft" concern around offshored finance and accounts processes before it becomes a problem.
BS 7799-2:2002 IN A NUTSHELL
The standard sets out requirements for information security management covering the initiation, documentation, implementation and maintenance of security; it is a specification an organisation is audited against, not merely a set of recommendations.
It is intended to provide a common basis for developing an organisation's own security processes and documenting them as security policy.
A certificate is normally valid for three years, subject to satisfactory maintenance of the system, which is checked during surveillance visits at least annually. Thereafter certificates are typically renewed for three years at a time.
How to get the certification:
State governments in the US are under pressure from opponents of offshoring to act against finance and accounts offshoring to countries like India, on the ground that such personal data is at risk because there is no law in India protecting it. BS 7799-2 sets out the requirements for an ISMS.
Arjun Avtar Sethi of consultancy A.T. Kearney says: "It takes only 2-3 incidents to spoil the BPO party in India. As finance and accounts outsourcing has raised a few eyebrows in the US, it is important that companies comply with BS 7799-2. In fact, a very small fraction of our major clients are actually BS 7799-2-certified. We do not say that this is the only solution. But it definitely provides a better chance to overcome the problem."
Finance and accounts outsourcing requires the customer to disclose details such as salaries, social security numbers and income tax returns.
As these details are passed to BPO operations located in India, some sections in the US have alleged that instances of "identity theft" in the US are actually originating in India, where there are no laws against it. As a result, the government of California has set up a committee to study the issue.
According to Sethi, BS 7799 covers each element of security, such as network security, data sanctity and the terms of data use (what you can and cannot do with the data). Most importantly, "it lays out clear guidelines to companies on deploying processes which ensure these," adds Sethi.
According to him, these security guidelines have to be incorporated under the Indian Penal Code. TransWorks, a leading call centre controlled by the Aditya Birla Group, is already ISO 17799 compliant; ISO/IEC 17799 is the international version of BS 7799 Part 1, the code of practice, whereas formal certification is against BS 7799 Part 2.
Says Prakash Gurbaxani, CEO, TransWorks, "When you work in a global environment, it is important that domestic laws comply globally. A client who outsources must enjoy protection of information in a foreign location, just as he enjoys such a measure in a domestic environment. Data security is just one part of the story. The comfort level with the company, which takes up the actual outsourcing job is also important. Protection of IP, privacy, confidentiality etc., must comply globally.
"If domestic laws are not stringent enough, then companies must have the necessary processes as substitutes."
A.T. Kearney is conducting a benchmarking survey to make companies aware of the importance of BS 7799 and of information protection in general. "Most of the companies with whom we have initiated discussions believe that this is vital," adds Sethi.
According to S Nagarajan, co-founder, 24/7 Customer, "Proactive compliance with standards such as BS 7799, which protects 127 data points across the entity, is normally asked for by financial services companies.
"Stringent data protection and security audits are conducted by clients who outsource processes that contain confidential data such as social security number, credit card number, etc. These audits are done before the start of the engagement and also during the course of the engagement. They are very thorough and the customer audit team has to be satisfied on compliance."
"In the better interest of the industry we think it is essential that any company dealing with sensitive data comply with security standards," says Nagarajan.