Steadily, more and more enterprises are exploring the outsourcing strategy, primarily to increase profitability by cutting costs. However, this seemingly attractive strategy comes with certain inbuilt risks, which if not complemented with a mitigation strategy does create uncertainty for success in long run.
The key question that all organisations, especially the banking and insurance industry, face is: 'How will the secure information be guided tightly preventing any free flow, leading to any misuse?'
Information security raises concerns of:
- Internal misuse of information;
- Intellectual property right infringement;
- Regulatory compliance;
- Industrial espionage, and.
- IT security concerns of virus attack, etc.
One of the earliest matters of internal abuse came to light in 1995, where a system administrator at a bank in the United States hacked the bank's user-IDs and passwords to set up accounts with the leading banks involving transfer of millions of dollars.
In light of such frauds, the US came up with regulations -- Sarbanes-Oxley Act of 2002, Gramm Leach Bliley Act, US Patriot Act, Bank Secrecy Act, HIPAA, Computer Fraud and Abuse Act, Computer Security Act, etc -- to ensure safety.
Ensuring effective security methods require a combination of integrity, availability, and confidentiality along with a robust compliance framework and monitoring system. It needs consistent enforcement with reasonable oversight, awareness and continuous training on the part of the management.
Information security is a journey not a destination. Compliance policies and procedures are the foundation of effective information security posture.
You are as strong as your weakest link
The global sourcing model in a single process leverages the efficiencies across companies, geographies, and workforce to deliver the optimum results in cost and quality. With the increase in risks associated with the complexity of the delivery model - and the process involves giving access to vital IP assets -- security is a major concern.
The success of secure information dissemination within these units lies with the offshore management structure. The processes followed should be mature and well documented and should have strict adherence that can be verified through 'surprise audits.'
Leading outsourcing companies providing services to financial organisations are getting reviewed and audited by OCC and OTS (US federal agencies for regulation and supervision of banks). This is a major step to ensure that outsourced operations follow policies and procedures of clients and behave as an extended arm of the company's operations.
Information security is not so much an issue of technology as of governance. A comprehensive information security needs a complete solution involving governance, technology and people. It also requires defining a security behaviour in the company to establish confidence in security systems.
Governance will encompass:
- Top management's commitment;
- Security architecture and design with policy framework involving disaster recovery, business continuity, risk mitigation, business process workarounds;
- Clear business objectives with realistic expectations;
- Regular revision and training on active policies and procedures;
- Rigorous and regular auditing( physical and electronic) and monitoring process; and
- Appropriate back-ups with back-up facilities provision; Stringent standards for information storage and data disposal (electronic & physical).
Technology will encompass:
- Appropriate firewalls/access protocols/restrictions defined and implemented for controlling access to the network, workstations and other equipment;
- Application-specific network access security measures, encryption;
- Restricted Internet access and removable storage mediums like floppy, CD-ROM/ USB drives etc. disabled;
- Monitoring of system procedures and areas of risk, logging and reviewing events, clock synchronisation, event logging process;
- Screen savers with passwords, power on passwords to ensure boot protection; and
- Restricted access based entry/exit, compulsory logging all the entries, incessant supervision round the clock by security personnel using CCTV cameras.
- Frisking of Employees during entry/exit;
- Appropriate training to security policies and procedures;
- User authentication by means of a user ID and password;
- Compulsory reference and background checks for employees; and
- Dedicated resources approved by customers with non-disclosure and confidentiality agreement signed with each employee.
The threat to security can be internal or external. The risk of external threat can be mitigated by ensuring good systems and strict implementation of the security policy. Companies lay down procedure and norms and follow them through the induction of an employee.
But what if a person decides to commit an act of fraud? We have been seeing instances of such frauds which are not limited to just the outsourced service providers but happen within the company by the company's own trusted employees. Is honesty still the best policy?
Ultimately all operations are handled by humans and human values play a far greater part in day-to-day behaviour of an individual.
The governing mantra
'Swadharme nidhan shreya para dharmo bhayapaha.' The Bhagvad Gita says that it is better to die than give up ones own dharma. Perhaps we may have to go down to the roots of negative behaviour which lies in anger, greed, hatred, etc. Human values and beliefs are the basis of Hindu philosophy of dharma.
While pre-emptive security procedures and policies are essential to blunt security concerns, the litmus test of security deals with the integral part of an organization: the human factor.
How well we address this will ensure the key to the success of an organization, and the macroeconomic effects of such behaviour impacts the progress of the country as well.
The author manages marketing for iSeva Systems Ltd., a leading financial BPO company. The views expressed here are personal and not of the company she works with.