WIXLIB

Data Protection Practices ofIndian IT/ITES industryNASSCOM-DSCI-KPMG Survey2008

About the surveyNASSCOM, and DSCI have conducted this survey on DataProtection practices of IT/ITES industry through KPMG. A total 42companies were selected, with a mix of A, B and C categories ofcompanies. Category A companies are those, which have aturnover of more than Rs. 1000 crores; Category B have aturnover that is between Rs. 500 and 1000 crores whereasCategory C companies are those that have a turnover of lessthan Rs. 500 crores. Selection of companies was done with aview to have equitable representation of IT and ITES companiesas also of the categories. Out of 42, Category A companies are13, Category B are 10 where as Category C companies are 19.The survey was designed to elicit response from topmanagement in the form of IT and/or Security leadership, andalso from security operations of the company. Two separatequestionnaires were designed to capture the response from thetwo levels. The process of information gathering at a companywas completed with an interview of IT or Security leadership suchas CIO, CTO and CSO.This survey provides a glimpse into the practices followed by theindustry for protecting data while servicing their global clients. Itunveils key information on maturity of security practices followedby the industry, the gaps that exist, and the roadmap for industryto enhance its trustworthiness. The pointers will be of great helpto DSCI in its endeavor for establishing itself as a self-regulatoryorganization for data protection.ByDr. Kamlesh BajajChief Executive Officer, DSCI5

Executive SummaryWe at KPMG are pleased to be associated with DSCI forconducting this survey on current information security and dataprivacy practices being followed across a cross-section ofIT/ITES companies operating in India.Information security practices in India are at a point of inflexionwith respect to organization maturity. Our survey indicates thatinformation security is no longer a function working out of the ITteam but is now a board level concern. All respondents feel thatinformation security is critical at the very least.Two thirds of the companies surveyed agree that informationsecurity is a business enabler and all companies surveyed hadaligned their security policy to leading information securitystandards.Data privacy is an area where companies are now increasingfocus. Our survey indicates that some companies aredifferentiating between “confidential” and “personal” information.People as expected remain a challenge both in terms ofavailability of skilled personnel and acceptance of securitypolicies.We feel that companies should look at adopting secure SDLCstandards, integrate their client specific BCP with enterprisewide BCP and build data privacy policy.Akhilesh TutejaExecutive Director KPMG7

Information Security –Management ThoughtsApproval of Security Policy85%15%CISOIndependent of the CISO FunctionEighty five percent of respondents state that the securitypolicy has been approved by an official other than the CISO.This demonstrates a strong segregation between policyformulation and implementation monitoring function. This alsohelps to eliminate any potential conflict of interest andindicates management commitment.Belief on Self Regulation83%17%LawAloneBelief in Self RegulationEighty three percent of the respondents believe thatenforcement of Information Security through legislation maynot lead to better controls implementation. The belief in selfregulation and its positive impact is very high.Monitoring of Security FunctionKPI Framework for Security Effectiveness100%All respondents have put in place a system to monitor theeffectivenesssurveyedof securityclaimedimplementation.showsa highAll companiesto haveThisdefinedkeydegree of managementon the securityfunction.performanceindicators forfocusInformationSecurity.8

Trend # 1BeforeTHOUGHTBeforeAt the risk of sounding Orwellian, we arecoining a new phrase “Beforethought,” todescribe the key trend we have observed asan outcome of the survey. To capture theessence of this phrase, one must think throughthe evolution of security in an outsourcingenvironment. From a reactive model, we haveseen security become more analytical and morepredictable. All companies surveyedunanimously state that a formal risk assessmentbased on a “what-can-go-wrong” kind of analysisleads security direction and policy making in theirorganizations.It is also interesting to observe that the IT/ITeSindustry wants to proactively address security,whereas only a limited number of respondentsfeel that legislation alone would help compliance.There is a balance between the companies,which want to be only self-regulated, and thosewhich feel a combination of legislation and selfregulation will help achieve compliance. There issignificant belief in self regulation 9

Information Security –Management ThoughtsRating for Information Security40%Top PrioritySecurity has the highest priorityall organizations. Fortypercent of the respondentsbelieve that security is top priorityand none of the respondentshave given it a rating ofimportant, average or low.Critical60% forImportantAverageLow45%Security OmbudsmanNoForty-fivepercentoftherespondents have a separatesecurity ombudsman for dealingwith security related issues. Thisshows management commitmenttowards security monitoring anddemonstrates that reporting isnot limited to policy making.Yes55%Role of Information Security45%A businessenabler55%10Necessity dueto competitivepressureForty-five percent companiesbelieve that Information Securityis important for getting business.A major part of the industry looksat it as a business enabler.

Trend # 2Evolving MODELSodels of security business case haveevolved over a period of time. From beingthe esoteric domain of a few hardcorespecialists, it has increasingly become a boardlevel issue. Security direction making, if not aglobal mandate as in the case of mostmultinational companies, has become thedomain of the chief executive, the InformationSecurity steering committee in the organization,or the CISO. All organizations felt that securityand privacy are either “Top Priority” or “Critical”on their list of to-dos with overcompanies rating securityas “Top Priority”.COMPETITIVEM40%ADVANTAGEReactive atBestThe Age ofInnocenceLearning toCopeGrowingPainsFrameworkEvolutionThe Age ofLearningCompetitiveBaselineThe MaturingOrganizationNow - A PRIMEMOVER11

Security SkillsSecurity training to employees100%Training ProvidedAll companies surveyed provide basic Information Security training to allemployees at the time of joining. These are mostly a part of inductionprograms and/or held by IT teams as a separate session.Certification for security teamNoneof the companies surveyed makes it mandatory for thesecurity team to be certified. The security team personnel are advised toobtain certifications with the cost being borne by companies. Mostcompanies have separate budget for training/certification.12

Trend # 3Right SKILLINGMajority of the companies surveyed do nothave a formalized or mandatoryrequirement for their security teampersonnel to obtain security relatedqualifications. However, most of them mentionthat they actively encourage their employees toobtain specialized certifications.While there is an abundance of people tomanage parts of the solutions andimplementations of Information Security, it isgetting increasingly difficult to hire personnel whohave overall understanding of security andgovernance.13

Personnel SecurityBackground checks performed93%7%YesNoNinety-three percent of companies perform background checks formajority of the employees. Most of the companies that do notperform background checks are in category C. Companies havestarted using the National Skills Registry to perform these checks.NDA and confidentiality agreements100%YesAll companies have made it mandatory for employees to signnon-disclosure agreements or confidentiality agreements aspart of their on-boarding processes.14

Trend # 4Putting PEOPLE FIRSTAn overwhelming majority of respondentsfeel that people remain the key challenge inthe Information Security environment of theirorganization. Attrition, different operatingenvironments across teams, all contribute to anever-ending challenge of increasing InformationSecurity awareness and incident response withinorganizations.While almost all organizations carry out basicbackground checks, require their employees tosign a confidentiality agreement, impart trainingon Information Security, perform a number ofactivities pertaining to awareness building, this isone area where a differentiated strategy can beused to increase awareness at an industry level,so that baselines are observed regardless of theorganization a particular employee works for.Companies feel that the National SkillsRegistry (NSR) is an important tool forbackground checks.15

Security GovernanceDefined security budget55%Yes45%NoFifty-five percent of all respondents said that they have aseparate security budget. In other cases, security budget is apart of IT and administrative budgets. Planning for IT spendingis ad-hoc in some instances.Formal security organization100%YesAll companies surveyed have a separate InformationSecurity team. However, in some cases the Technology are blurred.16

Trend # 5Right STRUCTURERespondents have unanimously endorsedand are actively following right-structuring ofthe Information Security function. Everyorganization has a Chief Information SecurityOffice (CISO) role supported by an InformationSecurity function, which has a structure andmandate approved by their executivemanagement. This function/role has the charterto manage the implementation of securityprocesses in compliance with enterprise securitypolicies. All organizations also have an internalaudit function to independently measurecompliance to organizational policies.55%of the organizations surveyedhave defined Information Security budgets. Theother organizations carve out budgets from eitherInformation Technology or administrativebudgets.17

Security ViewImplementation of SecurityMost organizations have security policies and processes thatcover various domains. The following seven domains haveemerged across all companies surveyed: Asset Management Secure Work Area Infrastructure Security Review CCTV Monitoring Anti-virus Change Management Physical Security controlsAll organizations have an implemented Information Securitypolicy that covers at a minimum the above seven domains.However, when it comes to trusting peers, 50% of therespondents don’t believe that peers have implementedsecurity procedures adequately.50%45%YesNo5%Can’tSayPeers have implemented securityBothNecessity due tocompetitive pressure40%36%24%Business enablerPerception of Security18Almost two-thirds of the companiessurveyedagreethatInformationSecurity works as a business enabler insome way.

Trend # 6Competitive VIEWSIt is interesting to note that almost half of theorganizations feel that their competitors whohave achieved Information Securitycertifications may not have robust InformationSecurity practices. The security function hasbecome a customer-facing entity, and acompetitive differentiator and this view couldprobably stem from the fact that each securityfunction tries to outperform the competitors.36%It is interesting to also note thatof the organizations feel that havingsuch certifications is more of a competitivenecessity than a business enabler.What comes out stronglyfrom these findings is that“it is more important toadopt the essence ofthese standards, ratherthan aim for thecertification alone.”19