<?xml version="1.0" encoding="UTF-8"?>
<!-- generator="wordpress/2.2.1" -->
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	>

<channel>
	<title>Chaos to Compliance</title>
	<link>http://chaostocompliance.com</link>
	<description>Compliance and IT security observations</description>
	<pubDate>Tue, 17 Oct 2006 22:09:22 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.2.1</generator>
	<language>en</language>
			<item>
		<title>Outsourcing risks, security in India</title>
		<link>http://chaostocompliance.com/?p=1</link>
		<comments>http://chaostocompliance.com/?p=1#comments</comments>
		<pubDate>Sat, 09 Sep 2006 20:23:06 +0000</pubDate>
		<dc:creator>Jim</dc:creator>
		
		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://chaostocompliance.com/?p=1</guid>
		<description><![CDATA[I came across several items recently that (taken together) confirm my belief that the privacy breaches we have seen here in the US are just the tip of the iceberg. First, a UK news outlet did an undercover investigation of outsourcers in India; the IT Compliance Institute has a brief summary here. And a news [...]]]></description>
			<content:encoded><![CDATA[<p align="left">I came across several items recently that (taken together) confirm my belief that the privacy breaches we have seen here in the US are just the tip of the iceberg. First, a UK news outlet did an undercover investigation of outsourcers in India; the IT Compliance Institute has a brief summary <a href="http://www.itcinstitute.com/display.aspx?id=2436">here</a>. And a news story on the investigation is <a href="http://www.news.com.au/dailytelegraph/story/0,22049,20535618-5001021,00.html">here</a>.</p>
<p align="left">The findings are pretty frightening: security is so lax at many of the call centers in India that a black market for identity data is apparently flourishing there. Companies affected that are mentioned in the investigation include some large financials, Barclays and HSBC. Couple this with some findings in a <a href="http://www.csoonline.com/read/090106/fea_exec-3.html">CSO Magazine article</a> that show Indian IT organizations lagging behind their US counterparts in adoption of every key security practice.</p>
<p align="left">The takeaway from this is that if you are an organization outsourcing business processes to India (or anywhere really), you need to carefully assess risks inherited from your service provider. You need to understand which of your service providers are storing sensitive data (EPHI, NPI) on your behalf, and what security controls they have in place. And if you are responsible for IT security and are not on top of this in your organization, you need to get on top of the vendor risk management situation quickly.</p>
<p align="left">Jim</p>
]]></content:encoded>
			<wfw:commentRss>http://chaostocompliance.com/?feed=rss2&amp;p=1</wfw:commentRss>
		</item>
	</channel>
</rss>

