I came across several items recently that, taken together, confirm my belief that the privacy breaches we have seen here in the US are just the tip of the iceberg. First, a UK news outlet did an undercover investigation of outsourcers in India; the IT Compliance Institute has a brief summary here, and a news story on the investigation is here.
The findings are pretty frightening: security is so lax at many of the call centers in India that a black market for identity data is apparently flourishing there. Companies mentioned in the investigation as affected include some large financial institutions, Barclays and HSBC. Couple this with findings in a CSO Magazine article showing Indian IT organizations lagging behind their US counterparts in adoption of every key security practice. The takeaway is that if you are an organization outsourcing business processes to India (or anywhere, really), you need to carefully assess the risks you inherit from your service providers. You need to understand which of your service providers store sensitive data (EPHI, NPI) on your behalf, and what security controls they have in place. And if you are responsible for IT security and are not on top of this in your organization, you need to get on top of vendor risk management quickly.
Jim
Jim Hietala, CISSP, GSEC, is Research Director and a principal of Compliance Research Group, providing research, analysis, and consulting services in the areas of compliance, risk management, and IT security. He is also the Vice President, Security for The Open Group, where he manages all security and risk management programs and standards activities.
Jim has provided research and consulting services to organizations such as SANS, The Open Group, and a number of IT security and compliance vendors. He is a frequent speaker at industry conferences, and he recently authored a comprehensive course on IT risk management. He participates in the SANS Analyst/Expert program, having written several research whitepapers and participated in several webcasts for SANS. He has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.
An industry veteran, he has held leadership roles at ControlPath, Avail Networks, Alternative Technologies, eSoft, Qwest, Concentric Network, and Digital Pathways. He developed and launched the industry’s first remote access VPN service (Concentric RemoteLink) and encrypting ISDN router (at Network Express), and launched a compliance and risk management software start-up in the IT-GRC market.
He holds a B.S. in Marketing from Southern Illinois University.
Blog: www.compliancefocus.com
Twitter: http://twitter.com/jim_hietala
LinkedIn: http://www.linkedin.com/in/jimhietala
Blogging focus: Compliance, Risk Management, IT Security, IT-GRC software, HIPAA, GLBA, Privacy
Jim can be reached at: jim@compliancefocus.com