I came across several items recently that (taken together) confirm my belief that the privacy breaches we have seen here in the US are just the tip of the iceberg. First, a UK news outlet did an undercover investigation of outsourcers in India, the IT Compliance Institute has a brief summary here. And a news story on the investigation is here.
The findings are pretty frightening- security is so lax at many of the call centers in India that a black market for identity data is apparently flourishing there. Companies affected
that are mentioned in the investigation include some large financials, Barclays and HSBC. Couple this with some findings in a CSO Magazine article that show Indian IT organizations lagging behind their US counterparts in adoption of every key security practice. The takeaway from this is that if you are an organization outsourcing business processes to India (or anywhere really), you need to carefully assess risks inherited from your service provider. You need to understand which of your service providers are storing sensitive data (EPHI, NPI) on your behalf, and what security controls they have in place. And if you are responsible for IT security and are not on top of this in your organization, you need to get on top the risk management for vendors situation quickly.
Jim
Jim Hietala, GSEC, GCFW and CISSP, is the principal of Compliance Research Group, providing research, analysis, and consulting services in the areas of compliance, risk management, and IT security. Jim has provided consulting services to organizations such as SANS, The Open Group Security Forum, Logical Security, and a number of IT security and compliance vendors. He is a frequent speaker at industry conferences, and he recently authored a comprehensive course on IT risk management. He participates in the SANS Analyst/Expert program, having written several whitepapers and participated in several webcasts for SANS. He has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, and others. He holds a B.S. in Marketing from Southern Illinois University. Editorial focus: Compliance, Risk Management, IT Security, IT-GRC software, HIPAA, GLBA, Privacy
Jim can be reached at: jim@compliancefocus.com
