
Point/Counterpoint: Outsourcing to India - Secure or Not Secure?

It was with great coincidental irony that I read two stories back-to-back today discussing whether or not outsourcing business processes to India was or was not secure.  One was a personal opinion article, and the other was based upon a study.  Both are good to consider, and make some serious points.

The Financial Express story claimed, "Security concerns unwarranted."  The Daily Telegraph reported, "Secrets for Sale."

So...does this point to these stories as ad hominem arguments, or do they each make some truly valid points? 

With that question in mind I was taken back in time (imagine retrospective music now playing...perhaps Carly Simon...or Five for Fighting...) to when I was but a wee, very young toddler...and the 60 Minutes segments, Point/Counterpoint, were on each Sunday with James Kilpatrick and Shana Alexander...which of course then brought to mind Saturday Night Live's take on it with Dan Aykroyd and Jane Curtin spoofing the roles...which was hilarious!  Yes, I should not have been staying up that late when I was but a wee, very young toddler, but usually no one realized I was up watching from the depths of the dark hall in the back of the living room... :)

I wonder; how would these stories work by intertwining the reports?  Hmmm...Let's give it a try...

The part of Dan will be played by the Financial Express story that all outsourcing to India is secure; the Jane part will be played by the Daily Telegraph story about widespread fraud with outsourced organizations in India.  Let's see how this works with actual excerpts from the reports...

Dan (Financial Express):  "...complex outsourcing businesses have moved to technical support centres located in countries such as Mexico, China, South Africa and India."

Jane (Daily Telegraph): "ANZ employs hundreds of workers in Indian call centres and NAB is also looking to shift 160 data processing jobs for India."

Dan (Financial Express):  "The Indian ITeS-BPO industry has also become the favourite hunting ground for the Western tabloid press. These publications have started conducting ‘sting’ operations to investigate and highlight the ‘rot’ in the Indian BPO companies. In an already tense situation, these press articles often paint the entire Indian ITeS-BPO industry with the same brush. The ground reality, however, is different. There have been isolated instances of breach of privacy by some individuals. Once detected, both the companies and the Indian authorities have acted swiftly and promptly to investigate and prosecute the concerned individuals."

Jane (Daily Telegraph): "CALL centre fraud is flourishing in India with confidential details of bank and mobile phone customers readily available for sale."

Dan (Financial Express): "Indian BPO companies as well as trade bodies such as NASSCOM and CII have also put their weight behind industry-wide initiatives to strengthen the screening of employees, monitor and report adherence to accepted worldwide security best practices and lobby with the Indian government to amend and update the Indian IT Act."

Jane (Daily Telegraph): "The Dispatches documentary The Data Theft Scandal claims the fraud is widespread and exists in major Indian cities including Calcutta, Delhi, Hyderabad and Bangalore."

Dan (Financial Express): "I believe that the security concerns are being blown a bit out of proportion, given the ‘high decibel’ visibility and hype surrounding the outsourcing industry, particular in India."

Jane (Daily Telegraph): "One former call centre worker told the Channel 4 program: "The potential for fraud was very, very high. "I mean, security where I worked was non-existent. It's really that easy to take anything you want out of the buildings." A middleman admitted the information he was selling for $20 per set was obtained from an Indian call centre selling mobile phones - and boasted he could provide the records of 100,000 customers each month."

Dan Aykroyd (RH*): Jane, you ignor...oops...sorry; the SNL sketches became a bit too vivid...

Jane (Daily Telegraph): "One call centre consultant showed off the illegal data he was offering for sale from his laptop. His database of about 200,000 identities included some passport and licence details obtained from customers who bought mobile phones via an Indian call centre. Data protection lawyer Stewart Room said the program proved the fraud was systematic. "What I've seen here is the best evidence you could give me ... of wholesale disregard for fair and lawful practices in information processing,'' he said.  "You couldn't scare me more. This is as bad as it gets. This is evidence of serious criminal offences.""

Dan (Financial Express): "The government and industry in India have taken some important measures to address the issue of data security and the associated perceptions. These initiatives, if implemented in letter and spirit, would go a long way in promoting the Indian ITeS-BPO sector."

Jane (Daily Telegraph): "Another middleman offered details for as little as $12.50 per customer. He said the data was mined by agents posing as technical support staff, who carried the sensitive data away using computer memory sticks. One seller who feared he was being set up agreed call centre fraud was bad for India's economy because foreign companies might pull out and leave thousands unemployed."

Dan (RH): Jane, you ignorant, misguided sl*t! Once again, you missed the point entirely.  Why should...

Jane (RH): Thank you, Dan!  Hoping your news is good news. Good night, and have a pleasant tomorrow.
 

Thank you for indulging my attempted levity...I just finished working another 14-hour day, so I thought it would be good to lighten up a bit...ahh...I needed that!  :)

The outsourcing of business processes and the caretaking of sensitive data *IS* a huge risk to organizations, no matter to what country or to what other organization, and ensuring the security of that data entrusted to the outsourced entities is very important.  I spend much of my time researching and investigating the information security claims of my clients' business process outsourced vendors; such due diligence is not only a good idea in today's environment, but it is also important for showing due diligence, as well as required by various laws, regulations and contractual agreements.

* RH: Rebecca Herold


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books, dozens of articles, and has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.