Service Provider Assessment Framework


Service Provider Assessment Framework: A Platform for Building Synergies between Clients and Service Providers for Trusted Global Sourcing

A Study Report

Data Security Council of India in collaboration with Ernst & Young
December 2010

Under the Cyber Security Awareness Program, Department of Information Technology, Government of India

About DSCI

Data Security Council of India (DSCI) is a section 25, not-for-profit company, set up by NASSCOM as an independent Self Regulatory Organization (SRO) to promote data protection, develop security and privacy codes & standards, and encourage the IT/BPO industry to implement the same.

For more information about DSCI or this report, please contact:
Data Security Council of India
Niryat Bhawan, 3rd Floor, Rao Tula Ram Marg, New Delhi, India
Phone:
Fax:

DSCI. All rights reserved.

Disclaimer

This document contains information that is Intellectual Property of DSCI. DSCI expressly disclaims, to the maximum limit permissible by law, all warranties, express or implied, including, but not limited to, implied warranties of merchantability, fitness for a particular purpose and non-infringement. DSCI disclaims responsibility for any loss, injury, liability or damage of any kind resulting from and arising out of use of this material/information or part thereof. Views expressed herein are views of DSCI and/or its respective authors and should not be construed as legal advice or legal opinion. Further, the general availability of information or part thereof does not intend to constitute legal advice or to create a Lawyer/Attorney-Client relationship, in any manner whatsoever.


Foreword

The IT (Amendment) Act, 2008 has established a strong data protection regime in the country, by requiring body corporates to implement reasonable security practices to protect sensitive personal information. What is reasonable security though? An organization is expected to have a comprehensive information security program, with appropriate controls that are commensurate with its information assets and risk assessment. In the event of a security breach, it should be able to demonstrate that its practices were in conformance with its written security policy, and that its controls were adequate. It is, however, not that easy, since enterprises are outsourcing some of their work, and they must manage information risk across a vast global network of Service Providers. Outsourcing thus brings into focus the practices followed by Service Providers, and their accountability.

Service Providers are subjected to ongoing assessments and on-site audits, which are labor-intensive and costly for both the sides. Likewise, Service Providers with hundreds of Clients distributed in various geographies must submit themselves to several audits by the Clients. Moreover, the multiple assessments are based on different frameworks, questionnaires and audit approaches; clearly they result in wasted effort and time, and, of course, higher costs. It is the wish of both, Clients and Service Providers, that third-party evaluations that are standards-based, or framework-based, may ease the assessment burden. But how do they view the implementation of a standard, or best practices for security, and an assessment framework to validate that this has indeed made the organization secure? Again, both of them will have a different perspective on this. Can enterprises take a methodical approach to assessing and managing the risks through frameworks like ISO 27001, BITS Shared Assessment Program, Moody's Vendor Information Risk ratings, Information Security Forum, COSO, NIST or COBIT? Will attestation of a Service Provider's practices necessarily be in the form of a third-party certification, or a maturity rating of its practices?

With DSCI best practices and data-centric methodology, we've rolled out a solution for adoption by Service Providers to make them secure. DSCI Security Framework (DSF) is based on a number of security principles that help make the security program of an organization dynamic, instead of a static checklist approach that relies on bulky documentation. We wanted to review the available assessment frameworks, to see how DSF could fit into them, and how rating of practices may give a sense of security to organizations, and also show them the direction for improvements. In short, it'll help realize an effective security program and a transparent assessment framework that may address the concerns of both Clients and Service Providers. In the process, reasonable security practices will get implemented.

It is with this in view that DSCI partnered with Ernst & Young Pvt. Ltd. (EY) in this study, which required extensive knowledge and experience in the domain, to review the existing frameworks and think through the advantages of certification/ratings. A survey of Clients and Service Providers, based on an in-depth questionnaire, gives key pointers to the concerns of both the groups, and points towards a possible third-party ratings approach that may be useful and acceptable to both, namely Clients and Service Providers.

I would like to acknowledge the great team effort of DSCI and EY in conducting this study, and creating a useful analysis. I hope this report will generate sufficient interest among Clients, Service Providers, and even governments and regulators that will help DSCI arrive at the right decisions in taking the next steps in certification/rating of Service Providers.

Kamlesh Bajaj
CEO, DSCI

The study team

Data Security Council of India
- Mr. Vinayak Godse, Director, Data Protection
- Mr. Vikram Asnani, Senior Consultant, Security Practices
- Mr. Rahul Jain, Senior Consultant, Security Practices

Ernst & Young Pvt. Ltd.
- Ms. Nity Singh, Manager, Advisory Services
- Mr. Taslimm Quraishi, Manager, Advisory Services
- Mr. Lalit Kalra, Consultant, Advisory Services

DSCI Project Advisory Group
- Prof. N. Balakrishnan, Chairman DSCI and Associate Director, Indian Institute of Science (IISc), Bangalore
- Mr. B.J. Srinath, Senior Director, Indian Computer Emergency Response Team (CERT-In)
- Prof. Anjali Kaushik, Management Development Institute, Gurgaon
- Mr. Akhilesh Tuteja, Executive Director, KPMG
- Mr. Kartik Shahani, Country Manager, India & SAARC, RSA
- Mr. Satish Das, CSO, Cognizant
- Mr. Baljinder Singh, Global Head of Technology, Information Security & Business Continuity, EXL Service (I) Pvt. Ltd.
- Mr. Vishal Salvi, CISO, HDFC Bank Pvt. Ltd.
- Mr. Ashwani Tikoo, CIO, Computer Sciences Corporation India Pvt. Ltd.
- Mr. PVS Murthy, Global Head, Information Risk Management Advisory, TCS
- Mr. Deepak Rout, CISO, Uninor
- Ms. Seema Bangera, DGM, Information Security, Intelenet Global

Executive summary

Businesses today are global, complex and fast evolving, and technology has made business transactions independent of space and time. This has enabled businesses to focus on their core competencies and outsource non-core business operations to Service Providers, who are capable of providing services to the businesses from around the world, round the clock. Information Security and Privacy become crucial when it comes to outsourcing, as technology enables free flow of information across borders between Clients and Service Providers. This information could be business sensitive information and/or sensitive personal information of the Clients' end customers, including but not limited to health related information, credit card details, social security numbers, etc. Also, stringent global data protection regulations make the businesses liable for loss, misuse or wrongful disclosure of any personal information of any citizen, irrespective of whether the failure is at the outsourcer's end or the Service Provider's end.

The Indian IT/BPO Service Providers are striving hard to ensure that security and privacy of data is well maintained. They follow stringent security controls specified by the Clients through contractual obligations. The Clients conduct regular Information Security and Privacy assessments of the Service Providers to ensure compliance with the contractual obligations and/or regulatory requirements, or simply to assess the security posture of Service Providers. In this outsourcing ecosystem, many Clients have developed and applied their own proprietary assessment frameworks for evaluating their Service Providers. Service Providers, on the other hand, strain their resources to respond to diverse client information requests. This isolated approach proves to be an inefficient and costly affair, both for the Clients and the Service Providers.

Inconsistencies arising from the use of different assessment methodologies cause delays, resulting in inefficient use of time and resources. Aggravating the problem is the unavailability of a generally accepted standard for Service Provider assessments. To overcome these issues and challenges, DSCI, as an industry initiative, seeks to establish a well defined Service Provider Assessment Framework in order to have a common assessment approach that can be used to assess different Service Providers. This study, especially through its survey, attempts to understand the perspective of Client and Service Provider organizations with respect to Service Provider assessments and takes inputs to define a Service Provider Assessment Framework.

The survey results reveal that:
- DSCI should play a vital role in conducting Service Provider assessments and sharing the outcome in the ecosystem. It should:
  - have a Service Provider assessment program that comprises a framework, processes, and methodology for assessments
  - provide an organization wide security and privacy maturity rating, and domain specific maturity ratings that may be shared in the ecosystem after taking the due permission of the Service Providers
- A new standard mapped to prevalent standards should be considered as a potential assessment standard for third party assessments of Service Providers
- DSCI, as an industry initiative and a Self Regulatory Organization having representation from both the Client and Service Provider organizations, should empanel auditing firms for conducting independent third party assessments of Service Providers

The study also focused on understanding various assessment models, which included the Malcolm Baldrige Framework, Capability Maturity Model Integration (CMMI), CRISIL Ratings, the BITS framework, the eSourcing Capability Model (eSCM), and Moody's assessment framework. The study of assessment models reveals that:
- The Service Provider Assessment Framework should be easy to comprehend and adaptable regardless of the size of the organization and the nature/complexity of its processes
- The framework assessment areas should be outlined in the form of best practices rather than a stringent set of controls. This would give organizations the opportunity to implement/perform the control activities according to the needs of their specific environment
- The framework should follow a process approach and outline measurable assessment areas
- It should be reviewed and updated (if required) on a periodic basis
- The maturity criteria should be transparent, and should help in assigning a formal maturity rating to a Service Provider

Overall, DSCI may develop a Service Provider Assessment Framework that is aligned to DSF Best Practices, the maturity criteria defined for each of its sixteen security disciplines, and the study results elucidated in this report, and make it popular in the ecosystem by performing pilot runs. The framework may follow a CMMI-like rating methodology, which assesses the security and privacy practices at both layers: capability/maturity of the business processes, and maturity of the organization.

Contents
- Introduction
- Survey Highlights
- Detailed Survey Results
  - Key drivers for Service Provider assessments
  - Scale of Service Provider assessments
  - Current assessment program/mechanism
  - Focus on Data Privacy in Service Provider assessments
  - Types of Service Provider assessments
  - Level of perceived risk: IT services
  - Level of perceived risk: BPO services
  - Risk profiling of Service Providers
  - Frequency of Service Provider assessments
  - Budget and cost for Service Provider assessments
  - Modes of Service Provider assessments
  - Service Provider assessment challenges
  - Service Provider assessments: solutions and future landscape
  - Influence of IT (Amendment) Act, 2008 on Service Provider assessments
  - Third party assessments
  - Third party assessors
  - Standards for Service Provider assessments
  - Role of DSCI in Service Provider assessments
  - Outcome of Service Provider assessments
  - Sharing of Service Provider assessment results
- Recommendations
- Annexure
- Glossary
- References

Introduction

Background

As buyers of Information Technology (IT) and Business Process Outsourcing (BPO) services become increasingly sophisticated and demanding, Service Providers are challenged to achieve new levels of efficiency, agility and transparency in service delivery and protection of information. Clients increasingly expect real evidence of robust process management, continuous improvement, effective governance, and measures adopted for ensuring Information Security and Privacy.

Objective

DSCI engaged EY to study the current landscape of Service Provider (IT/BPO organization) assessments conducted by Client organizations, and to assist in documenting the assessment approach that may be adopted in order to minimize the challenges of both Client and Service Provider organizations, with the intent of evaluating and reporting on the Information Security and Privacy posture of the Service Providers.

Approach

In order to achieve the project objectives, the joint study team undertook the following steps:

Primary research: A survey of Client and Service Provider organizations was undertaken to gain insight into current Service Provider assessment programs. The survey covered the following aspects:
- Business drivers for Client organizations to conduct Service Provider assessments
- The value that the various Service Provider assessments conducted by Client organizations bring to the Service Providers
- Investments made, and challenges faced, by the Service Provider and Client organizations in driving such assessments
- Possible solutions for overcoming the current challenges
- Role of DSCI and third parties in Service Provider assessments

Secondary research: A study was undertaken to document the pros and cons of prevalent assessment frameworks like Capability Maturity Model Integration (CMMI), the BITS shared assessment program, the Carnegie Mellon University eSourcing Capability Model (eSCM), etc. The list of assessment frameworks was drawn up on the basis of their widespread use and international recognition in performing assessments. The study areas included the following:
- Assessment areas / ease of use by the organization being assessed
- Assessment methodology / scoring pattern / process of sharing assessment results
- Acceptability / popularity of the framework
- Independence of examiners
- Frequency of framework updates to cater to future requirements

The team also studied the DSCI Security Framework (DSF) Best Practices and the maturity rating criteria for each of its sixteen disciplines to gather inputs (in addition to the inputs provided by primary and secondary research) for defining the Service Provider Assessment Framework.

Profile of participants

The survey respondents were a set of Client and Service Provider organizations. The respondents were mainly from the Information Technology (IT), Business Process Outsourcing (BPO), Telecommunications and Financial Services verticals. Correspondingly, the survey results have been divided into two perspectives, the Clients' perspective and the Service Providers' perspective, and may be read accordingly.

[Chart: Client organizations, industry-wise distribution. Sectors: Telecommunication, Banking, Technology, Financial Services. Shares shown: 9.00%, 37.00%, 36.00%, 18.00%.]

[Chart: Service Provider organizations, industry-wise distribution. Sectors: BPO, IT Services, KPO. Shares shown: 8.00%, 42.00%, 50.00%.]

The sample size selected for the survey was limited, and this should be taken into consideration when interpreting the survey results.

Client organizations, by size (number of respondents)
  More than $24 billion:             3
  $1 billion to $24 billion:         3
  $100 million to $249 million:      1
  Less than $100 million:            2
  (9 Client organizations in total)

Service Provider organizations, by size (number of respondents)
  $10 billion to $24 billion:        1
  $1 billion to $9 billion:          6
  $100 million to $249 million:      4
  Less than $100 million:            1
  (12 Service Providers in total)

Survey highlights

- Service Provider assessments are conducted by Client organizations in order to protect business sensitive information and mitigate security & privacy risks while outsourcing work to Indian IT/BPO companies. These assessments help Service Provider organizations align their security & privacy initiatives to their Clients' requirements and build on the existing relationship with the Clients
- Comprehensive risk based assessments covering all the domains of security are carried out annually by the majority of Client organizations. Vulnerability assessments and penetration testing continue to display strong acceptance (100%) by Client organizations in Service Provider assessment programs
- Most of the Service Provider organizations reported that an ISO controls checklist is used as a mechanism by their Clients for conducting assessments. On the other hand, Client organizations revealed that they have developed proprietary Service Provider assessment programs to conduct Service Provider assessments
- Provisions of the IT (Amendment) Act, 2008 (ITAA 2008) need to be appropriately incorporated in Client-Service Provider contracts
- A high number of assessments around the year is the most critical challenge faced by Service Providers at the time of assessments, followed by meeting diverse and varied assessments. For Clients, rising legal liabilities, regulatory requirements, the level of security awareness in the Service Providers, ensuring compliance by Service Providers, and Service Provider commitment to ensuring Information Security & Privacy are some of the critical challenges faced in assessing Service Providers
- Currently, Service Provider assessments are mainly conducted onsite by the Client's internal staff. The majority of Client organizations indicated that auditing firms empanelled by a joint industry consortium of outsourcers and Service Providers could act as third party assessors for conducting independent Service Provider assessments
- More than half of the Service Provider respondents suggested that DSCI should have a Service Provider assessment program that comprises a framework, processes and methodology for assessments
- Clients and Service Providers reveal that third parties should conduct Service Provider assessments based on a standardized assessment methodology. This would save costs and effort by avoiding the need for each Client to conduct assessments of multiple Service Providers
- Both Client and Service Provider respondents suggested a new standard mapped to ISO 27001, NIST SP, COBIT, ITIL etc., and meeting all regulatory requirements like GLBA, HIPAA, PCI DSS etc., as a potential assessment standard for third party assessments of Service Providers
- DSCI should provide an organization wide security and privacy maturity rating, and also domain specific maturity ratings

Detailed survey results

Key drivers for Service Provider assessments

The survey results reflect that the majority of Clients consider protecting business sensitive information and mitigating security & privacy risks as the critical business drivers for conducting Service Provider assessments. On the other hand, Service Providers report that Clients' corporate policy requirements, and achieving end customer confidence, are the main reasons that drive their Clients to conduct assessments.

Clients' perspective: business drivers for conducting Service Provider assessments (share of Client respondents)
- Protecting business sensitive information including intellectual property: 88.89%
- Mitigating security and privacy risks that exist in outsourcing arrangements: 88.89%
- Addressing the security and privacy concerns of some of the key stakeholders within our organization: 77.78%
- Achieving end customer confidence and preventing loss of reputation by mitigating risks of privacy/information leakage that may arise at the Service Provider end: 77.78%
- Strengthening of the data protection regime in the geographies where we operate, stipulating stringent requirements and heavy fines for a data breach: 55.55%
- Data protection regulations demand that our organization undertake regular assessments of third parties: 55.55%
- Our corporate policies require us to undertake a comprehensive vendor risk assessment: 44.44%
- Addressing security and privacy risks that arise from use of emerging technologies: 44.44%
- Using Service Provider assessments as a mechanism to foster a culture of compliance at all Service Providers and introduce a sense of competition among them with regard to fulfilment of their data security and data privacy needs: 33.33%

Service Provider assessment as a mechanism to foster a culture of compliance was selected by the fewest Clients (thirty-three percent), while the same response was selected by fifty percent of the Service Provider organizations as a reason for conducting assessments.

Service Providers' perspective: reasons that drive Clients to conduct Service Provider assessments (share of Service Provider respondents)
- Achieving end customer confidence and preventing loss of reputation by mitigating risks of privacy/information leakage that may arise at the Service Provider end: (value not captured in the transcription)
- Clients' corporate policies require them to undertake a comprehensive vendor risk assessment: 66.67%
- Mitigating security and privacy risks that exist in outsourcing arrangements: 58.33%
- Data protection regulations demand that the Client organization undertake regular assessments of third parties: 58.33%
- Strengthening of the data protection regime in the Client geographies that stipulate stringent requirements and heavy fines for a data breach: 50.00%
- Clients use Service Provider assessments as a mechanism to foster a culture of compliance at all their Service Providers and introduce a sense of competition among them with regard to fulfilment of their data security and data privacy needs: 50.00%
- Protecting business sensitive information including intellectual property: 41.67%
- Addressing the security and privacy concerns of some of the key stakeholders in the Client organization: 41.67%

Protecting business sensitive information and mitigating security and privacy risks are the major drivers for conducting Service Provider assessments.

Scale of Service Provider assessments

The survey results show that the number of Service Provider assessments is directly proportional to the number of Clients or Service Providers that an organization is engaged with. This is borne out by the fact that Clients working with 500 Service Providers conduct more than 100 Service Provider assessments annually, and those with 200 and 300 Service Providers conduct correspondingly fewer assessments. Likewise, Service Providers engaged with 800 Clients undergo the most assessments annually, followed by those with 700 and 600 Clients.

[Charts: Clients' perspective. Number of Service Providers the organization is engaged with (up to 600); number of Service Provider assessments conducted annually, by band. Only the 22.22% and 44.44% shares are legible; the band labels were not captured in the transcription.]

[Charts: Service Providers' perspective. Number of Clients serviced by the organization; number of Service Provider assessments faced annually, by band. Shares shown across the bands: 9.09%, 9.09%, 18.18%, 27.27%, 36.36%; the band labels were not captured in the transcription.]

Current assessment program/mechanism

Proprietary Service Provider assessments, followed by SAS 70 reports and ISO checklists, are the assessment programs/mechanisms most commonly adopted by Client organizations. On the other hand, more than ninety percent of Service Providers reported that their Clients use an ISO checklist for conducting assessments. This is closely followed by proprietary assessment programs and the assessment programs of Client appointed external auditors (sixty-seven percent each). The survey further revealed that the majority of Client organizations do not consider ISO certification an alternative to conducting Service Provider assessments. Interestingly, the survey also highlighted that the BITS Shared Assessment Program is not used by any of the Client organizations for conducting Service Provider assessments.

Clients' perspective: Service Provider assessment program/mechanism used by the organization (share of Client respondents)
- Assessment program developed by our organization (proprietary): 77.78%
- ISO controls checklist: 44.44%
- Reliance on the Statement on Auditing Standards (SAS) No. 70 report provided by the auditing firm assessing our Service Providers: 44.44%
- Asking the Service Providers to get ISO certified, thereby eliminating the need for getting assessed: 33.33%
- Assessment program of the appointed external auditor: 22.22%
- Asking the Service Providers to provide self declaration/attestation of compliance with our security policies/requirements: 22.22%
- Use of a pre-defined controls list provided by an assessment tool: 11.11%
- BITS shared assessment program: 0.00%

Service Providers' perspective: programs/mechanisms used by Clients for conducting assessments (share of Service Provider respondents)
- ISO controls checklist: 91.67%
- Assessment program developed by the Client (proprietary): 66.67%
- Assessment program of the Client appointed external auditor: 66.67%
- Getting ISO certification eliminates the need for getting assessed: 41.67%
- Providing self declaration/attestation of compliance with Client security policies/requirements: 25.00%
- BITS shared assessment program: 16.67%
- Use of a pre-defined controls list provided by an assessment tool: 0.00%
- Others: 16.67%

78% of Client organizations use proprietary assessment programs for conducting Service Provider assessments. However, the Service Providers report that their Clients use an ISO checklist for conducting security and privacy assessments.

Focus on Data Privacy in Service Provider assessments

The survey reveals that the majority of Client organizations cover privacy during Service Provider assessments. In contrast, the majority of Service Providers report that privacy is not covered as part of the assessments. Eleven percent of Client organizations also revealed that privacy is not covered as part of their Service Provider assessments. Client organizations seem satisfied with the current focus on privacy, as no Client foresees the need for a change in the privacy focus of its Service Provider assessment program.

The majority of Service Providers report that their Clients do not cover privacy during assessments, while Clients report strong coverage of privacy in Service Provider assessments.

[Chart: Clients' perspective, coverage of privacy in Service Provider assessments. Categories: Privacy is not covered (11.00%); Strongly; Moderately; Needs improvement (0%). The remaining shares shown are 33.00% and 56.00%.]

[Chart: Service Providers' perspective, coverage of privacy in Service Provider assessments. Categories: A minority of Clients' assessment programs cover privacy; nearly half of Clients' assessment programs cover privacy; the majority of Clients' assessment programs cover privacy; none of Clients' assessment programs cover privacy (0%). The shares shown are 25.00%, 41.67% and 33.33%.]

Types of Service Provider assessments

Vulnerability assessment and penetration testing as a methodology of Service Provider assessment has strong acceptance (100%) from Client organizations. While only twenty-five percent of Service Providers report that line-of-service-specific assessments are considered important by their Clients, Client organizations themselves give more importance to these assessments.

Clients' perspective: types of Service Provider assessments conducted by the organization (share of Client respondents)
- Technical: vulnerability assessment and penetration testing: 100%
- Risk based assessments: 88.89%
- Line of Service specific assessment (e.g. conducting an application security assessment for application development services): 77.78%
- Regulatory/Compliance: assessments to check compliance with applicable regulations (e.g. HIPAA, GLBA), or assessments based on compliance with standards like ISO and PCI DSS: 77.78%

Service Providers reveal that Client organizations display a strong propensity towards undertaking comprehensive risk-based assessments and compliance-based assessments.

Service Providers' perspective: types of assessments conducted by Client organizations (share of Service Provider respondents)
- Comprehensive risk based assessment covering all the domains of security: (value not captured in the transcription)
- Assessment based on well-known standards like ISO: 83.33%
- Comprehensive compliance based assessment: 75.00%
- Technical assessment of the IT systems, including vulnerability assessment and penetration testing: 75.00%
- Line of Service specific assessment (e.g. conducting an application security assessment for application development services): 25.00%

Level of perceived risk: IT services

Results indicate that Client organizations perceive outsourcing of Custom Application Development services as high risk (seventy-eight percent). This is distantly followed by Infrastructure Services Outsourcing, Network and Desktop Outsourcing, and Software Deployment and Support, at sixty-seven percent each. Service Providers cited Infrastructure Outsourcing, followed by Network and Desktop Outsourcing, as the critical risk areas for Service Provider assessments. Neither Clients nor Service Provider organizations attach importance to IT Education and Training services for assessments.

Custom Application Development, Network and Desktop Outsourcing, together with Infrastructure Outsourcing, are the current watchwords in the context of Service Provider assessments.

[Chart: Clients' perspective. Level of perceived risk in the services outsourced by Client organizations, IT services, showing the High / Medium / Low share per service for: Custom application development (High 77.78%); Network and desktop outsourcing (High 66.67%); Infrastructure services outsourcing (High 66.67%); Software deployment and support (High 66.67%); Application management; Software testing; Hosted application management; Hosted infrastructure services; System integration; Network consulting and integration; Hardware deployment and support; IT consulting; IT education and training. The remaining Medium and Low shares are not recoverable from the transcription.]


VENDOR MANAGEMENT. General Overview VENDOR MANAGEMENT General Overview With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today s business world. Vendor

More information

Securing the Cloud Infrastructure

Securing the Cloud Infrastructure EXECUTIVE STRATEGY BRIEF Microsoft recognizes that security and privacy protections are essential to building the necessary customer trust for cloud computing to reach its full potential. This strategy

More information

State of Data Security and Privacy in the Indian Banking Industry

State of Data Security and Privacy in the Indian Banking Industry PROMOTING DATA PROTECTION A NASSCOM Initiative State of Data Security and Privacy in the Indian Banking Industry DSCI-KPMG Survey 2010 In association with Handling Computer Security Incidents Under the

More information

EXECUTIVE STRATEGY BRIEF. Securing the Cloud Infrastructure. Cloud. Resources

EXECUTIVE STRATEGY BRIEF. Securing the Cloud Infrastructure. Cloud. Resources EXECUTIVE STRATEGY BRIEF Securing the Cloud Infrastructure Cloud Resources 01 Securing the Cloud Infrastructure / Executive Strategy Brief Securing the Cloud Infrastructure Microsoft recognizes that trust

More information

Western Australian Auditor General s Report. Information Systems Audit Report

Western Australian Auditor General s Report. Information Systems Audit Report Western Australian Auditor General s Report Information Systems Audit Report Report 10 June 2012 Auditor General s Overview The Information Systems Audit Report is tabled each year by my Office. It summarises

More information

WHITE PAPER Leveraging GRC for PCI DSS Compliance. By: Chris Goodwin, Co-founder and CTO, LockPath

WHITE PAPER Leveraging GRC for PCI DSS Compliance. By: Chris Goodwin, Co-founder and CTO, LockPath WHITE PAPER Leveraging GRC for PCI DSS Compliance By: Chris Goodwin, Co-founder and CTO, LockPath The Payment Card Industry Data Security Standard ( PCI DSS ) is set forth by a consortium of payment card

More information

Protecting your brand in the cloud Transparency and trust through enhanced reporting

Protecting your brand in the cloud Transparency and trust through enhanced reporting Protecting your brand in the cloud Transparency and trust through enhanced reporting Third-party Assurance November 2011 At a glance Cloud computing has unprecedented potential to deliver greater business

More information

White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK. By James Christiansen, VP, Information Risk Management

White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK. By James Christiansen, VP, Information Risk Management White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK By James Christiansen, VP, Information Management Executive Summary The Common Story of a Third-Party Data Breach It begins with a story in the newspaper.

More information

PCI Policy Compliance Using Information Security Policies Made Easy. PCI Policy Compliance Information Shield Page 1

PCI Policy Compliance Using Information Security Policies Made Easy. PCI Policy Compliance Information Shield Page 1 PCI Policy Compliance Using Information Security Policies Made Easy PCI Policy Compliance Information Shield Page 1 PCI Policy Compliance Using Information Security Policies Made Easy By David J Lineman

More information

Securing the Microsoft Cloud

Securing the Microsoft Cloud Securing the Microsoft Cloud Page 1 Securing the Microsoft Cloud Microsoft recognizes that trust is necessary for organizations and customers to fully embrace and benefit from cloud services. We are committed

More information

Governance, Risk, and Compliance (GRC) White Paper

Governance, Risk, and Compliance (GRC) White Paper Governance, Risk, and Compliance (GRC) White Paper Table of Contents: Purpose page 2 Introduction _ page 3 What is GRC _ page 3 GRC Concepts _ page 4 Integrated Approach and Methodology page 4 Diagram:

More information

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC. Experience the commitment WHITE PAPER Information Security Continuous Monitoring Charting the Right Course May 2014 cgi.com 2014 CGI GROUP INC. During the last few months of 2013, six federal agencies

More information

SOCIAL MEDIA MOBILE DEVICES CLOUD SERVICES INTERNET OF THINGS (IOT)

SOCIAL MEDIA MOBILE DEVICES CLOUD SERVICES INTERNET OF THINGS (IOT) INFORMATION SECURITY AND CYBER LIABILITY RISK MANAGEMENT THE FIFTH ANNUAL SURVEY ON THE CURRENT STATE OF AND TRENDS IN INFORMATION SECURITY AND CYBER LIABILITY RISK MANAGEMENT Sponsored by October 2015

More information

A Flexible and Comprehensive Approach to a Cloud Compliance Program

A Flexible and Comprehensive Approach to a Cloud Compliance Program A Flexible and Comprehensive Approach to a Cloud Compliance Program Stuart Aston Microsoft UK Session ID: SPO-201 Session Classification: General Interest Compliance in the cloud Transparency Responsibility

More information

Security and Compliance Play Critical Roles in Protecting IT Assets of Law Firms and Their Clients

Security and Compliance Play Critical Roles in Protecting IT Assets of Law Firms and Their Clients Security and Compliance Play Critical Roles in Protecting IT Assets of Law Firms and Their Clients Executive Overview Within the legal sector, IT system security and compliance have changed dramatically

More information

Information Security in Telecom Sector. kpmg.com/in

Information Security in Telecom Sector. kpmg.com/in Information Security in Telecom Sector kpmg.com/in Foreword Telecom industry has gone through significant expansion phase and industry is committed to remain on growth path exploring new avenues. Data

More information

IT Insights. Managing Third Party Technology Risk

IT Insights. Managing Third Party Technology Risk IT Insights Managing Third Party Technology Risk According to a recent study by the Institute of Internal Auditors, more than 65 percent of organizations rely heavily on third parties, yet most allocate

More information

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? Introduction This material is designed to answer some of the commonly asked questions by business associates and other organizations

More information

Key Speculations & Problems faced by Cloud service user s in Today s time. Wipro Recommendation: GRC Framework for Cloud Computing

Key Speculations & Problems faced by Cloud service user s in Today s time. Wipro Recommendation: GRC Framework for Cloud Computing Contents Introduction Why GRC Assessment Benefits of Cloud computing and Problem Statement Key Speculations & Problems faced by Cloud service user s in Today s time Threats, Vulnerabilities and related

More information

Open Certification Framework. Vision Statement

Open Certification Framework. Vision Statement Open Certification Framework Vision Statement Jim Reavis and Daniele Catteddu August 2012 BACKGROUND The Cloud Security Alliance has identified gaps within the IT ecosystem that are inhibiting market adoption

More information

Process Compliance to Business Excellence A Journey

Process Compliance to Business Excellence A Journey Process Compliance to Business Excellence A Journey November 2010 This paper discusses the approach to Quality in India s BPO s from the inception years to the current scenario and also offers an insight

More information

Achieving Data Privacy in the Cloud

Achieving Data Privacy in the Cloud Achieving Data Privacy in the Cloud Study of Information Technology Privacy and Compliance of Small to Medium-Sized Organizations in germany Sponsored by microsoft Independently Conducted by Ponemon Institute

More information

Past vs. Present: Third Party Risk

Past vs. Present: Third Party Risk Past vs. Present: Third Party Risk Kevin O Sullivan and Hicham Chahine 3 rd Party Risk, Crowe Horwath LLP April 30th, 2015 Agenda Drivers pushing Third Party Risk Past vs. Present Events and Trends Vendor

More information

Standardization in the Outsourcing Industry

Standardization in the Outsourcing Industry Standardization in the Outsourcing Industry November 2010 Outsourcing provides rapid business transformation and cost reductions through labor arbitrage and consolidation of business processes spread across

More information

The Future of Investment Compliance for Asset Owners: The Next Great Transformation

The Future of Investment Compliance for Asset Owners: The Next Great Transformation The Future of Investment Compliance for Asset Owners: The Next Great Transformation By: State Street Global Services Performance Services December 2014 STATE STREET CORPORATION 1 Contents Introduction

More information

Payment Card Industry Data Security Standards

Payment Card Industry Data Security Standards Payment Card Industry Data Security Standards Discussion Objectives Agenda Introduction PCI Overview and History The Protiviti Difference Questions and Discussion 2 2014 Protiviti Inc. CONFIDENTIAL: This

More information

The State Of PCI Compliance

The State Of PCI Compliance September 2007 The State Of PCI Compliance A commissioned study conducted by Forrester Consulting on behalf of RSA, the Security Division of EMC Table Of Contents Executive Summary...3 Introduction...4

More information

Executive Briefing Outsourcing your Enterprise Management Services - IT Challenge or Business Opportunity?

Executive Briefing Outsourcing your Enterprise Management Services - IT Challenge or Business Opportunity? Executive Briefing Outsourcing your Enterprise Management Services - IT Challenge or Business Opportunity? Contents Introduction Outsourcing Opportunities Challenges SAP Outsourcing Models Selecting the

More information

Vendor Management Best Practices

Vendor Management Best Practices 23 rd Annual and One Day Seminar Vendor Management Best Practices Catherine Bruder CPA, CITP, CISA, CISM, CTGA Michigan Texas Florida Insight. Oversight. Foresight. SM Doeren Mayhew Bruder 1 $100 billion

More information

The Institute of Professional Practice, Inc. Business Associate Agreement

The Institute of Professional Practice, Inc. Business Associate Agreement The Institute of Professional Practice, Inc. Business Associate Agreement This Business Associate Agreement ( Agreement ) effective on (the Effective Date ) is entered into by and between The Institute

More information

Security in the Cloud: Visibility & Control of your Cloud Service Providers

Security in the Cloud: Visibility & Control of your Cloud Service Providers Whitepaper: Security in the Cloud Security in the Cloud: Visibility & Control of your Cloud Service Providers Date: 11 Apr 2012 Doc Ref: SOS-WP-CSP-0412A Author: Pierre Tagle Ph.D., Prashant Haldankar,

More information

Securing Critical Information Assets: A Business Case for Managed Security Services

Securing Critical Information Assets: A Business Case for Managed Security Services White Paper Securing Critical Information Assets: A Business Case for Managed Security Services Business solutions through information technology Entire contents 2004 by CGI Group Inc. All rights reserved.

More information

Service Catalog Management: A CA Service Management Process Map

Service Catalog Management: A CA Service Management Process Map TECHNOLOGY BRIEF: SERVICE CATALOG MANAGEMENT Catalog : A CA Process Map JULY 2009 Enrico Boverino SR PRINCIPAL CONSULTANT, TECHNICAL SALES ITIL SERVICE MANAGER ITAC CERTIFIED Table of Contents Executive

More information

08/10/2013. Data protection and compliance. Agenda. Data protection life cycle and goals. Introduction. Data protection overview

08/10/2013. Data protection and compliance. Agenda. Data protection life cycle and goals. Introduction. Data protection overview Data protection and compliance In the cloud and in your data center 1 November 2013 Agenda 1 Introduction 2 Data protection overview 3 Understanding the cloud 4 Where do I start? 5 Wrap-up Page 2 Data

More information

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium 1 VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium 2 Agenda Introduction Vendor Management what is? Available Guidance Vendor Management

More information

Italy. EY s Global Information Security Survey 2013

Italy. EY s Global Information Security Survey 2013 Italy EY s Global Information Security Survey 2013 EY s Global Information Security Survey 2013 This year s survey our 16th edition captures the responses of 1,909 C-suite and senior level IT and information

More information

AN OVERVIEW OF INFORMATION SECURITY STANDARDS

AN OVERVIEW OF INFORMATION SECURITY STANDARDS AN OVERVIEW OF INFORMATION SECURITY STANDARDS February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced

More information

IT Risk Management Life Cycle and enabling it with GRC Technology. 21 March 2013

IT Risk Management Life Cycle and enabling it with GRC Technology. 21 March 2013 IT Risk Management Life Cycle and enabling it with GRC Technology 21 March 2013 Overview IT Risk management lifecycle What does technology enablement mean? Industry perspective Business drivers Trends

More information

Application of King III Corporate Governance Principles

Application of King III Corporate Governance Principles APPLICATION of KING III CORPORATE GOVERNANCE PRINCIPLES 2013 Application of Corporate Governance Principles This table is a useful reference to each of the principles and how, in broad terms, they have

More information

Can security conscious businesses really adopt the Cloud safely?

Can security conscious businesses really adopt the Cloud safely? Can security conscious businesses really adopt the Cloud safely? January 2014 1 Phone: 01304 814800 Fax: 01304 814899 info@ Contents Executive overview The varied Cloud security landscape How risk assessment

More information

2014 HIMSS Analytics Cloud Survey

2014 HIMSS Analytics Cloud Survey 2014 HIMSS Analytics Cloud Survey June 2014 2 Introduction Cloud services have been touted as a viable approach to reduce operating expenses for healthcare organizations. Yet, engage in any conversation

More information

Adopting the Right Software Test Maturity Assessment Model

Adopting the Right Software Test Maturity Assessment Model Cognizant 20-20 Insights Adopting the Right Software Test Maturity Assessment Model To deliver world-class quality outcomes relevant to their business objectives, IT organizations need to choose wisely

More information

High Level Cyber Security Assessment 2/1/2012. Assessor: J. Doe

High Level Cyber Security Assessment 2/1/2012. Assessor: J. Doe 2/1/2012 Assessor: J. Doe Disclaimer This report is provided as is for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

White Paper. Managed Services. Part 2: True Value Creation Partnership. February 2013. ISO 9001 No. FS 28117

White Paper. Managed Services. Part 2: True Value Creation Partnership. February 2013. ISO 9001 No. FS 28117 White Paper Managed Services Part 2: True Value Creation Partnership February 2013 ISO 9001 No. FS 28117 Managed Services Preface 01 Introduction 01 Transition to Managed Services 05 Telecom domain knowhow

More information

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES TECHNICAL COMMITTEE OF THE INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS FEBRUARY 2005 Preamble The IOSCO Technical Committee

More information

IBM Rational AppScan: enhancing Web application security and regulatory compliance.

IBM Rational AppScan: enhancing Web application security and regulatory compliance. Strategic protection for Web applications To support your business objectives IBM Rational AppScan: enhancing Web application security and regulatory compliance. Are untested Web applications putting your

More information

Feature. Vendor Due Diligence

Feature. Vendor Due Diligence Feature Vendor Due Diligence Jennifer Bayuk, CISA, CISM, CGEIT, is an independent consultant on topics including information security policy, process, management and metrics. For 10 years she managed information

More information

Certification Report

Certification Report Certification Report EAL 3+ Evaluation of RSA envision platform v4.0 SP 1 Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and Certification

More information

Security is a Partnership

Security is a Partnership Security is a Partnership Written by J.R. Arredondo Director, Product Marketing Security is a Partnership Cover Table of Contents 1. Introduction 2 2. The Increasing Complexity of Security 3 and Compliance

More information

fs viewpoint www.pwc.com/fsi

fs viewpoint www.pwc.com/fsi fs viewpoint www.pwc.com/fsi June 2013 02 11 16 21 24 Point of view Competitive intelligence A framework for response How PwC can help Appendix It takes two to tango: Managing technology risk is now a

More information

A Guide to the Cyber Essentials Scheme

A Guide to the Cyber Essentials Scheme A Guide to the Cyber Essentials Scheme Published by: CREST Tel: 0845 686-5542 Email: admin@crest-approved.org Web: http://www.crest-approved.org/ Principal Author Jane Frankland, Managing Director, Jane

More information

Applying Integrated Risk Management Scenarios for Improving Enterprise Governance

Applying Integrated Risk Management Scenarios for Improving Enterprise Governance Applying Integrated Risk Management Scenarios for Improving Enterprise Governance János Ivanyos Trusted Business Partners Ltd, Budapest, Hungary, ivanyos@trusted.hu Abstract: The term of scenario is used

More information

www.pwc.com The data breach lifecycle: From prevention to response IAPP global privacy summit March 6, 2014 (4:30-5:30) Draft v8 2-25-14

www.pwc.com The data breach lifecycle: From prevention to response IAPP global privacy summit March 6, 2014 (4:30-5:30) Draft v8 2-25-14 www.pwc.com The data breach lifecycle: From prevention to response IAPP global privacy summit (4:30-5:30) Draft v8 2-25-14 Common Myths 1. You have not been hacked. 2. Cyber security is about keeping the

More information

QUALITY ASSURANCE GUIDE FOR GREEN BUILDING RATING TOOLS

QUALITY ASSURANCE GUIDE FOR GREEN BUILDING RATING TOOLS World Green Building Council Rating Tools Task Group: QUALITY ASSURANCE GUIDE FOR GREEN BUILDING RATING TOOLS Version 1.0 _ 2013 /(DRAFT_01 /Sept_13) INTRODUCTION This guide has been developed as a part

More information

Third-Party Cybersecurity and Data Loss Prevention

Third-Party Cybersecurity and Data Loss Prevention Third-Party Cybersecurity and Data Loss Prevention SESSION ID: DSP-W04A Brad Keller Sr. Vice President Santa Fe Group Jonathan Dambrot, CISSP CEO, Co-Founder Prevalent Networks 3rd Party Risk Management

More information

3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014. Straightforward Security and Compliance

3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014. Straightforward Security and Compliance 3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014 Continuous Education Services (elearning/workshops) Compliance Management Portals Information Security

More information

EMC CONSULTING SECURITY STANDARDS AND COMPLIANCE SERVICES

EMC CONSULTING SECURITY STANDARDS AND COMPLIANCE SERVICES EMC CONSULTING SECURITY STANDARDS AND COMPLIANCE SERVICES Aligning information with business and operational objectives ESSENTIALS Leverage EMC Consulting as your trusted advisor to move your and compliance

More information

Company Name Query Response. Systems Pvt. Ltd. the Bid in spite of neither being an ISO 9001:2008 nor a CMMI L3 certified company with a valid

Company Name Query Response. Systems Pvt. Ltd. the Bid in spite of neither being an ISO 9001:2008 nor a CMMI L3 certified company with a valid Following are the queries received from different companies with regard to the RFP for School Quality Assessment and Accreditation Management Solution : Company Name Query Response Orion India 1. Can Orion

More information

Cloud Security Keeping Data Safe in the Boundaryless World of Cloud Computing

Cloud Security Keeping Data Safe in the Boundaryless World of Cloud Computing Cloud Security Keeping Data Safe in the Boundaryless World of Cloud Computing Executive Summary As cloud service providers mature, and expand and refine their offerings, it is increasingly difficult for

More information

IBM asset management solutions White paper. Using IBM Maximo Asset Management to manage all assets for hospitals and healthcare organizations.

IBM asset management solutions White paper. Using IBM Maximo Asset Management to manage all assets for hospitals and healthcare organizations. IBM asset management solutions White paper Using IBM Maximo Asset Management to manage all assets for hospitals and healthcare organizations. September 2007 2 Contents 2 Executive summary 3 Introduction

More information

Identifying and Managing Third Party Data Security Risk

Identifying and Managing Third Party Data Security Risk Identifying and Managing Third Party Data Security Risk Legal Counsel to the Financial Services Industry Digital Commerce & Payments Series Webinar April 29, 2015 1 Introduction & Overview Today s discussion:

More information

Microsoft s Compliance Framework for Online Services

Microsoft s Compliance Framework for Online Services Microsoft s Compliance Framework for Online Services Online Services Security and Compliance Executive summary Contents Executive summary 1 The changing landscape for online services compliance 4 How Microsoft

More information

Gold study sponsor: Is cyber security now too hard for enterprises? Cyber security trends in the UK. Executive Summary

Gold study sponsor: Is cyber security now too hard for enterprises? Cyber security trends in the UK. Executive Summary Gold study sponsor: Is cyber security now too hard for enterprises? Cyber security trends in the UK Executive Summary Core statements I. Cyber security is now too hard for enterprises The threat is increasing

More information

Innovation & Quality for Higher Competitiveness of Companies

Innovation & Quality for Higher Competitiveness of Companies Innovation & Quality for Higher Competitiveness of Companies www.wipro.com DEVENDER MALHOTRA & SHALABH SRIVASTAVA WIPRO BPO Table of Contents Introduction...1 Understanding Innovation...2 Enablers of Innovation...2

More information

Third Party Supplier Security

Third Party Supplier Security Third Party Supplier Security Managing risk and compliance through external due diligence audits. Presented by: Stephen Higgins 6 th December 2012 To cover When third party supplier security goes wrong...

More information

Jenny Obee, Head of Information Management jenny.obee@barnet.gov.uk, Tel: 020 8359 4859. Micailah Fleming, IT Director micailah.fleming@capita.co.

Jenny Obee, Head of Information Management jenny.obee@barnet.gov.uk, Tel: 020 8359 4859. Micailah Fleming, IT Director micailah.fleming@capita.co. Performance and Contract Management Committee 7 January 2016 Title Report of Wards Status ICT Operations ITIL Methodology Assessment Chief Operating Officer All Public Urgent Key No No Enclosures None

More information

Achieving Enterprise Software Success

Achieving Enterprise Software Success Achieving Enterprise Software Success A study of buyer and seller perspectives on the drivers of enterprise software success 2008 Table of Contents Executive Summary... 2 What is Success?... 3 A New Study

More information

Peer Research Desktop Virtualization Insights for IT Strategic Planning

Peer Research Desktop Virtualization Insights for IT Strategic Planning SEPTEMBER 2011 Peer Research Desktop Virtualization Insights for IT Strategic Planning Why you should read this document: This report describes key findings from a survey of 200 IT professionals that can

More information

LEGAL ALERT. August 9, 2011. Outsourcing: India Adopts New Privacy and Security Rules for Personal Information

LEGAL ALERT. August 9, 2011. Outsourcing: India Adopts New Privacy and Security Rules for Personal Information LEGAL ALERT August 9, 2011 Outsourcing: India Adopts New Privacy and Security Rules for Personal Information Effective with their publication on April 11, 2011, 1 the Central Government of India (GOI)

More information

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft

Cyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft Cyber Security and Privacy Services Working in partnership with you to protect your organisation from cyber security threats and data theft 2 Cyber Security and Privacy Services What drives your security

More information

PAYMENT CARD PROCESSING

PAYMENT CARD PROCESSING CSU The California State University Office of Audit and Advisory Services PAYMENT CARD PROCESSING California State University, Bakersfield Audit Report 15-42 October 13, 2015 EXECUTIVE SUMMARY OBJECTIVE

More information

Insights: Data Protection and the Cloud North America

Insights: Data Protection and the Cloud North America Insights: Data Protection and the Cloud North America Survey Report May 2012 Table of Contents Executive Summary Page 3 Key Findings Page 4 Investment in data protection & DR operations Page 4 Data and

More information

Image Area. View Point. Transforming your Metrics Program with the right set of Silver Bullets. www.infosys.com

Image Area. View Point. Transforming your Metrics Program with the right set of Silver Bullets. www.infosys.com Image Area View Point Transforming your Metrics Program with the right set of Silver Bullets www.infosys.com Introduction Today s organizations are competing in a fast-paced marketplace driven by new technologies,

More information

MANAGING CYBER RISK IN THE SUPPLY CHAIN

MANAGING CYBER RISK IN THE SUPPLY CHAIN MANAGING CYBER RISK IN THE SUPPLY CHAIN How.trust simplifies the validation of trusted supply partners Author: Gunter Ollmann, CTO INTRODUCTION In today s highly competitive business world the speed at

More information

Enabling Compliance Requirements using ISMS Framework (ISO27001)

Enabling Compliance Requirements using ISMS Framework (ISO27001) Enabling Compliance Requirements using ISMS Framework (ISO27001) Shankar Subramaniyan Manager (GRC) Wipro Consulting Services Shankar.subramaniyan@wipro.com 10/21/09 1 Key Objectives Overview on ISO27001

More information

CA HalvesThe Cost Of Testing IT Controls For Sarbanes-Oxley Compliance With Unified Processes.
