Data security remains a top priority for Indian BPO companies in their current operating scenario, and ISO 27001 certification helps companies address this concern smoothly while keeping customers satisfied. e-care India, a healthcare outsourcing services company based in Chennai, often used to hear customer concerns about data security. The company specializes in medical billing.
e-care India's technology infrastructure
e-care India's premises are manned and monitored 24/7 by security personnel and CCTV cameras. Access is screened by photo identity as well as biometrics. Access to servers is governed by an additional layer of restrictions and is granted only to authorized personnel. Confidentiality and non-disclosure agreements are signed with customers, employees and any third party that accesses information.
Managed switches are used to create multiple VLANs with defined security policies. USB ports are disabled to ensure that external media such as pen drives cannot be used to copy data. Internet access is restricted. Antivirus software is configured for automatic updates so that it can handle even the latest threats. Other measures in place include individual employee log-ins for the systems, network and Windows, as well as auditing, reporting and monitoring at every stage of the business process.
In the course of its business, e-care India clearly sensed that security and safe handling of data sent offshore for processing are major concerns in the US, the market from which it gets most of its customers. The need to protect customers' private and confidential information led e-care India to consider ISO 27001 certification. "The client agreements clearly demand privacy and secrecy of the information. Protection of client data is our primary concern. We realized that ISO 27001 certification can address this concern, and provide greater confidence to our US clients, thus enhancing our business prospects in that market," says M S Rajagopal, vice president of operations and head of ISMG at e-care India.
e-care India's management itself drove the decision to adopt ISO 27001, and the project kicked off in mid-2008. The company hired Guardian Independent Certification (India) as its consulting partner. The consultancy firm had earlier helped e-care India achieve ISO 9001 certification, so it was an easy choice as partner for ISO 27001 certification.
Guardian Independent Certification recommended that e-care India conduct a GAP analysis. During this process, e-care India identified every asset, the threats to and vulnerabilities of each asset, and the likelihood of a security incident, and finally rated the risk to each asset as high, medium or low.
Prior to achieving ISO 27001 certification, e-care India had become a Health Insurance Portability and Accountability Act (HIPAA) certified company, so its earlier investments in security controls and strict procedures came in handy during ISO 27001 certification. "We were already addressing most of the identified risks. However, we needed to document them for ISO 27001 certification," explains Rajagopal. After the GAP analysis, the company was asked to implement new firewalls, as the existing ones did not produce logs, which ISO 27001 requires to be monitored. e-care India also used to face frequent power problems because of its office location. To address this, generators were recommended for power backup to ensure 24/7 business continuity and availability.
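The GAP analysis described above, as an added example that is not e-care India's or the consultant's own method: a small risk register in Python that records each asset's threat, vulnerability and existing control, rates the risk high, medium or low, and lists both the risks with no control yet and the "addressed but undocumented" gaps Rajagopal mentions. Rating likelihood together with impact is a standard ISO 27001 risk-assessment step the article does not spell out; the assets, ratings and controls below are constructed, not e-care India's data.

```python
from dataclasses import dataclass

@dataclass
class RiskEntry:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int          # 1 = rare, 2 = possible, 3 = likely (rated before controls)
    impact: int              # 1 = minor, 2 = moderate, 3 = severe
    control: str = ""        # existing control, empty if none is in place
    documented: bool = False # is the control written up for the auditor?

def risk_level(likelihood: int, impact: int) -> str:
    """Rate a risk High, Medium or Low from a 1..3 likelihood and a 1..3 impact."""
    if likelihood not in (1, 2, 3) or impact not in (1, 2, 3):
        raise ValueError("likelihood and impact must be 1, 2 or 3")
    score = likelihood * impact   # 1..9
    return "High" if score >= 6 else "Medium" if score >= 3 else "Low"

def assess(register):
    """(asset, threat, level) for every entry, highest risk first."""
    order = {"High": 0, "Medium": 1, "Low": 2}
    rows = [(e.asset, e.threat, risk_level(e.likelihood, e.impact)) for e in register]
    return sorted(rows, key=lambda r: order[r[2]])

def untreated_risks(register):
    """Medium/High risks with no control at all: these need a treatment plan."""
    return [e.asset for e in register
            if not e.control and risk_level(e.likelihood, e.impact) != "Low"]

def documentation_gaps(register):
    """Controls that exist but are not written down: the gap an ISO 27001 audit flags."""
    return [e.asset for e in register if e.control and not e.documented]
# Constructed sample register (illustrative entries, not e-care India's actual data).
SAMPLE_REGISTER = [
    RiskEntry("Billing database server", "Unauthorized access to patient records",
              "Server room reachable from general office", 2, 3, "Biometric door lock"),
    RiskEntry("Employee workstations", "Data copied to removable media",
              "Open USB ports", 3, 3, "USB ports disabled", True),
    RiskEntry("Perimeter firewall", "Intrusion goes unnoticed", "No firewall logs", 2, 3),
    RiskEntry("Office power supply", "Outage halts processing", "No generator backup", 3, 2),
    RiskEntry("Reception area", "Tailgating by visitors", "Single manned entrance", 1, 2,
              "Photo ID check and CCTV", True),
]
if __name__ == "__main__":
    for asset, threat, level in assess(SAMPLE_REGISTER):
        print(f"{level:6} {asset}: {threat}")
    print("Untreated:", untreated_risks(SAMPLE_REGISTER))
    print("Needs documentation:", documentation_gaps(SAMPLE_REGISTER))
```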
As far as process changes are concerned, e-care India did not have a proper vulnerability assessment regime. Since this is among the critical ISO 27001 certification requirements, the consulting firm suggested that the company put regular vulnerability assessment practices in place. The company also did not handle any original data; it always processed copies, which were destroyed after use.
It took e-care India around a year to obtain ISO 27001 certification. The audit process was carried out in two phases: the first audit was conducted within five months of the GAP analysis, and the second at the end of the year. Each audit found certain lacunae, most of them in the area of documentation. Rajagopal now stresses that documentation is one of the most critical requirements of the ISO 27001 certification process. "ISO 27001 certification has actually become a good marketing tool for us to prove our mettle in the area of information security," he says. The company has succeeded in improving customer satisfaction levels since achieving the certification.
As ISO 27001 certification insists on continuous improvement and maintenance of security systems, the company has set up a separate ISO team with representation from top management as well as every department. This team is responsible for weekly audits of security controls and compliance procedures, ensuring constant feedback.
Rajagopal feels that a company looking to achieve ISO 27001 certification should treat people awareness as a crucial aspect of the whole process; in fact, he rates it even higher than infrastructure. "There should be continuous awareness training on what data security is all about and the implications of data security violations. The measures put in place for ISO 27001 certification become effective only when these are achieved," he signs off.