First DSCI security framework pilot underway at TCS BPO

ITES player TCS BPO becomes first organization to conduct pilot project testing of data security council of India's (DSCI) data security framework.

Leading Indian ITES player Tata Consultancy Services (TCS) BPO has announced its pilot implementation of Data security Council of India (DSCI)'s Data Security Framework (DSF). This announcement was made yesterday during the DSCI Best Practice Meet held in Bengaluru. The event focused on the implementation methodology for DSCI's DSF and Data Privacy Framework (DPF).

DSCI DSF implementation's constituents
The DSCI data security framework comprises of a set of 16 best practices for achieving data protection. Some of these areas include application security, infrastructure security, monitoring and incident management.

DSCI's implementation methodology (currently a single methodology is used for both frameworks) starts with a visibility exercise, which provides consolidated view of data at a central level. The DSCI framework identifies as well as analyzes the integrated view of data flows (within and outside the organisation). This methodology focuses on recent trends and applies current security controls in the organisation, creating a data-centric risk profile.

 TCS BPO serves 150 customers across 40 countries and conducts more than 1.5 billion transactions per year. The company handles extremely sensitive information including IPR, financial, personal and health information. As a result, it also needs to comply with regulations of different countries (resulting in further complexity to its security matrix). Although TCS BPO is an adopter of ISO 27001 and has fairly robust information security practices, it was open to improvise their practices by evaluating the best practices that were newly designed by DSCI. Pranav Dasnurkar, the head of information security for TCS BPO informed, “We were open to have a bottom-up approach that can unearth risks hidden in processes.”

TCS is a member of the executive council of DSCI and considering the scale of its operations offered to be a pilot for DSF and DPF framework.  DSCI launched the DSF and DPF frameworks in 2009. Around March 2010 TCS BPO chose to experiment with a pilot project of DSCI's data security framework on certain F&A, HR and pharmaceutical processes (which handles financial personal and health information respectively). In association with DSCI, TCS BPO has developed an Excel-based tool which captures these data-centric elements. TCS BPO plans to build more intelligence into the tool as it progresses. The pilot also brought clarity on the portfolios like the data controller and data processor.

According to Dasnurkar, this pilot implementation has brought revelations for TCS BPO in terms of hidden risks. Risks identified by the Excel tool can be classified into two—risks pertaining to the client and those affecting TCS BPO. This helps TCS BPO to get a distinct demarcation of liabilities for security risks. Besides these, now TCS BPO has gained the confidence to renegotiate security service level agreements with its clients. It will continue with DSCI’s DSF pilot, with plans to feed the output of DSF into its existing risk management framework. Depending on the success of data security framework, TCS BPO will also look at adoption of DSCI's data privacy framework.

Read more on IT risk management