In the last week of July 2010, the Data Security Council of India (DSCI) presented the implementation methodology for its two frameworks, the Data Security Framework (DSF) and the Data Privacy Framework (DPF). Rather than a separate methodology for each, DSCI has defined a single implementation methodology that covers both.
Data is the central object of the DSCI frameworks and of the implementation methodology: the methodology is built around a data-centric risk profile. The first stage of implementation is a visibility exercise that tracks the movement of data within and outside the organization. This produces a data view covering acquisition, processing, transfer, storage and archival of information. Because the view is built around data flows rather than around systems or departments, the DSCI approach can identify and mitigate risks down to the sub-process level.
Vinayak Godse, the director for data protection at DSCI, has been closely involved in developing the frameworks' implementation methodology. He points out that every organization collects, processes and accesses data in a different way. The example Godse cites is a bank, which gathers information about its customers directly, versus a service provider, which gains access to certain information only because of an outsourcing relationship. Based on this distinction, the DSCI framework implementation identifies three kinds of data portfolios.
The first is the data controller portfolio: any organization that directly collects information and processes it falls here. The second is the relationship portfolio, which covers information accessed because of a particular business relationship; for example, a BPO that accesses client information under an outsourcing contract. The third is the employee information portfolio, which recognizes that every organization collects personal information about its own employees and that this information also needs to be protected.
Together, the portfolios give a consolidated view of data flow, and that view determines which obligations apply. For instance, a BPO serving a healthcare client in Britain has to identify and meet three overlapping sets of requirements: the geography-specific regulations of the client's jurisdiction, the vertical-specific regulations of the healthcare industry, and the function-specific regulations attached to the processing it performs. Getting this mapping right is critical to maintaining data security and privacy. To support it, DSCI has developed a spreadsheet tool that tracks the security and privacy requirements attached to each portfolio.
Once the portfolio is built, the organization has an exact picture of what information it is processing and in what environment. "It reflects many issues and loopholes in the way the data is handled or processed. This can be taken into consideration while forming the enterprise risk management strategy," says Godse. At present an organization may have to enter these inputs manually into its information risk management (IRM) program; DSCI plans to release a full-fledged application that feeds the IRM program automatically.
Along with the implementation methodology, DSCI has amended the DSF and DPF frameworks themselves and has published maturity criteria for some of the principles under them. "We have 16 best practices under DSF, and we have defined the maturity levels for nine of these. The remaining seven best practices will be launched soon," says Godse.
DSCI also presented the initial pilot implementations: DSF at TCS BPO and DPF at Tech Mahindra. According to observations from the pilots, implementing the frameworks surfaced hidden risks at the sub-process level that had not been visible before. The pilots also showed that, despite mature security practices, the privacy focus of Indian organizations is still lagging.