Data Security Offshore:
Taking a Responsible Approach. Providing proper safeguards for applications and data components in an offshore environment is essential for banks, government bodies and other security-conscious institutions.
Safeguarding Applications and Data
Increasing globalization and the spread of disruptive technologies are pushing companies across industries to deliver superior customer service, reduce operating costs across the board and keep a continued focus on rapid implementation of IT projects. With the rise of cross-border technology projects, however, the security of company assets becomes increasingly crucial: proper safeguards for applications and data components in an offshore environment are essential for banks, government bodies and other security-conscious institutions. Broadly speaking, security in a technology project has two main components:
- Data and infrastructure security
- Personnel-based security
Data and infrastructure security:
When choosing a technology delivery organization for offshoring, companies must ensure that comprehensive data and infrastructure security policies and procedures are in place. Specific areas of coverage include compliance, system development, communications management and asset classification controls. The policies and procedures should cover “business as usual” activities such as data backup and restore, information risk assessment and system change control guidelines. Disaster recovery and business continuity planning policies should also be well established. Examples of approaches to implementing data and infrastructure security include:
- Client data need not move offshore. Application construction can be carried out offshore using dummy/test data or scrambled data, so that real client data stays in company-managed locations.
- Network elements on client projects can be physically or virtually separate from the service provider’s networks.
- Computer floppy drives, shared drives and USB ports can be disabled across the organization.
- Offshore projects may be conducted within physically enclosed areas accessible only to client-approved personnel.
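One way to produce the scrambled data mentioned in the first approach above, as an added example that is neither the article's nor Denovo's own code: a keyed (HMAC) pseudonymization that keeps each record realistically shaped for build and test work while leaving nothing that identifies the client's customers. The field names, sample records and key are constructed for illustration; in practice the key would stay in an onshore secret store and never travel with the data.

```python
import hashlib
import hmac

# Constructed sample records of the kind that must not leave company-managed locations.
SAMPLE_RECORDS = [
    {"cust_id": 1001, "name": "Alice Example", "account": "12-3456-7890",
     "email": "alice@bank.example", "balance": 250.75},
    {"cust_id": 1002, "name": "Bob Sample", "account": "98-7654-3210",
     "email": "bob@bank.example", "balance": 13.10},
]

def _digest(key: bytes, field: str, value: str) -> bytes:
    # Keyed hash: the same (field, value) always yields the same bytes, so joins between
    # scrambled tables still work, while nobody without the key can reverse the mapping.
    # The key is a placeholder supplied by the caller; it must never ship with the data.
    return hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).digest()

def mask_digits(key: bytes, field: str, value: str) -> str:
    # Replace each digit with a key-derived digit but keep separators and length, so the
    # application's validation and layout code sees a realistically shaped value.
    d = _digest(key, field, value)
    out, i = [], 0
    for ch in value:
        if ch.isdigit():
            out.append(str(d[i % len(d)] % 10))
            i += 1
        else:
            out.append(ch)
    return "".join(out)

def mask_name(key: bytes, field: str, value: str) -> str:
    # Opaque pseudonym; the hex tag keeps it stable across runs and tables.
    return "Person " + _digest(key, field, value).hex()[:8]

def mask_email(key: bytes, field: str, value: str) -> str:
    # Email-shaped value on a reserved domain, so test mail can never reach a real client.
    return f"user-{_digest(key, field, value).hex()[:12]}@example.invalid"

# Fields to scramble; anything else (ids, amounts) passes through unchanged.
MASK_RULES = {"name": mask_name, "account": mask_digits, "email": mask_email}

def scramble_record(key: bytes, record: dict) -> dict:
    return {k: (MASK_RULES[k](key, k, v) if k in MASK_RULES else v)
            for k, v in record.items()}

def scramble_dataset(key: bytes, records: list) -> list:
    return [scramble_record(key, r) for r in records]
```

Because the mapping is deterministic under one key, a customer appears under the same pseonym in every scrambled table, which is what keeps interface and report testing meaningful offshore.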
Personnel-based security:
Personnel issues are among the factors driving the increase in offshoring, as developed nations face a shortage of skilled IT workers and rising employee costs. At the same time, recent years have seen significant growth in highly skilled IT personnel in several low-cost developing regions, including Eastern Europe, China and especially India. However, many companies worry about the quality and reliability of offshore personnel. A strict policy of background checks and screening of potential candidates should be part of a service provider’s standard procedures. Most providers conduct basic selection and reference checks, but some clients, particularly those in financial services, government and the public sector, have higher personnel-based security requirements. The defense industry, for example, has the most stringent physical and data security sensitivities and compliance demands. In these situations, a third-party agency may be used to carry out additional checks, so that only approved and certified staff work on a client’s projects.
The employee and applicant pre-employment screening process should consist of three steps (see accompanying diagram):
- Verification of educational and professional qualifications
- Verification of employment history
- Public record searches
A third-party agency will use numerous databases to aggregate regulatory, criminal and compliance information from around the region and the world. These may include enhanced “due diligence” database systems that incorporate all the major international proscribed lists (such as the Office of Foreign Assets Control, FBI, UN and terrorism lists), as well as regional databases such as Asian Fraud and Corruption, Asian Money Laundering, Asian Fraud Risk and Asian Stolen Passports.
This approach mitigates the risk that arises from the inaccessibility and inadequacy of centralized criminal record databases in many parts of the world. The checks provide the information needed to weed out potential fraudsters and criminals who might otherwise join the company and gain access to sensitive client data.
Diagram: Employee and Applicant Pre-Employment Screening Process
Denovo Security Measures:
A stringent security audit of the Denovo India facility covered the following aspects:
- Physical and environmental security
- Network security for the secure VPN (Virtual Private Network) tunnel setup
- System build and maintenance
- Access control within the project network and password protection policies
- Project equipment change control
- Communication and operations management
- Personnel security with respect to background verifications by an external agency
- Recruitment and termination policies and processes for Denovo employees
- Business continuity management
- Overall Denovo security measures
On the basis of these measures, we propose that application “build” and system test be delivered from Denovo India. Deliverables include technical design and code for interfaces, forms and reports; system documentation; and unit test results.
A critical aspect of the project involved addressing security issues. For example, real-life data is not part of the build process; the process instead relies on unclassified and/or fictional data, terminal connectivity to the client site via VPN, and unit testing in India using only “approved” data.
All Denovo India team members (onsite and offshore) are security cleared by the external verification agency appointed by the client.