
Protecting the Privacy of Information in Offshore Processing

2008-06-20 From: IAOP

By: International Association of Outsourcing Professionals (IAOP)

One of the biggest assets of IAOP is the wealth of knowledge and experience of its members, individually and collectively. One of my goals, as the newly appointed Managing Director of Thought Leadership, is to harness this knowledge and create a fountain of experience for us all. I have noticed that the IAOP network, when active, is a valuable resource and means for dialog, and I'd like to encourage members to get involved. For some of us more senior people, perhaps we can learn from our kids how to use networking tools to gather information and share knowledge! (The IAOP network tool is only the beginning; think of it as an outsourcing YouTube™ or MySpace™!)

Let me start this dialog with a discussion on the topic of privacy of information and how to protect it. I plan to address this topic in the next two issues and hope that members will pick up the discussion among themselves.

This issue, protecting private information, is receiving tremendous media attention, especially as it concerns the politically hot topic of outsourcing. The truth is that an enormous amount of private information has been shared in offshore agreements for decades. Data entry of private information has been around as long as keypunching has existed. Checks were "keyed in" long before imaging processes existed, airline tickets were data entered prior to computerized "e-tickets", and medical records were input into billing programs before the federal HIPAA was passed. Over the years, much of this work was outsourced, and often outsourced offshore. Caribbean and Central American nations, as well as India, have been destinations for this type of data entry for years. In fact, several giant IT services companies in India got their start by providing just such data entry services. So, is the issue of protecting the privacy of information based on a new threat, or just a new spotlight on the work process?

Before we discuss the protection of privacy of information, let’s briefly examine the legal issues involved.

Privacy Issue – Legal Basis

Privacy protection is widely understood as the right of individuals to control the collection, use and dissemination of personal information that is held by others.

This central principle has been adopted in U.S. law, in privacy laws outside of the United States and in many international agreements such as the 1980 OECD (Organisation for Economic Co-operation and Development) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. The OECD Privacy Guidelines and privacy laws are based on a set of Fair Information Practices that describe the obligations of organizations that collect personally identifiable information and the rights of individuals who provide their personal information.

There are multiple US federal acts that govern the privacy of information:

• Privacy Act of 1974 (5 U.S.C. § 552a)

• Gramm-Leach-Bliley Act (GLBA) of 1999 for financial institutions

• Health Insurance Portability and Accountability Act (HIPAA) of 1996

• Telecommunications Act of 1996 – Section 222 (47 U.S.C. § 222), dealing with Customer Proprietary Network Information (CPNI)

Additionally, the European Union (EU) has enacted data protection law, notably the Data Protection Directive (95/46/EC), which restricts transfers of personal data to countries outside the EU unless they provide an "adequate" level of protection. The so-called "Safe Harbor" framework, negotiated between the European Commission and the U.S. Department of Commerce, allows individual U.S. businesses to self-certify compliance with a set of privacy principles in order to receive personal data from EU member states. Ironically, neither the United States as a whole nor offshore processing destinations such as India and China have been recognized as providing adequate protection under the Directive. Individual businesses, however, have taken steps to comply, through Safe Harbor self-certification or contractual data protection clauses.

Protecting Privacy of Information in an Outsourced Environment

Protecting the privacy of information is the legal obligation of the entity that is collecting and processing the information. If work is outsourced, it is still the legal responsibility of the company outsourcing the work to protect that information. This requires that outsourcing arrangements be structured (legally and process-wise) to assure that the data is properly identified as "private" and that processes are put in place to protect it. In subsequent articles (and, I am hoping, in ongoing dialog through the network), we will examine the best practices in assuring those arrangements. Note that if the service provider is processing information within the US, all applicable US laws extend to that provider as well. This is one of the fundamental tenets of GLBA: its Safeguards Rule requires a financial institution to oversee its service providers and to bind them by contract to protect customer information.

Additional Considerations in an Offshore Outsourced Environment

Since the jurisdiction of US privacy acts does not extend to offshore locations, additional steps must be taken, first legally, and then through effective governance, to extend the principles and practices of these acts to the foreign locations and service providers. The contractual agreement and due diligence must also assure that there are no foreign legal barriers that would prohibit extension of these legal principles to those specific businesses and countries.

Let the dialog begin... In the next issue, I will talk about a framework for managing information, followed by a discussion of the discipline it takes to establish environments where privacy of information is protected.

Framework for protecting Private information

The framework for protecting the privacy of information in an outsourced environment (shown as a figure in the original, not reproduced here) has four elements, the 4 P's: Policy, Processes, Practices and Persistence.

Policy:

A policy must exist that defines the privacy requirements: the data that must be protected and the consequences for not protecting it. This policy will be the basis for the legal agreement between the business and the offshore service provider.

Processes:

Processes must be pre-defined by which the transfer of information will take place and by which the information will be protected while under the control of the service provider. The IT environment, physical security requirements, and workforce background checks are some of the processes that should be defined and made contractually binding for the service provider. Later, as a part of the ongoing governance, these processes must be tested for compliance and weaknesses addressed.

Practices:

Practices are the instructions and procedures that ensure day-to-day compliance with policy in operations. These include ongoing training of new staff and refresher training for team leaders, employees and security staff. Public display of policy and processes also helps ensure that employees are constantly reminded of their responsibilities in securing the work environment and protecting the information available to them.

Persistence:

As in any business, constant vigilance and discipline are important in assuring compliance with policy and processes. Violations must be reviewed and root-cause analysis completed so that the policy, processes and practices are revised for greater effectiveness in protecting the information.

Protection Processes and Practices

The security environment (shown as a figure of concentric circles in the original, not reproduced here) is built in layers, from the outside in: the physical environment, the IT environment, the database environment, and, at the center, the protected information itself. Processes and practices are defined for each layer. Industry best practice has shown that a well-defined structure such as this assures a holistic view of information protection. Creating a secure information environment requires that the processes and practices are defined, and compliance established, from the outer circle inward. In other words, if there is not adequate physical security, it won't matter how tightly the IT environment is built and managed. Due diligence and ongoing governance need to make sure that evaluation and corrective actions are performed starting from the outer circles.

Physical environment

The physical environment covers the center's building and facilities as well as the staff working in the center. The following checklist of items is generally addressed when defining the physical environment:

• Is the center located in a “safe” part of the country and appropriate risk identification/mitigation done for the location and if necessary, included in the business continuity plan? 

• Is the center's physical environment protected through ingress/egress locks, positive identification of everyone entering, and inspection of items being brought in and taken out? Is the physical environment monitored vigilantly 24 hours a day, 365 days a year? Are there provisions made for backup of electricity, water, voice and data connections?

• Are the people working in the center identified through positive proof and have approved reasons to be at the center?  Are their backgrounds checked to the appropriate level of scrutiny based on their job functions and access to private information?  Is there a process to assure that such checks are periodically repeated? 

• Is there a defined, tested and current disaster recovery and business continuity plan for the center and work being done at the center?  Are the plans being tested at least annually – preferably every quarter and corrective actions identified and implemented in a reasonable time period?

IT Environment

The IT environment provides for protection of the systems and data being processed by the service provider, and for how they are integrated into the overall business-processing environment. Checklist items for the IT environment include:

• Is the computing environment designed, approved and maintained according to the requirements of the business and of the information being processed? Are the center's workers properly trained in the use of systems and applications, and aware of the security checks and balances implemented?

• Is the network securely designed and implemented? If required, is the sub-network within the center isolated from the other networks in the center, including a separate wiring scheme? Are there well-defined and managed firewalls, and are the firewall rules and any permitted tunnels through them kept confidential?

• Are the systems, applications, security requirements and procedures for protection defined and documented, and is the center staff trained in them?

• Are there built-in tools, applications and procedures to detect and prevent intrusion and unauthorized use of the systems?

Database Environment

The database environment is designed to provide for easy separation of protected information from other, related information. This is necessary so that the protected information can be handled differently from the rest of the information. For example, if the Social Security number is considered "private" information, the record locator (primary) key must not be the SSN; otherwise every table keyed on it, and effectively the entire database, will have to be classified as "protected" information. The checklist for securing the database includes:

• Does the application provide for application-level, database-level and data-element-level security checking and compliance? Is access designed as multiple password-protected steps, and are the passwords changed periodically (and at unpredictable intervals)?

• Are there adequate protections so that the database cannot be broken into even if the IT environment is somehow compromised?

Protected Information

Protected information must be fully identified and defined, and the required level of security established. In some instances, this information is either scrambled (tokenized or encoded) or masked in the database before being transmitted to the outsourcing service provider for processing.

Checklist:

• Is the information clearly identified as "protected"? Are the related information fields either classified as "protected" as well, or is the relationship structure "scrambled", making it difficult to deduce the protected information from them?

• Is the need for level of masking and/or scrambling pre-defined and programmed in the application?
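The separation described under Database Environment (a surrogate record locator, with the SSN kept apart from the bulk data) and the scrambling/masking in the checklist above, as an added example that is not part of the original IAOP article: the onshore database holds the SSN in its own table keyed by a surrogate ID; the dataset exported to the provider carries only a keyed token and the last four digits; a pre-transmission check confirms no full SSN slipped through; and only the key holder can map a token back to a customer. The table names, the HMAC key, and the sample records (SSNs in the 000 area, which is never issued) are constructed for the example.

```python
"""Separating and pseudonymizing protected fields before offshore transfer.

Added example, not IAOP's code. The schema, key and records below are
constructed for illustration.
"""
import hashlib
import hmac
import re
import sqlite3

# Constructed sample data. Area number 000 is never issued, so these SSNs
# cannot belong to anyone.
SAMPLE_RECORDS = [
    ("Ada Example", "000-00-0001", 1200.50),
    ("Bao Example", "000-00-0002", 85.00),
    ("Cy Example", "000-00-0003", 99999.99),
]

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def build_onshore_db(records=SAMPLE_RECORDS):
    """Create the onshore database (in memory for the example).

    The record locator is a surrogate integer key, and the SSN lives in a
    separate table, so the bulk 'customer' table is not itself 'protected'.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customer (
            customer_id INTEGER PRIMARY KEY,
            name        TEXT NOT NULL,
            balance     REAL NOT NULL
        );
        CREATE TABLE customer_pii (
            customer_id INTEGER PRIMARY KEY REFERENCES customer(customer_id),
            ssn         TEXT NOT NULL
        );
    """)
    for name, ssn, balance in records:
        cur = conn.execute(
            "INSERT INTO customer (name, balance) VALUES (?, ?)", (name, balance))
        conn.execute(
            "INSERT INTO customer_pii (customer_id, ssn) VALUES (?, ?)",
            (cur.lastrowid, ssn))
    conn.commit()
    return conn


def pseudonymize(ssn: str, key: bytes) -> str:
    """Keyed, deterministic token for an SSN (HMAC-SHA256, truncated to 64 bits).

    A plain hash would not do: there are only about a billion possible SSNs,
    so an unkeyed SHA-256 is reversible by enumeration. The key never leaves
    the onshore side, so the provider cannot run that enumeration.
    """
    normalized = ssn.replace("-", "").encode()
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:16]


def export_for_provider(conn, key: bytes):
    """Build the dataset the offshore provider receives: no full SSN, only a
    keyed token (for matching records) and the last four digits (for call
    handling). Related fields travel under the surrogate customer_id."""
    rows = conn.execute("""
        SELECT c.customer_id, c.name, c.balance, p.ssn
        FROM customer c JOIN customer_pii p USING (customer_id)
    """).fetchall()
    return [
        {
            "customer_id": cid,
            "name": name,
            "balance": balance,
            "ssn_last4": ssn[-4:],
            "ssn_token": pseudonymize(ssn, key),
        }
        for cid, name, balance, ssn in rows
    ]


def leaked_ssns(export) -> list:
    """Pre-transmission check: return every string value that still looks
    like a full SSN. Run it on each outbound file; it should return [].
    Assumption: values are flat strings, not nested structures."""
    return [v for row in export for v in row.values()
            if isinstance(v, str) and SSN_RE.search(v)]


def resolve_token(conn, token: str, key: bytes):
    """Onshore re-identification: map a provider-supplied token back to the
    customer_id. Only the party holding the key can do this."""
    for cid, ssn in conn.execute("SELECT customer_id, ssn FROM customer_pii"):
        if hmac.compare_digest(pseudonymize(ssn, key), token):
            return cid
    return None


if __name__ == "__main__":
    key = b"onshore-only-demo-key"  # constructed; in practice held in a KMS/HSM
    db = build_onshore_db()
    out = export_for_provider(db, key)
    assert leaked_ssns(out) == []
    print(out[0])
    print(resolve_token(db, out[0]["ssn_token"], key))
```

The token is deterministic on purpose so the provider can match repeat records for the same customer without ever seeing the SSN; if that linkability is itself sensitive, a random per-record token with an onshore lookup table is the alternative. The last-four field is a business trade-off, not protection: combined with other exported fields it narrows the search space, so it should be included only when the process genuinely needs it.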

Companies have been processing information offshore for many years, and business processes and IT have been successfully outsourced offshore for over two decades. Although there have been some instances of abuse and misuse of protected information, our experience has generally shown that there are very few breaches of privacy in outsourced offshore processing. Outsourcing providers, be they onshore or offshore, are most vigilant when it comes to protecting information and providing for security in general. Protecting their reputation in the marketplace is the main driver for this vigilance. Clients must have trust and confidence in a provider's ability to manage and maintain a secure environment and comply with regulations; the provider's very survival depends upon it. The last thing any provider wants is to have its name splashed across CNN or a newspaper story involving fraud or abuse.

I also believe that, generally, there is a far greater degree of compliance with the 4 P's (Policy, Processes, Practices and Persistence) in offshore centers. This is not just because of concern for reputation but the result of a greater propensity to be disciplined and compliant with rules and laws. Offshore centers generally have a greater commitment to a quality program that requires discipline and continuous compliance with processes and practices. The following are some of the lessons learned we have observed regarding the overall protection of information in an outsourced environment, offshore or onshore:

• Failure to create and maintain a well-defined policy for the protection of information

One of the most important aspects of establishing any discipline is to define the policy at the time of commencement, so as not to create any misinformation and to set appropriate expectations. A key lesson learned has been that offshore service providers often fail to establish a policy, and training based on that policy document, until a client demands such a document or a first violation occurs. Like any important management document, the policy must be reviewed periodically and adjusted for changes that may have occurred.

• Not providing adequate identification of the “protected” information

Even with the establishment of the policy document, employees must have a single source of information where the protected information elements are defined. Sometimes even those providers who have established a policy and training program do not identify which information is "private" and therefore covered under the policy. This defeats the purpose of the policy statement.

Additionally, we have seen cases where there is no visible, identifiable tag on the protected information. Tagging is usually done by marking: color coding for physical documents, and scrambled and/or highlighted fields for digital information.

• Insufficient preparation prior to entering into an agreement and subsequently not defining all of the aspects of security of private information in the contract with the service provider

One of the most common problems identified has been that both businesses and service providers do not spend the required up-front time to define the privacy issues associated with the agreement before entering into a contract. This leaves a lot of opportunity for mishandling the private information and can cause future disputes. Many outsourcing agreements do not adequately address the process by which the private information is identified by the two parties, or the obligation of the two parties to assure that there is a clear definition and acceptance of terms and conditions for handling such information. Often, such items are buried as part of the general security and confidentiality clauses.

• Not conducting a thorough due diligence and performing risk analysis before the contract is completed, so that the contractual provisions can directly address weaknesses and inadequacies in the service provider’s environment

Another lesson learned has been that protection of private information is often not included as part of the due diligence by either businesses or providers. It is difficult to establish a baseline for protection, or to agree on terms of protection, if both parties are not fully aware of the existing conditions and requirements. We have rarely seen a joint risk analysis done by both parties as part of due diligence, with mitigating and avoidance actions included in the transition and/or governance plans.

• Not implementing a governance program that assures periodic evaluation and degree of compliance to all aspects of the information security

Finally, one of the most important lessons learned has been that the governance program must include management of the private information. A solid governance program would include compliance checklists and risk management exercises that cover all anticipated failures in compliance. Since the business impact of mishandling private information is large (much as it is for security and disaster recovery), it should be one of the key aspects of the governance process.

In the three articles on Protecting the Privacy of Information, we have reviewed the requirements for the information that must be protected, a framework for establishing a solid protection program and, finally, some of the lessons learned. Although most service providers (and businesses alike) are taking the protection of private information seriously, not enough investment is made in creating and managing the protection environment. Without this, there will continue to be negative public stories about mishandling of private information, and in some cases it will be attributed to the concept of outsourcing rather than to mismanagement.