DSCI Framework- Pilot Implementation

DSCI Framework- Pilot Implementation. Operational Locations Different project groups Different client Geographies Different services Exposes PI through

Page 1

DSCI Framework- Pilot Implementation

Page 2

Operational Locations

Different project groups

Different client Geographies

Different services

Exposes PI through different means

Privacy Organization

New Project- Exposure to Personal information

Training and Awareness

Report

Visibility over Personal Information

Exposure to different compliance regulations

Regulatory Compliance Intelligence

Privacy Policies, processes

Enforce

Contract, Service Agreement

Guide

Privacy Contract Management

Monitoring & Incident Management

Privacy breach

Detect

Information Usage & Access

Personal Information Security

DSCI Privacy Approach

(Diagram labels: POR, PPP, VPI, RCI, PCM, MIM, PIS, IUA, PAT)

Page 3

(Diagram labels: VPI, PPP, PCM, PIS, PAT, MIM, POR, RCI, IUA; groupings: Personal Information Security; Information Usage & Access, Monitoring & Training)

VPI – Visibility Over Personal Information

POR – Privacy Organization & Relations

PPP – Privacy Policy & Processes

RCI – Regulatory Compliance Intelligence

PCM – Privacy Contract Management

MIM – Privacy Monitoring & Incident Management

IUA – Information Usage & Access

PAT – Privacy Awareness & Training

PIS – Personal Information Security

Privacy Strategy & Processes

DSCI- Privacy Framework

DPF© - DSCI Privacy Framework

Page 4

A NASSCOM® Initiative

What brings the data to you? What the data brings to you?

Business processes that involve transactions with the end customer

Business relationships that involve transactions in the data

Business functions that deal with employee data

Concerns

Retail Business, Customer Services

Business Partners, Retailers

CRM, Sales & Marketing

Outsourcing, Service Agents

HR Management, Finance

Travel Admin

Data Protection requirements

End Customer

Client / Partner

Employee

Governments

Privacy Principles

Technology Measures

Compliance Requirements

Security & Safeguards

Service (MSA) Agreements

Geographical regulations (UK DPA, US California Data Sec)

Vertical specific regulations (HIPAA/HITECH: Health)

Functional regulations (GLBA: Finance Products)

Organizational Measures

DSCI Framework Implementation: Data Centric Approach

Page 5

DC Role for Employee Data Protection

Data Processor Role

Data Controller Role

Data Elements

Data Fields

Data Access Points

Data Operations

Application Access

Underlying Infrastructure

Physical Environment

Personnel security

Client environment

Type of Data: Health, Financial Processing Data

Data Origin: US, California State

Client: xyz

Compliance: MSA, SB 1386, HIPAA/HITECH, GLBA

Client Relations Process Sub-process

Business Functions

Process Sub-process

Business Services

Process Sub-process

Business Process Portfolio

Relationship Portfolio

Business Function Portfolio

DSCI Framework Implementation: Data Centric Approach: Portfolio from Data Perspective

Example

Compliance

MSA Requirements

Geographical regulations

Vertical regulations

Functional regulations

Page 6

Client Relationship, Processes, Sub Processes

Gives insight into the data associated with the process/sub-process

Process Portfolio: Data Perspective

Data View

Data Field, Form, File

View of data in all processes

Access, Process, Transmits, Storage

View of operations performed on the data element

Data Access, Data Env

Client & Offshore Env, Infrastructure Physical Env

View of underlying infrastructure that process data

Compliance

MSA, Geography, Domain Specific, Special Legislation

View of compliance requirements mapped to the Data
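The Process Portfolio slide describes four views per data element (the data itself, the operations on it, the environment it sits in, and the compliance requirements mapped to it). The following is an added example, not code from the DSCI deck or its visibility spreadsheet, of a minimal visibility tool that builds that portfolio per client relationship, process and sub-process; the rule table, the sample records, the process names and the client name "xyz" are constructed for illustration.

```python
# Added example, not from the DSCI deck: a minimal "visibility tool" that builds the
# process portfolio from a data perspective and maps compliance requirements to each
# data element. Rule table, sample records and the client name are constructed.
from collections import defaultdict

# Constructed from the deck's own examples: MSA for every client relationship,
# SB 1386 for California-origin data, HIPAA/HITECH for health, GLBA for financial.
TYPE_RULES = {"Health": "HIPAA/HITECH", "Financial": "GLBA"}
ORIGIN_RULES = {"US, California State": "SB 1386"}
OPERATIONS = {"Access", "Process", "Transmit", "Store"}

def compliance_for(rec):
    """Compliance requirements mapped to one data element record."""
    reqs = ["MSA"] + [TYPE_RULES[t] for t in rec["types"] if t in TYPE_RULES]
    if rec["origin"] in ORIGIN_RULES:
        reqs.append(ORIGIN_RULES[rec["origin"]])
    return reqs

def portfolio(records):
    """Client relationship -> process -> sub-process -> data views (field, ops, env, compliance)."""
    view = defaultdict(lambda: defaultdict(lambda: defaultdict(list)))
    for rec in records:
        bad = set(rec["operations"]) - OPERATIONS   # only the four operation classes are allowed
        if bad:
            raise ValueError(f"unknown operations {sorted(bad)} for {rec['field']}")
        view[rec["client"]][rec["process"]][rec["sub_process"]].append({
            "field": rec["field"], "operations": list(rec["operations"]),
            "environments": list(rec["environments"]), "compliance": compliance_for(rec)})
    return view

def stored_offshore(records):
    """Fields stored in the offshore environment: one granular-risk query over the portfolio."""
    return sorted(r["field"] for r in records
                  if "Store" in r["operations"] and "Offshore" in r["environments"])

# Constructed sample records for the deck's placeholder client "xyz".
SAMPLE = [
    {"client": "xyz", "process": "Claims Processing", "sub_process": "Adjudication",
     "field": "Diagnosis code", "types": ["Health"], "origin": "US, California State",
     "operations": ["Access", "Process"], "environments": ["Client"]},
    {"client": "xyz", "process": "Claims Processing", "sub_process": "Payment",
     "field": "Bank account number", "types": ["Financial"], "origin": "US, California State",
     "operations": ["Transmit", "Store"], "environments": ["Client", "Offshore"]},
]
```

Queries like `stored_offshore` are where the "granular risk map" of the pilot comes from: once every field carries its operations and environments, the risky combinations can be listed rather than guessed.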

Visibility Exercise

Visibility

Vigilance

Coverage & Accuracy

Discipline in defense

Compliance demonstration

Enablers

DSCI Framework: DSF & DPF

DSCI Best Practices

DSCI- Document Ecosystem (Strategic Options, Guidance Notes etc)

Framework Implementation

Strategic, tactical & operational View

DSCI Principles

DSCI Framework Implementation

Identify Problem

Strategic Options

Security Program

Implementation

Operationalization

DSCI Best Practices, DSF & DPF, or any security program (ISO, PCI DSS, etc.)

Page 7

Pilot Implementation

DSCI Contribution

DSCI Approach & Methodology

Visibility tool (spreadsheet)

Data capture guidance

Data analysis & presentation

Phase I: Visibility Exercise

Service Provider Contribution

Identify the function/LOS to be covered, define the sample size

Data capture

Help in data analysis

Create case study

Client relationship portfolio from a data security perspective

Consolidated view of data and underlying environment

Granular risk map, revealing real issues

Risk classification that reveals client as well as SP accountability

Deliverables

Roles & Responsibility

Scope

Scope restricted to a mutually agreed sample size. Depends on the LOBs, the number of client relationships, and the number of processes or sub-processes under each relationship

Future directions & plan

No involvement of third party

Lean exercise, avoiding bulkiness

Enablers

DSCI Best Practices

Data Controller

Data Processor

DSCI Framework - DPF | DSF

Visibility Exercise Tools

Page 8

Brings a data centric approach to security initiatives

Creates a portfolio of business processes from a data perspective

Focuses on scenarios that may lead to a data breach; identifies issues in environments at both the client and the service provider

Reaches the granularity of risks, which helps fix accountability of process and project owners

Revitalizes security operations, compliance and reporting to incorporate data centric elements

Relies on visibility that identifies where the data resides and how it is transacted

Provides assurance over the security of specific data elements in the wake of emerging data protection regulations

Data Centric Approach

Visibility as a fundamental Principle

Portfolios from Data perspective

Granularity of risks

Scenario based evaluation

Revitalization of security operations

Assurance in the wake of regulations

Framework Implementation Benefits

Page 9

Thank You