DSCI Framework- Pilot Implementation
Operational Locations
Different project groups
Different client Geographies
Different services
Exposes PI through different means
Privacy Organization
New Project- Exposure to Personal information
Training and Awareness
Report
Visibility over Personal Information
Exposure to different compliance regulations
Regulatory Compliance Intelligence
Privacy Policies, processes
Enforce
Contract, Service Agreement
Guide
Privacy Contract Management
Monitoring & Incident Management
Privacy breach
Detect
Information Usage & Access
Personal Information Security
DSCI Privacy Approach
[Figure: the nine DPF practice areas, grouped under Privacy Strategy & Processes; Personal Information Security; and Information Usage & Access, Monitoring & Training]
VPI – Visibility Over Personal Information
POR – Privacy Organization & Relations
PPP – Privacy Policy & Processes
RCI – Regulatory Compliance Intelligence
PCM – Privacy Contract Management
MIM – Privacy Monitoring & Incident Management
IUA – Information Usage & Access
PAT – Privacy Awareness & Training
PIS – Personal Information Security
DSCI Privacy Framework
DPF© - DSCI Privacy Framework
A NASSCOM® Initiative
What brings the data to you? What the data brings to you?
Business processes that involve transactions with the end customer
Business relationships that involve transactions in the data
Business functions that deal with employee data
Concerns
Retail Business, Customer Services
Business Partners, Retailers
CRM, Sales & Marketing
Outsourcing, Service Agents
HR Management, Finance
Travel, Admin
Data Protection requirements
End Customer
Client / Partner
Employee
Governments
Privacy Principles
Technology Measures
Compliance Requirements
Security & Safeguards
Service (MSA) Agreements
Geographical regulations (UK DPA, US California Data Sec)
Vertical-specific regulations (HIPAA/HITECH: Health)
Functional regulations (GLBA: Finance Products)
Organizational Measures
Data Centric Approach DSCI Framework Implementation
DC Role for Employee Data Protection
Data Processor Role
Data Controller Role
Data Elements
Data Fields
Data Access Points
Data Operations
Application Access
Underlying Infrastructure
Physical Environment
Personnel security
Client environment
Type of Data
US, California State
Health, Financial Processing
Data Origin
Client: xyz
MSA, SB 1386, HIPAA/HITECH, GLBA
Client Relations Process Sub-process
Business Functions
Process Sub-process
Business Services
Process Sub-process
Business Process Portfolio
Relationship Portfolio
Business Function Portfolio
DSCI Framework Implementation
Data Centric Approach
Portfolio from Data Perspective
Example
Compliance
MSA Requirements
Geographical regulations
Vertical regulations
Functional regulations
Client Relationship, Processes, Sub Processes,
Gives insight into the data associated with the process/sub-process
Process Portfolio: Data Perspective
Data View
Data Field, Form, File
View of data in all processes
Access, Process, Transmits, Storage
View of operations performed on the data element
Data Access Data Env
Client & Offshore Env, Infrastructure Physical Env
View of underlying infrastructure that process data
Compliance
MSA, Geography, Domain Specific, Special Legislation
View of compliance requirements mapped to the Data
Visibility Exercise
Visibility
Vigilance
Coverage & Accuracy
Discipline in defense
Compliance demonstration
Enablers
DSCI Framework: DSF& DPF
DSCI Best Practices
DSCI- Document Ecosystem (Strategic Options, Guidance Notes etc)
Framework Implementation
Strategic, tactical & operational View
DSCI Principles
DSCI Framework Implementation
Identify Problem
Strategic Options
Security Program
Implementation
Operationalization
DSCI Best Practices DSF & DPF or Any Security Program- ISO, PCIDSS, etc.
Pilot Implementation
Roles & Responsibility
DSCI Contribution
DSCI Approach & Methodology
Visibility tool (spreadsheet)
Data capture guidance
Data analysis & presentation
Phase I: Visibility Exercise
Service Provider Contribution
Identify the function / LOS to be covered; define sample size
Data capture
Help in data analysis
Create case study
Deliverables
Client relationship portfolio from data security perspective
Consolidated view of data & underlying environment
Granular risk map, revealing real issues
Risk classification: reveals client, as well as SP, accountability
Scope
Scope restricted to a mutually agreed sample size. Depends on the LOBs to be covered, the number of client relationships, and the number of processes or sub-processes under each relationship
Future directions & plan
No involvement of third party
Lean exercise, avoiding bulkiness
Enablers
DSCI Best Practices
Data Controller
Data Processor
DSCI Framework - DPF | DSF Visibility Exercise Tools
Brings data centric approach in the security initiatives
Creates a portfolio of business processes from data perspective
Focuses on scenarios that may lead to a data breach; identifies issues in the environments at both the client and the service provider
Reaches the granularity of risks, which helps fix accountability of process and project owners
Revitalizes security operations, compliance and reporting to incorporate data-centric elements
Relies on visibility that identifies where the data resides and how it is transacted
Provides assurance over the security of a specific data element in the wake of emerging data protection regulations
Data Centric Approach
Visibility as a fundamental Principle
Portfolios from Data perspective
Granularity of risks
Scenario based evaluation
Revitalization of security operations
Assurance in the wake of regulations
Framework Implementation Benefits
Thank You