Ensuring Security - Enhancing Trust

Our Information Assurance Journey and compliance programs

PSBPSI’s Information Assurance Journey started with the implementation of an ISO 9001 quality management system in December 2002; certification to BS 7799-2:2002, the information security management system standard, followed. We have since migrated to ISO 27001, the international standard that replaced BS 7799-2 and adds further controls and control clauses. We have also undergone a SAS 70 Type II assessment, and Ernst & Young issued a clean Type II report, with no adverse remarks, on our internal controls and information security environment. The figure below illustrates our quality journey.

[Figure: Perot Systems Business Process Solutions India Assurance Journey]

Audits of our information security and compliance practices are performed periodically by our team of internal auditors and subject matter experts. Findings are recorded in an audit application; deviations from the documented procedures are reported as non-conformances (NCs) or opportunities for improvement (OIs).

Reports from this application let us track where each process in the organization stands, not only in complying with the laid-down processes but also in pursuing the transformation agenda mandated by the organization's leadership. As discussed earlier, Perot Systems Business Process Solutions India has implemented best-of-breed information security measures and internal controls, validated first by BS 7799-2:2002 certification, later by ISO 27001 certification, and by a SAS 70 Type II assessment.

ISO 27001 certification for Information Security Management System

Perot Systems Business Process Solutions India operations are certified as compliant with ISO 27001. ISO 27001 is the cross-industry, internationally recognized standard for an organization's information security management system (ISMS). All our offshore facilities and the business process services performed at these centers have been audited and certified as complying with ISO 27001 / BS 7799. The certification covers 11 key information security domains (control clauses), such as access control and human resources security; organizations adopting ISO 27001 are audited for compliance against all 11. BS 7799-2:2002 has evolved into ISO 27001 with a few additional controls, and PSBPSI completed its migration to ISO 27001 on 7 June 2006.

In essence, BS 7799 / ISO 27001 defines an information security risk as any activity or event that threatens the achievement of identified business objectives by compromising the confidentiality, integrity or availability of business information:

Confidentiality

  • Ensuring that information is accessible only to those authorized to have access
Integrity
  • Safeguarding the accuracy and completeness of information and processing methods
Availability
  • Ensuring that authorized users have access to information and associated assets when required

In implementing our ISO 27001 ISMS, we analyzed the regulatory requirements of the insurance, healthcare and other industries we operate in and strove to create a best-practice information security environment that meets or exceeds the norms of those regulatory guidelines. The certification is subject to a surveillance audit every six months.
 
Eleven key control clauses under ISO 27001

The ISO 27001 framework stipulates requirements for compliance across 11 key domains, summarized in the table below:

Key domains under the ISO 27001 Information Security Management System

Domain | Focus area
Information Security Policy | Provides management direction and support for information security
Organization of Information Security | Manages information security within the organization
Asset Management | Identifies assets and protects them appropriately
Human Resources Security | Reduces the risks of human error, theft, fraud or misuse of facilities
Physical and Environmental Security | Prevents unauthorized access to, damage to and interference with business premises and information
Communications and Operations Management | Ensures the correct and secure operation of information processing facilities
Access Control | Controls access to information
Information Systems Acquisition, Development and Maintenance | Ensures that security is built into information systems
Information Security Incident Management | Ensures that a robust incident management process exists, that the causes of incidents are analyzed through root cause analysis, and that a procedure exists for learning from incidents
Business Continuity Management | Counteracts interruptions to business activities and protects critical business processes from the effects of major failures or disasters
Compliance | Avoids breaches of any criminal or civil law, statutory, regulatory or contractual obligations, and any security requirement
 
Information Security Policy

Detailed policies, procedures and guidelines have been compiled in line with ISMS best practices and implemented in our technology environment. The scope and highlights of Perot Systems Business Process Solutions India’s information security policy are given below.

The Information Security Management System covers all critical systems, applications, networks, telecommunication links, human resources and information assets owned and operated from the Perot Systems Business Process Solutions offices at all locations, in relation to all services that support secure sourcing and continuous delivery to our clients. The scope covers and ensures the protection of all information assets, including physical and intellectual property, establishes assurance for organization-wide security across locations, and covers people, process and technology. The ISMS scope includes the assets and operations of Perot Systems BPS at all three locations in Chennai, Tamil Nadu, India.

 

Some of the key policies and operating guidelines pertaining to information security are:

Key Policies and Operating Guidelines under ISMS

  • Removable media access
  • Remote access
  • Protection against hacking
  • Network security
  • Laptop security policy
  • Security of client data
  • Data backup planning
  • Workflow and application software security
  • Folder access audit and review policy
  • Anti-virus policy
  • FTP policy
  • Contingency planning
  • Segregation of duties
  • Return of assets
  • Physical entry controls
  • Change management
 
PSBPSI Information Security management System

PSBPSI has established its Information Security Management System as the framework governing the organization, development and management of all aspects of information security. The program is driven by the information security vision of our leadership and the business requirements of our operations. Perot Systems BPS India adopted BS 7799-2:2002 as the framework for its ISMS and has since migrated to ISO 27001, the new standard for information security.

The key components of our ISMS program include:

  • Asset Identification and Evaluation – All business-critical assets, including our IT infrastructure, systems, server storage and application environment, have been identified, evaluated for their criticality to the performance of our business, and given adequate protective measures.

  • Threat Listing and Classification – A thorough understanding of the security risks in our business environment has been built by constructing scenarios of probable security breaches and examining the likely threats and information security risks. A severity ranking has been assigned to every probable threat, internal and external.

  • Risk Assessment – Assessment of risks naturally precedes the identification and implementation of control requirements. Based on the severity of each threat, the likelihood of its occurrence and its potential impact, the cost of remediating the corresponding security breach has been computed. The PSBPSI information security assessment considers risks from people, process, technology, infrastructure, location/geography and other external sources. Vulnerabilities and threats are mapped to the CIA (confidentiality, integrity and availability) values of the affected assets, and a risk value derived from the probability of occurrence and the impact drives the selection of controls and mitigation measures. Every process owner or custodian periodically assesses the vulnerabilities and threats to the assets they manage.

  • Security Organization – Perot Systems Business Process Solutions India has defined an Information Security Organization to oversee the implementation of controls and the documentation of policies, procedures and practices in accordance with the identified risks and their mitigation. Its key members include the business heads, senior leadership of the India organization, Human Resources heads and media & PR committee members, along with a core group that oversees the governance of information security practices. Detailed organization-wide policies and guidelines, awareness campaigns that educate users about information security risks and control techniques, and testing of controls (ad hoc and periodic) are all responsibilities of the Security Organization.

  • Information Security Policy Formulation – Our Security Organization has formalized an information security policy to address information security risks. The policy references the supporting guidelines, policies and procedures, user responsibilities, the organization structure, and the key committee members and teams with their contact information.

  • Information Security Program and implementation – During the implementation of our BS 7799-based ISMS program, we identified and established objectives for the information security program by evaluating the overall business risks and the ways to mitigate them. Implementation involved raising awareness among every associate in the organization and clearly outlining each associate's responsibilities in the program. The implementation project required process owners to classify their information assets and responsibilities in the context of:

    • Regulatory requirements: how their specific processes are affected by regulatory guidelines, the potential consequences of non-compliance, and the establishment of clear procedures for ensuring compliance.

    • Responsibilities: while every associate took part in the organization-wide awareness campaigns, functional and operational heads were made the direct owners of their respective processes and teams. Care was taken not to appoint the same individuals as both owners and reviewers, to avoid any conflict of interest.

Information Security Environment Implementation

Information Security Leadership organization

Perot Systems Business Process Solutions India has created a team of security experts, internal auditors and a management team to oversee the governance of our security policies, procedures and practices. The operational leadership of PSBPSI is actively involved in the ISMS governing committees.
 
Information Security and Compliance Manager

Our Information Security Manager, Mr. Raman Narasimhan, leads the certification initiative. Mr. Raman brings rich experience in consulting on information security engagements and holds the following certifications and memberships:

  • CISA (Certified Information Systems Auditor)
  • CISM (Certified Information Security Manager)
  • CHFI (Computer Hacking and Forensic Investigator)
  • CFE (Certified Fraud Examiner)
  • ISO 27001 Lead Auditor
  • Member, Institute of Internal Auditors, USA
  • Member, Project Management Institute, USA
  • Member, Business Continuity Institute, UK

Mr. Raman Narasimhan implemented the ISO 27001 controls, and we are certified following assessment by BSI. We have mapped the requirements of HIPAA to the existing, applicable ISO 27001 controls and implemented additional controls and best practices as required for HIPAA Security Rule compliance.

Mr. Raman also initiated and completed the SAS 70 Type II assessment under the AICPA standard. SAS 70 (Statement on Auditing Standards No. 70) is issued by the AICPA, the premier accounting body in the USA, and is a widely recognized global practice for assurance on internal controls.

© 1996-2007 Perot Systems. All rights reserved.