Monday, 25 April 2016

Strategic Models in Outsourcing done by Software outsourcing companies


Outsourcing is considered a way to acquire skilled labor at a lower rate than is available in developed economies. The transfer of manufacturing functions from developed nations such as the United States to developing nations started as far back as 1950. Technological advances have accelerated the ability of firms to procure and source products across the globe.

The concept of outsourcing began when large companies decided to eliminate routine work that could be performed by third parties like software outsourcing companies in India at a lower cost. Initially, many businesses started outsourcing everything except core business activities to other companies within the same national boundaries. But as the global economy started to evolve, businesses in developing countries began offering services to perform functions that companies had been outsourcing domestically. Transferring an organization's internal functions to a foreign country is known as Global Outsourcing, while the entities that are set up to perform these functions are part of what's called offshoring.

Outsourcing Strategies

Generally, two basic models are used in outsourcing strategies: the outsource model and the captive model.

The Outsource Model

Within the outsource model, functions are transferred overseas and performed mostly by third-party providers such as software outsourcing companies. There are two subgroups within the outsource model: information technology outsourcing and business process outsourcing.

• Information technology outsourcing, or ITO, is the transfer of the development and processing of information technology systems such as help desk functions, systems administration, network management and web development.
• Business process outsourcing, or BPO, is the transfer of the management and processes of certain business operations like accounting, human resource functions (in particular payroll processing and health benefits management), and customer service call centers.

ITO transfers do not require an organization to establish a presence in a foreign country since third-party providers normally perform these functions. BPO transfers, however, sometimes require a company to establish an overseas subsidiary in order to control the functions being transferred. In addition to establishing a foreign subsidiary, some companies may opt to invest in an overseas company to which functions are being transferred. An investment of 10% or more in a foreign enterprise is considered direct foreign investment.

The Captive Model

BPO and direct foreign investment form the basis for yet another method — the captive model. Under this model, the software outsourcing company in India establishes a foreign subsidiary, bypassing reliance on a third party. The company maintains control of the operations being transferred, as well as the hiring process and management of the workers performing the work. Because there is less risk for a company in establishing a foreign subsidiary, a larger percentage of global outsourcing follows this method.

Global outsourcing has also caused a ripple effect on labor markets throughout the world. As jobs shift overseas, permanent jobs disappear, giving way to an increase in part-time, temporary and freelance workers.

When a business decides to enter the global outsourcing market, a number of factors contribute to that decision. These include, but are not limited to, risk, cost and market opportunity.

Risk

Some of the risks involved in outsourcing are geopolitical and economic. In certain "hot spot" areas where there is a great deal of conflict and political turmoil, transferring functions to those regions can pose a threat to the health and safety of employees as well as to the economic well-being of the organization. The terrorist attacks on certain subsidiaries of oil companies and service providers in Saudi Arabia are evidence of geopolitical risk, just as the nationalization of the oil industry in Venezuela is evidence of economic risk. Other risk factors that a business must consider are quality of service, loss of operational control, and the security of data and stored information.

Cost

In addition to understanding the risks associated with a particular outsource market, organizations must also consider the cost of outsourcing and must be familiar with foreign wage structures before outsourcing work to software outsourcing companies. To be sure, there are skilled workers in many areas of the world who are willing to work for lower wages than workers in the U.S., but as companies tap into these markets, competition eventually results in turnover as workers in those markets seek higher wages. Other costs include infrastructure costs, taxes and regulatory fees. Finally, a company needs to determine market opportunity and identify those countries that provide workers in its particular industry. A skilled workforce and established infrastructure will allow a company to expediently bring products and services to market without sacrificing quality. Conversely, a company also needs to be ready to cease the operation in the event that demand for the outsourced product or service declines.

Market Opportunity

Before entering a global outsourcing market, a business needs to determine what types of products and services are best suited for outsourcing. When global outsourcing first came into play, the production of labor-intensive products and manufactured goods was transferred abroad. At the time, labor-intensive products and manufactured goods were some of the only products that could be produced more efficiently by outsourcing companies in those countries. However, as time went on, advancements in the overseas economies and technologies made it possible to outsource products and services that required more advanced technology and know-how. This constant shifting and advancement allows for the creation and emergence of other outsource markets that specialize in different types of production. For example, consumer goods and textile manufacturing were some of the first products to be outsourced to China. However, as that market matured and economic development expanded, China as well as other Asian markets became outsource locations for products and services that required more advanced technology. In particular, electronic components, telecommunications equipment, microchips, and computer boards were produced in China, Taiwan and Hong Kong. This left the textile and other labor-heavy markets for other countries where such products could be produced in a similarly efficient manner.

Hence, outsourcing has become a billion-dollar industry, and software outsourcing companies opt for different strategies when outsourcing. These are the major strategies adopted by companies around the world.

Courtesy: Bhavesh Bulchandani

Sunday, 24 April 2016

Managing Cyber Security Risks for Software Outsourcing Companies in Third Party Contracts


Currently the corporate world focuses on curbing data breaches, but the element that many companies overlook from the point of view of cyber security is their relationship with third-party vendors and contractors such as software outsourcing companies in India. The current trends of outsourcing in today’s rapidly evolving global economy have raised a whole new set of risk management concerns for companies in various industries. It is evident that most of these data breaches result from a third-party relationship: cybercriminals exploit vulnerabilities in the third party’s network and thereby gain access to the company’s confidential information. Recent examples of such exploitation can be traced to the cyber-attacks at Goodwill, Bank of America, AT&T, AutoNation and Lowe’s. The loss is not limited to money; it also costs customer confidence, creating prolonged reputational damage.

A number of reports show that the rate of breaches linked to outside contractors is alarming. According to a 2013 PwC report, 63% of global data breaches were traced to a third-party element in the company’s administration. The report further states that only 32% of organizations required their third-party vendors to comply with the company’s cyber security policies. Other alarming findings were that 69% of companies were unable to produce an accurate record of where their data was stored, and 74% did not have a complete inventory of the third-party suppliers that handle employee and customer data. These statistics are enough to show that the loopholes left behind are far too many for an attacker to exploit.

A company might have a very well designed cyber security policy internally, but when it comes to dealing with third-party providers such as outsourcing companies there is a clear tendency to let these strict guidelines loosen a little. A company cannot afford to take matters of such intensity lightly. Thus, it is of the utmost importance to hold third-party entities to the same set of cyber security standards and protocols that form part of the company’s internal security framework.

The Importance of Third-Party Management Agreements:

This is an important aspect of the third-party risk management process, as it puts in place the right contractual and governance protections required when engaging any supplier. The agreement is known as a Service Level Agreement (SLA) and is considered one of the essential tools for mitigating a company’s risk. When under contract with third-party vendors, one must clearly define the security procedures and policies to be complied with during the tenure of the contract. Liability and indemnification provisions that correspond to the value of the data must also be included. A company must consider not only how third parties manage cyber security, but also how its relationship with service providers such as software outsourcing companies will expose data and increase risk for itself.

There are certain ways to increase the effectiveness of SLAs:
An organization should include detailed security assessments and involve internal cyber security experts, which helps it gain an understanding of the supplier’s processes and security tools and identify any gaps or vulnerabilities in the process. To judge how capable a supplier is, one should analyze how the supplier handled past cyber security incidents and what steps it took to improve its operations. To keep the process glitch-free, an effective SLA must focus on key elements such as:
• Information security
• Information privacy
• Definition and analysis of specific threats and risks
• Compliance requirements range
• Enforcement mechanisms
• Foreign corrupt practices management
• Internal audit and monitoring terms

Any SLA requires the contractor to comply with relevant regulations, and it also needs to be specific regarding the timeframe for reporting a data breach to the company. The terms and conditions must be stated explicitly so that no misunderstanding takes place regarding the company’s expectations and requirements. There should also be a provision in the contract to accommodate new laws and regulations that may take effect during the tenure of the agreement.

Taking Responsibility for Third-Party Risk

Many companies do not have in-house staff with the necessary expertise to properly assess the vulnerabilities of networks, systems and databases, or to negotiate SLAs with third-party contractors. The responsibility for ensuring the safety of cyber security assets lies with the company that hires the third party, not with the software outsourcing company. Some regulations hold the service provider liable, but the principal company should not assume this from the start and must plan accordingly.

When dealing with such risks, one must have a system that allows the company to address security with suppliers on both an individual and a case-by-case basis. Response to security incidents should be given the utmost priority, and strategic decisions should be made keeping in mind their impact on the overall cyber security risk management program.

Summarizing, outsourcing has become a billion-dollar industry, but many companies neglect the cyber security risks associated with it. This article discusses the management of such risks, which a company should take into consideration before entering into a contract with a software outsourcing company in India.
Being aware and proactive will help ensure that the risk associated with software outsourced to software outsourcing companies is kept to a minimum.

Courtesy: Bhavesh Bulchandani

Wednesday, 20 April 2016

Case Study : Success in Outsourcing done by Software outsourcing companies


Case Overview:

Unilever Europe and IBM joined hands in 2005 to create a centralized “One Unilever” finance organization using the intelligent technology, asset-based process solutions and global delivery capabilities that IBM possessed. The motive behind optimizing the finance process was to simplify, standardize, unify and ultimately transform global operations, a goal shared by organizations like software outsourcing companies. This solution enhanced the quality of, control over and access to information for Unilever Europe, contributing to annual savings of EUR 700 million.

About Unilever:

Unilever, with operations in about 100 countries spanning five continents, is considered to be one of the world’s most respected and recognized brands, generating annual revenue of more than EUR 44 billion. Unilever manages 500 individual brands across 14 categories and employs more than 167,000 people. Unilever Europe accounts for 32% of Unilever’s global business and employs 32,000 staff. The company’s motive has always been to help people feel good and look good, adding vitality to their lives.

Why Outsourcing?

Unilever Europe needed to make operational changes as it was facing soft top-line revenues and an elevated cost structure. Unilever Europe had become a loose federation of business groups operating across 24 countries, each using multiple ERP systems. This impeded growth, as there were many different finance and accounting processes.
In 2005, the leadership team decided to integrate these different business units into a single, unified pan-European organization. To achieve this, it needed to implement the necessary systems and framework.

Aspects considered while Outsourcing:

The diversity of cultures, policies and languages across Europe was a challenge that could make the process complex, as were the varying levels of technology in the business units, ranging from advanced systems to outmoded paper-based ones, a situation familiar to outsourcing companies. The company went ahead with a bold move, implementing a total business transformation initiative called “One Unilever” and setting an aggressive timeline of two years. As the company needed to implement all components at the same time rather than sequentially, a road map was developed for each activity to be carried out over this period.

How did they implement?

With the initiative in place, the company began looking for the right service provider. As it wanted to complete the work on a strict timeline, it decided on an outsourcing model rather than a “stepping-stone” approach. The leadership team believed that this would present less risk than in-sourcing, and it started to look for partners, such as software outsourcing companies in India, that had a track record of helping large companies transform their business, as this would help it achieve the expected results more quickly. Most importantly, it was looking for a partner with a like-minded culture, as this would make the transformation process smoother.
Unilever Europe believed that IBM could provide the expertise, experience and technology the project required. IBM came up with a rigorous project management methodology and a “one team” transition strategy, which played a part in winning the company’s trust and helped IBM secure a 7-year contract.

Both companies collaborated to establish standardized financial processes and systems and to integrate these processes into the company’s single ERP, which would give it more control and transparency over its operations.
The benefits from this partnership were as follows:
• Improved efficiency in finance processes
• Business processes got standardized with a common ERP across Europe
• Significant cost and operating savings
• Pan-European service management gave access to high-quality information for decision making and continuous improvement
• More focus on its core competencies, helping it pursue brand and growth initiatives
• Faster and more direct access to benefits related to economies of scale

Success Factors:

IBM developed an intelligent finance strategy that was broad in scope, scale and speed. It developed business cases country by country, which called for rigorous management of individual situations and their associated costs. IBM rolled out business process services on a three-tier delivery model from its facilities in Poland, Portugal, Bangalore and Manila in the Philippines.
The company started implementing this in a small number of countries and, after successful implementation, extended it to a larger number. Both parties made adjustments as the processes progressed, ensuring buy-in from the various business groups, which included mid-level and upper-level IT managers and management. Key stakeholders were asked to visit the Poland and Bangalore centers, where a video helped them understand the advantages of the project. This helped Unilever Europe understand that transforming its financial processes and outsourcing them to a software outsourcing company was critical to the success of the larger initiative.

Collaborating with Unilever Europe, IBM implemented innovative and intelligent technology to enable a more globally integrated enterprise. The outsourcing agreement between Unilever Europe and its outsourcing partner empowered Unilever Europe to meet its goals for the “One Unilever” initiative on an aggressive timeline. The company transformed itself into a more responsive, globally integrated enterprise with enhanced channels designed for better and faster decision making as well as continuous performance and cost improvements.
Thus, IT plays a strategic role in the business performance of an organization such as a software outsourcing company. However, deployment of strategic IT systems involves a high degree of risk, and outsourcing such services further increases that risk. Using a case study approach, this article has identified the success factors involved in outsourcing.

Courtesy: Bhavesh Bulchandani

Tuesday, 19 April 2016

Safety Training – An Essential Investment for any Software outsourcing company - Part 2


Case Study for an Efficient Safety Training Program:

“Efficient safety training” is a phrase developed unofficially by the Occupational Safety and Health Administration (OSHA), the government labor agency of the United States. OSHA has played a major role in bringing out many standards and regulations that affect the lives of employees of organizations such as software outsourcing companies. As per OSHA, an effective safety training program must cover areas such as:

• Preventing accidents and promoting safety within an organization
• Compliance with safety standards
• Response at time of emergency
• Protecting personal equipment
• Following safety practices
• Demonstrating use of equipment and machinery
• Workplace hazards
• Employee engagement

OSHA follows a safety model with certain guidelines:
• Examining the need for training
• Analyzing training needs
• Identifying goals and objectives
• Developing learning activities
• Conducting the training
• Evaluating program effectiveness
• Improving the program
• Aligning training with job tasks

Why is safety training so important?

Everybody agrees that attaining 100% safety is unachievable and that a certain amount of risk remains. To mitigate this, providing the employees of an outsourcing company with the right information through health and safety courses can significantly reduce the chances of an accident or incident.

Apart from the moral reasons for providing a safe place of work, one also needs to look at the legal and financial issues associated with health and safety. Virtually every country in the world has health and safety legislation in place designed to protect people at work. A software outsourcing company needs to understand this legislation and comply with it, or else it runs the risk of being fined. In a grave situation, those in charge of the company could also face criminal charges for failing to comply with the legislation, which could cause customers to lose trust in the company. From a financial point of view, not only can the company be fined, but a worker who is injured at work may also sue for compensation. For such reasons the price of health and safety training can be just a fraction of these costs, making it a sound investment.

When injuries occur frequently, employees may be off work due to illness or injury, causing a drop in output and impacting the firm's profitability. The employees will receive sick pay while they are off work, but the organization might need to bring in temporary workers to provide cover, which incurs additional recruitment costs.

Benefits of safety training:

• Reduces accidents and protects employees from injury and illness, saving the company lost time and diminished productivity.
• Increases employee job satisfaction, motivation and morale.
• Less turnover

How to calculate ROI?

Calculating the ROI of worker safety training is a complex task. It is important because it answers questions such as:
• Is your employee training effective?
• Are employees well trained to act at the time of an emergency?
• If you don’t invest in training, will an employee unknowingly put himself and potentially others at risk?

There are many ways to calculate how the money being invested in safety is being put to work. Whether you are using an employee learning management system, investing in company-specific online course development, or investing in expensive off-site classroom training for important theory courses, the formula that helps you calculate your safety training return on investment remains the same. The formula for calculating ROI is:

ROI (per cent) = (Net Monetary Savings / Training Costs) x 100, where net monetary savings are the monetary savings minus the training costs

Assume that as a result of a new safety training program, an organization's accident rate declines 10 percent, yielding a total annual savings of $200,000 in terms of lost workdays, material and equipment damage, and workers' compensation costs. If the training program costs $50,000 to implement, the ROI would be 300 percent.

ROI = ((200,000 – 50,000) ÷ 50,000) x 100 = 300%

So in this example, for every $1 spent on training, the organization gained a net benefit of $3.

To get the figures for ROI analysis, keep track of training costs, including the cost of design and development, promotion and administration, delivery (staff or technology), materials and training facilities, trainee wages, and training evaluation for an organization like an outsourcing company. And after training, keep track of monetary benefits, including labor savings, reduction in lost workdays and workers' compensation costs, productivity increases, and lower turnover costs.

Summarizing this, having your employees receive regular health and safety training will give them the knowledge and awareness to be safe in the workplace whilst they go about their duties. This article describes how safety training reaps benefits if invested in a right way for an organization such as a software outsourcing company in India.

Effective employee safety programs provide a means for businesses to comply with state and federal regulatory requirements, reducing the concern over exposure to fines and legal sanctions. The benefits can be listed as: increased profitability, productivity and savings, potential costs and intangible returns. A software outsourcing company in India should think of its business and must evaluate the need of safety and match the training to that business need by thorough process of discovery, design, development, implementation, and execution for results.

Courtesy: Bhavesh Bulchandani

Safety Training – An Essential Investment for any Software outsourcing company - Part 1


Look around the office. Now imagine that one of the power points accidentally catches fire in an organization like an outsourcing company. What will you do next? How do you expect your employees to react in such a situation? Is there a fire extinguisher in the vicinity on the premises?

It is only at the time of an emergency that one realizes what the company has missed out on. “Safety Training” is one of the things that an outsourcing company in India must prioritize while strategizing its business. In most businesses it has been noted that health and safety troubles cause unaccounted losses every year. This is especially true for SMEs, which not only depend on their human resources but also have limited financial resources to spend. Recent research shows that a positive attitude towards workplace safety relates to better performance through increased productivity and lower costs, which ultimately results in higher profitability.

Most individuals do not realize the importance of safety training in workplace environment of a software outsourcing company as they claim that this is more of common sense rather than acquired knowledge, which is actually true. But observe your mind losing its ability to think rationally in such an emergency. You might know where the extinguishers are placed but that does not matter if one does not know how to use it efficiently. For such purposes, “Safety Training” is important.

Safety Training deals with training the individuals as how to react at time of emergency and equipping one with confidence and skill to think, process and act quickly and efficiently. A proper safety training program equips an individual with hands-on training to familiarize with safe practices so that one does not fumble at time of emergency in the premises of a software outsourcing company.

Thus, Safety training and awareness should be considered as a long-term investment for any business. Software outsourcing companies in India should have a portion of yearly budget allocated towards safety training as that will be less costly than paying off the expenses for frequent damage repairs. For an unbiased implementation of this one must appoint an external expert who will analyze the workplace with a fresh perspective and fill in the safety gaps appropriately.

Monday, 18 April 2016

Disaster Recovery v/s Business Continuity Planning for Software Outsourcing Companies in India


Disaster recovery and business continuity planning are separate but related concepts. In fact, disaster recovery is part of business continuity. Disaster recovery (DR) concerns the recovery of the technical components of your business, such as computers, software, the network, data, and so on. Business continuity planning (BCP) includes disaster recovery along with procedures to restore business operations and the underlying functionality of the business infrastructure needed to support the business of an organization such as a software outsourcing company, along with the resumption of the daily work of the people in your workplace. Business continuity planning is vital to keeping your business running and to providing a return to “business as usual” during a disaster. DR and BCP professionals work together to ensure the recoverability and continuity of all aspects of an organization that are affected by an outage or security event. A disaster is defined generally by DRI International as a “sudden, unplanned calamitous event causing great damage or loss” or “any event that creates an inability on an organization’s part to provide critical business functions for some predetermined period of time.” With this general definition in mind, the disaster recovery planner or business continuity professional would sit down with all the principals in the organization and map out what would constitute a disaster for that organization. This is the initial stage of creating a business impact analysis (BIA), which is an important input into the planning of service reliability and resumption.

When you put together a disaster recovery plan, you need to understand how your organization’s information technology (IT) infrastructure, applications, and network support the business functions of the enterprise you are recovering. The business continuity professional is more concerned with the business functions that the employees of an enterprise, such as an outsourcing company, perform than with the underlying technologies. In order to figure out how the business can resume normal operations during a disaster, the business continuity professional needs to work with each business unit as closely as possible. This means they need to meet with the people who make the decisions, the people who carry out the decisions in the management team, and finally the “worker bees” who actually do the work.

There are four main components of business continuity planning, each of which is essential to the whole BCP initiative:

• Plan initiation
• Business impact analysis or assessment
• Development of the recovery strategies
• Rehearsal or exercise of the disaster recovery and business continuity plans.

Each business unit should have its own plan. An organization such as a software outsourcing company in India as a whole needs to have a global plan, encompassing all the business units. There should be two plans that work in tandem: a business continuity plan (recovery of the people and business function) and a disaster recovery plan (technological and application recovery).

Another important element of disaster recovery and business continuity planning is an awareness program. The business continuity or disaster recovery professional can meet with each business unit to hold what are known as “tabletop” exercises. These exercises are important, because they actually get the members of the business unit to sit down and think about a particular event and how to first prevent or mitigate it, and then how to recover from it. The event can be anything from a category 3 hurricane to workplace violence. Any work stoppage can potentially impede the progress of an organization’s recovery or resumption of services, and it is up to the management team to design or develop a plan of action or a business continuity plan. The business continuity or disaster recovery professional must facilitate this process and make the business unit aware that there are events that can bring the business to a grinding halt.

Backups may be used for complete system restoration, but they can also allow you to recover the contents of a mailbox, for example, or an “accidentally” deleted document. Backups can be extended to saving more than just digital data. Backup processes can include the backup of specifications and configurations, policies and procedures, equipment, and data centers. However, if the backup is not good, or is too old, or the backup media is damaged, then it will not fix the problem. Just having a backup procedure in place does not always offer adequate protection.

Traditional Backup Methods:

In the traditional backup process, data is copied to backup media, primarily tape, in a predictable and orderly fashion for secure storage both onsite and offsite. Backup media can thus be made available to restore data to new or repaired systems after failure. In addition to data, modern operating systems and application configurations are also backed up. This provides faster restore capabilities and occasionally may be the only way to restore systems where applications that support data are intimately integrated with a specific system.

Backup Policy

Software outsourcing companies can obtain many benefits from backing up as a regular part of IT operations:

• Cost savings: It takes many people-hours to reproduce digitally stored data. The cost of backup software and hardware is a fraction of this cost.
• Productivity: Users cannot work without data. When data can be restored quickly, productivity is maintained.
• Increased security: When backups are available, the impact of an attack that destroys or corrupts data is lessened. Data can be replaced or compared to ensure its integrity.
• Simplicity: When centralized backups are used, no user needs to make a decision about what to back up.

To summarize: individuals in the IT world are often unclear about the difference between disaster recovery and business continuity planning. This article describes the underlying difference between the two and some precautions that a software outsourcing company must undertake in planning for both.

Courtesy - Bhavesh Bulchandani

Regulation in India for Information Security in Software Outsourcing Companies in India - Part 2


Future Objectives:

On July 2nd, 2013, the Indian government released its ambitious National Cyber Security Policy 2013 (Ministry of Communication and IT, 2013). Of notable interest, the policy puts forward 14 different objectives, including the development of 500,000 skilled cybersecurity professionals over the following five years. Other objectives include designating a national agency to coordinate all cybersecurity matters and the creation and operation of a National Critical Information Infrastructure Protection Center. Further objectives include improving international cooperation in fighting cybersecurity threats and upgrading education and training programs in cybersecurity. Further objectives support the designation of a Chief Information Security Officer for all private and public organizations, such as software outsourcing companies, and the development of a dynamic legal framework to address cybersecurity concerns in areas such as cloud computing, mobile computing, and social networking. These targets are viewed as challenging by the Indian Minister of Communications and Information Technology, Kapil Sibal, but are necessary to "ensure there is no disruption of the kind that will destabilize the economy."


Law enforcement agencies are encouraged under the Act to pursue cybercrimes. As required under the Act, a corporate entity such as a software outsourcing company is to be held liable for damages if any sensitive information that it holds, manages, or handles causes wrongful loss or gain to any person. Civil penalties for such damages can reach up to USD $954,938, while damages paid in a civil suit may exceed this amount. Illegal disclosure of information can result in criminal fines of up to USD $9,557 and/or up to 3 years imprisonment.

To summarize: information security in the IT industry is of utmost importance, as it plays a huge part in protecting an organization's assets. There is no formula for 100% security, so a set of benchmarks is needed to ensure an adequate level of security is attained. This article lists the various regulations that apply to information security in software outsourcing companies in India.

India has long been a nation with a strong business foundation, and its e-commerce industry is growing quickly. Until recently, most of its legislation dealt with secure business practices; however, the rules set in 2011 mark a significant day for personal data protection in India. The Indian government has recognized that cyber security is critical to maintaining its infrastructure, and its future objectives show that it is heading in the right direction.

India gives solid definitions of what it considers personal data and sensitive personal data, and recent laws provide for the protection of such data. While many of the laws and regulations state that personal data must be protected, there are still no laws setting out any specific technical guidelines for securing such data in a software outsourcing company in India.

Regulation in India for Information Security in Software Outsourcing Companies in India - Part 1


India at present has the 2nd largest population in the world with 1,236,344,631 citizens (July 2014) (Source: CIA, 2014), and continues to struggle with development and is therefore termed a "third world" nation. Currently India's information technology industry is in a progressive stage which has seen an increase in the number of cyber attacks. To counter these, the Indian government has begun implementing standards and regulations for software outsourcing companies in this area over the last few years to combat security issues and strengthen internet security. The first Indian legislation was introduced in 2000, called the Information Technology Act. It was a first attempt to update old laws and provide new means to fight cyber crimes. It has since been amended in 2008. Besides these acts, many other guidelines and advisories have begun to appear in India, many closely following European standards on information security.

Information Technology Act, 2000:

The first act specifically dealing with information technology, this bill aimed to furnish India with a legal foundation for the e-business of software outsourcing companies in India. While the act does not go into detail about information security or data protection, the cyber laws stated within have had an extensive effect on e-businesses and the Indian economy since their implementation, and further served as a framework for future internet and data protection regulations. The IT Act of 2000 also gave the legal structure for the handling and exchange of records and other activities carried out by digital means. As reported by the Gazette of India (2000), the following are some of the highlights of the Act:

The first few chapters of the Act concentrate on digital signatures. Chapter two provides that any user can authenticate an electronic record by affixing their digital signature to the record. Likewise, the chapter elaborates that verification of electronic records can be done by means of the public key of said user. Further chapters go on to the legal recognition of digital signatures, as well as specifying various provisions for the issuing of Digital Signature Certificates. Chapter nine details the penalties and adjudication for various cyber offences. The penalty for damage to computers and computer systems (etc.) is settled by compensating affected parties up to a maximum of 1 million Rupees (or $164,370 USD). In relation, chapter 11 discusses offences that ought to be investigated by law enforcement agencies. These offences include computer hacking, tampering with computer records, or publishing obscene electronic information. Chapter ten of the Act creates the Cyber Regulations Appellate Tribunal. The Act further provides for the constitution of the Cyber Regulations Advisory Committee, whose objective is to advise the government with respect to any regulations or related functions associated with the Act. While this act strongly concentrates on digital signatures and penalties for cyber offences, it does not speak specifically on information security and data protection.

IT (Amendment) Act, 2008:   

This amendment complements the Information Technology Act of 2000. The Gazette of India (2009) reported that the amendment further refined the definition of information to include "data, message, text, images, sound, voice, codes, computer programmes, software and databases or micro film or computer generated micro fiche". It also set out to define reasonable security practices, strengthen data protection, and provide measures to keep cyber intruders in check. The main focus of this law is to protect sensitive personal information by making the organizations, such as software outsourcing companies in India, that process, deal with, and handle the information liable for causing wrongful loss or wrongful gain to any person.

Information Technology Rules, 2011:

Complementing India's 2008 IT Act amendment, the 2011 Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules were implemented to limit how organizations like software outsourcing companies can deal with personal information. They establish far-reaching accountability measures for any company/organization that "collects, receives, possesses, stores, deals, or handles" personal information. The introduced accountability measures require organizations to place restrictions on the processing of sensitive personal information and the transfer of data internationally, to provide privacy policies, and to take other security measures. Many of these new rules closely follow the European Union data protection laws; however, they pose roadblocks for India's numerous outsourcing vendors and their customers. A summary of the new obligations follows (Gazette of India, 2011).

Limitations on Data Collection and Processing: Companies must inform individuals that their information is being collected at the point of initial collection. They must also be informed of the purpose for which the information is being collected, the intended recipients of the information, and the contact details for both the collecting organization and the receiving agency. Further, restrictions are put in place with respect to the processing of the information for secondary purposes, limiting the data to be processed only for its original purpose.

Definition of Personal Data: Closely resembling China's definition of personal data, India's personal data is defined as any data that relates to a natural person and is capable of identifying that person, or may be combined with other information that a business or organization may use or obtain.

Definition of Sensitive Personal Data: Closely following the European Union data protection law, sensitive personal data includes information related to passwords, financial information, health information (physical, physiological, mental, medical, biometric) and sexual orientation. It further states that if the information is publicly available or can be accessed via the public domain, the data is excluded from this definition.

Extra Restrictions for Sensitive Personal Data: Before sensitive data can be processed, the processor must obtain written consent from the given individual, either by letter, fax, or email.

Security: This obligation states that an enterprise such as a software outsourcing company must comply with reasonable security practices. It further states that an organization must document its comprehensive information security program, including policies to cover "managerial, technical, operational, and physical control measures" related to its information assets and its type of industry. It also states that if an organization suffers a security breach, it must demonstrate that it has fulfilled its documented security control measures. On the other hand, similar to Brazil, there are no set requirements to report data security breaches.

While these new rules tighten data security and information security, they are very broad and are not specific on how to secure information. The rules do state, however, that any organization that implements International Standard IS/ISO/IEC 27001 or an approved industry code of practice is in compliance with reasonable security practices and procedures as long as its security controls are audited yearly. Further clarifications from the Indian government stated that outsourcing companies located elsewhere are exempt from these new privacy regulations.

Thursday, 14 April 2016

Regulation Compliance for Information Security in Software Outsourcing Companies - Part 2


Other regulations followed globally by software outsourcing companies are:

Health Insurance Portability and Accountability Act (HIPAA):

This act came into effect in 1996 with its main intent being improvement in the efficiency and effectiveness of the health care system. It includes, among its various components, privacy and security rules. The rules focus on Protected Health Information (PHI) and electronic PHI (ePHI) gathered in the healthcare process and mandate the standardization of electronic transactions, code sets, and identifiers. Recognizing that electronic technology could erode the privacy of health information, the law also incorporates provisions for guarding the security and privacy of personal health information. It does this by enforcing national standards to protect:

• Individually identifiable health information, known as the Privacy Rule.
• The confidentiality, integrity and availability of electronic protected health information, known as the Security Rule.

The complete suite of rules is known as the HIPAA Administrative Simplification Regulations. It is administered by The Centers for Medicare & Medicaid Services and The Office for Civil Rights. There are five parts to HIPAA's Administrative Simplification Statute and Rules:
1. Electronic Transaction and Code Sets Standards: Requires every provider who does business electronically to use the same health care transactions, code sets and identifiers. This rule is administered by The Centers for Medicare & Medicaid Services.
2. Privacy Rule: Provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. The rule permits the disclosure of personal health information needed for patient care and other important purposes. This rule is administered by the Office for Civil Rights.
3. Security Rule: Specifies a series of administrative, physical and technical safeguards for covered entities to use to assure the confidentiality, integrity and availability of electronic protected health information. This rule is administered by the Office for Civil Rights.
4. National Identifier Requirements: Requires that health care providers, health plans and employers have standard national numbers that identify them on standard transactions. This rule is administered by The Centers for Medicare & Medicaid Services.
5. Enforcement Rule: Provides standards for enforcing all the Administration Simplification Rules.

The Federal Information Security Management Act (FISMA):

This act was enacted in 2002 to promote computer and network security for the information and information systems within the U.S. federal government, and also for parties such as government contractors that manage them, by mandating yearly audits. With FISMA in place, the federal government began to focus on cyber security for outsourcing companies, which had previously been neglected. FISMA recommends that an effective security program must include:
• Risk assessment at periodic intervals
• Addressing policies and procedures based on the risk assessments
• Subordinating plans for information security for networks, facilities, etc.
• Information Security awareness program for employees
• Periodic testing and evaluation of the effectiveness of IS policies, procedures, practices and controls on a yearly basis
• Defining process to detect, report and respond to security incidents.
• Planning to ensure continuity of operations.

Payment Card Industry Data Security Standard (PCI-DSS):

The Cardholder Information Security Program (CISP) was instituted by Visa USA and MasterCard International. Mandated since June 2001, the program is intended to protect cardholder data—wherever it resides—ensuring that members, merchants, software outsourcing companies and service providers maintain the highest information security standard. Using the Payment Card Industry (PCI) Data Security Standard as its framework, CISP provides the tools and measurements needed to protect against cardholder data exposure and compromise across the entire payment industry. The PCI Data Security Standard consists of 12 basic requirements supported by more detailed sub-requirements.

To summarize: information security in the software outsourcing industry is of utmost importance, as it plays a huge part in protecting an organization's assets. There is no formula for 100% security, so a set of benchmarks is needed to ensure an adequate level of security is attained for a software outsourcing company in India. This article lists the various regulatory compliance requirements that apply to information security.

The after-effects of not being regulatory compliant in the software outsourcing industry are complex, and there is no alternative but to face them. A lot of precious time and effort can be saved by becoming familiar with the laws and by bringing in specialists who can put together a plan combining regulatory compliance and IT security. Most importantly, regulatory compliance translates into plain old good IT security practices.

Regulation Compliance for Information Security in Software Outsourcing Companies - Part 1


The revolution in Information Technology has brought a wealth of benefits, but it has also increased the concern that personal information is not being protected. The alarming speed at which private information is being accessed, used and shared without permission has caused worries in the top management of software outsourcing companies regarding the possibility of identity theft and other unauthorized uses of information. Earlier, outsourcing companies in India believed in self-regulation, implementing good security practices as the way to protect personal information, especially information in digital format. With the IT boom in the latter part of the twentieth century, a sector-wise approach to information security regulation started gaining favor in the different industry domains.

Thus, from a software outsourcing company’s perspective, compliance has emerged as one of the greatest challenges. To keep in tune with regulatory compliance audits, policies are a requisite for any organization, as sensitive data related to the enterprise is always at risk of being compromised. It has therefore become of utmost importance to secure sensitive information by establishing network security processes and meeting the guidelines of the regulatory bodies applicable to the concerned industry domain. Examples of regulatory compliance are PCI DSS, FISMA, GLBA, SOX, ISO 27001 and HIPAA, which require organizations to monitor their network in real time, ensure high levels of security are attained for their confidential assets, and provide network compliance audit reports to auditors when demanded. An organization must comply with the regulatory compliance audit guidelines, as any compromise of the regulatory standards can result in severe penalties.

The main intention behind these regulations is protecting the three pillars of information security, i.e., the CIA triad: confidentiality, integrity, and availability of information, which impacts the stakeholders of the software outsourcing company in India. Compliance with these laws can be achieved by:
• Establishing and implementing controls
• Maintaining, protecting, and assessing issues related to compliance
• Identifying vulnerabilities and mitigating them
• Producing reports to ensure the organization's compliance

Some of the major regulations which are followed globally have been discussed below:

Sarbanes-Oxley:

The Sarbanes-Oxley Act of 2002 (SOX) was enacted in response to corporate scandals. The most prominent aspect of this act from an IT perspective is Section 404, which requires that the annual reports of public companies include an end-of-fiscal-year assessment of the effectiveness of internal control over financial reporting. The section also requires that the outsourcing company's independent auditors attest to and report on this assessment. The assessment of financial controls has been extended into the IT space on the opinion of the Public Company Accounting Oversight Board (PCAOB), a private-sector, non-profit entity created by SOX to oversee the auditors of public companies. This extension of financial controls into the IT space has provided the required impetus for IT controls.
The Act is organized into 11 titles:
1. Public Company Accounting Oversight
2. Auditor Independence
3. Corporate Responsibility
4. Enhanced Financial Disclosures
5. Analyst Conflicts of Interest
6. Commission Resources and Authority
7. Studies and Reports
8. Corporate and Criminal Fraud Accountability
9. White-Collar Crime Penalty Enhancements
10. Corporate Tax Returns
11. Corporate Fraud Accountability

Gramm-Leach-Bliley Act:

The Financial Services Modernization Act of 1999, better known as the Gramm-Leach-Bliley Act (GLBA), protects the privacy and security of individually identifiable financial information collected, held, and processed by financial institutions. The privacy component requires financial institutions to provide their customers with an annual notice of their privacy practices and to allow customers to choose not to share such information. The safeguards component requires that financial institutions establish a comprehensive security program to protect the confidentiality and integrity of the private financial information in their records. Recommendations for audit were produced by the Federal Financial Institutions Examination Council (FFIEC), an interagency group comprised of five of the eight major financial regulatory agencies. There are three principal parts to the privacy requirements: the Financial Privacy Rule, the Safeguards Rule and pretexting provisions.

The Financial Privacy Rule: Requires financial institutions to give customers privacy notices that explain its information collection and sharing practices. In turn, customers have the right to limit some sharing of their information. Financial institutions and other software outsourcing companies that receive personal financial information from a financial institution may be limited in their ability to use that information.

The Safeguards Rule: Requires all financial institutions to design, implement and maintain safeguards to protect the confidentiality and integrity of personal consumer information.
Pretexting provisions: Protect consumers from individuals and outsourcing companies that obtain their personal financial information under false pretenses, including fraudulent statements and impersonation.