Showing posts with label outsourcing company in India. Show all posts

Monday, 12 September 2016

Benefits of BYOD in the classroom


Today’s generation of students is different from previous generations. They keep their mobile devices on them at all times and expect connectivity all the time. Therefore, as our culture continues to become more and more gadget dependent, BYOD (bring your own device) in schools becomes BYOD in education, and it is inevitable. There is going to be a wave of devices arriving at the school wireless network, whether software companies in India like it or not. Times are changing, and education and the software developed by software development companies must change with it.

Here are some benefits of implementing BYOD in classroom:

1) Workforce ready students

Today’s students are growing up in a world that is becoming increasingly tech-addicted. We use our mobile devices for just about every task we do these days. Today’s students will likely be using mobile devices in their future vocations, so why not instill in them the tools they will be working with in the future? It provides a chance to teach courteous and appropriate use of mobile devices, which they will be using when they grow up to become future professionals. The whole point of education is to prepare them for their future.

2) Teamwork becomes easier

With BYOD technology in the classroom, students can easily team up on projects and even with students from other schools. Group effort is the key to engagement in today’s classrooms.

3) Learning outside the school walls

Students spend many hours outside the school on their mobile devices, so why not use that as an advantage? Let them use these devices as engaging learning tools in the classroom. Then they can simply bring their homework, educational games, projects, books, etc. with them, and everything they need to continue learning outside the school can be accessed with a swipe of the finger.

4) Personalised instruction

BYOD provides a chance for personalised education. Teachers can use media to cater to the different learning needs of the students. Then all students can learn and shine at their own pace.

5) Cost Saving

Although BYOD is really about delivering education in innovative ways, saving money isn’t a bad objective to have additionally. With the students using their own mobile devices as classroom technology, schools can save some serious money on technology costs. Schools nowadays spend a fortune trying to keep up with all the latest and updated technology that can be used for education these days. So let students bring in their latest technology in the classroom and remove that burden from schools.

6) Gamification

It’s an old saying that ‘video games make children dumb’, but apparently there are all sorts of new games these days, and parents and teachers actually encourage video game playing. There’s an app and a game for everything these days that makes learning a fun and exciting experience.

7) Education becomes more interactive

BYOD allows students to use their own devices in the classroom to make learning more fun and interactive than ever before. Students can interact with students and subject matter experts in other countries, create a digital scavenger hunt or take virtual field trips. The possibilities are endless, and students love it.

8) Increased Engagement

Students these days live for technology. So it only makes sense to use their love for technology in the classroom if we really want to get them engaged.

9) Student and Teacher exchange the roles

BYOD changes the entire learning and teaching model. With the technology they are using for BYOD, students can have more command over their own learning. They can raise questions and do research instead of just listening to a lecture from the teacher.

10) eBooks

In the real world, things and information are constantly changing. By the time most textbooks reach the classroom, the information contained in them is considered outdated. BYOD allows students access to the latest and updated information available through ebooks and digital textbooks. Many digital textbooks also offer interactive aspects. Also, students can easily carry them around and access them whenever they want.

Conclusion
By acknowledging that smartphones, tablets, and laptops are realistic components in the lives of every human being, and by openly and actively accepting the exploratory use of these tools for education, we are opening the door for our students that leads to the core of the 21st century experience. Software development companies should consider this view while developing new generation software.

Wednesday, 24 August 2016

BDaaS - Big Data as a Service

The terms software as a service, platform as a service and infrastructure as a service are known to cloud enthusiasts. Now, by combining the data used by each of these in a software outsourcing company in India and upscaling the amount of data involved, the term we arrive at is Big Data as a Service.

What is BDaaS?

BDaaS is a term used to describe the varieties of outsourcing of Big Data functions. This can range from the supply of data, to the supply of analytical tools through which actual analysis can be performed by interrogating the data, to the provision of reports. Some vendors have BDaaS packages which include consulting and advisory services provided by them.

Why is BDaaS useful?

There are many advantages of outsourcing or virtualizing your analytics activities which involve huge datasets.

The fame of Hadoop has to some extent made Big Data usable for all – anyone can use cheap off-the-shelf hardware and open source software to analyse data, if they invest time and resources effectively in learning how to do so. However, money is being spent up front on components and infrastructure for most commercial Big Data initiatives. 

Also, on top of upfront costs, storing and managing huge amounts of information requires an ongoing investment of time and resources for a software outsourcing company. When you use BDaaS, all of the techy “nuts and bolts” are, theoretically, out of sight and out of mind, giving you ample time for concentrating on business issues.

BDaaS providers often leave this decision making to the customer – the providers have everything set up and ready to go – and the customer simply rents the use of their cloud-based storage and analytics engines and pays either for the time they used these or the amount of data crunched. BDaaS vendors often take on the cost of complying with the standards and policies as well as data protection. When the data is stored on their servers, they are often held responsible for it.

(Twitter, 2016) usage statistics on IBM’s Analytics for Twitter service, which provides businesses with access to data and analytics on Twitter’s 5000 lakhs tweets per day and 2800 lakhs monthly active users. The service provides analytical tools and applications for deriving information from that unorganized, unstructured data and has trained 4,000 consultants to help businesses convert plans into action to profit from them.

The arrival of Apple’s Watch – the device that will bring consumer wearables into the workplace – will doubtlessly bring with it a plethora of new BDaaS apps. They will soak up the data from the assumed millions of people who will soon be using it for functions ranging from monitoring their heart rate to arranging their social calendar to remote controlling their home entertainment. Apple and IBM have just announced their collaboration on a big data health platform too.

In the area of sales and marketing, BDaaS is increasingly playing its role, too. A large number of software outsourcing companies now offer customer profiling services, including Acxiom – the biggest seller of direct marketing data. By applying analytics to the huge amount of personal data they collect, they can more effectively profile people as consumers and hand their own customers potential leads.

Amazon’s AWS and Google’s AdSense & AdWords are some of the known services that would also fall under this category. They are all used by thousands of SMBs to host data infrastructure and to target their marketing at relevant places where potential customers could be lurking.

Conclusion

The term ‘Big Data as a Service’ may be rather clumsy and inelegant, but the concept is not. As more and more software outsourcing companies realise the value of implementing Big Data strategies, more services will emerge to support them. Data analysis brings positive change to any firm that takes it earnestly, and this includes smaller scale operations which have neither the expertise nor the budget to develop that expertise themselves.

Integrating analytics into working in a virtualized environment is the next step. Big Data projects are viable now for many businesses that previously would have considered them out of reach.

Bibliography

Twitter. (2016, March 31). Twitter usage. Retrieved from Twitter: https://about.twitter.com/company

Monday, 25 April 2016

Strategic Models in Outsourcing done by Software outsourcing companies


Outsourcing is considered as a way to acquire skilled labor at a lower rate than it is available in developed economies. The transfer of manufacturing functions from developed nations like the United States to developing nations started way back in 1950. Technological advances have accelerated the ability of firms to procure and source products across the globe.

The concept of outsourcing began when large companies decided to eliminate routine work that could be performed by third parties like software outsourcing companies in India at a lower cost. Initially, many businesses started outsourcing everything except core business activities to other companies within the same national boundaries. But as the global economy started to evolve, businesses in developing countries began offering services to perform functions that companies had been outsourcing domestically. Transferring an organization's internal functions to a foreign country is known as Global Outsourcing, while the entities that are set up to perform these functions are part of what's called offshoring.

Outsourcing Strategies

Generally, there are two basic models used in outsource strategies: The outsource model and the captive model.


The Outsource Model

Within the outsource model, functions are transferred overseas and performed mostly by third-party providers such as software outsourcing companies. There are two subgroups within the outsource model: Information technology outsourcing and business process outsourcing.

• Information technology outsourcing, or ITO, is the transfer of the development and processing of information technology systems such as help desk functions, systems administration, network management and web development.
• Business process outsourcing, or BPO, is the transfer of the management and processes of certain business operations like accounting, human resource functions (in particular payroll processing and health benefits management), and customer service call centers.

ITO transfers do not require an organization to establish a presence in a foreign country since third-party providers normally perform these functions. BPO transfers, however, sometimes require a company to establish an overseas subsidiary in order to control the functions being transferred. In addition to establishing a foreign subsidiary, some companies may opt to invest in an overseas company to which functions are being transferred. An investment of 10% or more in a foreign enterprise is considered direct foreign investment.


The Captive Model

BPO and direct foreign investments form the basis for yet another method — the captive model. Under this model, the software outsourcing company in India establishes a foreign subsidiary, bypassing reliance on a third party. Under this model, a company maintains control of the operations being transferred, as well as the hiring process and management of the workers performing the work. Because there is less risk for a company to establish a foreign subsidiary, a larger percentage of global outsourcing occurs following this method.

Global outsourcing has also caused a ripple effect on labor markets throughout the world. As jobs shift overseas, permanent jobs disappear, giving way to an increase in part-time, temporary and freelance workers.

When a business decides to enter the global outsourcing market, there are a number of factors that contribute to that decision. These include, but are not limited to: Risk, cost, and market opportunity.

Risk

Some of the risks involved in outsourcing are geopolitical and economic. In certain "hot spot" areas where there is a great deal of conflict and political turmoil, transferring functions to these regions can pose a threat to the health and safety of the employees as well as the economic well-being of the organization. The terrorist attacks on certain subsidiaries of oil companies and service providers in Saudi Arabia are evidence of the geopolitical risks, just as the nationalization of the oil industry in Venezuela is evidence of economic risk. Other risk factors that a business must consider are quality of service, loss of operations control and security of data and stored information.

Cost

In addition to understanding the risks associated with a particular outsource market, organizations must also consider the cost of outsourcing and must be familiar with foreign wage structures before outsourcing the work to software outsourcing companies. To be sure, there are skilled workers in many areas of the world who are willing to work for lower wages than workers in the U.S., but as companies tap into these markets, competition eventually results in turnover as workers in those markets seek higher wages. Other costs include infrastructure costs, taxes and regulatory fees. Finally, a company needs to determine market opportunity and identify those countries that provide workers in their particular industry. A skilled workforce and established infrastructure will allow a company to expediently bring products and services to a market without sacrificing quality. Conversely, a company needs to also be ready to cease the operation in the event that the demand for the outsourced product or service declines.


Market Opportunity

Before entering a global outsourcing market, a business needs to determine what types of products and services are best suited for outsourcing. When global outsourcing first came into play, the production of labor-intensive products and manufactured goods was transferred abroad. At the time, labor-intensive products and manufactured goods were some of the only products that could be produced more efficiently by outsourcing companies in those countries. However, as time went on, advancements in the overseas economies and technologies made it possible to outsource products and services that required more advanced technology and know-how. This constant shifting and advancement allows for the creation and emergence of other outsource markets that specialize in different types of production. For example, consumer goods and textile manufacturing were some of the first products to be outsourced to China. However, as that market matured and economic development expanded, China as well as other Asian markets became outsource locations for products and services that required more advanced technology. In particular, electronic components, telecommunications equipment, microchips, and computer boards were produced in China, Taiwan and Hong Kong. This left the textile and other labor-heavy markets for other countries where such products could be produced in a similarly efficient manner.

Hence, outsourcing has become a billion dollar industry and many software outsourcing companies opt for different strategies while outsourcing. Here we will discuss the major strategies adopted by the companies over the world.

Courtesy: Bhavesh Bulchandani


Sunday, 24 April 2016

Managing Cyber Security Risks for Software Outsourcing Companies in Third Party Contracts


Currently the corporate world focuses on curbing data breaches, but the element that many companies overlook from a cyber security standpoint is the relationship with third-party vendors and contractors such as software outsourcing companies in India. The current trend of outsourcing in today’s rapidly evolving global economy has raised a whole new set of risk management concerns for companies in various industries. It is evident that most of these data breaches result from the involvement of a third-party relationship. Cybercriminals exploit vulnerabilities in a third party’s network, thus gaining access to the company’s confidential information. Current examples of such exploitation can be traced to incidents at Goodwill, Bank of America, AT&T, AutoNation and Lowe, where cyber-attacks took place. The loss is not limited to finances but also erodes customer confidence, creating prolonged reputational damage.

A number of reports show that the number of breaches linked to outside contractors is alarming. As per a 2013 PwC report, 63% of global data breaches were traced to a third-party element in the company’s administration. The report further states that only 32% of the organizations emphasized that third-party vendors comply with the company’s cyber security policies. Other alarming facts were that 69% of the companies were unable to produce an accurate record of the places at which their data was stored and 74% did not have a complete inventory of the third-party suppliers that handle employee and customer data. These statistics show how many loopholes are left behind for a cyber-attacker to exploit.

A company might have a very well designed cyber security policy internally, but when it comes to dealing with third-party providers like outsourcing companies there is a clear tendency to let these strict guidelines loosen a little. A company cannot afford to take matters of such importance lightly. Thus, it is of utmost importance to hold third-party entities to the same set of cyber security standards and protocols that are part of the company’s internal security framework.

The Importance of Third-Party Management Agreements:

This is an important part of the third-party risk management process, as it puts in place the contractual and governance protections required when engaging with any supplier. This agreement is known as a Service Level Agreement (SLA) and is considered one of the essential tools for mitigating a company’s risk. A contract with a third-party vendor must clearly define the security procedures and policies to be complied with during the tenure of the contract. Liability and indemnification provisions that correspond to the value of the data must also be included. A company must consider not only how third parties manage cyber security but also how the relationship with service providers such as software outsourcing companies will expose data and increase risk for itself.

There are certain ways to increase the effectiveness of SLAs:
An organization must include detailed security assessments and involve internal cyber security experts, which helps it gain an understanding of the supplier’s processes and security tools. This also helps in identifying any gaps or vulnerabilities existing in the process. To know how efficient a supplier is, one must analyze how the supplier handled past cyber security incidents and what steps it took to improve its operations. To have a glitch-free process, an effective SLA must focus on key elements such as:
• Information security
• Information privacy
• Definition and analysis of specific threats and risks
• Compliance requirements range
• Enforcement mechanisms
• Foreign corrupt practices management
• Internal audit and monitoring terms

Any SLA requires the contractor to comply with relevant regulations, and it also needs to be specific regarding the timeframe for reporting a data breach to the company. The terms and conditions must be stated explicitly so that no misunderstanding takes place regarding the company’s expectations and requirements. There should also be a provision in the contract to accommodate new laws and regulations that may take effect during the tenure of the agreement.

Taking Responsibility for Third-Party Risk

Many companies do not have in-house staff with the necessary expertise to properly assess the vulnerabilities of networks, systems and databases or to negotiate SLAs with third-party contractors. The responsibility for ensuring the safety of cyber security assets lies with the company that hires the third party and not with the software outsourcing company. There are some regulations that hold the service provider liable, but the principal company should not start from a preconceived notion and must plan accordingly.

When dealing with such risks one must have a system that allows the company to address security with suppliers on both an individual and a case-by-case basis. Response to security incidents should be dealt with utmost priority and strategic decisions should be made keeping the impact on overall cyber security risk management program.

Summarizing this, outsourcing has become a billion dollar industry but many companies neglect the cyber security risks associated with it. This article discusses the management of such risks that a company should take into consideration before getting into a contract with a software outsourcing company in India.
Being aware and proactive will help in ensuring that the risk associated with your software outsourced to software outsourcing companies is kept to a minimum.

Courtesy: Bhavesh Bulchandani

Wednesday, 20 April 2016

Case Study : Success in Outsourcing done by Software outsourcing companies


Case Overview:

Unilever Europe and IBM shook hands in 2005 to create a centralized “One Unilever” finance organization using intelligent technology, instrument asset based process solutions and global delivery capabilities that it possessed. The motive behind optimizing the finance process was to simplify, standardize, unify and ultimately transform the global operations of organizations like software outsourcing companies. This solution enhanced quality, control and access to information for Unilever Europe, which contributed to annual savings of EUR 700 million.

About Unilever:

Unilever, with operations in about 100 countries spanning five continents, is considered to be one of the world’s most respected and recognized brands, generating annual revenue of more than EUR 44 billion. Unilever manages 500 individual brands across 14 categories, employing more than 167,000 people. Unilever Europe has 32% of Unilever’s global business, employing 32,000 staff. The company’s motive has always been to help people feel good and look good, adding vitality to their lives.

Why Outsourcing?

Unilever Europe needed to make operational changes as it was facing soft top-line revenues and an elevated cost structure. Unilever Europe had become a loose federation of business groups operating across 24 countries as all of them were using multiple ERP systems. This impeded their growth as there were many different finance and accounting processes.
In 2005, the leadership team made a decision to integrate these different business units into a single, unified Pan-European organization. To achieve this, it needed to implement the systems and framework.

Aspects considered while Outsourcing:

The diversity of cultures, policies and languages across Europe was a challenge which could make the process complex and even the varying levels of technologies that existed in the business units ranging from advanced to outmoded paper-based systems for these outsourcing companies. The company went ahead with a bold move implementing a total business transformational initiative called “One Unilever” and set an aggressive timeline of two years. As the company needed to implement all components at the same time and not sequentially, a road map was developed for each activity that would be carried out over this period.

How did they implement?

With the initiative in place, the company began looking for the right service provider. As the company wanted to complete the work on a strict timeline, it decided to go for an outsourcing model rather than taking a “stepping-stone” approach. Its leadership team believed that this would present less risk than in-sourcing, and it started to look for partners like software outsourcing companies in India that had a track record of helping large companies transform their business, as this would help it achieve the expected results quicker. Most importantly, it was looking for a partner which had a like-minded culture, as this would make the transformation process smoother.
Unilever Europe believed that IBM could provide the expertise, experience and technology which the project required. IBM came up with a rigorous methodology for project management and a “one team” transition strategy, which played a part in gaining the company’s trust and helped it win a 7-year contract.

Result:

Both companies collaborated to establish standardized financial processes and systems and to integrate these processes into the company’s single ERP, which would give it more control and transparency in its operations.
The benefits from this partnership were as follows:
• Improved efficiency in finance processes
• Business processes got standardized with a common ERP across Europe
• Significant cost and operating savings
• Pan-European service management gave access to high quality information for decision making and continuous improvement
• More focus on its core competencies helping them make brand and growth initiative
• Faster and more direct access to benefits related to economies of scale

Success Factors:

IBM developed an intelligent finance strategy which was broad in scope, scale and speed. It developed business cases country by country, which called for rigorous management of individual situations and the costs associated with them. IBM rolled out business process services on a three-tier delivery model from its facilities in different locations: Poland, Portugal, Bangalore and Manila in the Philippines.
The company started implementing this in small number of countries and with the successful implementation transferred it to a larger number. Both parties made adjustments with the progress of the processes by ensuring buy-in by various business groups which included the mid-level and upper level IT managers and the management. Key stakeholders were asked to visit the Poland and Bangalore centers where a video would help them understand the advantages of the project. This helped Unilever Europe understand that transformation of its financial processes and outsourcing this to a software outsourcing company was critical to the success of the larger initiative.

Collaborating with Unilever Europe, IBM implemented innovative and intelligent technology to enable a more globally integrated enterprise. This outsourcing agreement between these and the outsourcing company empowered Unilever Europe to meet its goals for the “One Unilever” initiative on an aggressive timeline. The company transformed itself into a more responsive, globally integrated enterprise with enhanced channels designed for better and faster decision making as well as continuous performance and cost improvements.
Thus, IT plays a strategic role in the business performance of an organization such as a software outsourcing company. However deployment of strategic IT systems involves a high degree of risk and outsourcing such services further increases the risk. Using a case study approach, the success factors that are involved in outsourcing will be identified.

Courtesy: Bhavesh Bulchandani

Tuesday, 19 April 2016

Safety Training – An Essential Investment for any Software outsourcing company - Part 2



Case Study for an Efficient Safety Training Program:

Efficient safety training is a phrase that was unofficially developed by the Occupational Safety and Health Administration (OSHA). OSHA is the government labor organization of the United States. OSHA has played a major role in bringing out many standards and regulations which have affected the lives of employees of organizations such as software outsourcing companies. As per OSHA, an effective safety training program must include areas such as:

• Preventing accidents and promoting safety within an organization
• Compliance with safety standards
• Response at time of emergency
• Protecting personal equipment
• Following safety practices
• Demonstrating use of equipment and machinery
• Workplace hazards
• Employee engagement

OSHA follows a safety model with certain guidelines:
• Examining the need for training
• Analysing Training Needs
• Identification of Goals and Objectives
• Developing learning activities
• Conducting the training
• Evaluating program effectiveness
• Improving the program
• Aligning training with job tasks.

Why is safety training so important?

Everybody agrees to the fact that attaining 100% safety is unachievable and there remains a certain amount of risk. To mitigate this, providing the employees of an outsourcing company with the right information on health and safety courses can significantly reduce the chances of an accident or incident.

Leaving aside the moral reasons for providing a safe place of work, one also needs to look at the legal and financial issues associated with health and safety. Virtually every country in the world has health and safety legislation in place which is designed to protect people at work. A software outsourcing company needs to understand this legislation and comply with it, or else the company runs the risk of being fined. In the event of a grave situation, those in charge of the company could also face criminal charges for failing to comply with the legislation, which could be a major spoilsport and make customers lose trust in the company. Looking at this from a financial point of view, not only can the company be fined, but a worker who is injured at work may also sue for compensation. For such reasons the price of health and safety training can be just a fraction of this cost, making it a sound investment.

When injuries occur frequently, employees may be off work due to illness or injury, which will cause a drop in output, impacting the firm's profitability. The employees meanwhile will receive sick pay when they are off work, but an organization might need to get temporary workers to provide cover, which would incur additional recruitment costs.

Benefits of safety training:

• Reduces accidents and protects employees from injuries and illness, saving the company lost time and diminished productivity.
• Increases employee job satisfaction, motivation and morale.
• Less turnover

How to calculate ROI?

Calculating the ROI of worker safety training is a complex task. It is important to work this out because it tells you about various aspects, such as:
• Whether or not your employee training is effective?
• Are employees well trained to act at time of emergency?
• If you don’t invest in the training, will one employee unknowingly put himself and potentially others at risk? 

There are an infinite number of ways to calculate how the money being invested in safety is being put to work. Whether you’re using an employee learning management system, investing in company-specific online course development, or investing in expensive off-site classroom training for important theory courses, the formulas that help you calculate your safety training return on investment remains the same. The formula for calculating ROI is:

ROI (per cent) = ((Monetary Savings – Training Costs) / Training Costs) x 100

Assume that as a result of a new safety training program, an organization's accident rate declines 10 percent, yielding a total annual savings of $200,000 in terms of lost workdays, material and equipment damage, and workers' compensation costs. If the training program costs $50,000 to implement, the ROI would be 300 percent.

ROI = ((200,000 – 50,000) ÷ 50,000) x 100 = 300%

So in this example, for every $1 spent on training, the organization gained a net benefit of $3.

To get the figures for ROI analysis, keep track of training costs, including the cost of design and development, promotion and administration, delivery (staff or technology), materials and training facilities, trainee wages, and training evaluation for an organization like an outsourcing company. And after training, keep track of monetary benefits, including labor savings, reduction in lost workdays and workers' compensation costs, productivity increases, and lower turnover costs.

To summarize, giving your employees regular health and safety training provides them with the knowledge and awareness to be safe in the workplace while they go about their duties. This article describes how safety training pays off when it is invested in the right way by an organization such as a software outsourcing company in India.

Effective employee safety programs provide a means for businesses to comply with state and federal regulatory requirements, reducing the concern over exposure to fines and legal sanctions. The benefits can be listed as: increased profitability, productivity and savings, potential costs and intangible returns. A software outsourcing company in India should consider its business, evaluate its need for safety, and match the training to that business need through a thorough process of discovery, design, development, implementation, and execution for results.

Courtesy: Bhavesh Bulchandani

Safety Training – An Essential Investment for any Software outsourcing company - Part 1

Look around the office. Now imagine that one of the power points accidentally catches fire in an organization like an outsourcing company. What will you do next? How do you expect your employees to react in such a situation? Is there a fire extinguisher anywhere on the premises?

It is only in an emergency that one realizes what the company has missed out on. “Safety Training” is one of the things that an outsourcing company in India must prioritize while strategizing its business. In most businesses it has been noted that health and safety troubles cause unaccounted losses every year. This is especially true for SMEs, which not only depend on their human resources but also have limited financial resources to spend. Recent research proves that a positive attitude towards workplace safety relates to better performance through increased productivity and lower costs, which ultimately results in higher profitability.

Most individuals do not realize the importance of safety training in the workplace environment of a software outsourcing company, claiming that it is more a matter of common sense than acquired knowledge, which is actually true. But consider how the mind loses its ability to think rationally in an emergency. You might know where the extinguishers are placed, but that does not matter if you do not know how to use them efficiently. For such purposes, “Safety Training” is important.

Safety training teaches individuals how to react in an emergency and equips them with the confidence and skill to think, process and act quickly and efficiently. A proper safety training program gives an individual hands-on familiarity with safe practices, so that one does not fumble in an emergency on the premises of a software outsourcing company.

Thus, safety training and awareness should be considered a long-term investment for any business. Software outsourcing companies in India should allocate a portion of the yearly budget to safety training, as that will be less costly than paying for frequent damage repairs. For an unbiased implementation, one must appoint an external expert who will analyze the workplace with a fresh perspective and fill in the safety gaps appropriately.

Thursday, 14 April 2016

Regulation Compliance for Information Security in Software Outsourcing Companies - Part 2

Other regulations followed globally by software outsourcing companies are:

Health Insurance Portability and Accountability Act (HIPAA):

This act came into effect in 1996, with its main intent being to improve the efficiency and effectiveness of the health care system. It includes, among its various components, privacy and security rules. The rules focus on Protected Health Information (PHI) and electronic PHI (ePHI) gathered in the healthcare process and mandate the standardization of electronic transactions, code sets, and identifiers. Recognizing that electronic technology could erode the privacy of health information, the law also incorporates provisions for guarding the security and privacy of personal health information. It does this by enforcing national standards to protect:

• Individually identifiable health information, known as the Privacy Rule.
• The confidentiality, integrity and availability of electronic protected health information, known as the Security Rule.

The complete suite of rules is known as the HIPAA Administrative Simplification Regulations. It is administered by The Centers for Medicare & Medicaid Services and The Office for Civil Rights. There are five parts to HIPAA's Administrative Simplification Statute and Rules:
1. Electronic Transaction and Code Sets Standards: Requires every provider who does business electronically to use the same health care transactions, code sets and identifiers. This rule is administered by The Centers for Medicare & Medicaid Services.
2. Privacy Rule: Provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. The rule permits the disclosure of personal health information needed for patient care and other important purposes. This rule is administered by the Office for Civil Rights.
3. Security Rule: Specifies a series of administrative, physical and technical safeguards for covered entities to use to assure the confidentiality, integrity and availability of electronic protected health information. This rule is administered by the Office for Civil Rights.
4. National Identifier Requirements: Requires that health care providers, health plans and employers have standard national numbers that identify them on standard transactions. This rule is administered by The Centers for Medicare & Medicaid Services.
5. Enforcement Rule: Provides standards for enforcing all the Administrative Simplification Rules.


The Federal Information Security Management Act (FISMA):

This act was enacted in 2002 to promote computer and network security for information and information systems within the U.S. federal government, and for parties such as government contractors that manage them, by mandating yearly audits. With FISMA in place, the federal government was made to focus on cyber security, including for outsourcing companies, which had previously been neglected. FISMA recommends that an effective security program must include:
• Risk assessment at periodic intervals
• Policies and procedures based on the risk assessments
• Subordinate plans for information security for networks, facilities, etc.
• Information Security awareness program for employees
• Periodic testing and evaluating effectiveness of IS policies, procedures, practices and controls on a yearly basis
• Defining process to detect, report and respond to security incidents.
• Planning to ensure continuity of operations.

Payment Card Industry Data Security Standard (PCI-DSS):

The Cardholder Information Security Program (CISP) was instituted by Visa USA and MasterCard International. Mandated since June 2001, the program is intended to protect cardholder data—wherever it resides—ensuring that members, merchants, software outsourcing companies and service providers maintain the highest information security standard. Using the Payment Card Industry (PCI) Data Security Standard as its framework, CISP provides the tools and measurements needed to protect against cardholder data exposure and compromise across the entire payment industry. The PCI Data Security Standard consists of 12 basic requirements supported by more detailed sub conditions.

To summarize, information security in the software outsourcing industry is of utmost importance, as it plays a huge part in protecting its assets. There is no formula for 100% security, so there is a need for a set of benchmarks to ensure that an adequate level of security is attained for a software outsourcing company in India. This article lists the various regulatory compliances that are available for information security.

The after-effects of not being regulatory compliant in the software outsourcing industry are complex, and there is no option but to face them. A lot of precious time and effort can be saved by becoming familiar with the laws and by bringing in specialists who can work out a plan combining regulatory compliance and IT security. Most importantly, regulatory compliance translates into plain old good IT security practices.

Regulation Compliance for Information Security in Software Outsourcing Companies - Part 1

The Information Technology revolution has brought a host of benefits to us, but it has also increased the concern that personal information is not being protected. The alarming speed at which private information is being accessed, used and shared without permission has caused worries in the top management of software outsourcing companies regarding the possibility of identity theft and other unauthorized uses of information. Earlier, outsourcing companies in India believed in self-regulation, implementing good security practices as the way to protect personal information, especially information in digital format. With the IT boom in the latter part of the twentieth century, a sector-wise approach to information security regulation started gaining favor in the different industry domains.

Thus, from a software outsourcing company’s perspective, compliance has emerged as one of the greatest challenges. To keep in tune with regulatory compliance audits, policies are a requisite for any organization, as sensitive data related to the enterprise is always at risk of being compromised. It has therefore become of utmost importance to secure sensitive information by establishing network security processes and meeting the guidelines of the regulatory bodies applicable to the concerned industry domain. Examples of regulatory compliance are PCI DSS, FISMA, GLBA, SOX, ISO 27001 and HIPAA, which require organizations to monitor their network in real time, ensure high levels of security for their confidential assets, and provide network compliance audit reports to auditors when demanded. An organization must comply with the regulatory compliance audit guidelines, as any compromise in the regulatory standards can result in severe penalties.

The main intention behind these regulations is protecting the three pillars of information security, i.e., the CIA Triad: Confidentiality, Integrity, and Availability of information, which impacts the stakeholders of the software outsourcing company in India. These laws can be complied with by:
• Establishing and implementing controls
• Maintaining, protecting, and assessing issues related to compliance
• Identifying vulnerabilities and mitigating them
• Producing reports to ensure organization's compliance

Some of the major regulations which are followed globally have been discussed below:

Sarbanes-Oxley:

The Sarbanes-Oxley Act of 2002 (SOX) was an outcome of efforts to counter corporate scandals. From an IT perspective, the most prominent aspect of this act is Section 404, which requires that the annual reports of public companies include an end-of-fiscal-year assessment of the effectiveness of internal control over financial reporting. The section also requires that the outsourcing company's independent auditors attest and report on this assessment. The assessment of financial controls has been extended into the IT space on the opinion of the Public Company Accounting Oversight Board (PCAOB), a private-sector, non-profit entity created by SOX to oversee the auditors of public companies. This extension of financial controls into the IT space has provided the required impetus for IT controls.

The Act is organized into 11 titles:
1. Public Company Accounting Oversight
2. Auditor Independence
3. Corporate Responsibility
4. Enhanced Financial Disclosures
5. Analyst Conflicts of Interest
6. Commission Resources and Authority
7. Studies and Reports
8. Corporate and Criminal Fraud Accountability
9. White-Collar Crime Penalty Enhancements
10. Corporate Tax Returns
11. Corporate Fraud Accountability

Gramm-Leach-Bliley Act:

The Financial Services Modernization Act of 1999, better known as the Gramm-Leach-Bliley Act (GLBA), protects the privacy and security of individually identifiable financial information collected, held, and processed by financial institutions. The privacy component requires financial institutions to provide their customers with an annual notice of their privacy practices and to allow customers to choose not to share such information. The safeguards component requires that financial institutions establish a comprehensive security program to protect the confidentiality and integrity of the private financial information in their records. Recommendations for audit were produced by the Federal Financial Institutions Examination Council (FFIEC), an interagency group comprised of five of the eight major financial regulatory agencies. There are three principal parts to the privacy requirements: the Financial Privacy Rule, the Safeguards Rule and pretexting provisions.

The Financial Privacy Rule: Requires financial institutions to give customers privacy notices that explain its information collection and sharing practices. In turn, customers have the right to limit some sharing of their information. Financial institutions and other software outsourcing companies that receive personal financial information from a financial institution may be limited in their ability to use that information.

The Safeguards Rule: Requires all financial institutions to design, implement and maintain safeguards to protect the confidentiality and integrity of personal consumer information.

Pretexting provisions: Protect consumers from individuals and outsourcing companies that obtain their personal financial information under false pretenses, including fraudulent statements and impersonation.

Wednesday, 13 April 2016

Various Information Security Standards followed by Software Outsourcing Companies in India - Part 2

Other standards for information security:

2. Payment Card Industry Data Security Standard (PCI-DSS):

The Payment Card Industry (PCI) Data Security Standard (DSS) was developed by a number of major credit card companies (including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International) as members of the PCI Standards Council to enhance payment account data security for software outsourcing companies. The standard consists of 12 core requirements, which include security management, policies, procedures, network architecture, software design and other critical measures. These requirements are organized into the following areas:

1. Build and Maintain a Secure Network
2. Protect Cardholder Data
3. Maintain a Vulnerability Management Program
4. Implement Strong Access Control Measures
5. Regularly Monitor and Test Networks
6. Maintain an Information Security Policy


3. COBIT:

The Control Objectives for Information and related Technology (COBIT) is “a control framework that links IT initiatives to business requirements, organizes IT activities into a generally accepted process model, identifies the major IT resources to be leveraged and defines the management control objectives to be considered”. The IT Governance Institute (ITGI) first released it in 1995, and the latest update is version 4.1, published in 2007. COBIT 4.1 consists of 7 sections, which are:

(1) Executive overview
(2) COBIT framework
(3) Plan and Organize
(4) Acquire and Implement
(5) Deliver and Support
(6) Monitor and Evaluate and 
(7) Appendices, including a glossary.

Its core content can be divided according to the 34 IT processes. COBIT is increasingly accepted internationally among outsourcing companies as a set of guidance materials for IT governance that allows managers to bridge the gap between control requirements, technical issues and business risks. Based on COBIT 4.1, the COBIT Security Baseline focuses on the specific risks around IT security in a way that is simple to follow and implement for small and large software outsourcing companies. COBIT 5 was released in April 2012. COBIT 5 consolidates and integrates the COBIT 4.1, Val IT 2.0 and Risk IT frameworks, and draws from ISACA's IT Assurance Framework (ITAF) and the Business Model for Information Security (BMIS). It aligns with frameworks and standards such as Information Technology Infrastructure Library (ITIL), International Organization for Standardization (ISO), Project Management Body of Knowledge (PMBOK), PRINCE2 and The Open Group Architecture Framework (TOGAF).

4. ITIL:

The Information Technology Infrastructure Library (ITIL) is a collection of best practices in IT service management (ITSM), and focuses on the service processes of IT and considers the central role of the user. It was developed by the United Kingdom's Office of Government Commerce (OGC). Since 2005, ITIL has evolved into ISO/IEC 20000, which is an international standard within ITSM. An ITIL service management self-assessment can be conducted with the help of an online questionnaire maintained on the website of the IT Service Management Forum. The self-assessment questionnaire helps evaluate the following management areas:

(a) Service Level Management
(b) Financial Management
(c) Capacity Management
(d) Service Continuity Management
(e) Availability Management
(f) Service Desk
(g) Incident Management
(h) Problem Management
(i) Configuration Management
(j) Change Management 
(k) Release Management

To summarize, information security in the IT industry is of utmost importance, as it plays a huge part in protecting its assets. There is no formula for 100% security, so there is a need for a set of benchmarks to ensure that an adequate level of security is attained. This article lists the various standards that are available for information security for a software outsourcing company in India.

Information security is a never-ending process which involves various ongoing training programs, risk assessments, protection of assets, monitoring and detection of vulnerabilities, incident response and repair, documentation, and review. All this has made information security a core part of business operations across different domains for software outsourcing companies in India.

Courtesy: Bhavesh Bulchandani