Physical security measures like physical access control form the first line of defense. In an outsourcing scenario, however, the data security and data privacy initiative usually consists of the following in addition to physical security: implementing continual background checks of employees; implementing processes to ensure that access rights to information resources are provisioned and de-provisioned in a timely manner; ensuring better coordination between the physical access control team and the IT security team so that device prohibition rules are adhered to; implementing technical solutions for data protection; assigning account-wise compliance officers to keep track of the regulatory requirements that have to be adhered to for each and every client; and conducting audits to gauge adherence to standards such as PCI DSS, ISO and HIPAA. All of these initiatives are taken by the outsourcing companies as per client requirements and also because of regulatory frameworks. The most common steps taken by clients are: designing a security framework which the BPO should adhere to, signing a non-disclosure agreement, and conducting regular audits of the BPO's security processes. Technical controls on the data that is outsourced to the BPO are rare. Many companies are resorting to virtualization as a means of controlling the flow of data and the end-user desktop environment, while some are also ensuring that agents get to see only a part of the confidential data, such as the last four digits of a credit card number. These approaches have their pros and cons, and moreover they do not fully prevent the flow of data to the BPO; once the data leaves the controlled environment of a company, there is no way to technically control what the BPO can do with it.
Given that the underlying message of all regulations is that companies can outsource operations but cannot outsource accountability or responsibility for data security and privacy, it is imperative that more effective technical solutions be looked at. Information Rights Management (IRM) can help to a large extent here. IRM ensures that the security policies associated with the data travel along with the data wherever it goes, and, best of all, important elements such as time-based controls and usage restricted to specific purposes or applications can be built into these policies. This ensures that an organization retains full control over the data even after it is shared with a BPO to be processed, whether by humans or by applications.
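To make the "policy travels with the data" idea concrete, here is an added toy example (not code from the original post and not any vendor's IRM product) of a protected envelope whose usage policy is cryptographically bound to the payload and checked before any plaintext is released. The key is assumed to stay with the data owner's policy server, which `open_envelope` models; the BPO only ever holds the envelope. The HMAC-based keystream is a stand-in for a real authenticated cipher such as AES-GCM, chosen so the example runs with the standard library alone; the party names, purposes and card number are constructed values.

```python
"""Toy IRM-style envelope: the usage policy is sealed together with the data,
and the data owner's policy server enforces it before releasing plaintext.
Constructed illustration only; the HMAC counter-mode keystream stands in for
a real authenticated cipher (e.g. AES-GCM) so the example has no dependencies.
"""
import hashlib
import hmac
import json
import os
import time


class PolicyViolation(Exception):
    """Raised when the envelope is tampered with or the policy denies access."""


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode PRF built from HMAC-SHA256; each block is HMAC(key, nonce || counter).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def protect(key: bytes, plaintext: bytes, policy: dict) -> dict:
    """Seal plaintext with its policy. The tag covers nonce, policy and ciphertext,
    so the BPO cannot extend the expiry or add itself to the allowed parties."""
    nonce = os.urandom(16)
    policy_bytes = json.dumps(policy, sort_keys=True).encode()
    ciphertext = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
    tag = hmac.new(key, nonce + policy_bytes + ciphertext, hashlib.sha256).digest()
    return {
        "nonce": nonce.hex(),
        "policy": policy,
        "ciphertext": ciphertext.hex(),
        "tag": tag.hex(),
    }


def open_envelope(key: bytes, envelope: dict, *, requester: str, purpose: str, now=None) -> bytes:
    """Policy-server side: verify integrity, then enforce the embedded policy
    (time window, authorised party, permitted purpose) before decrypting."""
    now = time.time() if now is None else now
    nonce = bytes.fromhex(envelope["nonce"])
    ciphertext = bytes.fromhex(envelope["ciphertext"])
    policy_bytes = json.dumps(envelope["policy"], sort_keys=True).encode()
    expected = hmac.new(key, nonce + policy_bytes + ciphertext, hashlib.sha256).digest()
    # Integrity first: a forged policy must never reach the checks below.
    if not hmac.compare_digest(expected, bytes.fromhex(envelope["tag"])):
        raise PolicyViolation("envelope or policy has been tampered with")
    policy = envelope["policy"]
    if now > policy["expires_at"]:
        raise PolicyViolation("access window has closed")
    if requester not in policy["allowed_parties"]:
        raise PolicyViolation(f"{requester} is not an authorised party")
    if purpose not in policy["allowed_purposes"]:
        raise PolicyViolation(f"purpose {purpose!r} is not permitted")
    return _xor(ciphertext, _keystream(key, nonce, len(ciphertext)))


if __name__ == "__main__":
    # Constructed sample: a card number shared with one BPO for billing, valid one hour.
    owner_key = os.urandom(32)
    sealed = protect(owner_key, b"4111111111111111", {
        "expires_at": time.time() + 3600,
        "allowed_parties": ["bpo-alpha"],
        "allowed_purposes": ["billing"],
    })
    print(open_envelope(owner_key, sealed, requester="bpo-alpha", purpose="billing"))
    try:
        open_envelope(owner_key, sealed, requester="bpo-alpha", purpose="marketing")
    except PolicyViolation as exc:
        print("denied:", exc)
```

The point of the design is that the BPO can store, copy and forward the envelope freely, but every read goes back through a check the data owner controls, and the policy cannot be altered without invalidating the tag; that is what lets the owner keep control after the data has left its environment.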
A data-centric approach is the need of the day when it comes to effective data protection in an outsourcing relationship. IRM enables an organization to become more aware of how data should be managed during its life cycle and also provides granular control and visibility over how data is being used by each of its vendors. This is a huge empowerment which will help the global shared knowledge economy to grow.