Does the following scenario sound familiar: You sign up for a new demat account or home loan or trading account, and within a week or so you receive a call from a related service asking whether you’d be interested in signing up with them as well? One recent example comes to my mind: a friend of mine just bought a new car and took a car loan for it. Within one week he received an SMS offering him car polishing and window tinting services! We face these instances on an alarmingly regular basis. Those pesky calls and those irritating SMSes are simply dealt with as a part of life in a growing economy, and we move ahead after uttering a few curses. But all of us need to pause and think about what is really happening behind the scenes. How is it that our private data so readily spreads around to all and sundry?
Contrast this to the recently released Notification expanding the IT Act to include Privacy Laws for protection of a citizen’s private data. This notification requires companies to secure my personal data and also keep the public informed of the practices and policies they adopt with regards to this data. It also requires the companies to obtain an explicit permission from me before sharing this data with someone else.
In spite of this, how is it possible for anyone to obtain highly specific private information for just a few paise per record? Sample this:
- Car Owner’s Database
- Active Intraday Trader’s Database with their Ledger Balance and Mark To Market
- Demat Account Database including DP ID and Client ID
All of this represents what can only be called a data leakage epidemic in India!
However, before you rush to file RTI (Right to Information) applications and PILs (Public Interest Litigations) against your bank, share broker or home loan provider, you must realize that this information is most likely not being disclosed directly by your service provider. These service providers outsource their back office work to domestic BPOs and KPOs, who are often common providers of these services to multiple institutions. The real problem then lies with the way that these service providers manage the security of this data. While your bank might be ISO 27001 certified and implement best practices in terms of information security, the vendor that it outsources its KYC (Know Your Customer) back-office work to may not even have a basic security policy in place!
One of the solutions that fits very well in such scenarios is for organizations outsourcing work to BPOs to use an Information Rights Management (IRM) product. An IRM product protects files even when they leave the bank’s network and provides a comprehensive audit trail of the actions carried out by a service provider on that file. The organization sending this data – imagine an Excel file containing a few million customer records – can restrict the recipient from printing, copying, modifying, forwarding as an email attachment, and even taking screen-shots of this file. Any such attempt would be neatly logged, and the vendor could then be questioned as to why he was attempting to leak the Bank’s data outside his own network.
This is not to say that an IRM is a magic bullet and solves all issues. But for sure it goes a very long way in protecting data even when the data has left the organization’s network boundaries.
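To make the IRM model described above concrete, here is a small added example (written for this post, not code from any IRM vendor or from the author). It shows the three pieces that matter: the file is encrypted before it leaves the bank, so the BPO holds only ciphertext; the content key is released by a bank-side rights server only for actions the recipient’s policy permits; and every attempt, allowed or denied, lands in an audit trail the bank can review. The cipher is a stdlib-only HMAC-SHA256 counter-mode construction chosen so the example runs offline; a real product would use AES-GCM. The principals, the policy, and the customer records are constructed sample data.

```python
import hashlib
import hmac
import os
import time

# Toy authenticated stream cipher built from the standard library (assumption: good
# enough for illustration; production IRM uses AES-GCM or similar).
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def seal(key: bytes, plaintext: bytes) -> dict:
    """Encrypt and MAC the file contents; the result is safe to hand to a vendor."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).hexdigest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag}

def unseal(key: bytes, blob: dict) -> bytes:
    """Verify the MAC before decrypting; a wrong key or a modified file is rejected."""
    nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
    expected = hmac.new(key, nonce + ct, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("ciphertext tampered with or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class RightsServer:
    """Bank-side policy and key server. Content keys never leave it except for an
    authorised 'view'; every request is appended to the audit trail."""
    ACTIONS = {"view", "print", "copy", "modify", "forward", "screenshot"}

    def __init__(self):
        self._keys, self._policies, self.audit = {}, {}, []

    def protect(self, doc_id: str, plaintext: bytes, policy: dict) -> dict:
        """Encrypt a document and record which principal may do which actions."""
        assert all(a in self.ACTIONS for acts in policy.values() for a in acts)
        key = os.urandom(32)
        self._keys[doc_id] = key
        self._policies[doc_id] = {p: set(acts) for p, acts in policy.items()}
        return {"doc_id": doc_id, **seal(key, plaintext)}

    def authorize(self, doc_id: str, principal: str, action: str):
        """Log the attempt, then either release the key (view only) or refuse."""
        allowed = action in self._policies.get(doc_id, {}).get(principal, set())
        self.audit.append({"ts": time.time(), "doc": doc_id, "who": principal,
                           "action": action, "allowed": allowed})
        if not allowed:
            raise PermissionError(f"{principal} may not {action} {doc_id}")
        return self._keys[doc_id] if action == "view" else None

    def denied_attempts(self, principal: str) -> list:
        """What the bank would put in front of the vendor when asking questions."""
        return [e for e in self.audit if e["who"] == principal and not e["allowed"]]

class IrmClient:
    """The viewer running on the recipient's machine; it holds no key of its own."""
    def __init__(self, server: RightsServer, principal: str):
        self.server, self.principal = server, principal

    def view(self, blob: dict) -> str:
        key = self.server.authorize(blob["doc_id"], self.principal, "view")
        return unseal(key, blob).decode()

    def perform(self, blob: dict, action: str) -> bool:
        self.server.authorize(blob["doc_id"], self.principal, action)
        return True

# Constructed sample: a KYC extract the bank sends to its BPO for processing.
CUSTOMER_RECORDS = "client_id,dp_id,name\nC001,DP01,A. Sharma\nC002,DP01,R. Iyer\n"
POLICY = {"bpo-vendor": ["view"], "bank-ops": ["view", "print"]}

def demo():
    server = RightsServer()
    blob = server.protect("kyc-extract-2011-q2.xlsx", CUSTOMER_RECORDS.encode(), POLICY)
    vendor = IrmClient(server, "bpo-vendor")
    text = vendor.view(blob)                       # permitted: processing needs it
    try:
        vendor.perform(blob, "forward")            # denied and logged
    except PermissionError:
        pass
    return text, blob, server

if __name__ == "__main__":
    text, blob, server = demo()
    print(text)
    for entry in server.denied_attempts("bpo-vendor"):
        print("DENIED:", entry["who"], entry["action"], entry["doc"])
```

The useful property to notice is where the decision is made: the vendor’s viewer cannot grant itself anything, because the only copy of the content key sits with the bank’s rights server, and a denied `forward` attempt is recorded just as an allowed `view` is. That is the audit trail the post refers to when it says the vendor could be questioned about an attempted leak.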
Guest Blog by K. K. Mookhey (CISA, CISSP, CISM), who is the Principal Consultant and Founder at Network Intelligence (www.niiconsulting.com) as well as the Founder of The Institute of Information Security (www.iisecurity.in). He is an internationally well-regarded expert in the field of IT governance, information risk management, forensic fraud investigations, compliance, and business continuity. He has more than a decade of experience in this field, having worked with prestigious clients such as the Indian Navy, the United Nations, Abu Dhabi & Dubai Stock Exchanges, State Bank of India, Saudi Telecom, Capgemini, BNP Paribas, the Mumbai Crime Branch and many others. He is well-versed with international standards such as COBIT, ISO 27001, PCI DSS, BS 25999, and ITIL / ISO 20000. He is the author of two books (Linux Security And Controls by ISACA, and Metasploit Framework, by Syngress Publishing), and of numerous articles on information security. He has also presented at conferences such as OWASP, Blackhat, Interop, IT Underground and others.