NASSCOM, India's trade body and chamber of commerce for the IT industry, announced plans to form an independent self-regulatory body to monitor information security among member IT companies in India. Called the Data Security Council of India (DSCI), it is being formed specifically to combat security lapses within companies offering outsourcing services. The body aims to offer security policies, bring increased governance to the hiring process and offer accreditation/certification services.
According to Shymal Ghosh, chairman of DSCI, 'it will be an independent organization, at arm's length from NASSCOM.'
To combat inadequate controls surrounding information security, it is important to ensure that there is a body of information security standards that companies are expected to follow. Such a body of standards ensures process standardization, allows industry comparisons and enables accreditations/certifications. These standards would encompass:
- encryption standards,
- physical controls,
- logical controls (especially user access controls, interface controls, restrictions on the use of Instant Messaging, etc.),
- other infrastructure-related standards.
Best practices dictate establishing an information security policy and a data classification policy. Once data has been classified as critical, sensitive or public, it automatically becomes much more organized, and it is easy to see which data should be given priority for security.
Although we have seen incidents of internal control violations (data theft, cheating, passing on confidential information) in recent years, the core of the outsourcing business in India stays strong. Today’s Wall Street Journal reports another U.S. investment bank outsourcing work to an Indian research firm.
Maybe an initiative like DSCI will be the first successful step towards achieving formal governance in corporate India.