
Session 11-12

Typical Corporate IT landscape
[Diagram, repeated over three slides: the Data Centre and DR centre at the core, connected to Branches, Head Office, Manufacturing, Warehouses, Product Development and Subsidiaries. The second slide adds Cloud and Mobile to the picture; the third asks "Is this a Complete Picture?"]

IT Ecosystem – Extended Enterprise
[Diagram: the Corporate IT network at the centre, linked to Suppliers, Logistics, Distributors, CRM, Partners of Banks, B2B Customers and Other Services]
Partners and IT Risk Management
✓ What is now different about partners in relation to IT Risk Management?
▪ Scale
▪ Control over entities – lack of it
▪ Owner of the risk
▪ Training
▪ Change control in system
▪ Transition from one partner to another
▪ Communication
▪ External User Management
IT Risks – Partner Systems
✓ Supplier
✓ Distributor
✓ Banker
✓ Logistics Provider
Partners and IT Risk Management – Why important?
✓ Kanban
✓ GST
✓ Quality
✓ Adherence to changes in design and specifications
✓ Wastage of precious materials
✓ Changes in Production plan due to market changes
….
Partners - Suppliers
✓ Order Information incorrect
✓ Communication link failure
✓ Part Code missing
✓ Unit of Count
✓ Location of supply
✓ Product Specification / Safety data
✓ Tax Information - GST
✓ Quality specification
✓ Confidentiality of new product’s components
✓ Data access
✓ Infrastructure
✓ Supplier’s IT team
✓ Security
✓ Viruses
Partners – Distributors & B2B Customers
✓ Lost sales!!, Stock market
✓ Customer satisfaction
✓ Space!!
✓ GST
….
Distributors - Partners
✓ Wrong Product / price
✓ Wrong Discount, taxes, promos
✓ Stock data mismatch
✓ Transition to new distributors – previous sales history
✓ Territory re-organisation
✓ Misreporting of sales to avail incentives
✓ Infrastructure – failure
✓ Rapid Turnover of IT personnel
✓ Virus etc. propagation
✓ Software version mismatch
✓ Ease of Payments
IT Risks - Websites
✓ UI
✓ Content – Completeness, correctness, Obsolescence, Consistency, relevance, legal/social sensitivity
✓ Security
✓ Infrastructure resilience, DRP
✓ User Devices – display errors
✓ Link with on-Premise database
✓ Latency
✓ Scale-up
✓ Inadvertent disclosure
✓ Ownership by users
✓ Ownership of Software domains, contact numbers
IT Risks - Outsourcing
✓ IT services
✓ BPO/KPO
✓ Manufacturing
Value from IT Outsourcing
[Diagram: Business Value of IS Outsourcing, built from three groups of benefits]
▪ Information Cost Savings: Savings on Information Processing Cost; IT Infrastructure Cost Savings; Savings on Business Operations & management
▪ System and Information Quality: Accuracy, Reliability etc.; Timeliness, ease of access
▪ Business Benefits: Improved competitiveness
IT Outsourcing – Missing Benefits
What is missing ?
✓ Focus on your key area
✓ Access large pool of knowledgeable, experienced staff for short durations
✓ More rapid implementation of Strategic programs
IT Outsourcing – NOT a panacea
✓ It is YOUR business
✓ Risks are Transferred, not eliminated
✓ Outsourcing is not Abdication
✓ Managing outsourced services requires appropriate skills
✓ Risks of :
✓ Poor performance
✓ Control on Costs
✓ Delivery of SLAs
✓ Missing Strategic Inputs
✓ Invisible risks – especially people of outsourced service provider
✓ Legal Compliance
✓ Ownership and control of Data, Applications, Source Code, Website
IT Outsourcing – Addressing Risks
✓ Contractual terms including SLAs, Exit clause, Cost changes, Compliance with regulations
✓ On-line visibility of quality of work and KPIs
✓ Customer representatives at Outsourcer premises
✓ Monthly reports, Quarterly reviews
✓ Audits – on process, safety, data protection, DR readiness
✓ Compliance reporting and Self-assessment reports
✓ Industry advisory
✓ Top level visits and sharing strategic direction (with NDAs)
✓ Customer feedback
✓ Joint plans for the year ahead
✓ Agreed processes e.g. Change of people, Architecture, Procurement, SW licence usage
✓ Also … Larger team conference, celebration, rewards, fun sessions
IT Outsourcing – Best Practices
✓ Do not lose knowledgebase, key competent knowledge workers
✓ Retain people who can challenge, judge service provider
✓ Key contract clauses:
✓ business continuity
✓ SLAs
✓ Regulatory
✓ Ethics
✓ Exit clauses
✓ Change of scope
✓ Reporting
✓ IP
✓ People changes
✓ Hidden costs
✓ Non Disclosure
✓ Data Protection
IT Outsourcing – Other Aspects
✓ Multiple service providers – coordination, communication, processes, beware of “no-man’s land”
✓ Do NOT assume that outsourcing means NO Risk !
Legal Aspects of IT
✓ Data Protection
✓ Privacy
✓ Data Retention
✓ License violation
✓ Intellectual Property
✓ Competition act
✓ Compliance on IT readiness, disclosure about hacks
✓ Stock market price sensitivity
Examples of IT related legislation
✓ Information Technology Act 2000 of India / 2008 Amendment
✓ Information Technology (Intermediary Guidelines (Amendment) Rules) 2018
✓ Personal Data Protection Bill, 2019
✓ General Data Protection Regulation (Europe) / Data Protection Act (UK)
✓ US : Broadly applicable laws and regulations
✓ Sarbanes-Oxley Act (SOX)
✓ Payment Card Industry Data Security Standard (PCI DSS)
✓ Fair and Accurate Credit Transaction Act (FACTA)
GDPR – Europe – In force from May 2018
✓ A processor of personal data must clearly disclose any data collection, declare the lawful basis and purpose for data processing, and state how long data is being retained and if it is being shared with any third parties or outside of the EU.
✓ Data subjects (Customers, Employees, Prospective Customers) have the right to request a portable copy of the data collected by a processor in a common format, and the right to have their data erased under certain circumstances.
✓ Public authorities, and businesses whose core activities centre around regular or systematic processing of personal data, are required to employ a data protection officer (DPO), who is responsible for managing compliance with the GDPR.
GDPR – Europe – In force from May 2018 (continued)
✓ Businesses must report any data breaches within 72 hours if they have an adverse effect on user privacy.
✓ Personal data must be stored using pseudonymization or full anonymization and use the highest-possible privacy settings by default, so that the data is not available publicly without explicit, informed consent.
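The slide names three controls without showing what they look like in code: pseudonymization (reversible, but only by whoever holds a separately stored key), full anonymization (irreversible), and privacy-by-default settings that stay closed unless the data subject explicitly opts in. The following is an added illustration, not code from the lecture or from any regulator; the customer record, the field names and the `PseudonymService` class are constructed for the example. It uses a keyed HMAC rather than a plain hash so that someone holding the pseudonymized dataset but not the key cannot recover identities by guessing common e-mail addresses.

```python
"""Pseudonymization vs. anonymization vs. privacy-by-default (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample customer record; not real data.
SAMPLE_RECORD = {
    "customer_id": "C-1001",
    "email": "a.sharma@example.com",
    "city": "Pune",
    "birth_year": 1987,
    "purchases": 3,
}

# Fields that directly identify a person (assumed set for this example).
DIRECT_IDENTIFIERS = ("customer_id", "email")


@dataclass
class PseudonymService:
    """Holds the secret key and the re-identification table.

    In a real deployment this lives in a separate, access-controlled system,
    so that a copy of the pseudonymized dataset alone cannot be reversed.
    """
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    _table: Dict[str, str] = field(default_factory=dict)

    def pseudonym(self, value: str) -> str:
        # Keyed HMAC: deterministic for the same key (joins still work),
        # but not guessable without the key.
        tag = hmac.new(self.key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]
        self._table[tag] = value
        return tag

    def reidentify(self, tag: str) -> Optional[str]:
        # Only the key holder can map a pseudonym back to the original value.
        return self._table.get(tag)


def pseudonymise(record: dict, svc: PseudonymService) -> dict:
    """Replace direct identifiers with pseudonyms; keep analytic fields intact."""
    out = dict(record)
    for name in DIRECT_IDENTIFIERS:
        if name in out:
            out[name] = svc.pseudonym(str(out[name]))
    return out


def anonymise(record: dict) -> dict:
    """Drop direct identifiers and coarsen a quasi-identifier; there is no way back."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "birth_year" in out:
        year = out.pop("birth_year")
        out["birth_decade"] = f"{year // 10 * 10}s"   # 1987 -> "1980s"
    return out


# Privacy-by-default: every sharing option starts closed.
PRIVACY_DEFAULTS = {
    "profile_public": False,
    "share_with_third_parties": False,
    "marketing_consent": False,
}


def new_account_settings(explicit_consent: Optional[dict] = None) -> dict:
    """Start from the most restrictive settings; only an explicit True opens one."""
    settings = dict(PRIVACY_DEFAULTS)
    for name, value in (explicit_consent or {}).items():
        if name in settings and value is True:
            settings[name] = True
    return settings


if __name__ == "__main__":
    svc = PseudonymService()
    p = pseudonymise(SAMPLE_RECORD, svc)
    print("pseudonymized:", p)
    print("re-identified:", svc.reidentify(p["email"]))
    print("anonymized:", anonymise(SAMPLE_RECORD))
    print("default settings:", new_account_settings())
```

Pseudonymized data is still personal data under the GDPR because re-identification remains possible for the key holder; only the anonymized form leaves that scope, which is why the two are kept as separate functions here.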
IT Act 2000 / 2008
✓ Enables electronic transaction
✓ Digital Signature
✓ E-filing
✓ Certifying Authorities
Issues
✓ Liability of Company
✓ Protection of data – Concern for outsourcing industry
✓ Privacy of data – Individual’s concern

Sec. 43A – Compensation for failure to protect data
• If a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person
• Liability – Damages by way of compensation
Who is liable?
Sec. 85: Offences by companies
• The company itself, being a legal person;
• The top management including directors; and
• The managers (persons directly responsible for the data)
If it is proved that –
• they had knowledge of a contravention; or
• they have not used due diligence; or
• that it was caused due to their negligence
Issues
What is Sensitive Personal Data or Information?
What are Reasonable Security Practices and Procedures?

Sensitive Personal Data or Information
[Diagram: SPD categories listed on the slide – Password; Financial Info; Health Condition; Health Records; Biometrics; Sexual Orientation]
Source: Rule 3 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
Reasonable Security Practices
Implementing comprehensive documented information security programme and information security policies
Containing –
▪ Managerial, technical, operational and physical security control measures commensurate with the information assets held by the person.
Source: Rule 8 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
Reasonable Security Practices
The International Standard IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements” is one such standard, OR
An agreement between the parties regarding protection of “Sensitive Personal Information”