The revolution in Information Technology has brought us a wealth of benefits, but it has also increased the concern that personal information is not being protected. The alarming speed at which private information is being accessed, used and shared without permission has caused worry among the top management of software outsourcing companies about the possibility of identity theft and other unauthorized uses of information. Earlier, outsourcing companies in India relied on self-regulation, implementing good security practices as the way to protect personal information, especially information in digital format. With the IT boom in the latter part of the twentieth century, a sector-wise approach to information security regulation started gaining favor across the different industry domains.
Thus, from a software outsourcing company's perspective, compliance has emerged as one of the greatest challenges. To keep pace with regulatory compliance audits, policies are a requisite for any organization, since sensitive data related to the enterprise is always at risk of being compromised. It has therefore become of utmost importance to secure sensitive information by establishing network security processes and meeting the guidelines of the regulatory bodies applicable to the concerned industry domain. Examples of regulatory compliance requirements are PCI DSS, FISMA, GLBA, SOX, ISO 27001 and HIPAA, which require organizations to monitor their networks in real time, ensure that high levels of security are attained for their confidential assets, and provide network compliance audit reports to auditors on demand. An organization must comply with the regulatory compliance audit guidelines, as any compromise of the regulatory standards can result in severe penalties.
The main intention behind these regulations is to protect the three pillars of information security, i.e., the CIA Triad: Confidentiality, Integrity, and Availability of information, which affects the stakeholders of the software outsourcing company in India. Compliance with these laws can be achieved by:
• Establishing and implementing controls
• Maintaining, protecting, and assessing issues related to compliance
• Identifying vulnerabilities and mitigating them
• Producing reports to ensure organization's compliance
Some of the major regulations which are followed globally have been discussed below:
The Sarbanes-Oxley Act of 2002 (SOX) was enacted in response to corporate scandals. The most prominent aspect of this act from an IT perspective is Section 404, which requires that the annual reports of public companies include an end-of-fiscal-year assessment of the effectiveness of internal control over financial reporting. The section also requires that the outsourcing company's independent auditors attest to and report on this assessment. The assessment of financial controls has been extended into the IT space based on the opinion of the Public Company Accounting Oversight Board (PCAOB), a private-sector, non-profit entity created by SOX to oversee the auditors of public companies. This extension of financial controls into the IT space has provided the required impetus for IT controls.
The Act is organized into 11 titles:
1. Public Company Accounting Oversight
2. Auditor Independence
3. Corporate Responsibility
4. Enhanced Financial Disclosures
5. Analyst Conflicts of Interest
6. Commission Resources and Authority
7. Studies and Reports
8. Corporate and Criminal Fraud Accountability
9. White-Collar Crime Penalty Enhancements
10. Corporate Tax Returns
11. Corporate Fraud Accountability
The Financial Services Modernization Act of 1999, better known as the Gramm-Leach-Bliley Act (GLBA), protects the privacy and security of individually identifiable financial information collected, held, and processed by financial institutions. The privacy component requires financial institutions to provide their customers with an annual notice of their privacy practices and to allow customers to choose not to share such information. The safeguards component requires that financial institutions establish a comprehensive security program to protect the confidentiality and integrity of the private financial information in their records. Recommendations for audit were produced by the Federal Financial Institutions Examination Council (FFIEC), an interagency group comprised of five of the eight major financial regulatory agencies. There are three principal parts to the privacy requirements: the Financial Privacy Rule, the Safeguards Rule and pretexting provisions.
The Financial Privacy Rule: Requires financial institutions to give customers privacy notices that explain their information collection and sharing practices. In turn, customers have the right to limit some sharing of their information. Financial institutions and other software outsourcing companies that receive personal financial information from a financial institution may be limited in their ability to use that information.
The Safeguards Rule: Requires all financial institutions to design, implement and maintain safeguards to protect the confidentiality and integrity of personal consumer information.
Pretexting provisions: Protect consumers from individuals and outsourcing companies that obtain their personal financial information under false pretenses, including fraudulent statements and impersonation.