2. Payment Card Industry Data Security Standard (PCI-DSS):
The Payment Card Industry (PCI) Data Security Standard (DSS) was developed by a number of major credit card companies (including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International) as members of the PCI Standards Council to enhance payment account data security for software outsourcing companies. The standard consists of 12 core requirements, which include security management, policies, procedures, network architecture, software design and other critical measures. These requirements are organized into the following areas:
1. Build and Maintain a Secure Network
2. Protect Cardholder Data
3. Maintain a Vulnerability Management Program
4. Implement Strong Access Control Measures
5. Regularly Monitor and Test Networks
6. Maintain an Information Security Policy
3. Control Objectives for Information and related Technology (COBIT):
The Control Objectives for Information and related Technology (COBIT) is "a control framework that links IT initiatives to business requirements, organizes IT activities into a generally accepted process model, identifies the major IT resources to be leveraged and defines the management control objectives to be considered". The IT Governance Institute (ITGI) first released it in 1995, and the latest update is version 4.1, published in 2007. COBIT 4.1 consists of 7 sections, which are:
(1) Executive overview
(2) COBIT framework
(3) Plan and Organize
(4) Acquire and Implement
(5) Deliver and Support
(6) Monitor and Evaluate, and
(7) Appendices, including a glossary.
Its core content is organized around 34 IT processes. COBIT is increasingly accepted internationally among outsourcing companies as a set of guidance materials for IT governance that allows managers to bridge the gap between control requirements, technical issues and business risks. Based on COBIT 4.1, the COBIT Security Baseline focuses on the specific risks around IT security in a way that is simple to follow and implement for small and large software outsourcing companies alike. COBIT 5 was released in April 2012. It consolidates and integrates the COBIT 4.1, Val IT 2.0 and Risk IT frameworks, and draws from ISACA's IT Assurance Framework (ITAF) and the Business Model for Information Security (BMIS). It aligns with frameworks and standards such as the Information Technology Infrastructure Library (ITIL), International Organization for Standardization (ISO) standards, the Project Management Body of Knowledge (PMBOK), PRINCE2 and The Open Group Architecture Framework (TOGAF).
4. Information Technology Infrastructure Library (ITIL):
The Information Technology Infrastructure Library (ITIL) is a collection of best practices for IT service management (ITSM); it focuses on IT service processes and gives the user a central role. It was developed by the United Kingdom's Office of Government Commerce (OGC). Since 2005, ITIL has evolved into ISO/IEC 20000, an international standard for ITSM. An ITIL service management self-assessment can be conducted with the help of an online questionnaire maintained on the website of the IT Service Management Forum. The self-assessment questionnaire helps evaluate the following management areas:
(a) Service Level Management
(b) Financial Management
(c) Capacity Management
(d) Service Continuity Management
(e) Availability Management
(f) Service Desk
(g) Incident Management
(h) Problem Management
(i) Configuration Management
(j) Change Management
(k) Release Management
In summary, information security is of utmost importance in the IT industry because it plays a major part in protecting a company's assets. There is no formula for 100% security, so a set of benchmarks is needed to ensure that an adequate level of security is attained. This article lists the various information security standards available to a software outsourcing company in India.
Information security is a never-ending process which involves ongoing training programs, risk assessments, protection of assets, monitoring and detection of vulnerabilities, incident response and repair, documentation, and review. All of this has made information security a core part of business operations across different domains for software outsourcing companies in India.
Courtesy: Bhavesh Bulchandani