DATA PROTECTION - means the right of a person to know which data is gathered about him/her, how the data is used, aggregated and protected, and where the data is transmitted. Anyone may have access to that data and modify it, but in all cases the person has to give his/her consent before that data is used by another person, government or entity.
DEFINITION OF TERMS:
SECURITY COMPONENTS: BPO providers today have the responsibility of not just protecting
their own internal information but also that of their customers.
1. INTEGRITY: the assurance that information can only be accessed or modified by those authorized to do so. Measures taken to ensure integrity are:
- Making servers accessible only to network administrators
- Keeping transmission media covered and protected to ensure that they cannot be tapped
- Restricting access to data through controls such as passwords, keycards, biometrics, etc.
- Creating disaster recovery plans for occurrences such as power outages, server failure and virus attacks
2. AVAILABILITY: ensuring that authorized parties are able to access the information when needed. Information only has value if the right people can access it at the right times. Inaccessible data can be very costly; causes include computer viruses, power outages or natural disasters. Measures taken to ensure availability are:
- Back-up. Having an off-site location ready to restore services in case anything happens to the primary data centers will heavily reduce downtime.
- Maintaining hardware. Performing hardware repairs immediately when needed and keeping up with system updates.
- Maintaining a disaster recovery plan.
Intended to help employees determine what information can be disclosed to non-employees, as well as the relative sensitivity of information that should not be disclosed outside of the company without proper authorization.
Security policies should cover not only the physical security of computers and other devices but also the security of networks and servers, since these can be a way for hackers and viruses to gain access to important information or data.
Visible participation and action, ongoing communication and championing, and placing information security high on their agenda. Executives must serve as role models in placing a high priority on information security and in setting the stage for an organization's approach to implementing a program and setting expectations for improved security performance.
Routinely assess vulnerabilities. Assessments should be done by a security specialist. Routinely check all computer systems and network devices to ensure that they all have the latest updates. Establish a security training program for both IT staff and end users. Weaknesses and vulnerabilities must be resolved. Post security banners to remind employees of their responsibilities and restrictions, along with the list of punishments if they are violated.
Be aware of where back-ups are maintained, who can access them and
procedures for data restoration and system recovery. Regularly verify
back-ups and media by selectively restoring data.
Duties, responsibilities as well as restrictions of each employee should be
properly communicated. Passwords or keycards should be secured by each
employee and not shared with others.
Have a Computer Security Incident Response Team (CSIRT) to deal with security incidents. (Duties include: monitoring systems for security breaches, documenting security incidents, testing systems and networks for vulnerabilities, and promoting security awareness within the company.)
Many security breaches come from within an organization so the fewer the people
with access to internal information of the system, the better.
A rigorous procedure should be in place for granting and revoking rights of access, and the granting of privileges should be recorded and made available to both the client and the BPO partner.
Develop strong, hard-to-guess passwords.
Maintain data backup and disaster recovery plans and a CSIRT, and know the actions to be taken in case of a breach.
Have security policies audited by external professional organizations to assess the effectiveness of security controls and to detect vulnerabilities.
Train employees to integrate the cultures of the BPO partners. This may include language training to reduce communication barriers, training on the laws and customs of the BPO buyer, training on management and leadership, etc.
SOLUTION:
Almost all security breaches happen because of people; machines today are not intelligent enough to originate fraud. So have a good screening mechanism when recruiting people. HR may be burdened by this, but any laxity in checking a candidate's credentials may become more expensive for the company. Have background checks, interview previous employers, etc.
Educate customers/clients not to give out their private information easily. Provide them with security policies stating which types of information may be given out over the phone or by email. Any request for information beyond what the security policies allow should not be entertained.
A loophole is an inadequacy or ambiguity in a system which can be used to circumvent or otherwise avoid the intent, implied or explicitly stated, of the system. It allows an individual or group to use some gap in the restrictions or requirements of a law or contract for personal advantage without technically breaking the law or contract. In response, lawmakers and regulators work to pass reforms that will close the loophole. Loopholes exist because it is impossible to foresee every circumstance or course of conduct that will arise under, or in response to, the law. Loopholes often endure for a time because they can be difficult to close, and those who benefit from a loophole will lobby legislators or regulators to leave it open.