Monday, January 9, 2012

BPO Security Audit Checklist

Business Processing Outsourcing (BPO) has already proved to be an employment generator in addition to being a Foreign Exchange earner. With skill level demanded much lower than that of programmer or any other faculty professional, most of the BPOs have changed the life style of the employed though there are a few BPOs requiring higher professional skills.

The anticipated employment level of several millions in Indian BPOs by 2008 makes the industry one of the most promising economic phenomena in India. However, frequent security breaches and the associated international pressure on job losses in their respective countries hold the threat of reducing the promise into an unfulfilled dream. If BPO bubble bursts in the future especially due to security issues by diversion of work to other countries, then we may have an economic disaster on
hand with a couple of million youngsters losing their jobs which will lead to frustration and ultimately end in anarchy. The issue of security in a BPO therefore achieves
national importance than mere single corporate security and its goodwill plus revenue protection.

The BPO Industry, Nasscom and the Ministry of
Communications and Information Technology (MCIT) therefore have a joint responsibility to work for an effective solution to secure the operations of the BPO industry.

Security in BPO industry is a combination of Management of Human Resources and
Techno Legal IT Security along with Solutions created, delivered and managed with the use of ICT. It is therefore a multidiscipline challenge and the three dimensions to the challenge are HR Management, Techno Legal Compliance and Technology Solutions.

Complete security is a myth. Efforts should be in the directions to thwart easy penetrations. Contrary to popular notion not all perpetuators are insiders and lax
security in installation of firewalls or their updation may also be a contributor.

H. R. Management


1. Does the company have tactical and strategic plans considering actual retention level of the employees dovetailed into the expansion plans of the company?
Some BPO contracts translate into employee requirements in hundreds or thousands. That is the weakest moment of the company when it is cornered to recruit in a hurry. Background check then takes a back seat which rears its ugly head in the future. HR Planning is the start of a well run BPO.

2. Does the company have a well screened panel of Recruiting agencies to supplement its own work and is the screening done formally and evaluated continually ensuring the given rating stands?
A common feature in all industries of various quality of service is a feature also in the recruitment industry. While some take efforts to evaluate candidates others merely forward received applications in response to advertisements. What is the need of the company and whether those on the panel supply it not only initially but continually should be monitored by the HR Department.

3. Has the company entered formal agreements with the Recruiting agencies after negotiations preferably within the market trend and has the company raised claims where due or demanded replacements as per the agreement?
It is common for the recruiting agencies to give replacement of person in case he/she resigns within a certain period (say six months). Though this is strictly not a security issue but a revenue protection issue, monitoring of this point will generate statistics of trend of the recruiting agencies which will later give early warning signals of the quality of resource recommended and thus the need for revaluation of the agency before due by mere passage of time.

4. During the induction process is each employee made sufficiently aware the need for protection of data and the prevention of accidental leakage and has a confidentiality agreement signed by each and every one?
Awareness is one powerful communication to not only prevent leakage of information through the ignorant but also sends a message to all that the company means business regarding privacy. Signing the confidentially agreement normally extends even after the employee resigns from the company.

5. Does the company have restricted entry into the work area controlled by devices preferably biometric?
This control goes beyond just designing conference rooms near the reception area. This point demands restricted points of entry and all such points to be device
controlled linked to attendance or compared with attendance procedures if different. Internal auditors have reported glaring faults in device controls where the employee is shown as not left the work place for more than 48 continuously. This is the common complaint when access is made by one colleague and the other colleague follows without swiping the card. On the other hand if the swipe was also for attendance, you can be sure no person would ‘tag’ behind a colleague. This point is of concern since proof of such records may be used in later investigation to indicate their presence or absence as it may suit to their advantage.

6. Is there a formal restriction for carriage of devices of data storage (flash drive, CD, Floppy, IPod etc.) and other devices capable of recording / transmission like cameras and mobile phones, in the work area and is it monitored by the security?
This point is to thwart the carriage of tools of mass copy of data. What is normally spirited away is not just small information but mass of data which is beyond the memory capability of a normal person eg. 20,000 names and account numbers with their User ID and password. Perhaps only one to five may be committed to memory but there are no takes for such small information so the emphasis is on restriction of devices of either mass storage or communication (cell phone)

7. Does the HR Department report to the executives, non utilization of eligible leave by any employee?
Leave utilization is accepted as a good measure of internal control. A perpetrator will not opt for the eligible leave lest the replacement stumbles onto his departure from routine.

8. Does the company have a working ‘Know Your Employee’ policy in place?
A sin-qua-non for any BPO is this policy which is noted to be slowly formalized in many enlightened companies.

Technical Solutions

9. Has the company disabled all external devices such as floppies, CDs and UPS points other than those required and effectively prevented any direct communication from terminal to the outside world through modem or any device or to the internet?
Hardware restrictions preventing copying and prevention of direct communication via internet is one primary effective security procedure.

10. Are there sufficiently updated security arrangements to prevent intrusion into the system?
Firewalls and anti virus systems are normal safeguards to prevent intrusion devices which compromise privacy and secrecy of the data. It is often noticed that primarily due to technical ignorance, the Internal Audit stops at the point of installation of Firewall. The configuration of the Firewall is more important or it will be like a cannon which is not loaded – may frighten only but not perform. However, there is general puzzlement even at the stage of configuration since control of intrusion from outside is well executed but control of flow from the company to the outside world is often not controlled though all firewalls have this control! It is absence of this control that is often abused.

11. Does the company conduct periodic ‘Security Audit’ and ‘Penetration Audit’ for continual assurance of security of data?
In the fluid world of computers, a one time set up is never a permanent protection. Since intrusion devices are continually evolving so are the protection techniques and no company in this industry can rest on their historic action of security. Specialist agencies may fill in the gap of technical knowledge needed for this work.

12. Does the company undertake adequate precaution in communication of data (either receipt or transmission)?
Networking across countries or within the country, the BPO units are normally linked with their host company via a Virtual Private Network (VPN) or any other mode-even the a internet. It is considered safe to encrypt the data during transmission and it is expected for most contracts to specify this. Software encrypting is also supported by
Hardware encrypting to-day.

13. Before the execution of a BPO contract, is the work flow and process evaluated from the angle of security and prevention of all data in the hands of one person to exploit in adverse circumstance?
Not much thought was hitherto given to this aspect which is the bone of internal control in any industry. The BPO unit has to invest time and energy to assure this internal control which will be beneficial in the long run not only to the company but the industry as a whole!

Techno Legal Solutions

14. Does the company have adequate software rights in case of purchased software and in case of dedicated software by the contracting company is the right to use sufficient for the protection of the BPO company?
Adequate licensing is the point considered here. Standard software should be legally purchased and in case the contracting company has a unique software it wants the BPO company to use then this should be supported by adequately worded agreement.

15. Is the main contract self sufficient in definition of expected quality and tolerance level determined by an objective process? Is the company regularly monitoring it and are its findings supported by the actual revenue from the contracting company?
Being a knowledge process industry, the acceptance standards should be set in the main agreement (under negotiation of course) settling the tolerance level of acceptance and thus the payment of fees to the BPO company. The primary revenue of the company is dependant on this point. It is therefore paramount to note whether
the contracting company’s results of accuracy are the same as that of the company. Prima facie this is not directly affecting security of data but over anxiousness in this
direction due to inadequate continuous monitoring diverts attention of the management from the aspects of security as they plunge headlong into revenue protection.

16. Is the quality control (QC)department staff turned over periodically?
Quality control of processed data is one point of process where internal control is often compromised as they have to be made available with all data to execute their work. In such a case staff turnover is a good measure of control.

This checklist is the bare minimum for the auditor. There are many more aspects to delve into which demand technical skills which should not be too difficult for the initiated.