India's IT services and outsourcing companies need to improve safety awareness

Beijing time, April 10 Noon news, according to foreign media reports, the U.S. market research company Forrester study published this week that U.S. companies commissioned by Indian outsourcing firms to engage in research and development activities should strive to ensure that the other side to take strong measures to protect data security, not just a formality. In a mere formality, Forrester says many Indian companies have raised safety measures in recent years, but there is still a lack of enforcement to ensure they are implemented.　　The effectiveness of these measures has been undermined to a certain extent by the lack of adequate training and awareness due to reliance on technology. "Customers should urge suppliers to increase staff input and training, not only by making commitments to executives, but also by pushing government agencies to develop better regulations to allow timely scrutiny of relevant measures," the report says. Soutille Epte Sudhir Apte, a Forrester study analyst who wrote the report, said that the main purpose of many security measures was to reassure users, but the actual effect was not satisfactory.　　In his view, most Indian outsourcing companies ' security measures are only a formality, they are only a marketing approach. Measures Epte pointed out that in order to appease users, the Indian government, the Indian software industry and Service Companies Association (hereinafter referred to as "Nasscom") and several Indian companies have taken many steps to improve security. For example, many large Indian outsourcing firms have deployed international security standards such as BS7799, and have further enhanced transparency in financial reporting standards while enhancing physical security measures to prevent terrorist attacks.　　BS7799 provides a range of IT system security control standards for the enterprise. The Indian Government is also actively supporting industry development and has passed the Information Technology Act (Information Marvell Act), which forces all Indian IT companies to provide data security programs that can be reviewed.　　The Indian Data Security Council (hereinafter referred to as "Dsci"), established by Nasscom, also helps India's IT service industry and business process outsourcing vendors (BPO) to enhance security levels. Epte quoted Dsci's report as saying that almost all Indian IT service companies and BPO have appointed a chief security officer over the past two years and have developed a robust disaster recovery and business continuity plan.　　Many Indian companies also deploy terminal cryptography, management tools, and virtual security. It's not working. The report appreciates India's willingness to lift security measures but retains a positive view of the actual results. One of the biggest problems, Epte believes, is the overemphasis on technical controls to meet relevant policy and industry standards. But these measures appear to be just to show security, not to reduce the threat. Key factors such as employee training and increased safety awareness are often completely overlooked, and many companies manage control and physical security measures in a more dispersedDiffuse。 Epte also pointed out that India's outsourcing companies lack the implementation of security projects support. In his view, many of India's chief security officers ' reports were ignored by their superiors, and the relevant executive support was inconsistent.　　Only when there is a problem or exposure to the media, security issues will cause the attention of enterprises. The reason for this, Epte, is that many American companies that outsource jobs to India rarely pay attention to security issues, and they tend to be more concerned about prices, especially in IT services.　　"Customers in the BPO industry are more sensitive," he said. Jonathan Gossels, Systemexperts president of the US consultancy, Jonathan Gossers that most big Indian companies are fully capable of providing first-class security, but U.S. customers also need to be clear about their safety expectations.　　Because users do not know what to ask for, and do not know how to refine their expectations, so that the security measures greatly compromised. "According to my personal experience, leading a business is very sensitive to the market," Gossers said. As long as their users require better security, they respond. Epte also made some suggestions for American companies that outsource their business to India. For example, the risk of terrorist attacks and natural disasters should be covered not only in the contract, but also in the prevention of information security threats. The enterprise should also ensure that the outsourced manufacturer can not only provide remote disaster recovery facilities, but also allow the other party to appoint professional technicians to oversee. In addition, the report suggests that U.S. companies urge their outsourcing partners to join security programs such as Dsci. (Ding Macro)