Kamlesh Bajaj, CEO, DSCI

Security and Quality
Kamlesh Bajaj
CEO, DSCI
May 23, 2009
NASSCOM Quality Summit
Hyderabad
A NASSCOM® Initiative
1
IT Services Management

IT Operations
1. Shifting from a technology-led, siloed structure into a process-centric, service-oriented organization
2. Integrate new technologies and architectures into a service-oriented operation

Organizing Framework
To link technology components in infrastructure to the process steps that exist within IT

Guiding Framework
Link IT processes to business activities and create service-level metrics

IT Management frameworks (ISO; CMMI; ITIL)
1. Improve the management of IT
2. Allow for the systematic and least disruptive path to adoption
3. Support IT Governance imperatives
4. Generic frameworks; must be tailored to the specific needs of a company

1. ISO 20000: Focus on certification
2. CMM: Describes process maturity
3. CMMI: Emphasizes process improvements
4. ITIL: Defines & leverages best practices for management and operations of the IT organization

IT Management Frameworks organized into 5 logical subject areas
1. Project Management (PMBOK, PRINCE2...)
2. Software development (TickIT, Agile, MSF, IT CMM...)
3. Process management (Software CMM, CobIT, ISO 15504, Six Sigma, TOGAF...)
4. Service management (ISO 20000, ISO/IEC 38500, ITIL, MOF, eTOM...)
5. Security management (ISO 27001...)
6. Strategy (Balanced Scorecard...)
IT Frameworks benefit both business and IT

Six Sigma and ITIL
1. Facilitate Business and IT alignment through quality
2. Help deliver high-quality IT services at minimum cost to business
3. Provide both process and performance improvements
4. Six Sigma focuses on process; ITIL on best practices for delivery and support of IT services

CMM and ITIL
1. Help streamline infrastructure and development processes
2. ITIL focuses on service management (Operations); CMM focuses on the maturity of the organization that develops and maintains software
3. Interdependencies through three key processes: change management, configuration management, and release management

CoBIT and ITIL
1. To measure ITIL, in which the 'how' of detailed tasks and steps is absent
2. CobIT defines 34 processes; its performance measures define key performance indicators that ITIL processes must deliver against
Security and QA in SOX Compliance

SOX Compliance
1. Controls and monitoring practices required are not new to QA
2. Companies with strong QA groups are ahead in SOX compliance

QA's independence
1. Independence from applications development and the checks and balances performed by QA groups ensure adherence to best practices.
2. Implementing formal QA to standardize and document current processes for improvement, and leveraging those practices for continued SOX compliance

Restructuring of organizations
1. IT shops making testers part of centralized testing teams, not of development teams
2. Moving testing out of development and into operations.
3. Similar to Security Organization and IT Operations independence
4. Many IT functions, including quality assurance, security, architecture, and compliance, need some level of independence to avoid conflicts of interest.
QA and Security groups: synergize for Compliance

QA important for compliance
1. Adds value through formal process
2. Audit is not a one-time exercise; process helps culture change
3. Continual verification, validation, and audit processes via QA assist in changing culture while improving overall delivery practices
4. The nature of QA is to develop, review, and document test plans or SDLC practices; the essence of QA is in the auditability of processes
5. Leveraging QA practices provides assistance in ensuring IT compliance

Section 404 of SOX, or COBIT, requires that internal controls be in place; but does not specify

QA Role expansion
1. QA's primary role is to validate processes and document findings in the SDLC; app dev and delivery processes are expanded to include compliance-related issues, such as risk, change control, and release management.
2. Employing similar QA practices to validate compliance with SOX can gain additional value.
3. Using existing QA processes brings visibility to detect potential risks of noncompliance, as well as planning strategies for correction and validation.
Triumph of Quality Management Frameworks
Framework for a Systematic, Comprehensive Approach to Information Security
DSCI- Data Protection Practices
[Diagram: labels recovered and grouped by area]

Legal & Regulatory Requirements (Privacy Regulations, Compliance Regulations)
• EU Privacy Directives
• UK- Data Protection Act 1998
• Canada- PIPEDA
• Aus- Privacy Act 1988, APAC
• IT (Amendment) Act, 2008
• US- FTC directives, Patriot Act
• GLBA
• HIPAA
• PCI-DSS

Industry best practices and standards
• Security Management: ISO 27001
• Risk Management: OCTAVE | COSO | FMEA
• Security Standards: ITU-T X.1051
• Security Practices: NIST SP 800
• IT Governance: CoBIT
• Infrastructure Mgmt: ITIL | ISO 20000

Knowledge Collaboration
• Security Market Research
• Legal Forums
• Academic Collaborations
• Data Protection Authorities
• Technology Forums

Security Technology Trends
• Technology and Vendor interactions
• Security Vendor Collaboration: vendor forums, interactions
• Architecture Principles
• Solution Categories
• Product, solution trends
• Technology advancement

DSCI- Best Practices: Data Security, Data Privacy
• Mapping to compliance regulations
• Adoption of leading practices
• Micro level & customized
• Ease of implementation
Best Practices: Data Security and Privacy
[Diagram: Mapping of Compliance Regulations -> Control Identification -> Best Practice Framework (Security, Privacy)]

Inputs to the Best Practice Framework
• ISO 27001 Best Practices
• Industry Standards
• Global Best Practices
• Privacy Principles (OECD Principles)
• Technology Trends

Mapping of Compliance Regulations (HIPAA examples)
• 164.310(d)(2)(iv) Data backup & storage
• 164.310(d)(2)(i) Disposal
• 164.312(a)(2)(i) User identification

Control Identification
• Privilege Account Management
• Access to personal information
• User identification
• Back-Up
• Media Handling
• Controls against Mobile code
• Physical Security, Equipment Security
• Reporting security events
• Access Control
• Access
• User Mgmt
Thank You