DSCI Framework- Pilot Implementation

Operational Locations Different project groups Different client Geographies Different services Exposes PI through different means Privacy Organization New Project- Exposure to Personal information Training and Awareness Report Visibility over Personal Information Exposure to different compliance regulations Regulatory Compliance Intelligence Privacy Policies, processes Enforce Contract, Service Agreement Guide Privacy Contract Management Monitoring & Incident Management Privacy breach Detect Information Usage & Access Personal Information Security DSCI Privacy Approach (POR) (PPP) VPI) (RCI) (PCM) (MIM) (PIS) (IUA) (PAT)

VPIPPPPCM PIS PATMIM POR Personal Information Security Information Usage & Access, Monitoring & Training RCI IUA VPI – Visibility Over Personal Information POR – Privacy Organization & Relations PPP – Privacy Policy & Processes RCI – Regulatory Compliance Intelligence PCM – Privacy Contract Management MIM – Privacy Monitoring & Incident Management IUA – Information Usage & Access PAT – Privacy Awareness & Training PIS– Personal Information Security Privacy Strategy & Processes DSCI- Privacy Framework DPF © - DSCI Privacy Framework

A NASSCOM ® Initiative What brings the data to you ? What the data brings to you? Business processes that involve transactions with the end customer Business relationships that involve transactions in the data Business functions that deal with employee data Concerns Retail Business Customer Services Business Partners Retailers CRM Sales & Marketing Outsourcing Service Agents HR Management Finance Travel Admin Data Protection requirements End Customer Client / Partner Employee Governments Privacy Principles Technology Measures Compliance Requirements Security & Safeguards Service (MSA) Agreements Geographical regulations (UK DPA, US California Data Sec) Vertical specific regulations (HIPAA/HITECH: Health) Functional regulations (GLBA- Finance Products) Organizational Measures Data Centric Approach DSCI Framework Implementation

A NASSCOM ® Initiative DC Role for Employee Data Protection Data Processor Role Data Controller Role Data Elements Data Fields Data Access Points Data Operations Application Access Underlying Infrastructure Physical Environment Personnel security Client environment Type of Data US, California State Health Financial Processing Data Origin Client: xyz MSA SB 1386 HIPAA/ HITECH GLBA Client Relations ProcessSub-process Business Functions ProcessSub-process Business Services ProcessSub-process Business Process Portfolio Relationship Portfolio Business Function Portfolio DSCI Framework Implementation Data Centric Approach Portfolio from Data Perspective Example Compliance MSA Requirements Geographical regulations Vertical regulations Functional regulations

A NASSCOM ® Initiative Client Relationship, Processes, Sub Processes, Gives insight into the data associated with the process/sub-process Process Portfolio: Data Perspective Data View Data Field, Form, File View of data in all processes Access, Process, Transmits, Storage View of operations performed on the data element Data AccessData Env Client & Offshore Env, Infrastructure Physical Env View of underlying infrastructure that process data Compliance MSA, Geography), Domain Specific, Special Legislation View of compliance reqds mapped to the Data Visibility Exercise Visibility Vigilance Coverage & Accuracy Discipline in defense Compliance demonstration Enablers DSCI Framework: DSF& DPF DSCI Best Practices DSCI- Document Ecosystem (Strategic Options, Guidance Notes etc) Framework Implementation Strategic, tactical & operational View DSCI Principles DSCI Framework Implementation Identify Problem Strategic Options Security Program Impleme ntation Operatio nalization DSCI Best Practices DSF & DPF or Any Security Program- ISO, PCIDSS, etc.

A NASSCOM ® Initiative Pilot Implementation DSCI Contribution DSCI Approach & Methodology Visibility tool (spreadsheet) Data capture guidance Data analysis & presentation Phase I: Visibility Exercise Service Provider Contribution Identify function/ LOS is to be covered, define sample size Data capture Help in data analysis Create case study Client relationship portfolio from data security perspective Consolidated view of data, & underlying environment Granular risk map, revealing real issues Risk classification - reveals client, as well as, SP accountability Deliverables Roles & Responsibility Scope Scope restricted to a mutually agreed sample size. Depends on the LOBs to, no of client relationships, & number of processes or sub processes under each relationship Future directions & plan No involvement of third party Lean exercise, avoiding bulkiness Enablers DSCI Best Practices Data Controller Data Processor DSCI Framework - DPF | DSFVisibility Exercise Tools

A NASSCOM ® Initiative Brings data centric approach in the security initiatives Creates a portfolio of business processes from data perspective Focus on scenarios that may lead to data breach, identify the issues in environments both at client and service provider Reach to the granularities of risks, which help fix accountability of process and project owners, Revitalize security operations, compliances and reporting to incorporate data centric elements Rely on visibility that identifies where the data is residing and how it is transacting Provides assurance over security over the specific data element in the wake of emerging data protection regulations Data Centric Approach Visibility as a fundamental Principle Portfolios from Data perspective Granularity of risks Scenario based evaluation Revitalization of security operations Assurance in the wake of regulations Framework Implementation Benefits

A NASSCOM ® Initiative Thank You