A NASSCOM ® Initiative Security and Quality Kamlesh Bajaj CEO, DSCI May 23, 2009 NASSCOM Quality Summit Hyderabad 1

A NASSCOM ® Initiative 2 IT OperationsShifting from a technology-led siloed structure into a process-centric service- oriented organization Organizing FrameworkTo link technology components in infrastructure to the process steps that exist within IT Guiding FrameworkLink IT Processes to business activities and create service-level metrics IT Management frameworks ISO; CMMI; ITIL Generic FWs; must be tailored to the specific needs of a company Improve the management of IT Allow for the systematic and least disruptive path to adoption Support IT Governance imperatives Integrate new technologies and architectures into a service-oriented operation 1. ISO CMM 3. CMMI 4. ITIL 1. Focus on certification 2. Describes process maturity 3. Emphasizes process improvements 4. Defines & leverages best practices for management and operations of IT org IT Management Frameworks organized into 5 logical subject areas 1. Project Management (PMBOK, PRINCE2...) 2. Software development (TickIT, Agile, MSF, IT CMM...) 3. Process management (Software CMM, CobIT, ISO 15504, Six Sigma, TOGAF..) 4. Service management (ISO 20000, ISO/IEC 38500, ITIL, MOF, eTOM...) 5. Security management (ISO ) 6. Strategy (Balanced Scorecard...) IT Services Management

A NASSCOM ® Initiative 3 Six Sigma and ITIL1.Facilitate Business and IT alignment through quality 2.Helps deliver high-quality IT services at min cost to business 3.Provide both process and performance improvements 4.Six Sigma focus on process; ITIL on best practices for delivery and support of IT services CMM and ITIL1.Help streamline infrastructure and development processes 2.ITIL focus on service management (Operations); CMM focus on maturity of the organization that develops and maintains software 3.Interdependencies through three key processes: change management, configuration management, and release management CoBIT and ITIL1.To measure ITIL in which ‘how’ of detailed tasks and steps absent 2.CobIT defines 34 processes; its performance measures define key performance indicators that ITIL processes must deliver against IT Frameworks benefit both business and IT

A NASSCOM ® Initiative 4 SOX Compliance1.Controls and monitoring practices required not new to QA 2.Companies with strong QA groups ahead in SOX compliance QA’s independence1.From applications development and the checks and balances performed by QA groups ensure adherence to best practices. 2.Implementing formal QA to standardize and document current processes for improvement and leveraging those practices for continued SOX compliance Restructuring of organizations 1.IT shops making testers part of centralized testing teams; not of development teams 2.Moving testing out of development and into operations. 3.Similar to Security Organization and IT Operations independence 4.Many IT functions, including quality assurance, security, architecture, and compliance, need some level of independence to avoid conflicts of interest. Security and QA in SOX Compliance

A NASSCOM ® Initiative 5 QA important for compliance 1.Adds value through formal process 2.Audit not a one-time exercise, process helps culture change 3.Continual verification, validation, and audit processes via QA assist in changing culture while improving overall delivery practices 4.Nature of QA is to develop, review, and document: test plans or SDLC practices, the essence of QA is in the auditability of processes 5.Leveraging QA practices provides assistance in ensuring IT compliance Section 404 of SOX or in COBIT requires that internal controls be in place ; but does not specify 1. QA's primary role is to validate processes and document findings in SDLC 2. Employing similar QA practices to validate compliance with SOX can gain additional value. 3. Using existing QA processes brings visibility to detect potential risks of noncompliance, as well as planning strategies for correction and validation. QA Role expansionApp Dev and delivery processes expanded to include compliance-related issues, such as risk, change control, and release management. QA and Security groups: synergize for Compliance

A NASSCOM ® Initiative 6 Triumph of Quality Management Frameworks

A NASSCOM ® Initiative Framework for a Systematic, Comprehensive Approach to Information Security 7

A NASSCOM ® Initiative Security Management ISO IT Governance CoBIT Security Standards ITU-T X.1051 Security Practices NIST SP 800 Risk Management OCTAVE | COSO | FMEA Infrastructure Mgmt ITIL | ISO EU Privacy Directives US- FTC directives, Patriot Act GLBA HIPAA Aus- Privacy Act 1988, APAC Canada- PIPEDA IT (Amendment) Act, 2008 UK- Data Protection Act 1998 PCI-DSS Privacy Regulations Compliance Regulations Security Market Research Academic Collaborations Industry best practices Data Protection Authorities Legal & Regulatory Requirements Knowledge Collaboration Legal Forums Architecture Principles Product, solution trends Vendor forums, interactions Technology advancement Solution Categories Security Technology Trends Security Vendor Collaboration Technology and Vendor interactions DSCI- Best Practices Data Security Data Privacy Technology Forums DSCI- Data Protection Practices Mapping to compliance regulations Adoption of leading practices Micro level & customized Easy of implementation 8

A NASSCOM ® Initiative Best Practices: Data Security and Privacy 9

A NASSCOM ® Initiative Thank You 10