Offshore Outsourcing - Dealing with Compliance Issues
Ken D. Nguyen, PMP, CISSP, CISM, MCSE
SVP & CTO
SourceSentry, Inc.
[email protected]
Agenda
Compliance Landscape
Current & Pending (Federal & State) Bills
Corporate Governance
Binding Corporate Rules (BCR)
Vendor Governance
Q/A
©SourceSentry 2004
The Compliance Landscape
* Meta Group, Inc. 2004
The Compliance Landscape
SOX Implications on Outsourcing
Regulatory clarification lagging: 2H04 is too late for many
What about Section 409 and PCAOB Auditing Standard No. 2?
Sarbanes-Oxley (SOX) does not differentiate between insourced and outsourced processes
SAS 70 audits: Good enough?
The Compliance Landscape
What You Still Need to Be Thinking About for HIPAA
Service provider contracts as a whole
Individual rights issues – Are we really supposed to check with every business associate?
What do they want you to do with the Security Rule?
Monitoring issues – an emerging issue for everyone
The Compliance Landscape
USA PATRIOT Act
Information Sharing
Anti-Money Laundering Program
– Section 352(a)
Suspicious Activity Reporting
Customer Identification Program
– Section 326
Concerns about US companies violating the privacy laws of other countries
The Compliance Landscape
Basel II
Basel II includes three mutually reinforcing pillars:
– Pillar 1: Minimum Capital Requirement
– Pillar 2: Supervisory Review Process
– Pillar 3: Market Discipline
Offshore outsourcing affects Pillar 1, particularly the operational risk aspect
Regulatory review practices will spread to banks’ key suppliers, third-party outsourcing service providers, offshore processing services, and providers of key systems and tools
US Federal Reserve expects only the top 11 US banks to comply – although a further 10 or more are expected to opt in
The Compliance Landscape
State of New Offshore Legislation
42 separate bills introduced in 22 states addressing state contracting and the use of foreign labor
Another 13 bills in 12 states requiring individuals to identify themselves, their location, and the company they work for
Other bills prohibit financial data from leaving the U.S.
Changes to tax policy
“Buy Home State” provisions
The Compliance Landscape
Federal Bills
S. 2090 – (WARN Act) – Same as federal plant closure laws
– Notice to be given before operations go offshore
– Make trade adjustment assistance available to workers
S. 1873 – Call centers to identify the location of the call
S. 2094 – No federal contracts to offshore providers
S. 2143, S. 2157 and H.R. 3881 would extend trade adjustment assistance for displaced workers
S. 2148 – Similar to S. 2094
S. 2312 – Consent from customers for transferring personal, medical or financial data (H. Clinton)
S. 1232 – Safeguarding Americans From Exporting Identification Data Act (SAFE-ID)
S. 1637 – (Senator Dodd amendment) The Senate has already passed an amendment to prohibit companies from fulfilling federal contracts using offshore outsourced labor
The Compliance Landscape
State Bills – For Example California
AB 1829 – Prohibits a state agency or local government from contracting out services unless the company certifies that all work will be performed solely by workers in the US
AB 3021 – Requires CA employers to determine the amount of offshore outsourcing they do by reporting the number of workers employed outside CA
AB 2517 – Requires call center employees to give (honest) disclosure of their location
SB 888 – Prevents offshore transmittal of info “important to homeland security” (broad definition)
SB 1492 – Prevents medical records from being shipped overseas, unless prior consent is received from the individual
The Compliance Landscape
Other Challenges
Enforcing Judgments Abroad
– Jurisdictional challenges
– Enforcing damages and limitations of liability
– No uniformity
Security of Information
– Potential liability under US/EU privacy/data laws
– Poor IP rights regimes in developing countries
Overlapping Laws and Conflicts
– Conflict between US and local laws
– Overlapping regulations and ambiguities
Impact of Compliance
Impact regulations will have on the likelihood to outsource IT in the interests of compliance or to outsource business processes/functions
* Meta Group, Inc. 2004
What can be done?
Crafting a Corporate Governance Framework
Organizations must develop global and integrated corporate governance strategies, practices, and processes
Frameworks
– COBIT – Control Objectives for Information and related Technology
– COSO – Committee of Sponsoring Organizations
– FRAP – Facilitated Risk Assessment Process
– CRAMM – The CCTA’s (Central Computer and Telecommunications Agency) Risk Analysis and Management Method
– OCTAVE – Operationally Critical Threat, Asset, and Vulnerability Evaluation
– ITIL – IT Infrastructure Library
– BizSentry – Offshore Outsourced Activities
Corporate Governance Framework
– COBIT, COSO, BizSentry, others?
What can be done?
Binding Corporate Rules
BCRs
– Consistent with company’s compliance structure and practices
– Harmonized global guidelines ensure a consistent, strong protection
– Binding on company’s entities and employees
– Policies are alive and visible to our employees
– Language is user-friendly for data handlers and employees
Alternative - Contracts
Alternative - Safe Harbor
What can be done?
Establish Vendor Governance Program
Partnership / Communication
Govern by contract, then be friends
Use a dashboard: Then watch it!
Industry Solution? – SVR, BITS, etc.
What can be done?
Additional Recommendations
Use external independent assessment in the offshore location
Scrutinize regulatory compliance mandates
Integrate services sourcing and management processes within the overall corporate governance framework
Don’t procrastinate…act now
Offshoring/Outsourcing Resources
Outsourcing/Offshoring Knowledge
– SourceSentry: http://www.sourcesentry.com
– ISACA: http://www.isaca.org
– FDIC: Offshore Outsourcing of Data Services by Insured Institutions and Associated Consumer Privacy Risks: http://www.fdic.gov/regulations/examinations/offshore/toc.html
– IT Compliance Institute: http://www.itcinstitute.com/index.aspx
– Ponemon Institute: http://www.ponemon.org
– Outsourcing Institute: http://www.outsourcing.com
– Outsourcing Journal: http://www.outsourcingjournal.com
– NASSCOM: http://www.nasscom.org
– Philippines: http://www.outsourcephilippines.org
– Global: www.witsa.org
Questions