Offshore Outsourcing - Dealing with Compliance Issues

Offshore Outsourcing - Dealing with Compliance Issues
Ken D. Nguyen, PMP, CISSP, CISM, MCSE
SVP & CTO
SourceSentry, Inc.
[email protected]
Agenda

Compliance Landscape

Current & Pending (Federal & State) Bills

Corporate Governance

Binding Corporate Rules (BCR)

Vendor Governance

Q/A
©SourceSentry 2004
The Compliance Landscape
* Source: Meta Group, Inc. 2004
The Compliance Landscape
SOX Implications on Outsourcing

Regulatory clarification lagging: 2H04 is too late for many

What about Sec 409 and PCAOB Audit No 2?

Sarbanes-Oxley (SOX) does not differentiate between insourced and outsourced processes

SAS 70 audits: Good enough?
The Compliance Landscape
What You Still Need to be thinking about for HIPAA

Service Providers Contracts on the whole

Individual rights issues – Are we really supposed to check with every business associate?

What do they want you to do with the Security Rule?

Monitoring issues – an emerging issue for everyone
The Compliance Landscape
US Patriot Act

Information Sharing

Anti-Money Laundering Program – Section 352(a)

Suspicious Activity Reporting

Customer Identification Program – Section 326

Concerns about US companies violating privacy law of other countries
The Compliance Landscape
Basel II

Basel II includes three mutually reinforcing pillars:
– Pillar 1: Minimum Capital Requirement
– Pillar 2: Supervisory Review Process
– Pillar 3: Market Discipline

Offshore outsourcing affects Pillar 1, particularly the Operational Risk aspect

Regulatory review practices will spread to banks’ key suppliers, third-party outsourcing service providers, offshore processing services, and providers of key systems and tools

US Federal Reserve expects only the top 11 US banks to comply - although a further 10 or more are expected to opt in.
The Compliance Landscape
State of New Offshore Legislation

42 separate bills introduced in 22 states addressing state contracting and the use of foreign labor

Another 13 bills in 12 states requiring individuals to identify themselves, their location, and the company they work for

Other bills prohibit financial data from leaving the U.S.

Changes to tax policy

“Buy Home State” provisions
The Compliance Landscape
Federal Bills

S. 2090 – (WARN Act) – Same as federal plant closure laws
– Notice to be given before operations go offshore
– Make trade adjustment assistance available to workers

S. 1873 – Call centers to ID location of call

S. 2094 – No Federal contracts to offshore providers

S. 2143, S. 2157 and H.R. 3881 would extend trade adjustment assistance for displaced workers

S. 2148 – Similar to S. 2094

S. 2312 – Consent from customers for transferring personal, medical or financial data (H. Clinton)

S. 1232 – Safeguarding Americans From Exporting Identification Data Act (SAFE-ID)

S. 1637 – (Senator Dodd Amendment) Senate has already passed Amendment to prohibit companies from fulfilling federal contracts using offshore outsourced labor
The Compliance Landscape
State Bills – For Example California

AB 1829 - Prohibits state agency or local government from contracting out services unless the company certifies that all work will be performed solely by workers in the US

AB 3021 - Requires CA employers to determine the amount of offshore outsourcing they do by reporting the number of workers employed outside CA

AB 2517 - Requires call center employees to give (honest) disclosure of their location

SB 888 - Prevents offshore transmittal of info "important to homeland security” (broad definition)

SB 1492 - Prevents medical records from being shipped overseas, unless prior consent received from individual
The Compliance Landscape
Other Challenges
Enforcing Judgments Abroad
– Jurisdictional Challenges
– Enforcing Damages and Limitations of Liability
– No Uniformity

Security of Information
– Potential Liability under US/EU Privacy/Data Laws
– Poor IP Rights Regimes in Developing Countries

Overlapping Laws and Conflicts
– Conflict between US and Local Laws
– Overlapping regulations and ambiguities
Impact of Compliance
Impact regulations will have on the likelihood to outsource IT in the interests of compliance or to outsource business process/functions
* Source: Meta Group, Inc. 2004
What can be done?
Crafting a Corporate Governance Framework

Organizations must develop global and integrated corporate governance strategies, practices, and processes

Corporate Governance Frameworks
– COBIT - Control Objectives for Information and related Technology
– COSO - Committee of Sponsoring Organizations
– FRAP - Facilitated Risk Assessment Process
– CRAMM - The CCTA’s (Central Computer and Telecommunications Agency) Risk Analysis and Management Method
– OCTAVE - Operationally Critical Threat, Asset, and Vulnerability Evaluation
– ITIL – IT Infrastructure Library
– BizSentry – Offshore Outsourced Activities

COBIT, COSO, BizSentry, others?
What can be done?
Binding Corporate Rules

BCRs
– Consistent with company’s compliance structure and practices
– Harmonized global guidelines ensure a consistent, strong protection
– Binding on company’s entities and employees
– Policies are alive and visible to our employees
– Language is user-friendly for data handlers and employees

Alternative - Contracts

Alternative - Safe Harbor
What can be done?
Establish Vendor Governance Program

Partnership / Communication

Govern by contract, then be friends

Use a dashboard: Then watch it!

Industry Solution? – SVR, BITS, etc.
What can be done?
Additional Recommendations

Use external independent assessment in the offshore location

Scrutinize regulatory compliance mandates

Integrate services sourcing and management processes within overall corporate governance framework

Don’t procrastinate…act now
Offshoring/Outsourcing Resources

Outsourcing/Offshoring Knowledge
– SourceSentry: http://www.sourcesentry.com
– ISACA: http://www.isaca.org
– FDIC: Offshore Outsourcing of Data Services by Insured Institutions and Associated Consumer Privacy Risks: http://www.fdic.gov/regulations/examinations/offshore/toc.html
– IT Compliance Institute: http://www.itcinstitute.com/index.aspx
– Ponemon Institute: http://www.ponemon.org
– Outsourcing Institute: http://www.outsourcing.com
– Outsourcing Journal: http://www.outsourcingjournal.com
– NASSCOM: http://www.nasscom.org
– Philippines: http://www.outsourcephilippines.org
– Global: www.witsa.org
Questions
Ken D. Nguyen, PMP, CISSP, CISM, MCSE
SVP & CTO
SourceSentry, Inc.
[email protected]