
Offshore Outsourcing - Dealing with Compliance Issues


Presentation Transcript


  1. Offshore Outsourcing - Dealing with Compliance Issues
  Ken D. Nguyen, PMP, CISSP, CISM, MCSE
  SVP & CTO, SourceSentry, Inc.
  knguyen@sourcesentry.com

  2. Agenda
  • Compliance Landscape
  • Current & Pending (Federal & State) Bills
  • Corporate Governance
  • Binding Corporate Rules (BCR)
  • Vendor Governance
  • Q/A
  ©SourceSentry 2004

  3. The Compliance Landscape
  * Source: Meta Group, Inc. 2004 (chart not reproduced in the transcript)

  4. The Compliance Landscape: SOX Implications on Outsourcing
  • Regulatory clarification lagging: 2H04 is too late for many
  • What about Sec 409 and PCAOB Audit No 2?
  • Sarbanes-Oxley (SOX) does not differentiate between insourced and outsourced processes
  • SAS 70 audits: Good enough?

  5. The Compliance Landscape: What You Still Need to Be Thinking About for HIPAA
  • Service provider contracts on the whole
  • Individual rights issues – Are we really supposed to check with every business associate?
  • What do they want you to do with the Security Rule?
  • Monitoring issues – an emerging issue for everyone

  6. The Compliance Landscape: US Patriot Act
  • Information Sharing
  • Anti-Money Laundering Program
      • Section 352(a)
      • Suspicious Activity Reporting
  • Customer Identification Program
      • Section 326
  • Concerns about US companies violating privacy law of other countries

  7. The Compliance Landscape: Basel II
  • Basel II includes three mutually reinforcing pillars:
      • Pillar 1: Minimum Capital Requirement
      • Pillar 2: Supervisory Review Process
      • Pillar 3: Market Discipline
  • Offshore outsourcing affects Pillar 1, particularly the Operational Risk aspect
  • Regulatory review practices will spread to banks’ key suppliers, third-party outsourcing service providers, offshore processing services, and providers of key systems and tools
  • US Federal Reserve expects only the top 11 US banks to comply, although a further 10 or more are expected to opt in

  8. The Compliance Landscape: State of New Offshore Legislation
  • 42 separate bills introduced in 22 states addressing state contracting and the use of foreign labor
  • Another 13 bills in 12 states requiring individuals to identify themselves, their location, and the company they work for
  • Other bills prohibit financial data from leaving the U.S.
  • Changes to tax policy
  • “Buy Home State” provisions

  9. The Compliance Landscape: Federal Bills
  • S. 2090 – (WARN Act) – Same as federal plant closure laws
      • Notice to be given before operations go offshore
      • Make trade adjustment assistance available to workers
  • S. 1873 – Call centers to ID location of call
  • S. 2094 – No Federal contracts to offshore providers
  • S. 2143, S. 2157 and H.R. 3881 would extend trade adjustment assistance for displaced workers
  • S. 2148 – Similar to S. 2094
  • S. 2312 – Consent from customers for transferring personal, medical or financial data (H. Clinton)
  • S. 1232 – Safeguarding Americans From Exporting Identification Data Act (SAFE-ID)
  • S. 1637 – (Senator Dodd Amendment) Senate has already passed Amendment to prohibit companies from fulfilling federal contracts using offshore outsourced labor

  10. The Compliance Landscape: State Bills – For Example California
  • AB 1829 – Prohibits state agency or local government from contracting out services unless the company certifies that all work will be performed solely by workers in the US
  • AB 3021 – Requires CA employers to determine the amount of offshore outsourcing they do by reporting the number of workers employed outside CA
  • AB 2517 – Requires call center employees to give (honest) disclosure of their location
  • SB 888 – Prevents offshore transmittal of info "important to homeland security” (broad definition)
  • SB 1492 – Prevents medical records from being shipped overseas, unless prior consent received from individual

  11. The Compliance Landscape: Other Challenges
  Enforcing Judgments Abroad
  • Jurisdictional Challenges
  • Enforcing Damages and Limitations of Liability
  • No Uniformity
  Security of Information
  • Potential Liability under US/EU Privacy/Data Laws
  • Poor IP Rights Regimes in Developing Countries
  Overlapping Laws and Conflicts
  • Conflict between US and Local Laws
  • Overlapping regulations and ambiguities

  12. Impact of Compliance
  The impact regulations will have on the likelihood of outsourcing IT in the interests of compliance, or of outsourcing business processes/functions
  * Source: Meta Group, Inc. 2004 (chart not reproduced in the transcript)

  13. What can be done? Crafting a Corporate Governance Framework
  COBIT – Control Objectives for Information and related Technology
  COSO – Committee of Sponsoring Organizations
  FRAP – Facilitated Risk Assessment Process
  CRAMM – The CCTA’s (Central Computer and Telecommunications Agency) Risk Analysis and Management Method
  OCTAVE – Operationally Critical Threat, Asset, and Vulnerability Evaluation
  ITIL – IT Infrastructure Library
  BizSentry – Offshore Outsourced Activities
  • Corporate Governance Framework
  • Organizations must develop global and integrated corporate governance strategies, practices, and processes
  • COBIT, COSO, BizSentry, others?

  14. What can be done? Binding Corporate Rules
  • BCRs
      • Consistent with company’s compliance structure and practices
      • Harmonized global guidelines ensure a consistent, strong protection
      • Binding on company’s entities and employees
      • Policies are alive and visible to our employees
      • Language is user-friendly for data handlers and employees
  • Alternative – Contracts
  • Alternative – Safe Harbor

  15. What can be done? Establish Vendor Governance Program
  • Partnership / Communication
  • Govern by contract, then be friends
  • Use a dashboard: Then watch it!
  • Industry Solution? – SVR, BITS, etc.

  16. What can be done? Additional Recommendations
  • Use external independent assessment in the offshore location
  • Scrutinize regulatory compliance mandates
  • Integrate services sourcing and management processes within overall corporate governance framework
  • Don’t procrastinate… act now

  17. Offshoring/Outsourcing Resources
  Outsourcing/Offshoring Knowledge
  • SourceSentry: http://www.sourcesentry.com
  • ISACA: http://www.isaca.org
  • FDIC: Offshore Outsourcing of Data Services by Insured Institutions and Associated Consumer Privacy Risks: http://www.fdic.gov/regulations/examinations/offshore/toc.html
  • IT Compliance Institute: http://www.itcinstitute.com/index.aspx
  • Ponemon Institute: http://www.ponemon.org
  • Outsourcing Institute: http://www.outsourcing.com
  • Outsourcing Journal: http://www.outsourcingjournal.com
  • NASSCOM: http://www.nasscom.org
  • Philippines: http://www.outsourcephilippines.org
  • Global: www.witsa.org

  18. Questions
  Ken D. Nguyen, PMP, CISSP, CISM, MCSE
  SVP & CTO, SourceSentry, Inc.
  knguyen@sourcesentry.com
