Wednesday, June 22, 2005

Operational Risk: Call Center Fraud

The risk of offshoring is rearing its head again as the infamous Sun Tabloid has uncovered Call Centre Fraud in India impacting banks and other firms that outsource these operations.

City of London police are investigating allegations that a call centre worker in India sold the bank account details of 1000 UK customers to an undercover reporter, raising fresh fears about the security of customer data at offshore centres. UK daily tabloid The Sun claims a reporter was able to buy personal bank account details for £4.25 each from an IT worker in Delhi. The worker reportedly told the journalist that he could sell up to 200,000 names a month.


Let's review the Benefits of BS 7799-2: 2002 Information Security Management System Certification:

· Brings your organization to compliance with legal, regulatory, and statutory requirements including HIPAA, Gramm-Leach-Bliley (GLBA), Sarbanes-Oxley, California SB1386, CFR21:Part 11, EU-Directive, and many others...

· Significantly limits security and privacy breaches that can cost millions: examples include lost information, downtime, internal/external threats, consumer driven litigation, etc.

· Ensures that a commitment to security and privacy exists at all levels and that all employees are educated on security and privacy within your business

· Provides your organization with continuous protection that allows for a flexible, effective, and defensible approach to security and privacy

· Reduces operational risk; vulnerabilities are mitigated


Here is another good lesson from the International Security Forum.

Section: CB61 Third Party Access (Source: ISF)

Objective:
To ensure that access to the application by a third party is only provided once a risk assessment has been performed and a formal agreement, such as a contract, has been established.

Standard of Good Practice:

Third parties (ie external organisations, such as customers or suppliers and members of the public) that require access to the application should be subject to additional controls. They should only be granted access on completion of a satisfactory risk assessment and if supported by a formal agreement.

Risk assessments of third party access arrangements should take account of the:

· criticality and sensitivity of information and systems to be accessed
· relationship with prospective third parties (including the strength of their security practices) and the nature of the associated business process
· technical aspects of connection (including the effectiveness of IT infrastructure, access control mechanisms, methods of connection and any vulnerabilities in third party networks)
· obligations implicit in any agreements such as providing a third party with a reliable service or timely and accurate information.

Agreements should be documented in a formal contract and approved by the business ‘owner’.

The contract should:
· oblige third parties to comply with good business practices and provide information about any security incidents
· clearly state the services to be provided such as the business practices to be adopted, timeframes for completion of transactions and an agreed process for resolving disputes
· specify agreed security arrangements, such as those for managing changes / incidents, restricting access and preserving the confidentiality of important business information
· include arrangements for ensuring that transactions cannot be repudiated
· protect intellectual property rights
· include the right to audit third party security arrangements.

Third party access arrangements should be reviewed periodically to ensure that risks remain within an acceptable limit.


The International Security Forum (ISF): Formerly known as the European Security Forum, the ISF has developed a standard of good practice for its forum members. The Forum’s Standard for Information Security is loosely based on the British Standard 7799 and COBIT. The Forum’s Standard of Good Practice addresses 5 primary aspects of information security, 30 control areas and 133 control sections.
