Welcome to the SecAware blog

I spy with my beady eye ...

4 Jan 2007

Outsourcing in India

We all know about the off-shore call-centers in places like India and Indonesia, but there's more to outsourcing than call-centre operations. A fascinating article in Bank Technology News paints a beautifully clear picture of IT outsourcing in India, particularly the islands of investment awash in a sea of poverty.

It's easy for us Westerners to overlook the cultural differences and make false assumptions about India, especially if we have never visited that part of the world. Outsourcing may be a massive earner for India and is still growing strongly but the local infrastructure is creaking under enormous strain. The caste system survives, meaning inherent inequalities. India has over a billion citizens, half of them under 25, and an average wage of just US$3,300 per year. Whereas two thirds of the population survives on less than a dollar a day, highly-trained IT specialists earn well and are in short supply. High IT staff turnover creates its own security issues.

The article specifically calls out the information security and privacy concerns in India. "... background checks of personnel remains a nagging concern. No central criminal databases exist and credit agencies remain relatively new, so any background checks must be done in person, which is often invasive. "Sometimes they'll just ride around the [potential employee's] neighborhood and talk to the constable," says Crosby. "None of this stuff is documented."

"... the Indian Information Technology Act of 2002 makes cyber crimes a federal offense, enforceable by India's Central Bureau of Investigation. The CBI established the Cyber Crime Investigation Cell in March 2002 to patrol such crimes, including a crime lab to train investigators. Parliament is now debating an amendment to the act, already approved by the Cabinet, that would make fines and jail time more stringent for those convicted of IT privacy crimes."

Indian data centers are reasonably secure according to those who have inspected the facilities. "... most outsourcers are compliant and certified for BS779 and ISO17799 controls, the two U.S. best-practice controls for information security, which have now become internationally recognized." [Some artistic license there by the journalist: British Standard BS 7799 became ISO standard ISO/IEC 17799, neither of which are American!].

More privacy and information security management links


  1. Wonder why you need to single out on the "one mistake" by the Indian journalist about ISO 27001 not being a US standard, its so good to hear that there is something that is not US!!!!

    NYTimes and other US based news items seem to always potray a negative and polarized view on India - on whose labor and brains, countries like yours survive!

  2. Hi Shini.

    I merely pointed out a minor inaccuracy in the article.

    Whilst I personally have nothing against the US or India or any other country, I sympathise to some extent with your final point. Without India and the wider SE Asian nations, the GGP (Gross Global Product) would take a big dip and the so-called First World (now there's a contentious term!) would certainly suffer.

    But try being a Chinaman right now. Recent dark, forboding comments from the White House about China's growing capability for cyberwarfare strike me as not entirely dissimilar to the "Weapons of Mass Destruction" nonsense we were spoon fed not too long ago. Call me a cynic ("Gary, you're a cynic") but my auditor's nose smells the feintest whiff of political agendas. Golly!