Table of Contents
- Executive Summary
- Overview: The Importance of Cybersecurity Frameworks and Standards for BPOs
- Top Cybersecurity Standards, Frameworks and Legislations for BPO CISOs
- How to Choose the Right Standard(s) and Framework(s) for Your BPO?
- Operationalizing Cybersecurity Frameworks
- Aligning Frameworks with Compliance Goals
- Key Recommendations
- Conclusion
- About Twosense
Executive Summary
Business Process Outsourcing (BPO) companies handle sensitive data and critical operations for their clients, making them prime targets for cyber threats. Given their important roles and the sensitive nature of the data they manage, BPOs must comply with strict legislative requirements specific to the industries or markets they operate in. This complex landscape often leaves BPOs grappling with the dilemma of determining which standards to comply with and which frameworks offer the most optimal benefits.
The article highlights the importance of cybersecurity frameworks and standards for BPOs, emphasising that standards compliance can provide valuable differentiation. However, simply complying with the necessary standards and holding multiple certifications does not guarantee security. In an industry where data breaches can result in significant financial and reputational damage, adopting the proper cybersecurity framework is not just a good practice—it is a necessity.
Discussed standards and frameworks include PCI DSS, the NIST Cybersecurity Framework, ISO/IEC 27001, SOC 2, CIS Controls, MITRE ATT&CK, MITRE D3FEND, NIS2, TISAX, HIPAA, and GLBA. The article also provides guidance on how to choose the right ones, and how to operationalise and align them with compliance goals.
Recommendations include considering the adoption of meta-frameworks like the Security Compliance Framework (SCF), customising them to specific needs, focusing on risk management, and leveraging compliance for differentiation. By following these guidelines, BPOs can enhance their security posture, maintain client trust, and gain a competitive edge in the market.
Overview: The Importance of Cybersecurity Frameworks and Standards for BPOs
Business Process Outsourcing (BPO) companies handle sensitive data and critical operations for their clients. Given their important roles within their clients' ecosystems, clients often impose various security requirements on BPOs. Furthermore, due to the sensitive nature of the data they handle, BPOs must comply with strict legislative requirements specific to the industries or markets in which they operate. This complex landscape often leaves BPOs grappling with the dilemma of determining which standards to comply with and which frameworks offer the most optimal benefits. Additionally, standards compliance can provide valuable differentiation, as prospective clients often will not even consider BPOs that lack the relevant compliance certifications.
However, simply complying with the necessary standards and holding multiple certifications does not guarantee security. In an industry where data breaches can result in significant financial and reputational damage, adopting the right cybersecurity framework is not just a good practice – it is a necessity.
A (Small) Sample of Notable Standards, Frameworks, and Legislations for BPOs
Here is just a small sample of standards, frameworks, and legislations that should be considered by the owners of infosec functions within BPO organisations:
PCI DSS (Payment Card Industry Data Security Standard)
PCI DSS is a set of security standards designed to ensure that companies handling credit card information maintain a secure environment. It is essential for BPOs dealing with payment processing to protect cardholder data and comply with industry regulations.
CSF (NIST Cybersecurity Framework)
CSF is developed by the National Institute of Standards and Technology (NIST) and provides guidelines for improving critical infrastructure cybersecurity. It offers a comprehensive approach to managing cybersecurity risks, making it suitable for BPOs of all sizes.
ISO/IEC 27000 series
The 27000 series comprises over 60 standards covering a broad spectrum of information security issues. The most well-known one is ISO/IEC 27001, an internationally recognised and certifiable standard for information security management systems (ISMS), focusing on the protection of information assets. It provides a systematic approach to managing sensitive information, ensuring confidentiality, integrity, and availability.
SOC 2 (System and Organisation Controls 2)
SOC 2 is a reporting framework developed by the American Institute of CPAs (AICPA) that focuses on controls relevant to security, availability, processing integrity, confidentiality, and privacy. A SOC 2 report can help BPOs demonstrate their commitment to security and compliance, building trust with clients.
CIS Critical Security Controls Framework (Center for Internet Security)
CIS Controls provide a prioritised set of actions that organisations can take to block or mitigate known attacks. The benefit is a set of practical, actionable steps to improve cybersecurity defences, making the controls easy to implement and progress easy to measure.
MITRE ATT&CK Framework
ATT&CK is a curated knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. Although it is not a standard that can be "complied with", when utilised within security operations it can help BPOs understand and defend against specific cyber threats, enhancing their threat intelligence and detection capabilities.
MITRE D3FEND Framework
D3FEND is a framework that provides a structured approach to understanding and implementing defensive measures against cyber threats. It complements the ATT&CK framework by focusing on defensive techniques, making the pair a comprehensive tool for cybersecurity planning.
NIS2 (Network and Information Systems Security Directive 2)
The NIS2 Directive is an updated version of the original NIS Directive, which was the first piece of EU-wide legislation on cybersecurity. NIS2 expands the scope of the original directive to cover a broader range of sectors and types of entities, including essential and important entities, as well as digital service providers. It aims to enhance the security of network and information systems across the EU by establishing a common level of cybersecurity. NIS2 can be crucial for Business Process Outsourcing (BPO) companies, particularly those operating within the EU, as it provides a comprehensive framework for managing cybersecurity risks. It requires in-scope entities to implement robust risk management measures, report significant cybersecurity incidents, and manage supply chain risks. Compliance with NIS2 ensures that BPOs meet regulatory requirements, enhance their overall security posture, and maintain client trust. Additionally, adhering to NIS2 can provide a competitive advantage as clients increasingly prioritise cybersecurity and resilience.
TISAX (Trusted Information Security Assessment Exchange)
TISAX is an assessment and exchange mechanism for the information security capabilities of companies in the automotive industry. It is based on the Information Security Assessment (ISA) criteria catalogue developed by the German Association of the Automotive Industry (VDA). TISAX provides a standardised approach to assessing and certifying the information security levels of companies, ensuring that they meet the stringent security requirements of the automotive industry. It is particularly relevant for BPOs that work with automotive manufacturers and suppliers. Compliance with TISAX demonstrates a commitment to information security, building trust and credibility with automotive industry clients and providing a competitive advantage, as automotive industry clients often require their suppliers and service providers to be TISAX-certified.
HIPAA (Health Insurance Portability and Accountability Act)
HIPAA is a U.S. law that provides data privacy and security provisions for safeguarding medical information. It is essential for BPOs handling healthcare data to ensure compliance with data protection requirements and to maintain the confidentiality, integrity, and availability of healthcare information.
GLBA (Gramm-Leach-Bliley Act)
GLBA is a U.S. law that requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. BPOs working with financial institutions might need to take it into account, to ensure compliance with data protection and privacy requirements.
How to Choose the Right Standard(s) or Framework(s) for Your BPO?
Making the right selection is not a simple decision. The above list, although containing some very important and well-known "contenders", was intentionally put together as a confusing mix of items that I could think of at the time of writing. Allow me to explain: as mentioned, pure compliance with standards does not necessarily improve security. Simply chasing "certification badges" might only have a short-lived positive impact – it will almost inevitably turn into a wasteful effort for already stretched infosec teams.
So, what do I recommend then?
Rewinding the clock back to 2018, the SANS Institute recommended selecting three frameworks: a controls framework, a programme framework, and a risk framework:
- Controls Framework: focuses on specific security measures and best practices. A good example would be the CIS Controls.
- Programme Framework: provides a structured approach to managing a cybersecurity programme, like the NIST Cybersecurity Framework.
- Risk Framework: helps identify and manage cybersecurity risks – think of ISO/IEC 27005.
I am a big believer in this approach. The three frameworks should be aligned to provide a comprehensive security strategy. More importantly, they should be chosen based on their true value and alignment with the organisation's actual needs. Furthermore, they need to be selected and applied as the organisation's experience allows:
Figure 1: The trio of frameworks - source SANS Institute
Operationalizing Cybersecurity Frameworks
Operationalising a successful trio of frameworks involves integrating their guidelines and best practices into the daily operations of the BPO, and this will span well beyond the boundaries of the security team:
- Assessment and Planning: Conducting a thorough assessment of the current security posture and developing a plan to implement the chosen framework.
- Training and Awareness: Providing training to employees to ensure they understand their roles in maintaining cybersecurity.
- Implementation: Deploying the necessary tools, processes, and policies to meet the framework's requirements.
- Monitoring and Reporting: Continuously monitoring the security environment and reporting on compliance and performance.
Aligning Frameworks with Compliance Goals
Let’s not forget that aligning cybersecurity frameworks with compliance goals ensures that BPOs meet regulatory requirements and their clients’ requirements, serves a marketing purpose, and can significantly reduce the burden of answering an endless avalanche of security questionnaires. So, the alignment should account for:
- Identifying Relevant Regulations: Understanding the specific regulations and standards that apply to the clients’ target industries.
- Mapping Frameworks to Regulations: Aligning the chosen frameworks with these regulations to ensure compliance.
- Continuous Improvement: Regularly reviewing and updating the cybersecurity programme to adapt to changing regulations and threats.
Key Recommendations
Remember, based on the specific chosen market(s), every BPO will potentially have unique needs. Hence, the optimal solution could be adopting a meta-framework. Aligning to a meta-framework like the Security Compliance Framework (SCF), which encompasses many other standards (including almost all of the aforementioned ones), could allow BPOs to select multiple areas to comply with from a single control set, making it a more effective way forward.
Customise the chosen framework(s) and tailor them to the specific needs and risks of the BPO, ensuring they address its unique challenges.
Focus on risk management! Prioritise risk management over pure compliance to ensure that the cybersecurity programme effectively mitigates real-world threats.
No matter which framework(s) and standard(s) are selected or needed, implement multi-factor authentication for critical systems to provide an additional layer of security. Develop continuous monitoring strategies to detect and respond to threats early, thereby minimising potential damage. Focus on user education to prevent phishing attacks and increase security awareness, as human error is often the weakest link. Conduct regular audits and reviews of security controls to ensure compliance with established frameworks and to adapt to evolving threats. These proactive measures will significantly enhance the cybersecurity posture. A great example would be utilising Twosense’s behavioral biometrics technology that offers an innovative and powerful solution to ensuring PCI DSS compliance whilst preventing password sharing and mitigating phishing risks.
Finally, leverage compliance for differentiation. Recognise that compliance certifications can provide a competitive advantage. Prospective clients often require these certifications as a prerequisite for consideration.
Conclusion
Cybersecurity frameworks are essential for BPOs to protect sensitive data, maintain client trust, and comply with regulatory requirements. Choosing the right framework involves carefully considering the specific needs and risks of the BPO and aligning controls, programme, and risk frameworks. Operationalising these frameworks and aligning them with compliance goals ensures a comprehensive and effective cybersecurity strategy. By adopting a meta-framework, focusing on risk management, and leveraging compliance for differentiation, BPOs can enhance their security posture and better protect their clients' data, ultimately gaining a competitive edge in the market.
About Twosense
Twosense is a leader in contact center security and compliance solutions, providing technology that prevents password sharing, stops phishing attacks, and enables compliance with PCI DSS. Twosense’s behavioral biometrics offer BPOs a powerful tool to ensure security and protect sensitive data.