ODC Baseline Controls
Clients often expect IT organizations to implement stringent security controls at their Offshore Delivery Centers (ODCs). Below are key recommendations for ODC Security Controls at various levels.
Data Security Controls:
Drive Encryption: Implement drive encryption using BitLocker or another current encryption mechanism.
Device Controls: Apply endpoint security restrictions, such as disabling USB drive access and the clipboard, in accordance with client needs.
Secure Email Communication:
Apply TLS encryption for email communication between customer and organization mail domains.
Use End-to-End Encryption (E2EE) with Office Message Encryption (OME) or S/MIME.
Both are enabled by default when using Office 365 or Google Workspace mail tenants.
Block Public Email Services: Restrict access to public email domains such as Gmail, Yahoo, etc.
Internet Browsing Security:
Ensure secure internet browsing by restricting non-business browsing.
Disable access to public cloud drives such as Google Drive, personal OneDrive, Dropbox, etc.
Restrict downloading of executable files (.exe, .bat).
Restricted Internet Access:
Web Proxy: Route all web browsing through a secure web proxy with content filtering (e.g., Blue Coat).
If a web proxy is not available, ensure browsing is restricted at the firewall and strictly content filtered. The firewall must have next-gen security controls enabled.
Printer Restrictions:
Avoid printers within the ODC.
Disable PDF printing from all endpoints.
If a printer is necessary, ensure a paper shredder is available within the ODC to destroy printed documents safely.
OS & Application Security Controls:
Hardened OS Images: Deploy hardened Windows 11 or Windows 10 OS images and manage patch updates through tools like SCCM or Unified Endpoint Management solutions. Avoid outdated or legacy Windows versions such as Windows 7, 8.1, etc.
Endpoint Security: Use reliable endpoint security solutions such as EDR/XDR with features including antivirus, anti-spyware, anti-malware, and Data Loss Prevention (DLP) controls.
Restrict Admin Access: Restrict admin access and ensure users do not have admin privileges.
Enforce DLP: Implement Data Loss Prevention controls to prevent data leakage, especially for email communications.
Network Security Controls:
Network Segregation: Segregate ODC networks through physical isolation or dedicated VLANs with strict Layer 3 Access Control Lists (ACLs).
Restrict Non-Business Network Ports & IP Addresses: Disable all non-business network ports by default, and enforce source- and destination-based restricted firewall access for the identified critical network ports towards the ODC LAN.
Next-Gen Firewall: In addition to the perimeter firewall used at campus or site level, it is advised to use a dedicated second-level firewall: deploy a lightweight Next-Gen Firewall (e.g., PA220) with Intrusion Prevention System (IPS) at the internet perimeter of the ODC network.
Secure Communication Links: Use secure communication networks between the ODC LAN and Client network, preferably either MPLS or Site-to-Site (S2S) VPN, or at minimum, Client-to-Site (C2S) VPN.
Periodic VA/PT Testing: Conduct regular Vulnerability Assessment and Penetration Testing (VA/PT) on critical systems, such as DMZ servers, web application servers, and cloud infrastructure.
Log Collection & Security Monitoring: Ensure that critical ODC systems are monitored using SIEM (Security Incident and Event Monitoring) tools to detect suspicious activities across networks and key devices.
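One way to check a firewall rule set against the network segregation and port restriction controls above, as an added example that is not part of the original page. The rule format, the ODC subnet, the addresses and the /24 source-width threshold are all constructed assumptions.

```python
import ipaddress

# Assumption: the ODC LAN is a dedicated VLAN/subnet (constructed value).
ODC_LAN = ipaddress.ip_network("10.50.0.0/24")
DEFAULT_DENY = ("deny", "0.0.0.0/0", "0.0.0.0/0", "any")

# Constructed sample rules, evaluated top-down: (action, source, destination, port)
RULES = [
    ("permit", "192.0.2.0/28", "10.50.0.10/32", "443"),   # client range -> one ODC host
    ("permit", "0.0.0.0/0",    "10.50.0.0/24",  "3389"),  # any source -> whole ODC LAN
    ("permit", "192.0.2.0/28", "10.50.0.20/32", "any"),   # every port open to one host
    ("permit", "192.0.2.0/28", "10.60.0.5/32",  "22"),    # not toward the ODC LAN
    DEFAULT_DENY,
]

def audit(rules, odc_lan=ODC_LAN, min_src_prefix=24):
    """Return (rule_index, finding) pairs for permits toward the ODC LAN that
    are not restricted by source, destination or port, plus a finding when
    the rule set does not end in an explicit default deny."""
    findings = []
    for i, (action, src, dst, port) in enumerate(rules):
        src_net = ipaddress.ip_network(src)
        dst_net = ipaddress.ip_network(dst)
        # Only permits whose destination touches the ODC LAN are in scope.
        if action != "permit" or not dst_net.overlaps(odc_lan):
            continue
        if src_net.prefixlen < min_src_prefix:
            findings.append((i, "source not restricted"))
        if odc_lan.subnet_of(dst_net):
            findings.append((i, "destination is whole ODC LAN"))
        if port == "any":
            findings.append((i, "all ports permitted"))
    if not rules or tuple(rules[-1]) != DEFAULT_DENY:
        findings.append((len(rules), "no default deny"))
    return findings

if __name__ == "__main__":
    for index, finding in audit(RULES):
        print(f"rule {index}: {finding}")
```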
Personnel Security:
Rigorous Recruitment: Implement a rigorous recruitment process that includes thorough background checks.
Code of Conduct: Require employee sign-offs on the Code of Conduct and Confidentiality Agreements.
Awareness Promotion: Encourage Compliance & Information Security awareness through various channels, including portals, emails, posters, and training campaigns.
Incident Management Framework: Maintain a Security Incident Management Framework to ensure prompt response and resolution of security incidents.
Perimeter Security:
Secured Location: Ensure the ODC is located within secured campus or IT park premises to restrict unauthorized access.
Entry and Exit Points: Designate a single entry and exit point, along with an additional emergency exit door for emergency use only.
Access Control: Use an electronic door access control system and maintain 24x7 CCTV monitoring.
Stationed Security Post: Wherever required, station a security guard to monitor visitor access and restrict the movement of personal devices, such as laptops and USB storage devices, to or from secure ODC areas.
Emergency Response: Establish emergency response teams and conduct regular evacuation drills in accordance with standards like ISO 14001.