CASE STUDY

Information Security and Privacy Program at an Indian Fintech SMB

Context

The organization is a mid-sized Indian fintech company. It caters to clients in the Financial Services domain, who are subject to strict Security & Privacy laws as well as sector-specific regulations and mandates. It ‘inherited’ the same via their client contracts. Further, the reality of this sector is that these laws and regulations are continually evolving and changing. Moreover, the underlying technology is also evolving. Given this complex reality, the organization needed to implement a robust security and privacy compliance and risk management program that kept up with the continual changes without impacting the fundamentals.

Approach

Compliance with any law, framework, standard, or contractual agreement requires baselining. Secondly, compliance is contextual. Therefore, Arrka initially worked with the client team to understand and define the boundaries of their compliance. Being a SaaS player, there are under-the-hood compliances which need to be completed and demonstrated while maintaining the confidentiality required for each client. Therefore, we first baselined the compliance requirements using the Arrka framework and applicable controls. Subsequently, we rapidly scaled the same and worked with the team to get the organization certified across multiple standards while, simultaneously, ensuring the multiple contractual as well as regulatory requirements were addressed. We achieved this across both the Security and Privacy domains. Leveraging our frameworks and the Arrka Platform (APMP), the organization was able not only to comply quickly but also to sustain the compliance on an ongoing basis. What is more, this was achieved across each layer: Technology (Infrastructure and Development), Processes, Physical facilities, and People. Our approach enabled the organization to align and work with their own teams, minimizing their dependence on external experts.

Solution and Results

The organization attained the necessary compliance and certification as required.

They established an Information Security and Data Privacy team that helped put a structure to the program with a clear definition of roles & responsibilities.

The technology-level changes suggested strengthened the organization’s products from a Security and Privacy perspective.

Benefits

Rapid achievement of multiple certifications and compliances.

A faster rollout of new product features & functionalities with Security & Privacy requirements incorporated, owing to the Privacy and Security by Design approach deployed. Speedier responses to requirements during the Pre-Sales process.

Assurance to Management and Sales that the product being taken to clients is secure & privacy-ready.