Information Security Group

ISG Overview

The Information Security Group (ISG) provides business assurance to our Customers, Board, and Management that our business is well defended against cyber risks. ISG sets and operates the minimum security requirements and policies under which the company operates, and ensures compliance with security and privacy best practices. This helps Functions, Projects, and Associates remain secure, stay compliant, and respond to incidents and breaches.

The Information Security Management process is responsible for six outcomes:

  1. Secure Workplace

    TechM will be seen as a safe outsourcing destination. To achieve this, there will be strict compliance with customer and TechM security policies.

  2. Secure Service Delivery

    TechM deliveries to our customers will be secured in line with industry best practices such as the ISF Standard of Good Practice, NIST, SOC 2 Type 2, and ISO standards (ISO 27001, ISO 22301, ISO 27701).

  3. Secure Digital Platforms

    TechM's new-age services based on digital solutions and platforms will be certified as part of an internal security certification program.

  4. Secure Subsidiaries and Trusted Partners

    To extend the TechM security governance to partners and subsidiaries.

  5. Secure Culture

    To ensure that employees and contractors understand their responsibilities, are aware of and fulfil their information security responsibilities during employment, and receive appropriate awareness education and training to do their job well and securely, and that the organization's interests are protected as part of the process of changing and terminating employment.

  6. Customer Trust

    To adopt a risk-based approach to handling information security, which keeps our security controls and practices relevant to our business and customers. To build trust, we keep striving to give our customers the best information security possible.

ISG has specialized sub-functions for incident handling, threat detection and investigation, audits, risk and compliance, privacy, technical vulnerability management, security awareness, and business continuity.

Org Structure

The Information Security function's structure, which is in line with the organization structure, has been designed to ensure effective operation of the core processes and to facilitate smooth implementation of strategic programs. The structure also respects the segregation-of-duties matrix by making the Audit and Compliance functions independent.

The structure is described below.

  1. Risk & Compliance: Risk & Compliance has dedicated SPOCs for each Delivery Service Line and Enterprise Function. It manages risk; ensures compliance with all contractual and regulatory obligations across the enterprise (Delivery, functions, suppliers, etc.); drives and represents TechM in all security and customer audits, customer incidents, escalations, and visits; and covers Pre-Sales Support and Contract Review, the ISG ServiceDesk (18x7), Supplier Risk Management, Portfolio companies' security, Central Risk Management, and all ISG automation activities. Below is the updated structure with details of the SPOC for each Service Line.

  2. Security Assurance:

    An independent internal audit unit. It ensures that the security and privacy operational processes and controls comply with industry standards, are of the highest quality, and remain effective at all times. Standards and requirements: ISO 27001, ISO 22301, ISO 27701, SOC 2, NIST, PCI DSS, TMW, and contractual requirements.

  3. Business Continuity:

    The Global Business Continuity Management team governs the organization-wide continuity and resilience program, integrating business units and support functions, and provides support and oversight to the Interconnect-Continuity and Disaster Recovery programs for the organization.

  4. Data Privacy:

    The Data Protection function is responsible for governance of policies and for facilitating compliance with data privacy requirements and customer privacy requirements. The team defines the requirements for safeguarding personal data, including Personal Information ("PI"), and ensures that they are followed by Delivery as well as support functions. The function is responsible for facilitating and reviewing Privacy by Design controls and GDPR, country-specific, and contractual data privacy requirements for the organization's units, consisting of support functions and delivery units.

  5. Incident Management, Threat Intelligence, Training & Awareness:

    Dedicated Incident Response Teams respond to security incidents, implementing containment, prevention, and corrective actions through documented best practices and procedures within a stipulated SLA. Threat Intelligence is a 24x7 team that responds to rapidly evolving threats, including sophisticated cyber-attacks, using threat intelligence to increase cyber resilience. The Vulnerability Management program detects and remediates vulnerabilities in a timely and effective manner. The Security Training and Awareness unit ensures that all associates are adequately trained on security, privacy, and continuity.

  6. NXTGen Technologies Security:

    To ensure that Next Gen solutions and projects are suitably engineered to meet security and privacy requirements and standards. These include platforms, AI, Cloud, and Blockchain solutions. The work involves architecture, engineering, process development, and detailed audits and assessments.

Copyright © Tech Mahindra Limited. All Rights Reserved