Security and Regulatory Compliance
This area constitutes the process and requirements for guiding compliance objectives with the security, privacy and business-specific obligations that are applicable to it (for example, privacy regulations such as the GDPR, CCPA, DPA, etc., security standards and frameworks such as ISO, NIST, CSA CCM, etc., as well as industry-specific requirements such as HIPAA, PCI DSS, etc.).
The documents under this area will guide to determine the requirements of applicable laws, regulations, contractual requirements, etc., to incorporate the requirements in its applications, platforms, IT solutions and enterprise-grade portals (“applications, platforms and IT solutions” hereafter) and monitor compliance with the identified requirements.
Objectives
The objective of the security and regulatory compliance process is to ensure that applications, platforms and IT solutions developed, owned, deployed, operated and maintained by Tech Mahindra or the Customer comply with the applicable security and regulatory compliance requirements.
Pre-requisites
- Relevant national laws and legislations
- Applicable industry standards
- Customer contractual requirements
- Business context (such as purpose of the application/platform/IT solution, the users of the application/platform/IT solution, type of data to be held, type of deployment, business operating model, etc.)
- The Fact File Template captures key parameters of the application/platform/IT solution, such as the type of data processed, third-party involvement and the business model, which are required to determine the compliance requirements
Activities & Tasks
- Identify the applicable compliance requirements (security, privacy and business-specific regulatory requirements) for the application/platform/IT solution. Utilize the information populated in the Fact File to determine the business context required to identify the applicable requirements.
- Utilize the “Compliance Check Template” to document the compliance requirements considered for the application/platform/IT solution and obtain approval from ISG and, where applicable, the Legal Team.
- Incorporate security and privacy requirements during the design phase of the application/platform/IT solution itself, and then throughout all subsequent phases of the application/platform/IT solution lifecycle. Consider the following during this step:
  - Refer to the relevant security and privacy assessment documents/checklists/templates (such as the “Application Security Review Checklist”, “Privacy Control Checklist” and “Privacy Impact Assessment” templates) as applicable for incorporating the security and privacy requirements.
  - For a third-party procured application/platform/IT solution, ensure that the third party meets the applicable compliance requirements (ensure that the agreements signed with the third party include the relevant security and regulatory requirements).
  - If Open-Source Software (OSS) is utilized, ensure that it complies with the open-source licensing requirements. Obtain clearance from the Legal Team where necessary (such as for all open-source components).
  - Ensure that the use of applications, platforms and IT solutions does not infringe any Intellectual Property Right (IPR).
- Train stakeholders involved in the development and maintenance of applications/platforms/IT solutions on the applicable security, privacy, and business-specific regulatory requirements.
- Review and update the identified laws and regulations, as well as the security, privacy, and contractual requirements, periodically (such as annually).
- Monitor compliance using the defined Key Performance Indicators (included in the Guideline document for this area) and review the implementation of the identified controls to achieve compliance.
- Ensure remediation of the identified non-compliances.
Expected Outcomes
- Compliance Controls (to be documented as part of the “Compliance Check Template”)
Key Stakeholders
- Application, platform, and IT solution owners and Business Units, in consultation with ISG and the Legal Team (where required)
Reference Documents
Customer provided, advised or mandated documents shall supersede the documents listed below. Please check whether the Customer has documents similar to the ones listed below that should be used for project delivery under the contract or agreement. In the absence of any such guidance or documents advised by the Customer or mentioned in the Customer contract or agreement, it is recommended to use the documents listed below for any project delivery or system development.
Note: The referenced documents will be uploaded soon.
| Document Category | Document Name | Description |
| --- | --- | --- |
| Guideline/Checklist/Template | Compliance check template | The purpose of the template is to document the compliance requirements considered for the platform, IT solution, enterprise-grade portal and application. The template should be used to document: (1) details regarding the application/platform/IT solution and the applicable regulations, standards, and business-specific obligations; (2) the implemented controls that meet the requirements of the applicable regulations, standards, and business-specific obligations; (3) the ISG and Legal Team's (where applicable) comments and approval. |
| Policy | Compliance Policy for Applications, Platforms, and IT Solutions | This Policy document sets the expectations for ensuring compliance with the various security, privacy and business-specific regulatory obligations that may apply to Tech Mahindra’s applications, platforms, and IT solutions. |
| Process/Procedure | Compliance Guidelines for Applications, Platforms, and IT Solutions | This Guideline document provides guidance for enabling Tech Mahindra’s platforms, IT solutions, enterprise-grade portals and applications to comply with security, privacy and business-specific regulations. Its purpose is to ensure that security and privacy are built in to Tech Mahindra’s applications, platforms, and IT solutions in line with applicable regulatory obligations and industry-leading practices. |