Information Security Group

Information Security and Privacy Framework

The Information Security and Privacy Framework provides the guidance needed to design, implement, deploy, operate and manage the security and data privacy of applications, platforms and IT solutions. The framework has eight areas, each comprising policies, processes, procedures, checklists, guidelines, an audit approach and measurement criteria based on industry best practices and standards and the associated audit and compliance requirements. The framework and its documentation cover the security and regulatory needs across the lifecycle of the entities involved.

Area | Title
Area 1 | Solution and Deployment Security Architecture
Area 2 | Security in Operations
Area 3 | Security Configurations, Controls Adequacy and Effectiveness
Area 4 | Security and Regulatory Compliance
Area 5 | Intellectual Property Management
Area 6 | Secure Development, Testing and Delivery Process
Area 7 | Security Assessments
Area 8 | Vendor, Supplier, Partner or Third Party Security Risk Assessment

Solution and Deployment Security Architecture

This area outlines the key security objectives that all Tech Mahindra/Customer platforms, applications and IT solutions should consider and integrate to enhance the overall security of the solution and deployment architecture. It also prescribes the key security aspects of deployment architecture design, platform integration, cloud security, API security, and microservices and container security.

# Description / Details
Objectives

The objective of the solution design and deployment architecture process is to:

  • Identify logical and technical security consideration(s) for design, including aspects related to integrated components and interfaces.
  • Document security layout related to deployment design and security architecture.
Pre-requisites
  • Executed commercial agreement and/or agreed Statement of Work (SoW).
  • Identified Platforms, applications and IT solutions related business and/or Customer requirements (both functional & non-functional).
  • Fact File Template for platforms, applications and IT solutions, comprising key parameters of the application/platform/IT solution, such as the type of data processed, third-party involvement, business model, etc., which are required to establish the salient business context.
  • Compliance Check Template comprising of identified compliance controls.
Activities & Tasks
  • Define the architecture & design related components & sub-systems based on the identified business, security and data privacy related requirements, considering the following areas, as applicable:
    • Structural relationships and components
    • Mechanism to support and integrate the components
    • Internal and external interfaces or connections
    • Component behaviour and interaction
    • Component classes, data schema, sequences, etc.
    • Design rules and authority for making decisions
  • Analyse the architecture for alternative solutions/approaches prior to finalisation. This analysis can be done for scenarios based on the populated Compliance Check Template and Fact File Template; examples of scenarios include constraints related to patterns, POC(s), technology and functionality. A separate evaluation is not required if the decision is made by the Customer/management and communicated to the concerned stakeholders and Tech Mahindra teams.
  • Verify at a conceptual level to ascertain whether the architecture will be able to satisfy non-functional requirements – e.g., deployment, networking, data security & privacy, business resiliency & redundancy, audit logging, performance, maintainability and monitoring, configuration management, etc.
  • Create High-Level Design (HLD) and the Low-Level Design (LLD) based on Tech Mahindra/Customer defined templates such as ‘Application, Platform and IT Solution High Level Design Template’ and ‘Application, Platform and IT Solution Low Level Design Template’.
  • Capture in the HLD and LLD the security measures defined in the Tech Mahindra/Customer ‘Application and Platform Deployment Policy’, ‘Cloud Security Policy’, ‘Application Programming Interface Security Standard’, ‘Container Security Standard’ and ‘Microservices Security Standard’, depending on the use of containers, microservices, Application Programming Interfaces (APIs) and cloud hosting environments.
  • Conduct a Subject Matter Expert (SME) review of the design and ensure that all review comments are tracked to closure before the design is handed over to the next phase.
  • Develop a story, as a proof of concept, depending upon the architecture and business aspects to demonstrate the correctness of the architecture.
  • In the event where the design and architecture of an existing platform/application/IT solution is being updated owing to enhancements, perform an adequacy review as per ‘Customer/Tech Mahindra Security Policy for Application and Platform Control Adequacy and Effectiveness’.
  • Define and document aspects to be considered throughout all subsequent phases of the System Development Life Cycle (SDLC) as per Tech Mahindra/Customer document format.
Expected Outcomes
  • Application, Platform and IT Solution High Level Design
  • Application, Platform and IT Solution Architecture Diagram
  • Application, Platform and IT Solution Low Level Design
  • Alternative Evaluation for business specific scenarios
Key Stakeholders
  • Business Owners (i.e., Platform Owners/Portal Owners/IT Solution Owners/Application Owners etc.) in consultation with relevant Tech Mahindra Security Teams.

Reference Documents

Customer-provided, advised or mandated documents supersede the documents listed below. Check whether the Customer has documents similar to those listed, which should be used for project delivery as per the contract or agreement. In the absence of such guidance from the Customer or in the Customer contract or agreement, use the documents listed below for any project delivery or system development.

Note: The documents referred to will be uploaded soon.

Document Category | Document Name | Description
Guideline/ Checklist/ Template | Platform, Application and IT Solution High Level Design Template | This template provides guidance to each business owner for creating and maintaining a high-level design for their platform/application/IT solution.
Guideline/ Checklist/ Template | Platform, Application and IT Solution Low Level Design Template | This template provides guidance to each business owner for creating and maintaining a low-level design for their platform/application/IT solution.
Standard | API Security Standard | This standard prescribes the security controls required for securing application programming interfaces (APIs) used by Tech Mahindra for various platforms, applications and IT solutions.
Standard | Container Security Standard | This standard describes the security controls required for containers used by Tech Mahindra. The controls listed are general, vendor-neutral security controls applicable to all types of containers.
Standard | Microservices Security Standard | This standard describes the security controls required for microservices used by Tech Mahindra.
Policy | Application and Platform Deployment Policy | This policy outlines the key security objectives that all Tech Mahindra platforms, IT solutions, and enterprise-grade portals and applications shall consider and integrate to enhance the overall security of the deployment architecture. It also provides guidance on maintaining adequate and appropriate security documentation for each platform, IT solution, and enterprise-grade portal and application; this security design documentation shall demonstrate compliance with Tech Mahindra security and privacy requirements.
Policy | Cloud Security Policy | This policy assists Tech Mahindra team(s) in defining the process for securing Tech Mahindra technology solutions and services deployed in cloud-hosted environments. It also prescribes a governance mechanism to ensure that the usage of cloud services is in accordance with business needs, security requirements and relevant laws and regulations.

Security in Operations

This area highlights the key security aspects and operational activities that all Tech Mahindra/Customer platforms, applications and IT solutions should consider to ensure confidentiality, integrity and availability through appropriate safeguards. The key sub-domains of security in operations are logical user access management, release and deployment management, change management, configuration management, log management and monitoring, and incident management.

Logical User Access Management

# Description / Details
Objectives The objective of this area is to provide guidelines that ensure the secure operation of all Tech Mahindra/Customer platforms, IT solutions and enterprise-grade portals and applications: that they are protected against malware and loss of data, that changes are handled as per the processes defined at TechM/Customer, that events and incidents are logged, and that compliance is monitored so that no unauthorized access is granted to any of them.
Pre-requisites
  • Release and Deployment Management Plan
  • Release and Deployment Management Checklist
  • Configuration Management Plan
  • Request for Change
  • Service Now / CMDB
Activities & Tasks
  • Provide every Tech Mahindra associate working on internal or Customer projects with a unique set of credentials for logging in to TechM/Customer platforms, applications, IT solutions and other resources.
  • Ensure that temporary IDs for suppliers and subsidiaries, service IDs, generic IDs and temporary IDs for permanent associates follow a separate naming convention and are traceable to an owner.
  • Ensure access to application/API management interfaces is granted on the principle of least privilege. Maintain an access list and ensure de-provisioning is performed on time to prevent unauthorized and excessive privileged access.
  • Manage all stages of the user access lifecycle for platforms, applications and IT solutions: from registration of new users, through periodic changes in access privileges driven by relevant changes, to de-registration of users who no longer need access.
  • Ensure access to any Tech Mahindra/Customer platform, application or IT solution is revoked within 24 hours of the user’s last working day. Ensure time-bound and privileged access is revoked immediately after the expiry period.
  • Ensure user reconciliation is performed periodically for users with access to platforms, applications and IT solutions. Additionally, review privileged access rights on a defined periodic basis.
Expected Outcomes
  • Periodic user access review reports
Key Stakeholders
  • Tech Mahindra Information Security Group (ISG)
  • Business Owners (i.e., Platform Owners/Portal Owners/IT Solution Owners/Application Owners etc.)
  • Tech Mahindra Technical Infrastructure Management (TIM) team
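The access-management activities above reduce to a handful of checks that can be automated for the periodic reconciliation. The Python script below is an added illustration, not Tech Mahindra's own tooling: it compares a constructed access export against a constructed HR roster and flags accounts whose revocation is past the 24-hour window, expired time-bound access, non-personal IDs with no traceable owner, and IDs that do not follow the naming convention. The prefix-based naming convention, the sample users and the rule that privileged access always carries an expiry are assumptions made for the example.

```python
"""Periodic user access reconciliation (added illustration, not Tech Mahindra code).

The roster, the access export and the ID naming convention are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Assumed naming convention: a prefix identifies the ID type so that
# non-personal IDs are distinguishable and can be traced to an owner.
PREFIXES = {"u-": "associate", "t-": "temporary", "s-": "service", "g-": "generic", "v-": "vendor"}
NON_PERSONAL = {"temporary", "service", "generic", "vendor"}
REVOKE_WITHIN = timedelta(hours=24)          # revocation window from the activity list above


@dataclass
class Account:
    user_id: str
    app: str
    privileged: bool = False
    expires: Optional[datetime] = None       # expiry of time-bound or privileged access
    owner: Optional[str] = None              # accountable associate for non-personal IDs


@dataclass
class Person:
    user_id: str
    last_working_day: Optional[datetime] = None   # None: still employed


def id_type(user_id: str) -> str:
    for prefix, kind in PREFIXES.items():
        if user_id.startswith(prefix):
            return kind
    return "unknown"


def reconcile(accounts: List[Account], roster: List[Person], now: datetime) -> List[Tuple[str, str, str]]:
    """Compare the access export with the HR roster; return (user_id, app, finding) triples."""
    people = {p.user_id: p for p in roster}
    findings = []
    for acct in accounts:
        kind = id_type(acct.user_id)
        if kind == "unknown":
            findings.append((acct.user_id, acct.app, "naming-convention-violation"))
        if kind in NON_PERSONAL and not acct.owner:
            findings.append((acct.user_id, acct.app, "no-traceable-owner"))
        if kind == "associate":
            person = people.get(acct.user_id)
            if person is None:
                findings.append((acct.user_id, acct.app, "not-on-roster"))
            elif person.last_working_day and now - person.last_working_day > REVOKE_WITHIN:
                findings.append((acct.user_id, acct.app, "revocation-overdue"))
        if acct.expires is not None and now > acct.expires:
            findings.append((acct.user_id, acct.app, "expired-time-bound-access"))
        # Assumption for this example: privileged access is always granted with an expiry.
        if acct.privileged and acct.expires is None:
            findings.append((acct.user_id, acct.app, "privileged-without-expiry"))
    return sorted(findings)


def run_sample() -> List[Tuple[str, str, str]]:
    """Constructed data: one review run as of 2024-03-10 09:00 UTC."""
    now = datetime(2024, 3, 10, 9, 0, tzinfo=timezone.utc)
    roster = [
        Person("u-asha"),
        Person("u-ravi", last_working_day=datetime(2024, 3, 8, 18, 0, tzinfo=timezone.utc)),   # left 39 h ago
        Person("u-meena", last_working_day=datetime(2024, 3, 9, 17, 0, tzinfo=timezone.utc)),  # left 16 h ago
    ]
    accounts = [
        Account("u-asha", "portal"),
        Account("u-ravi", "portal"),
        Account("u-meena", "portal"),
        Account("u-zed", "api-gateway"),
        Account("s-batch", "portal"),
        Account("t-contractor", "api-gateway", owner="u-asha", expires=datetime(2024, 3, 1, tzinfo=timezone.utc)),
        Account("u-asha", "admin-console", privileged=True),
        Account("admin2", "portal"),
    ]
    return reconcile(accounts, roster, now)


if __name__ == "__main__":
    for user_id, app, finding in run_sample():
        print(f"{finding:30} {user_id:14} {app}")
```

In the sample run, u-meena left 16 hours ago and is still inside the revocation window, so she produces no finding; u-ravi left 39 hours ago and is flagged. The output list is what would be attached to the periodic user access review report.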

Reference Documents

Document Category | Document Name | Description
Policy | Security in Operations Policy | The Security in Operations Policy provides guidance to develop and implement the appropriate protective safeguards to ensure the confidentiality, integrity and availability of Tech Mahindra assets and information. The policy helps ensure the correct and secure operation of information systems, that those systems are protected against malware and loss of data, that events are logged, and that compliance is monitored.
Guideline/ Checklist/ Template | Logical User Access Management Guidelines | This document provides the guidelines for user access management to ensure that access to information and information systems/applications/platforms is controlled and regulated. Its primary purpose is to ensure that only authorized users are granted access to Tech Mahindra applications, IT infrastructure, network infrastructure, cloud infrastructure, databases and source code repositories.

Release and Deployment Management

# Description / Details
Objectives The objective of this area is to provide guidelines that ensure the secure operation of all Tech Mahindra/Customer platforms, IT solutions and enterprise-grade portals and applications: that they are protected against malware and loss of data, that changes are handled as per the processes defined at TechM/Customer, that events and incidents are logged, and that compliance is monitored so that no unauthorized access is granted to any of them.
Pre-requisites
  • Release and Deployment Management Plan
  • Release and Deployment Management Checklist
  • Configuration Management Plan
  • Service Now / CMDB
Activities & Tasks
  • Classify the release requirements and complete a change request (CR) with the appropriate approvals. All projects requiring changes to an existing service must go through the Release Management process.
  • Test and verify each release prior to implementation. Initiate the process through a standardized and approved process (service request, incident management, problem management etc.).
  • Evaluate and review comprehensive UAT, system and security test reports before release roll-out. Document and preserve the test reports for audit purposes.
  • Ensure necessary trainings such as, user training, operator training, training for deployment etc., are provided for the teams responsible for building, testing and deploying the release.
  • Ensure a detailed roll-out plan is documented including roll-out schedule, roles and responsibilities, major tasks, security and privacy requirements, etc.
  • Perform post-release testing once the release has been validated as complete, to ensure the build meets the design requirements.
  • Maintain a schedule window to detail planned releases and agree upon with relevant stakeholders.
  • Consider and identify dependencies between releases, or changes within a given release and ensure that these dependencies are factored into the deployment order, and/or Release Schedule.
Expected Outcomes
  • Updated Release and Deployment Management Plan
  • Release and Deployment Test Report
  • Periodic user access review reports
  • Documented Post-implementation Review reports
  • Updated Configuration Management Plan
  • Updated Configuration Record
Key Stakeholders
  • Tech Mahindra Information Security Group (ISG)
  • Business Owners (i.e., Platform Owners/Portal Owners/IT Solution Owners/Application Owners etc.)
  • Tech Mahindra Technical Infrastructure Management (TIM) team

Reference Documents

Document Category | Document Name | Description
Policy | Security in Operations Policy | The Security in Operations Policy provides guidance to develop and implement the appropriate protective safeguards to ensure the confidentiality, integrity and availability of Tech Mahindra assets and information. The policy helps ensure the correct and secure operation of information systems, that those systems are protected against malware and loss of data, that events are logged, and that compliance is monitored.
Guideline/ Checklist/ Template | Release and Deployment Management Plan | This document provides Tech Mahindra with a release and deployment management plan template capturing the release approach, roles and responsibilities, roll-out schedule and testing approach.
Guideline/ Checklist/ Template | Release and Deployment Management Checklist | This checklist allows the respective teams to ensure coverage of areas such as release planning and build, release testing, deployment, and post-implementation review.
Guideline/ Checklist/ Template | Release and Deployment Management Guidelines | This document provides Tech Mahindra with guidelines for moving new or changed hardware, software, documentation, processes or any other component into live environments. Deployment management may also cover deploying components to other environments for testing or staging.
Guideline/ Checklist/ Template | Configuration Management Plan | This document provides TechM with a configuration management plan template capturing configuration identification, change control, configuration management tools, and reporting and auditing of configuration changes.

Change Management

# Description / Details
Objectives The objective of this area is to provide guidelines that ensure the secure operation of all Tech Mahindra/Customer platforms, IT solutions and enterprise-grade portals and applications: that they are protected against malware and loss of data, that changes are handled as per the processes defined at TechM/Customer, that events and incidents are logged, and that compliance is monitored so that no unauthorized access is granted to any of them.
Pre-requisites
  • Configuration Management Plan
  • Request for Change
  • Service Now / CMDB
Activities & Tasks
  • Raise a Request for Change (RFC) for all changes over the Change Management ITSM tool capturing all the necessary details (Name of change, Type of change, Scope of change, etc.).
  • Perform a risk assessment and impact assessment for all change requests. Based on the assessed risk, assign impact and urgency to TechM and its customers, to each change request.
  • Ensure authorization to begin any work on the change request. During this phase, ensure segregation of duties and signoffs are obtained to begin the change request from all relevant stakeholders.
  • Build the change in the development environment as per the secure SDLC guideline. The technical and functional requirement documented should be compliant with the company security policies.
  • Validate that the change functions as designed by executing manual and automated tests. Evaluate and analyse the hardware, software and network environment associated with the change, and any integration issues.
  • Analyse the issues rectified in the application, platform components or infrastructure, and whether the expected benefits were derived from implementing the change.
  • Ensure the time taken to complete a change cycle is as per the SLA. Ensure confirmation received from the change requester before closure, and completion of the CR upon close down approval.
Expected Outcomes
  • Updated Configuration Management Plan
  • Updated Configuration Record
Key Stakeholders
  • Tech Mahindra Information Security Group (ISG)
  • Business Owners (i.e., Platform Owners/Portal Owners/IT Solution Owners/Application Owners etc.)
  • Tech Mahindra Technical Infrastructure Management (TIM) team

Reference Documents

Document Category | Document Name | Description
Policy | Security in Operations Policy | The Security in Operations Policy provides guidance to develop and implement the appropriate protective safeguards to ensure the confidentiality, integrity and availability of Tech Mahindra assets and information. The policy helps ensure the correct and secure operation of information systems, that those systems are protected against malware and loss of data, that events are logged, and that compliance is monitored.
Guideline/ Checklist/ Template | Configuration Management Plan | This document provides TechM with a configuration management plan template capturing configuration identification, change control, configuration management tools, and reporting and auditing of configuration changes.
Guideline/ Checklist/ Template | Configuration Management Guidelines | The purpose of this document is to provide guidelines for tracking the configuration information associated with the hardware and software assets needed to deliver operational services.
Guideline/ Checklist/ Template | Change Management Guidelines | The Change Management Guidelines ensure that standardized methods and procedures are used for handling all changes efficiently and systematically, so that every change is properly controlled and evaluated and the impact of change-related incidents on service quality is minimized, thereby improving the day-to-day operations of the organization.

Configuration Management

# Description / Details
Objectives The objective of this area is to provide guidelines that ensure the secure operation of all Tech Mahindra/Customer platforms, IT solutions and enterprise-grade portals and applications: that they are protected against malware and loss of data, that changes are handled as per the processes defined at TechM/Customer, that events and incidents are logged, and that compliance is monitored so that no unauthorized access is granted to any of them.
Pre-requisites
  • Configuration Management Plan
  • Service Now / CMDB
Activities & Tasks
  • Ensure accurate configuration information is available to support the planning and control of changes and their subsequent release in the live environment by ensuring the Configuration Management Plan is in place for platforms, applications and IT solutions.
  • Ensure that the information security processes for planning, identifying, controlling, monitoring and reporting of configuration items (CIs) and configuration changes are performed in accordance with the Configuration Management Guidelines and the ‘Configuration Management Plan’.
  • Identify and label CIs discovered manually or automatically, and map their relationships to other CIs in the CMDB model. Label and track each CI throughout its life cycle.
  • Manage and store associated CIs such as licenses (wherever applicable) and/or documents, together with their relationships to other identified CIs, in a central repository and record them in the Definitive Media Library (DML).
  • Ensure that adding, modifying or removing a CI is properly managed.
  • Determine the required configuration changes and analyze the security impact of each change on the CMDB and other associated CIs.
  • Perform periodic access reconciliation, at least once a year or whenever significant changes are made to the CMDB structure, CIs and/or the relationships between CIs. Maintain the access reconciliation reports so that changes can be traced back to their source in case of incidents and/or for audit purposes.
  • Perform periodic reviews to ensure that redundant CI records are systematically deleted. Rectify accidental deletions and update incomplete CI information.
  • Perform periodic backups of the CMDB by raising a backup request as per the Backup and Recovery procedure.
  • Update the status of each CI as it progresses through the configuration management lifecycle, so that the status recorded in the CMDB reflects the correct lifecycle state. Document and maintain current and accurate configuration records for audit purposes.
  • Identify corrective actions, communicate them to the Change Advisory Board, and monitor them to closure.
Expected Outcomes
  • Documented Post-implementation Review reports
  • Updated Configuration Management Plan
  • Updated Configuration Record
Key Stakeholders
  • Tech Mahindra Information Security Group (ISG)
  • Business Owners (i.e., Platform Owners/Portal Owners/IT Solution Owners/Application Owners etc.)
  • Tech Mahindra Technical Infrastructure Management (TIM) team

Reference Documents

Document Category | Document Name | Description
Policy | Security in Operations Policy | The Security in Operations Policy provides guidance to develop and implement the appropriate protective safeguards to ensure the confidentiality, integrity and availability of Tech Mahindra assets and information. The policy helps ensure the correct and secure operation of information systems, that those systems are protected against malware and loss of data, that events are logged, and that compliance is monitored.
Guideline/ Checklist/ Template | Configuration Management Plan | This document provides TechM with a configuration management plan template capturing configuration identification, change control, configuration management tools, and reporting and auditing of configuration changes.
Guideline/ Checklist/ Template | Configuration Management Guidelines | The purpose of this document is to provide guidelines for tracking the configuration information associated with the hardware and software assets needed to deliver operational services.

Log Management and Monitoring

# Description / Details
Objectives The objective of this area is to provide guidelines that ensure the secure operation of all Tech Mahindra/Customer platforms, IT solutions and enterprise-grade portals and applications: that they are protected against malware and loss of data, that changes are handled as per the processes defined at TechM/Customer, that events and incidents are logged, and that compliance is monitored so that no unauthorized access is granted to any of them.
Pre-requisites
  • Service Now / CMDB
Activities & Tasks
  • Define the requirements for logging that identify the level of information to be recorded based on security, legal / regulatory compliance, audit compliance requirements etc. in consultation with the respective platform, application and IT solution owners.
  • Identify the logs and types of logs based on the criticality of the system, the activities for which the logs are being considered, and any incident prone activities performed on any TechM/Customer applications, IT solutions and platforms.
  • Ensure all generated logs (identifying the format in which they are generated) are aggregated in an event management tool such as a SIEM, or on local systems where an exception applies.
  • Restrict access to the generated logs to the log monitoring team. Restrict access for managing the logs to identified personnel or the dedicated team, via a PAM solution.
  • Enforce secure storage of the logs and ensure periodic back up as per TechM/Customer backup policies.
  • Identify requirements for log storage, archival, transfer and disposal of logs based on the security, legal, regulatory requirements by the platforms or IT solutions or applications.
  • Configure the TechM/Customer platforms, applications and IT solutions to generate automated alerts and notify authorized personnel in case of any incident detected.
  • Ensure periodic audits are conducted to ensure compliance with logging and monitoring procedures. Monitor administrator activity through either manual analysis or using automated tools.
  • Obtain the security monitoring report and provide to the management on a regular basis.
Expected Outcomes
  • Updated Configuration Record
Key Stakeholders
  • Tech Mahindra Information Security Group (ISG)
  • Business Owners (i.e., Platform Owners/Portal Owners/IT Solution Owners/Application Owners etc.)
  • Tech Mahindra Technical Infrastructure Management (TIM) team
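The logging activities above call for aggregation of logs into a SIEM, secure storage with restricted access, and alerting on incidents and administrator activity. The Python script below is an added illustration of those three points, not Tech Mahindra code and not an integration with any particular SIEM: it normalises a few constructed syslog-style lines, appends them to a hash-chained store so that any later edit to a stored record is detectable, and replays the store to produce audit entries and alerts. The PAM jump host address, the failed-login threshold and the log lines themselves are assumptions made for the example.

```python
"""Log aggregation with tamper-evident storage and admin-activity monitoring.

Added illustration, not Tech Mahindra code. The sample lines, the PAM jump host
address and the alert thresholds are constructed assumptions.
"""
import copy
import hashlib
import json
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed syslog-style lines (not captured from a real system).
SAMPLE_LOGS = [
    "2024-03-10T09:00:01Z portal-web01 sshd[2212]: Accepted publickey for svc_deploy from 10.1.1.5 port 51000",
    "2024-03-10T09:00:07Z portal-web01 sudo: svc_deploy : TTY=pts/0 ; PWD=/opt ; USER=root ; COMMAND=/usr/bin/systemctl restart portal",
    "2024-03-10T09:02:40Z portal-db01 sshd[3021]: Failed password for root from 203.0.113.9 port 44000",
    "2024-03-10T09:02:41Z portal-db01 sshd[3022]: Failed password for root from 203.0.113.9 port 44001",
    "2024-03-10T09:02:43Z portal-db01 sshd[3023]: Failed password for root from 203.0.113.9 port 44002",
    "2024-03-10T09:05:10Z portal-db01 sshd[3040]: Accepted password for dba_ops from 198.51.100.7 port 52000",
    "2024-03-10T09:05:30Z portal-db01 sudo: dba_ops : TTY=pts/1 ; PWD=/home/dba_ops ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow",
    "2024-03-10T09:06:00Z portal-db01 CRON[4000]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Assumption: administrative sessions are brokered by a PAM jump host at this address.
PAM_JUMP_HOST = "10.1.1.5"
FAILED_LOGIN_THRESHOLD = 3
GENESIS = "0" * 64

SSH_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for (?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sudo: +(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")


def parse(line: str) -> Optional[Dict]:
    """Normalise one raw line into an event dict; None for formats not yet onboarded."""
    m = SSH_RE.match(line)
    if m:
        return {"ts": m["ts"], "host": m["host"], "type": "ssh", "user": m["user"],
                "src": m["src"], "ok": m["result"] == "Accepted"}
    m = SUDO_RE.match(line)
    if m:
        return {"ts": m["ts"], "host": m["host"], "type": "sudo", "user": m["user"],
                "target": m["target"], "cmd": m["cmd"]}
    return None


def _digest(prev: str, event: Dict) -> str:
    return hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()


def ingest(lines: List[str]) -> List[Dict]:
    """Append parsed events to a hash-chained store: every record commits to its
    predecessor, so editing or deleting an earlier record breaks all later hashes."""
    store, prev = [], GENESIS
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        digest = _digest(prev, event)
        store.append({"seq": len(store), "event": event, "prev": prev, "hash": digest})
        prev = digest
    return store


def verify_chain(store: List[Dict]) -> bool:
    prev = GENESIS
    for rec in store:
        if rec["prev"] != prev or rec["hash"] != _digest(prev, rec["event"]):
            return False
        prev = rec["hash"]
    return True


def findings(store: List[Dict]) -> List[Tuple[str, str]]:
    """Replay the store and return (severity, message) pairs."""
    out: List[Tuple[str, str]] = []
    failures: Dict[Tuple[str, str], int] = defaultdict(int)
    last_src: Dict[Tuple[str, str], str] = {}   # (host, user) -> source of the last accepted login
    for rec in store:
        ev = rec["event"]
        if ev["type"] == "ssh":
            if not ev["ok"]:
                key = (ev["host"], ev["src"])
                failures[key] += 1
                if failures[key] == FAILED_LOGIN_THRESHOLD:
                    out.append(("alert", f"brute-force: {FAILED_LOGIN_THRESHOLD} failed logins on {ev['host']} from {ev['src']}"))
            else:
                last_src[(ev["host"], ev["user"])] = ev["src"]
        elif ev["type"] == "sudo" and ev["target"] == "root":
            src = last_src.get((ev["host"], ev["user"]), "unknown")
            msg = f"{ev['user']} ran '{ev['cmd']}' as root on {ev['host']} from {src}"
            # Every privileged command is recorded for administrator-activity review;
            # one issued from a session not brokered by the PAM host is escalated to an alert.
            out.append(("audit" if src == PAM_JUMP_HOST else "alert", msg))
    return out


def verify_after_tamper(store: List[Dict]) -> bool:
    """Simulate an attacker rewriting a stored record; the chain must no longer verify."""
    tampered = copy.deepcopy(store)
    tampered[2]["event"]["src"] = PAM_JUMP_HOST      # make a failed root login look internal
    return verify_chain(tampered)


if __name__ == "__main__":
    records = ingest(SAMPLE_LOGS)
    print("chain intact:", verify_chain(records), "| after tamper:", verify_after_tamper(records))
    for severity, message in findings(records):
        print(f"[{severity}] {message}")
```

The CRON line is dropped because no parser has been onboarded for it, which is the practical meaning of "identify the format of generation" above: unparsed sources are invisible to monitoring. Hash chaining only gives tamper evidence for the local copy; the chain head still has to be forwarded to the SIEM or signed, otherwise an attacker with write access to the store can simply rebuild the chain.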

Reference Documents

Document Category | Document Name | Description
Policy | Security in Operations Policy | The Security in Operations Policy provides guidance to develop and implement the appropriate protective safeguards to ensure the confidentiality, integrity and availability of Tech Mahindra assets and information. The policy helps ensure the correct and secure operation of information systems, that those systems are protected against malware and loss of data, that events are logged, and that compliance is monitored.
Guideline/ Checklist/ Template | Log Management & Monitoring Guidelines | This guideline describes the logging and monitoring framework, which is necessary to foster user accountability, support system management, and ensure that standardized methods and procedures are used for the efficient and systematic handling of critical logs.

Incident Management

# Description / Details
Objectives The objective of this area is to provide guidelines that ensure the secure operation of all Tech Mahindra/Customer platforms, IT solutions and enterprise-grade portals and applications: that they are protected against malware and loss of data, that changes are handled as per the processes defined at TechM/Customer, that events and incidents are logged, and that compliance is monitored so that no unauthorized access is granted to any of them.
Pre-requisites
  • Service Now / CMDB
Activities & Tasks
  • Establish and maintain an incident management framework that enables identification, reporting, response, recovery and governance of security and data privacy incidents.
  • Report major security incidents to the senior management of TechM/Customer Periodically update the incident management framework to accommodate new risks and vulnerabilities, or incidents detected outside the incident response framework.
  • All incident related information is shared and disclosed by users, associates, stakeholders.
  • Inform the Customer and/or customers in case of data breach of Customer confidential information and/or personal identifiable information.
  • Collect, preserve and protect incident evidence by applying appropriate access controls (logical/physical), file permissions, etc., and upload the evidence to the incident record in the IMS (Incident Management System).
  • Choose a relevant containment strategy based on the type of incidents to contain and eradicate the incident.
  • Close the incident after recording the immediate action taken, the corrective action and the preventive action in the IMS.
  • Maintain and review the incident report with appropriate approvals, post recovery of major security incidents. Subsequently, update and review the incident tracker.
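The evidence-preservation step above (collect, hash, lock down permissions, attach to the incident record) as an added example: this is illustrative code written for this page, not a Tech Mahindra tool or part of the framework documents. The case-directory layout, the manifest fields and the two sample log files are assumptions; the upload into the IMS itself is out of scope and would consume the manifest this script produces.

```python
"""Preserve incident evidence: hash at source, copy into a locked-down case
directory, write a chain-of-custody manifest, and re-verify later.
Added example for this page; case layout and manifest fields are assumptions."""
import hashlib
import json
import os
import shutil
import stat
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large artefacts need not fit in memory


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_evidence(sources, case_dir: Path, collector: str, incident_id: str) -> dict:
    """Copy each source file into case_dir, restrict permissions and record a
    manifest entry (hash, size, who collected it, when, where it came from)."""
    case_dir.mkdir(parents=True, exist_ok=True)
    os.chmod(case_dir, stat.S_IRWXU)            # 0700: only the case owner can enter
    entries = []
    for src in map(Path, sources):
        original_hash = sha256_file(src)        # hash before the file is touched
        dest = case_dir / src.name
        shutil.copy2(src, dest)                 # copy2 keeps mtime for the timeline
        os.chmod(dest, stat.S_IRUSR)            # 0400: owner read-only, nobody else
        if sha256_file(dest) != original_hash:
            raise RuntimeError(f"copy of {src} does not match source hash")
        entries.append({
            "file": dest.name,
            "sha256": original_hash,
            "size": dest.stat().st_size,
            "source_path": str(src),
            "collected_by": collector,
            "collected_at": datetime.now(timezone.utc).isoformat(),
        })
    manifest = {"incident_id": incident_id, "evidence": entries}
    manifest_path = case_dir / "manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2))
    os.chmod(manifest_path, stat.S_IRUSR)       # the manifest is evidence too
    return manifest


def verify_evidence(case_dir: Path) -> dict:
    """Re-hash every file listed in the manifest. False means the file was
    altered or removed after collection and the chain of custody is broken."""
    manifest = json.loads((case_dir / "manifest.json").read_text())
    return {
        e["file"]: (case_dir / e["file"]).exists()
        and sha256_file(case_dir / e["file"]) == e["sha256"]
        for e in manifest["evidence"]
    }


def demo():
    """Constructed scenario: two sample log files (made up for this example),
    preserve them, verify, then tamper with one and verify again."""
    work = Path(tempfile.mkdtemp())
    host = work / "host"
    host.mkdir()
    (host / "auth.log").write_text(
        "Jan 01 02:03:04 web01 sshd[123]: Failed password for root from 203.0.113.5\n")
    (host / "access.log").write_text('203.0.113.5 - - "GET /admin HTTP/1.1" 403\n')
    case = work / "INC-0001"
    manifest = preserve_evidence([host / "auth.log", host / "access.log"],
                                 case, "analyst1", "INC-0001")
    before = verify_evidence(case)
    tampered = case / "auth.log"
    os.chmod(tampered, stat.S_IRUSR | stat.S_IWUSR)   # someone re-enables write access
    tampered.write_text("")                            # and wipes the file
    after = verify_evidence(case)
    return manifest, before, after


if __name__ == "__main__":
    _, before, after = demo()
    print("after collection:", before)
    print("after tampering :", after)
```

The hash is taken at the source before the copy and checked again after it, so the manifest records what was actually collected; the read-only mode is a logical access control, not a tamper-proofing mechanism (an owner or root can still chmod and write, as the demo shows), which is why the re-verification against the recorded hashes is the check that matters.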
Expected Outcomes
  • Updated Configuration Record
  • Incident Reports
  • Updated incident tracker
Key Stakeholders
  • Tech Mahindra Information Security Group (ISG)
  • Business Owners (i.e., Platform Owners/Portal Owners/IT Solution Owners/Application Owners etc.)
  • Tech Mahindra Technical Infrastructure Management (TIM) team

Reference Documents

Customer provided, advised or mandated documents shall supersede the below listed documents. Please check if Customer has any documents similar to the ones mentioned below, which should be used for the project delivery as per the contract or agreement. In the absence of any such guidance or documents advised by Customer or mentioned in Customer contract or agreement, it is recommended to use below mentioned documents for any project delivery or system development. 

Note: Documents referred would be uploaded soon

Document Category Document Name Description
Policy Security in Operations Policy The Security in Operations policy provides guidance to develop and implement the appropriate protective safeguards to ensure the confidentiality, integrity, and availability of Tech Mahindra assets and information. The policy helps ensure correct and secure operation of information systems, that those systems are protected against malware and loss of data, that events are logged, and that compliance is monitored.
Policy Incident Management Policy This document provides guidance on efficient incident handling to reduce impact and prevent recurrence. The purpose of this policy is to establish and enforce incident response preparedness for computer and non-computer related incidents. It covers threat intelligence, incident detection, reporting, acknowledgement, containment, root cause analysis and closure within defined SLAs for any suspected or successful incident.
Procedure Incident Management Procedure The purpose of this document is to ensure that incidents related to information security on Tech Mahindra systems, services and Tech Mahindra facilities are reported, escalated and resolved in a timely fashion and analyzed for further improvements.

Security Configuration, Controls Adequacy and Effectiveness

This area assists Tech Mahindra team(s) in ascertaining the adequacy of the security and data privacy requirements, and prescribes a process for periodically reviewing their effectiveness against any change in the architecture and related environment(s). The procedure document of this area outlines the triggers and scenarios in which a previously reviewed application, platform or IT solution requires a fresh adequacy review. The control checklist comprising the security controls (including but not limited to authentication and authorization, network security, data privacy and security, security logging and monitoring, business continuity management, API security, microservice security, container security, supplier security, Intellectual Property Rights (IPR), liabilities, penalties, etc.) is captured in this area's policy document to assist the concerned teams in performing these reviews.

# Description / Details
Objectives The objective of the prescribed process is to perform adequacy and security effectiveness review at the onset and thereafter, throughout the lifecycle of the application/platform/IT solution to evaluate the effectiveness of the implemented security configurations against Tech Mahindra’s information security objectives.
Pre-requisites
  • Executed commercial agreement and/or agreed Statement of Work (SoW).
  • Documentation of the processes and procedures (both functional and non-functional) related to the platforms, applications and IT solutions
  • Fact File Template comprising the key parameters of the application/platform/IT solution, such as the type of data processed, third-party involvement and business model, which are required to ascertain the business context and determine the compliance requirements.
  • Compliance Check Template comprising of identified compliance controls.
  • Application, Platform and IT Solution High Level Design
  • Application, Platform and IT Solution Architecture Diagram
  • Application, Platform and IT Solution Low Level Design
Activities & Tasks (Adequacy Review)
  • Evaluate extent of implementation of security and privacy considerations defined by Tech Mahindra as part of Section 5.4 of Tech Mahindra ‘Security Policy for Application and Platform Control Adequacy and Effectiveness’ document in addition to specific business and/or Customer requirements.
  • Seek requisite approvals prior to performing adequacy review depending on the accountability for management of platforms, applications and IT solutions.
  • Initiate the adequacy review as part of the design phase by recording, for each of the previously identified security and privacy controls documented in the ‘Compliance Check Template’, its compliance status and business justification, so as to ascertain the extent to which the identified security, privacy, business-specific and regulatory requirements are adequately met. Wherever deemed necessary, consult Tech Mahindra Security Teams.
  • Remediate each non-compliance prior to deployment in production and/or go-live. In the event remediation is not performed, evaluate information security and privacy impacts along with the documentation of business justification and description of mitigating controls.
  • Perform the adequacy review periodically, at least once a year, and whenever a significant change is made to the application, platform or the supporting environment.
Expected Outcomes
  • Compliance Check Report documenting results of adequacy review
  • Periodic Security Effectiveness Review reports
  • Information Security Risk Register
Key Stakeholders
  • Tech Mahindra Information Security Group (ISG)
  • Business Owners (i.e., Platform Owners/Portal Owners/IT Solution Owners/Application Owners etc.)

Reference Documents

Customer provided, advised or mandated documents shall supersede the below listed documents. Please check if Customer has any documents similar to the ones mentioned below, which should be used for the project delivery as per the contract or agreement. In the absence of any such guidance or documents advised by Customer or mentioned in Customer contract or agreement, it is recommended to use below mentioned documents for any project delivery or system development. 

Note: Documents referred would be uploaded soon

Document Category Document Name Description
Guideline/ Checklist/ Template Compliance check template The purpose of the template is to document the compliance requirements considered for the platform, IT solution, enterprise grade portal or application at initiation, and then to capture their implementation status during an adequacy review. The template should be used to document the following information:
  • Details regarding the application/platform/IT solution and the applicable regulations, standards and business-specific obligations
  • Implemented controls to meet the requirements of the applicable regulations, standards, and business-specific obligations
  • The ISG and Legal Team (where applicable) comments and approval, if any
  • Adequacy Review Status Field with business justification, if any, for line items documented as ‘Not Compliant’ and ‘Not Applicable’.
Policy Security Policy for Application and Platform Controls Adequacy and Effectiveness This Policy assists Tech Mahindra team(s) in ascertaining the adequacy of the security and privacy requirements, and prescribes a process for ensuring effectiveness is periodically reviewed to consider any change in the architecture and related environment.
Process/Procedure Security Review Criteria for Platform, Application, and IT Solution Adequacy This document establishes the triggers and scenarios used to determine when a previously reviewed application, platform or IT solution requires a fresh adequacy criteria review prior to deployment of the applicable security and privacy requirements.
# Description / Details
Objectives The objective of the prescribed process is to perform adequacy and security effectiveness review at the onset and thereafter, throughout the lifecycle of the application/platform/IT solution to evaluate the effectiveness of the implemented security configurations against Tech Mahindra’s information security objectives.
Pre-requisites
  • Executed commercial agreement and/or agreed Statement of Work (SoW).
  • Documentation of the processes and procedures (both functional and non-functional) related to the platforms, applications and IT solutions
  • Fact File Template comprising the key parameters of the application/platform/IT solution, such as the type of data processed, third-party involvement and business model, which are required to ascertain the business context and determine the compliance requirements.
  • Compliance Check Template comprising of identified compliance controls.
  • Application, Platform and IT Solution High Level Design
  • Application, Platform and IT Solution Architecture Diagram
  • Application, Platform and IT Solution Low Level Design
Activities & Tasks (Effectiveness Review)
  • Perform a security review of all platforms, applications and IT solutions periodically, at least once a year, to assess overall effectiveness and compliance with the Tech Mahindra security and privacy policies, procedures and checklist defined in the Tech Mahindra/Customer ‘Security Policy for Application and Platform Controls Adequacy and Effectiveness’ document.
  • Validate all findings with involvement of the responsible stakeholder(s) along with documentation of the management response.
  • Define and document formal remediation plan for all findings where decision to remediate has been taken.
  • Implement formalized remediation plan, as required, to achieve the documented and recommended security configurations.
  • Ensure any finding that cannot be remediated is addressed through an exception management process, requiring a business justification, description of mitigating controls, and actions that can be taken in order to minimize the potential risk(s); and update the information security risk register accordingly.
  • Review the exceptions and remediation closure document(s) in consultation with Tech Mahindra Security Teams for appropriateness of the performed remediation and timeline or risk acknowledgment for exception.
Expected Outcomes
  • Compliance Check Report documenting results of adequacy review
  • Periodic Security Effectiveness Review reports
  • Information Security Risk Register
Key Stakeholders
  • Tech Mahindra Information Security Group (ISG)
  • Business Owners (i.e., Platform Owners/Portal Owners/IT Solution Owners/Application Owners etc.)


Security and Regulatory Compliance

This area constitutes the process and requirements for meeting the security, privacy and business-specific compliance obligations applicable to an application, platform or IT solution (for example, privacy regulations such as the GDPR, CCPA, DPA, etc., security standards and frameworks such as ISO, NIST, CSA CCM, etc., as well as industry-specific requirements such as HIPAA, PCI DSS, etc.).

The documents under this area guide the identification of the requirements of applicable laws, regulations, contracts, etc., their incorporation into applications, platforms, IT solutions and enterprise-grade portals (“applications, platforms and IT solutions” hereafter), and the monitoring of compliance with the identified requirements.

# Description / Details
Objectives The objective of the security and regulatory compliance process is to ensure that applications, platforms and IT solutions developed, owned, deployed, operated or maintained by Tech Mahindra/Customer comply with the applicable security and regulatory compliance requirements.
Pre-requisites
  • Relevant national laws and legislations
  • Applicable industry standards
  • Customer contractual requirements
  • Business context (such as purpose of the application/platform/IT solution, the users of the application/platform/IT solution, type of data to be held, type of deployment, business operating model, etc.)
  • The Fact File Template will capture key parameters related to the application/platform/IT solution, including information such as type of data processed, third-party involvement, business model etc., which will be required to determine the compliance requirements
Activities & Tasks
  • Identify the applicable compliance requirements (security, privacy and business-specific regulatory requirements) for the application/platform/IT solution. Utilize the information populated in the Fact File to determine the business context required to identify the applicable requirements.
  • Utilize the “Compliance Check Template” to document the compliance requirements considered for the application/platform/IT solution, and obtain approval from ISG and, where applicable, the Legal Team.
  • Incorporate security and privacy requirements during the design phase of the application/platform/IT solution itself, and then throughout all subsequent phases of the application/platform/IT solution lifecycle. Consider the following during this step:
  • Refer to relevant security and privacy assessment documents/checklists/templates (such as “Application Security Review Checklist”, “Privacy Control Checklist”, “Privacy Impact Assessment” templates, etc.) as applicable for incorporating the security and privacy requirements.
  • For third-party procured application/platform/IT solution, ensure that the third-party meets the applicable compliance requirements (ensure that the agreements signed with third-party includes relevant security and regulatory requirements).
  • If open-source software (OSS) is used, ensure that it complies with its open-source licensing requirements. Obtain clearance from the Legal Team where necessary (such as for all open-source components).
  • Ensure that the use of applications, platforms and IT solutions does not cause infringement of any Intellectual Property Right (IPR).
  • Train stakeholders involved in development and maintenance of applications/platforms/IT solutions regarding the applicable security, privacy, and business-specific regulatory requirements
  • Review and update the identified laws and regulations as well as the security, privacy, and contractual requirements periodically (such as annually).
  • Monitor compliance using the defined Key Performance Indicators (included in the Guideline document for this area) and review the implementation of the identified controls to achieve compliance.
  • Ensure remediation of the identified non-compliances.
Expected Outcomes
  • Compliance Controls (to be documented as part of the “Compliance Check Template”)
Key Stakeholders
  • Application, platform, and IT solution owners and Business Units, in consultation with ISG and Legal Team (where required)

Reference Documents

Customer provided, advised or mandated documents shall supersede the below listed documents. Please check if Customer has any documents similar to the ones mentioned below, which should be used for the project delivery as per the contract or agreement. In the absence of any such guidance or documents advised by Customer or mentioned in Customer contract or agreement, it is recommended to use below mentioned documents for any project delivery or system development. 

Note: Documents referred would be uploaded soon

Document Category Document Name Description
Guideline/ Checklist/ Template Compliance check template The purpose of the template is to document the compliance requirements considered for the platform, IT solution, enterprise grade portal and application. The template should be used to document the following information:
  • Details regarding the application/platform/IT solution and the applicable regulations, standards, and business-specific obligations
  • Implemented controls to meet the requirements of the applicable regulations, standards, and business-specific obligations
  • The ISG and Legal Team's (where applicable) comments and approval
Policy Compliance Policy for Applications, Platforms, and IT Solutions This Policy document sets the expectations for ensuring compliance with various security, privacy and business-specific regulatory obligations that may be applicable to Tech Mahindra’s applications, platforms, and IT solutions.
Process/Procedure Compliance Guidelines for Applications, Platforms, and IT Solutions This Guideline document provides guidance for enabling Tech Mahindra’s platforms, IT solutions and enterprise grade portals and applications to comply with security, privacy and business-specific regulations. The purpose of this Guideline is to ensure that security and privacy is built-in to Tech Mahindra’s applications, platforms, and IT solutions that follow applicable regulatory obligations and industry leading practices.

Intellectual Property Management

This area provides guidance on the protection and management of the intellectual property rights (IPR) of Tech Mahindra/Customer owned and acquired platforms; it helps secure platform names and domain names (trademark and copyright clearance), manages violation checks and maintains an effective system of Intellectual Property (IP) asset management.

The documents under this area guide the management of IP throughout its lifecycle, in terms of identifying, protecting and managing IPs, and provide procedures for the management of IP infringement.

# Description / Details
Objectives The objective of the Intellectual Property Management process is to establish controls and procedures around management of various forms of Tech Mahindra/Customer owned, acquired and managed Intellectual Property lifecycle and provide guidelines for management of IP infringements.
Pre-requisites
  • Identified list of Intellectual Properties proposed to be created, owned, acquired or managed by Tech Mahindra/Customer
  • Legal and compliance requirements for management of IP
  • Licensing/Confidentiality/Distribution/Employee Agreements signed for management of IPs
  • Registration details of existing IPs
Activities & Tasks
  • Identify and document different forms of IPs by means of regular mapping activities and periodic reviews to maintain a corporate inventory of IPs in the environment; and accordingly update the ‘IPR Checklist and Inventory’ template.
  • Implement Management and Technical controls to protect the identified IPs.
  • Management controls implemented for protection of IPs may include:
    • Appropriate registration of IPs under the various forms of IP such as copyrights, trademarks, patents, etc.
    • Signing licensing agreements and confidentiality agreements as required
    • Updating risk registers to manage IP-related risks
    • Signing employee contracts for IP management, etc.
  • Technical controls implemented for protection of IPs may include implementing controls at the following levels:
    • Perimeter
    • Logical
    • Physical
  • Monitor the identified IPs by performing periodic review of policies and procedures for management of IPs, IP related events and periodic assessments.
  • Manage IP infringements by performing periodic reviews and consultations with the IPR committees.
  • Ensure identified infringements of Tech Mahindra/Customer IP are addressed using the Tech Mahindra/Customer defined ‘Intellectual Property Incident Handling Checklist’ to capture the relevant details of the infringement, and raise a security incident to investigate and manage it.
Expected Outcomes
  • IP Asset Inventory
Key Stakeholders
  • Business Owners (i.e., Platform Owners/Portal Owners/IT Solution Owners/Application Owners etc.) in consultation with IPR Committee.

Reference Documents

Customer provided, advised or mandated documents shall supersede the below listed documents. Please check if Customer has any documents similar to the ones mentioned below, which should be used for the project delivery as per the contract or agreement. In the absence of any such guidance or documents advised by Customer or mentioned in Customer contract or agreement, it is recommended to use below mentioned documents for any project delivery or system development. 

Note: Documents referred would be uploaded soon

Document Category Document Name Description
Policy Intellectual Property Rights Policy The objective of this Intellectual Property Rights (IPR) policy is to set expectations on expected controls for secure management of intellectual properties of Tech Mahindra platforms, applications, portals, and IT solutions.
Guideline/ Checklist/ Template Intellectual Property Rights Procedure The objective of this Intellectual Property Rights (IPR) Procedure is to ensure intellectual properties of Tech Mahindra platforms, applications, portals, and IT solutions are identified, protected, monitored, managed and business is conducted in compliance with the applicable IPR laws.
Guideline/ Checklist/ Template Intellectual Property Incident Handling Checklist The purpose of the checklist is to document details of IP related incidents and IP infringement cases, to assist incident handling team and IPR committee in resolution of these cases as per compliance requirements.
Guideline/ Checklist/ Template IPR Checklist and Inventory - Template The purpose of this template is to assist in identification of IPs in environment and further to create an inventory of the IPs capturing details such as type of IP, nature of IPR, date of establishment, registration details, storage controls etc.

Secure Development, Testing and Delivery Process

This area supports system security objectives by integrating security into the system development lifecycle. The activities include identifying security objectives, applying secure design guidelines, conducting architecture and design reviews for security, performing regular security code reviews, framing guidelines and procedures for vulnerability assessments and penetration testing, governing the use of open-source code and libraries, and release management.

# Description / Details
Objectives The objective of the secure development, testing and delivery process is to:
  • Ensure security considerations are identified and adhered to at each stage of the system development lifecycle
Pre-requisites
  • Documentation of the processes and procedures (both functional and non-functional) related to the platforms, applications and IT solutions
  • Fact File Template comprising the key parameters of the application/platform/IT solution, such as the type of data processed, third-party involvement and business model, which are required to ascertain the business context and determine the compliance requirements.
  • Compliance Check Template comprising of identified compliance controls.
  • Application, Platform and IT Solution High Level Design
  • Application, Platform and IT Solution Architecture Diagram
  • Application, Platform and IT Solution Low Level Design
  • Identified development methodology
Activities & Tasks
  • Security requirements shall be identified at initial planning and design phase
  • Security checkpoints and considerations shall be implemented at each phase of the system development lifecycle
  • Design phase of the SDLC shall take inputs from the outputs of Area 1: Solution and Deployment Architecture. Threat modelling should be considered as a part of the design phase and Tech Mahindra may refer to the ‘Threat Modelling Checklist’ document.
  • Development phase shall adhere to secure coding consideration as defined in the ‘Security Standards for Platforms and Applications’ document.
  • Data utilized for testing may be production or non-production data, and may be provided by the Customer or generated by Tech Mahindra as per the identified requirements. The test data lifecycle should be securely managed as described in the ‘SDLC Procedure’ document.
  • Self and Peer level code review shall be performed as per the checklist defined in the ‘Secure Code Review Checklist’ document.
  • Security Assessments as a part of the SDLC shall be performed in adherence to controls defined in Area 7: Security Assessments.
  • Release and Deployment as a part of the SDLC shall be performed in adherence to controls defined in Area 2: Security in Operations.
  • Additionally, ‘Service Delivery Framework’ document provides guidelines on incorporating security considerations throughout the service delivery lifecycle phases such as build, operate and manage.
Expected Outcomes
  • Developed system to be deployed and released
  • Filled code review checklist
Key Stakeholders
  • Business Owners (i.e., Platform Owners/Portal Owners/IT Solution Owners/Application Owners etc.) in consultation with relevant Tech Mahindra Security Teams.

Reference Documents

Customer provided, advised or mandated documents shall supersede the below listed documents. Please check if Customer has any documents similar to the ones mentioned below, which should be used for the project delivery as per the contract or agreement. In the absence of any such guidance or documents advised by Customer or mentioned in Customer contract or agreement, it is recommended to use below mentioned documents for any project delivery or system development. 

Note: Documents referred would be uploaded soon

Document Category Document Name Description
Policy SDLC Policy This policy describes the set of mandatory security activities which platform owners must follow when developing, integrating or maintaining systems for internal or external consumption.
Checklist Threat Modelling Checklist This document provides considerations for performing threat modelling as a part of the design phase of the system development lifecycle to identify potential threats, develop mitigation strategies and incorporate them as a part of design considerations.
Standard Security Standards for Platforms and Applications The purpose of this document is to assist Tech Mahindra in integrating security into the SDLC processes used for managing its applications, enterprise grade portals and platforms. It highlights baseline standards that may be adhered to across security aspects such as access control, cryptography, data protection and error handling, along with common attack vectors.
Procedure SDLC Procedure The purpose of this document is to provide guidance on performing the mandatory security activities that platform owners must follow when developing, integrating or maintaining systems, by implementing security checkpoints in each phase of the lifecycle.
Checklist Security Code Review Checklist This document provides a list of checkpoints to be considered as a part of secure code review (self-review and peer review) across various security areas and common threat vectors.
Framework Secure Delivery Framework The purpose of this document is to provide guidelines on ensuring security in each phase of service delivery, that is, build, operate and manage by implementing various security checkpoints throughout the lifecycle

Security Assessments

This document provides guidance to ensure all Tech Mahindra/Customer platform components, IT assets, network devices, applications, middleware, etc. undergo security assessments during the development phase (before any release or move to production), periodically (once deployed to production) and on demand, in order to detect and remediate vulnerabilities or to assess the existing security controls integrated into platform systems. This allows Tech Mahindra/Customer management to assess existing risk and ensure that security controls have been implemented to maintain the security posture of the Tech Mahindra/Customer platform components.

# Description / Details
Objectives The objectives of the security assessment process are to:
  • Identify security vulnerabilities, gaps, misconfigurations, etc., that may exist within the platform components
  • Track identified vulnerabilities until closure, or until compensating controls are accepted as logical closure of the risk
Pre-requisites
  • Development and deployment of new Platforms, IT Solutions, enterprise grade portals and applications
  • Operation and regular/periodic maintenance for Platforms, IT Solutions, enterprise grade portals and applications
  • Ad hoc based on regulatory requirements, on demand or Customer specific requirement for Platforms, IT Solutions, enterprise grade portals and applications
Activities & Tasks
  • Identify scope to be tested as part of the security assessment
  • Identify security team (Internal, External and External on demand) and stakeholders who shall be involved in the overall assessment
  • Maintain and share the up-to-date asset inventory with the respective stakeholders
  • Agree on the POC, scope, assessment timelines etc. with all the stakeholders associated with the assessment
  • Wherever applicable, schedule walkthrough or knowledge transfer sessions and share pre-requisite details such as credentials, sample request/response, APK/IPA files, source code etc. with the respective stakeholders
  • Perform security testing based on industry standards such as OWASP Top 10, SANS, CIS etc.
  • Use a mixture of automated and manual approaches (using Tech Mahindra/Customer approved tools) to perform the security assessment
  • When conducting an assessment on a production environment, disable intrusive checks that could lead to system downtime, account lockouts or malicious scripts being stored in the database
  • Perform manual checks wherever applicable to eliminate false positives
  • Discuss identified vulnerabilities with relevant stakeholders prior to finalizing
  • An initial report, a tracking sheet and periodic dashboards should be shared with the respective stakeholders
  • Reported vulnerabilities should be ordered by severity score (critical, high, medium or low) and should include vulnerability details such as name, date observed, short description, severity rating (critical, high, medium or low), affected system, affected port number, version in use, risk implication, recommendation/remediation steps, proof of concept, point of contact etc.
  • Schedule periodic calls with the stakeholders to track the vulnerability status and estimated timelines for closure (this should be based on defined SLA)
  • Wherever necessary, provide assistance in fixing the observed vulnerabilities
  • Upon confirmation of closure, perform a revalidation round to verify the fixes/controls deployed
  • Record exceptions wherever applicable, if the issue cannot be fixed at that point in time or for a documented business justification
  • If the issue is still observed to be open after revalidation, update and mark it in the tracking sheet, share it with the respective stakeholders and track it until closure
  • Raise a security incident if a Critical or High severity vulnerability is reopened/recurring within the last 2 scheduled scan cycles on the same device/host
  • Perform Root Cause Analysis (RCA) on security incidents raised for reopened/recurring Critical or High severity vulnerabilities
  • Notify all the respective stakeholders of the final closure of the vulnerability
  • Obtain a “Certificate of Closure” upon completion of the security assessment
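As an added example (not part of this framework or Tech Mahindra's own tooling), a small Python tracker over constructed scan results that applies the severity ordering and the reopened/recurring incident rule above; reading "recurring" as open in both of the last 2 scheduled cycles and "reopened" as observed again after an intervening closure is an assumption.

```python
from dataclasses import dataclass

# Severity ordering used to sort the tracker sheet (Critical first).
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


@dataclass(frozen=True)
class Finding:
    name: str
    host: str
    port: int
    severity: str
    cycle: int  # scheduled scan cycle in which the finding was observed


def classify(cycles, latest):
    """Status of one (name, host) finding after the latest scheduled cycle."""
    if latest not in cycles:
        return "Closed"
    if latest - 1 in cycles:
        return "Recurring"  # open in both of the last 2 scheduled cycles
    if any(c < latest - 1 for c in cycles):
        return "Reopened"   # closed earlier, observed again on the same host
    return "New"


def build_tracker(findings, latest):
    """Tracker rows sorted by severity, with the incident flag per the procedure."""
    seen = {}
    for f in findings:
        rec = seen.setdefault((f.name, f.host), {"f": f, "cycles": set()})
        rec["cycles"].add(f.cycle)
    rows = []
    for (name, host), rec in seen.items():
        status = classify(rec["cycles"], latest)
        f = rec["f"]
        # Critical/High only: a recurring or reopened finding becomes an incident.
        incident = f.severity in ("Critical", "High") and status in ("Recurring", "Reopened")
        rows.append({"name": name, "host": host, "port": f.port,
                     "severity": f.severity, "status": status, "incident": incident})
    rows.sort(key=lambda r: (SEVERITY_RANK[r["severity"]], r["host"], r["name"]))
    return rows


def incidents_to_raise(findings, latest):
    """(name, host) pairs that need a security incident and an RCA."""
    return [(r["name"], r["host"]) for r in build_tracker(findings, latest) if r["incident"]]


# Constructed sample: three scheduled scan cycles, hosts and findings are made up.
SAMPLE = [
    Finding("Outdated OpenSSL", "web-01", 443, "High", 1),
    Finding("Outdated OpenSSL", "web-01", 443, "High", 2),
    Finding("Outdated OpenSSL", "web-01", 443, "High", 3),      # recurring
    Finding("SQL injection in /login", "app-02", 443, "Critical", 1),
    Finding("SQL injection in /login", "app-02", 443, "Critical", 3),  # reopened
    Finding("Directory listing", "web-01", 80, "Medium", 2),
    Finding("Directory listing", "web-01", 80, "Medium", 3),     # recurring, not Critical/High
    Finding("Weak TLS cipher", "web-01", 443, "High", 3),        # new this cycle
    Finding("Default credentials", "db-01", 5432, "Critical", 1),  # closed
]

if __name__ == "__main__":
    for row in build_tracker(SAMPLE, latest=3):
        print(row)
```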
Expected Outcomes
  • In-scope Security Assessment Initial Report
  • Tracker Sheet for Identified Vulnerabilities
  • Final Revalidation Report
Key Stakeholders
  • Business Owners (i.e., Platform Owners/Portal Owners/IT Solution Owners/Application Owners etc.) in consultation with relevant Tech Mahindra Security Teams.

Reference Documents

Customer provided, advised or mandated documents shall supersede the documents listed below. Please check whether the Customer has any documents similar to the ones mentioned below, which should be used for project delivery as per the contract or agreement. In the absence of any such guidance or documents advised by the Customer or mentioned in the Customer contract or agreement, it is recommended to use the documents listed below for any project delivery or system development.

Note: The referenced documents will be uploaded soon.

| Document Category | Document Name | Description |
|---|---|---|
| Policy | Security Assessment Policy | This document outlines the key security objective that all Tech Mahindra platforms, IT assets, APIs, container images and web applications shall maintain adequate levels of security by performing regular security assessments in a diverse IT environment. This policy also provides guidance on maintaining adequate and appropriate security documentation for each platform, IT solution, API, container image and web application. This security documentation shall assist in maintaining the security posture of the Tech Mahindra platforms. |
| Process/ Procedure | Security Assessment Procedure | This document directs the establishment of a security assessment program at Tech Mahindra or its Customers to assist in maintaining the security posture of the platform infrastructure, proactively preventing the exploitation of vulnerabilities and potential loss to Tech Mahindra. |
| Guideline/ Checklist/ Template | Platform Security Checklist | The checklists shall allow ISG to ensure coverage for areas such as data exfiltration, outdated services, insecure communication, weak authentication/authorization, weak encryption, horizontal/vertical privilege escalation, weak access controls, improper input validation etc. for their platforms and components. |

Vendor, Supplier, Partner or Third Party Security Risk Assessment

This area covers the policies, processes and procedures which provide the methodology for performing risk assessments of vendors, suppliers and partners and for assessing on-boarding/off-boarding processes for contractual, security, privacy and operational risks. The documents in this area provide guidance on managing third party access, security monitoring of third-party suppliers, identifying and documenting security commitments with third parties, and verifying compliance by reviewing contractual obligations.

# Description / Details
Objectives

The key objective of this process is to ensure that the IT assets, IT infrastructure, IT Solutions and Platforms and facilities of Tech Mahindra or its Customers, which are accessible to suppliers / third party vendors / contractors / sub-contractors etc., are protected and handled appropriately by supplier services or personnel.
Pre-requisites
  • Supplier Security checklist - Application Supplier SS 1.2 - 3.2 Customer & Tech M
  • Supplier Security checklist - Application Supplier SS 2.1 - 4.1(Cloud based) Customer & Tech M
  • Supplier Security Checklist - Managed Service Supplier SS 2.2 - 4.2 Customer & Tech M
  • Supplier Security checklist - Resource Supplier SS 1.1-3.1 Customer & Tech M
  • Supplier Security offboarding Checklist - Data Access
Activities & Tasks

Ensure Supplier Security by developing, implementing, monitoring, and enforcing the appropriate safeguards. Govern the supplier security process as per the following stages:

  • Before onboarding, evaluate all suppliers and ensure they pass the supplier capability evaluation conducted by ISG before a contract is signed. Perform the evaluation / assessment as per the defined security checklists for the supplier type and the criticality of the supplier.
  • Suppliers must obtain prior written consent from TechM/Customer before further outsourcing services to sub-contractors.
  • A supplier, or any sub-vendor appointed by the supplier, having access to Customer/TechM Personal Information (PI) or Sensitive Personal Information (SPI) must sign a DPA in addition to the existing agreement.
  • Ensure the suppliers maintain an agreed level of information security and service delivery in line with Customer security agreements.
  • Onboard supplier organization associates working for TechM or its Customer via the respective RMG function. The onboarding is performed by the supplier manager in consultation with the ISG Team.
  • Ensure the supplier personnel sign the NDA, Code of Conduct, Acceptable Usage Agreement, Resource Usage Agreement etc. and that BG checks are completed once the supplier contract is finalized.
  • Ensure supplier services or personnel appropriately safeguard the information assets of TechM/TechM Customers accessible to suppliers.
  • Ensure all supplier personnel undergo the TechM/Customer Internal Security, Privacy and IP Awareness trainings, tests and certifications applicable to TechM regular employees within one month of joining.
  • Ensure the suppliers employ best industry security practices and secure coding methodologies in performing the assignment.
  • Perform Security Risk assessments at a frequency decided by the criticality of the supplier. Proactively highlight to the Customer any supplier risk which may impact Customer delivery.
  • Monitor the cloud environments of suppliers providing IT solutions for vulnerabilities which could lead to personal / sensitive data breaches.
  • Ensure identified risks to the confidentiality, integrity or availability of TechM/Customer Information in the Supplier's processes or Supplier Systems are regularly assessed and remediated in time by the suppliers.
  • At the time of offboarding a supplier, ensure the offboarding checklists are completed by the supplier / supplier manager.
  • Revoke the supplier’s access to software, servers, networks or other systems at the time of offboarding.
  • Upon termination of the contract, delete TechM/Customer data obtained under the agreement.
  • Upon becoming aware of any incident, inform the TechM Security Contact within 24 hours. Refer to the Incident Response policy to respond to cyber security incidents, so as to protect the organization’s systems and data and prevent disruption.
  • Validate all audit findings and periodic assessment reports along with documentation of the management response.
Expected Outcomes
  • Updated Supplier Security Checklists
  • Periodic Supplier Security Review reports
  • Annual Internal Supplier Audit reports
Key Stakeholders
  • Tech Mahindra Information Security Group (ISG)
  • Business Owners (i.e., Platform Owners/Portal Owners/IT Solution Owners/Application Owners etc.)
  • Supplier Manager

Reference Documents

Customer provided, advised or mandated documents shall supersede the documents listed below. Please check whether the Customer has any documents similar to the ones mentioned below, which should be used for project delivery as per the contract or agreement. In the absence of any such guidance or documents advised by the Customer or mentioned in the Customer contract or agreement, it is recommended to use the documents listed below for any project delivery or system development.

Note: The referenced documents will be uploaded soon.

| Document Category | Document Name | Description |
|---|---|---|
| Policy | Third Party Supplier Security Policy | This policy ensures that the information assets of Tech Mahindra or its Customers, which are accessible to suppliers, are protected and handled appropriately by supplier services or personnel. |
| Guideline/ Checklist/ Template | Third Party Supplier Security Procedure | This Procedure document ensures that the Information Security and Privacy requirements of Tech Mahindra and its Customers are included in Supplier contracts, that controls are in place for all supplier scenarios, and that supplier delivery is constantly monitored for security performance. |
| Guideline/ Checklist/ Template | Supplier Security checklist - Application Supplier SS 1.2-3.2 Customer & Tech M | The purpose of the Onboarding Checklists is to ensure that all security and privacy checks and all necessary parameters are verified before onboarding a supplier, and that any supplier onboarded by TechM is capable of providing the service or the product. The objective of the Offboarding Checklists is to ensure all security checks (including data purging by the supplier) are performed at the time of termination of the supplier. |
| Guideline/ Checklist/ Template | Supplier Security checklist - Application Supplier SS 2.1-4.1 (Cloud based) Customer & Tech M | |
| Guideline/ Checklist/ Template | Supplier Security Checklist - Managed Service Supplier SS 2.2-4.2 Customer & Tech M | |
| Guideline/ Checklist/ Template | Supplier Security checklist - Resource Supplier SS 1.1-3.1 Customer & Tech M | |
| Guideline/ Checklist/ Template | Supplier Security offboarding Checklist - Data Access | |
Copyright © Tech Mahindra Limited. All Rights Reserved