Information Security Group

HR Role

Handling DSAR

Responding Incidents

Handling PI/SPI

Handling sensitive email

Data Classification – Quick Review

Tech Mahindra Data Classification policy requires electronic information to be classified, as either “Company Confidential”, “Restricted” or “Public”.
Use Company Confidential classification, when the data is created, or to be used internally, within Tech Mahindra.
Restricted classification is used for data, which needs to be restricted, to pre-defined associates, groups, functions, or business units.
Public means any data, which can be shared to everyone, including inside, and outside, Tech Mahindra.
While saving a document in Microsoft word, excel or Power-point, or while sending an email, using Microsoft outlook, or web Email, a Sensitivity label must be applied.

How will Labels be applied?

To classify emails, using Microsoft Outlook and Webmail, On the Message tab, select the Sensitivity button on the ribbon, as indicated in the image, and then select, one of the labels that has been configured.
If Show Bar is enabled on the Sensitivity button, you can select a label from the Azure Information Protection bar directly.

Different Labels to be applied.

Choosing the right Sensitivity Label is an essential step in protecting the data, and ensuring, the data is right, and legal usage, as intended, or as per contract. Mentioned here are the labels, based on classification of data, along with some examples, indicating when they are used.

Documents Classified as Public, indicate the data, which can be shared with everyone, including inside, and outside, Tech Mahindra. For example, an approved, Press release by the Marketing Team. Such documents are not encrypted, and can be read or accessed, by internal and external parties.
“Confidential – Internal Use”, and “Confidential – External Use”, are to be used with data, that are classified, as Company Confidential. These documents are created for Tech Mahindra internal purposes, or for customer deliveries.
“Confidential – Internal Use”, is to be used, for example for Tech Mahindra Policy Documents, or Process Documents, published on Tech Mahindra BMS, or project documents, used and referenced, within Tech Mahindra.
Similarly, when an email is intended to be circulated within Tech Mahindra only, “Confidential – Internal Use”, label is to be applied.
For documents, created for customers, or partners, and while exchanging email, with customers, or sharing Tech Mahindra information, such as Job Descriptions, with vendors, or offer letters, with potential candidates, the label “Confidential – External Use”, is to be made use of. These emails will not be encrypted, however, monitoring of any confidential information, going outside Tech Mahindra domain will still be done.
The “Restricted” classification is to be used, for data, which needs to be restricted, to pre-defined associates, groups, functions, or business units. A good example would be a statement of work, or architecture documents, for a potential project, that needs to be exchanged, with vendors, and partners, but is sensitive, and cannot be disclosed.

Here, the label, “External Use – Do Not Forward and Print”, should be used.

Likewise, for internal Tech Mahindra sensitive information, such as Appraisal Discussions, Background Verification Reports, that need restricted circulation, and print protection, the label, “Internal Use – Do Not Forward and Print”, is to be used.
Sensitive documents, within a project or account, that should not be accessible outside the project, the label “Internal Use – Full Control”, can be used. This will enable the team to freely exchange information, within themselves, or update as needed.

Video - Zero Trust Internal Security - Information Protection | Tech Mahindra

Training and Awareness

Asset Recovery

Specific requirements for departments within HR Function

Within HR Department , varying levels of access to data necessiate different security requirements based on job roles and responsibilities.Security requirements are listed based on distinct roles within the HR Function.

Associate Sevices

To ensure associate services are secure and compliant, the following controls are important:

Compliance:

Associate services management policy (onboarding, Separation, Global mobility etc.) is in place, reviewed periodically and adhered appropriately.
Access (where applicable) and ID cards should be distributed to all the associates at the time of joining and reconciliation periodically.
Ensure new associates have been provided with an orientation that includes an overview of the company culture, relevant policies, and procedure.
Policy for all the regions to ensure end to end recovery of all the devices provided by TechM to associate on or before end of LWD.
Ensure being compliant with all ISG compliance parameters.
ISG & Legal team approval should be taken before launching any survey and event.
Associate’s consent should be taken before collection any PII/SPI data from them.
Exit checklist reconciliation and final ownership process should be created and adhered appropriately.
NDA/COC should be signed before completion of onboarding of any third-party associate.
Any associate being reallocated to different country based of business requirement should have all the necessary approvals related to access and required data in place.
Ensure any new third-party platform being used is assessed and verified by the third-party risk management team and all mandatory risk assessments completed by the ISG team.
3rd party service providers assisting in associates service activities who have access to confidential data should be compliant with organization data privacy and regulatory requirements.

Data & Privacy:

Ensure adequate process in place to secure collected PI/PII/SPI data of the associates from unauthorized access. (secure handling during onboarding and off boarding as per regulatory compliance)
Any associate being reallocated to different country based of business requirement should have all the necessary approvals related to access and required data in place.
As per procedure, physical copies of associate data which are stored for 7 years post separation should be stored in a secure manner and shredded as soon as the statutory time limit has elapsed.
3rd party service providers assisting in recruitment and payroll activities who have access to confidential data should be trained and be made compliant with organization data privacy and regulatory requirements.
Disclaimers need to add in mail going to third party vendors, request for destroying PI/SPI data from third party vendor system.
All emails should be tagged correctly based on priority and content. If the email contains attachments which have sensitive information, it should be encrypted and password to be shared to the intended recipient over a secure media.
Ensure sensitive data is encrypted both in transit and at rest.
Data retention/ deletion should be conducted as per organization data retention policy.

Access:

Role based Access Control (RBAC) - Facilitation and Implementation done for PACE HR application and access reconciliation should be done as per defined frequency.
Once an associate is separated from the organization, all client and Tech M related accesses should be revoked on priority as per Tech M standard policy.
Access to data storage sites like share point, TM box, google drive etc which contains associates PI/SPI data, organizational information etc should be restricted to authorized personnel only and access to be reconciled on periodic interval.
Use multi- factor authentication (MFA) to secure access to critical systems and data.

BHR (Business Human Resource)

Compliance:

BHR team should designate category for role-based access to all critical application.
Incident reporting procedures should be made aware to all associates on periodic interval.
Any employee grievance recorded during employee engagement to be kept confidential and secured from unauthorized access.
Updated data privacy and protection Access to data storage sites like share point, TM box, google drive etc which contains associates PI/SPI data, organizational information etc should be restricted to authorized personnel only and access to be reconciled on periodic interval.
Ensure any new third-party platform being used is assessed and verified by the third-party risk management team and all mandatory risk assessments completed by the ISG team.
3rd party service providers assisting in recruitment and payroll activities who have access to confidential data should be compliant with organization data privacy and regulatory requirements.
DSAR processing should be streamlined to avoid any regulatory penalties.
HR associates should be trained on handling associate PI/SPI data during day-to-day work schedule.
Disclaimers need to add in mail going to third party vendors, request for destroying PI/SPI data from third party vendor system.
Additional BV checks such as Criminal verification etc. should be conducted before engaging in critical HR roles.
Policy for all regions to ensure end to end recovery of all the devices provided by TechM to associate on or before end of LWD.
All emails should be tagged correctly based on priority and content. If the email contains attachments which have sensitive information, it should be encrypted and password to be shared to the intended recipient over a secure media.
Ensure being compliant with all ISG compliance parameters.
ISG & Legal team approval should be taken before launching any survey and event.
Associate’s consent should be taken before collection any PII/SPI data from them.

Data & Privacy:

As a time, handling candidate PI/SPI data, modes of communication and data storage to be encrypted to prevent any data leakage.
All grievances shared by associates should be handled as per data privacy regulations.
BHR to sensitise all associates about organization information security procedures such as phishing attack, password policy etc.
While sharing associates PI/ SPI and other confidential data, the mode of sharing should be in accordance with regional data privacy laws and access controlled.
Updated security requirements to be checked and incorporate in workflow to abide by updated organizational data privacy requirements.
Any survey or events which requires associates to share their personal and sensitive information should be in accordance with ISG guidelines and regional data privacy regulations.
Data retention/ deletion should be conducted as per organization data retention policy.
All emails should be tagged correctly based on priority and content. If the email contains attachments which have sensitive information, it should be encrypted and password to be shared to the intended recipient over a secure media.
Ensure sensitive data is encrypted both in transit and at rest.

Access:

Role based Access Control (RBAC) - Facilitation and Implementation done for PACE HR application and access reconciliation should be done as per defined frequency.
Once an associate is separated from the organization, all client and Tech M related accesses should be revoked on priority as per Tech M standard policy.
Access to data storage sites like share point, TM box, google drive etc which contains associates PI/SPI data, organizational information etc should be restricted to authorized personnel only and access to be reconciled on periodic interval.
Use multi- factor authentication (MFA) to secure access to critical systems and data.

Performance management and benefits

One of the major areas of responsibilities of HR includes formulating Performance Management and Benefits policies. To ensure processes are secure and compliant, the following controls are important:

Compliance:

Ensure being compliant with all ISG compliance parameters.
ISG & Legal team approval should be taken before launching any survey and event.
Associate’s consent should be taken before collection any PII/SPI data from them.
Ensure any new third-party platform being used is assessed and verified by the third-party risk management team and all mandatory risk assessments completed by the ISG team.
3rd party service providers assisting in PMS activities who have access to confidential data should be compliant with organization data privacy and regulatory requirements.

Data & Privacy:

Associate performance related information should be handled as per data privacy regulations.
As a time, handling candidate PI/SPI data, modes of communication and data storage to be encrypted to prevent any data leakage.
While sharing associates PI/ SPI and other confidential data, the mode of sharing should be in accordance with regional data privacy laws and access controlled.
All emails should be tagged correctly based on priority and content. If the email contains attachments which have sensitive information, it should be encrypted and password to be shared to the intended recipient over a secure media.
Data retention/ deletion should be conducted as per the organization data retention policy.
Ensure sensitive data is encrypted both in transit and at rest.

Access:

Role based Access Control (RBAC) - Facilitation and Implementation done for PACE HR application and access reconciliation should be done as per defined frequency.
Once an associate is separated from the organization, all client and Tech M related accesses should be revoked on priority as per Tech M standard policy.
Access to data storage sites like share point, TM box, google drive etc which contains associates PI/SPI data, organizational information etc should be restricted to authorized personnel only and access to be reconciled on periodic interval.
Use multi- factor authentication (MFA) to secure access to critical systems and data.

Global Leadership

Global Leadership Acquisition and development team is responsible for providing support in areas of non – technical leadership recruitment, management trainee and global leadership hiring, leadership development, leadership training and development. To ensure Global leadership processes are secure and compliant, the following controls are important:

Compliance:

Ensure being compliant with all ISG compliance parameters.
ISG & Legal team approval should be taken before launching any survey and event.
Associate’s consent should be taken before collection any PII/SPI data from them.
Ensure any new third-party platform being used is assessed and verified by the third-party risk management team and all mandatory risk assessments completed by the ISG team.
3rd party service providers assisting in GLS activities who have access to confidential data should be compliant with organization data privacy and regulatory requirements.

Data & Privacy:

Teams handling confidential data for leaders and potential leadership associates as per data privacy regulations of the region.
As a time, handling candidate PI/SPI data, modes of communication and data storage to be encrypted to prevent any data leakage.
While sharing associates PI/ SPI and other confidential data, the mode of sharing should be in accordance with regional data privacy laws and access controlled.
3rd party service providers assisting in recruitment and payroll activities who have access to confidential data should be compliant with organization data privacy and regulatory requirements.
Any survey or events which requires associates to share their personal and sensitive information should be assessed and approved by ISG & Legal team. Also abide by regional data privacy regulations.
All emails should be tagged correctly based on priority and content. If the email contains attachments which have sensitive information, it should be encrypted and password to be shared to the intended recipient over a secure media.
Data retention/ deletion should be conducted as per the organization data retention policy.
Ensure sensitive data is encrypted both in transit and at rest.

Access:

Role based Access Control (RBAC) - Facilitation and Implementation done for PACE HR application and access reconciliation should be done as per defined frequency.
Once an associate is separated from the organization, all client and Tech M related accesses should be revoked on priority as per Tech M standard policy.
Access to data storage sites like share point, TM box, google drive etc which contains associates PI/SPI data, organizational information etc should be restricted to authorized personnel only and access to be reconciled on periodic interval.
Use multi- factor authentication (MFA) to secure access to critical systems and data.

HR Labs

To ensure secure and compliant HR Labs processes, the following controls are important:

Compliance:

Ensure any new third-party platform being used is assessed and verified by the third-party risk management team and all mandatory risk assessments completed by the ISG team.
Application developed in collaboration with internal teams to have all necessary risk assessments completed.
All applications must be compliant with the laws of the land.
Ensure being compliant with all ISG compliance parameters.
ISG & Legal team approval should be taken before launching any survey and event.

Data & Privacy:

Ensure any new third-party platform being used is assessed and verified by the third-party risk management team and all mandatory risk assessments completed by the ISG team.
All PI/SPI data collected for application to be retained in secured encrypted storage.
Access to data storage sites like share point, TM box, google drive etc which contains associates PI/SPI data, organizational information etc should be restricted to authorized personnel only and access to be reconciled on periodic interval.
All emails should be tagged correctly based on priority and content. If the email contains attachments which have sensitive information, it should be encrypted and password to be shared to the intended recipient over a secure media.
Data retention/ deletion should be conducted as per the organization data retention policy.
Ensure sensitive data is encrypted both in transit and at rest.

Access:

Role based Access Control (RBAC) - Facilitation and Implementation done for PACE HR application and access reconciliation should be done as per defined frequency.
Once an associate is separated from the organization, all client and Tech M related accesses should be revoked on priority as per Tech M standard policy.
Access to data storage sites like share point, TM box, google drive etc which contains associates PI/SPI data, organizational information etc should be restricted to authorized personnel only and access to be reconciled on periodic interval.
Use multi- factor authentication (MFA) to secure access to critical systems and data.

Internal & Global Communications

Internal and global communication takes care of disbursing news of new policies, relevant updates related to the organisation with employees across the world. To ensure processes are secure and compliant, following controls are important.

Compliance:

All 3rd party software’s should be assessed as per ISG guidelines and only licenced version to be used.
Social media rights to be available to authorised personnel only and the accounts should be protected as per organizations security mandate.
Ensure being compliant with all ISG compliance parameters.
ISG & Legal team approval should be taken before launching any survey and event.

Data & Privacy:

All internal and external communication should be handled securely and RBAC modes.
All the communications sent out should be compliant with the regions, data privacy and communications regulation.
All emails should be tagged correctly based on priority and content. If the email contains attachments which have sensitive information, it should be encrypted and password to be shared to the intended recipient over a secure media.
Data retention/ deletion should be conducted as per the organization data retention policy.
Ensure sensitive data is encrypted both in transit and at rest.

Access:

Role based Access Control (RBAC) - Facilitation and Implementation done for PACE HR application and access reconciliation should be done as per defined frequency.
Once an associate is separated from the organization, all client and Tech M related accesses should be revoked on priority as per Tech M standard policy.
Access to data storage sites like share point, TM box, google drive etc which contains associates PI/SPI data, organizational information etc should be restricted to authorized personnel only and access to be reconciled on periodic interval.
Use multi- factor authentication (MFA) to secure access to critical systems and data.

R & R (Reward & Recognition)

To ensure processes are secure and compliant, following controls are important.

Compliance:

Any platforms used for rewarding associates (eg Kudos Advantage club) should have platform and application security assessments completed before implementation.
Any new service addition to the application, should be assessed and validated by the information security team.
Work council recommendations and laws of the land to be kept in consideration while conducting any R&R activity.
Ensure being compliant with all ISG compliance parameters.
ISG & Legal team approval should be taken before launching any survey and event.

Data & Privacy:

R&R team needs to access confidential performance data of associates for assessment, all such data to be handled in secure RBAC format.
3rd party service providers assisting in rewards and recognition activities should be compliant with organization data privacy and regulatory requirements.
All emails should be tagged correctly based on priority and content. If the email contains attachments which have sensitive information it should be encrypted and password to be shared to the intended recipient over a secure media.
Data retention/ deletion should be conducted as per the organization data retention policy.

Access:

Role based Access Control (RBAC) - Facilitation and Implementation done for PACE HR application and access reconciliation should be done as per defined frequency.
Once an associate is separated from the organization, all client and Tech M related accesses should be revoked on priority as per Tech M standard policy.
Access to data storage sites like share point, TM box, google drive etc which contains associates PI/SPI data, organizational information etc should be restricted to authorized personnel only and access to be reconciled on periodic interval.
Use multi- factor authentication (MFA) to secure access to critical systems and data.
Ensure sensitive data is encrypted both in transit and at rest.

CompBen & Variable Pay, Bonuses

To ensure processes are secure and compliant, following controls are important.

Compliance:

Employees pay and benefits related information to be stored, processed, and shared in an encrypted mode.
3rd party vendor handling variable pay and benefits for offshore locations should be trained and be made complaint with organisation and regulatory guidelines.
Ensure being compliant with all ISG compliance parameters.
ISG & Legal team approval should be taken before launching any survey and event.
Associate’s consent should be taken before collection any PII/SPI data from them.
Ensure any new third-party platform being used is assessed and verified by the third-party risk management team and all mandatory risk assessments completed by the ISG team.
3rd party service providers assisting in CompBen & Variable Pay, Bonuses activities who have access to confidential data should be compliant with organization data privacy and regulatory requirements.

Data & Privacy:

Teams handling confidential data for leaders and potential leadership associates as per data privacy regulations of the region.
As a time, handling candidate PI/SPI data, modes of communication and data storage to be encrypted to prevent any data leakage.
While sharing associates PI/ SPI and other confidential data, the mode of sharing should be in accordance with regional data privacy laws and access controlled.
3rd party service providers assisting in recruitment and payroll activities who have access to confidential data should be compliant with organization data privacy and regulatory requirements.
Any survey or events which requires associates to share their personal and sensitive information should be assessed and approved by ISG & Legal team. Also abide by regional data privacy regulations.
All emails should be tagged correctly based on priority and content. If the email contains attachments which have sensitive information, it should be encrypted and password to be shared to the intended recipient over a secure media.
Data retention/ deletion should be conducted as per the organization data retention policy.
Ensure sensitive data is encrypted both in transit and at rest.

Access:

Role based Access Control (RBAC) - Facilitation and Implementation done for PACE HR application and access reconciliation should be done as per defined frequency.
Once an associate is separated from the organization, all client and Tech M related accesses should be revoked on priority as per Tech M standard policy.
Access to data storage sites like share point, TM box, google drive etc which contains associates PI/SPI data, organizational information etc should be restricted to authorized personnel only and access to be reconciled on periodic interval.
Use multi- factor authentication (MFA) to secure access to critical systems and data.

L&D (Leadership & Development)

To ensure processes are secure and compliant, following controls are important.

Compliance:

Any third-party platform being used and deployed should go through ISG assessments before deployment.
Any third-party organisation or faculty being used for upskilling activity should go through appropriate ISG and background verifications.
All requests for training websites should be verified as per ISG guidelines before approval.
Ensure being compliant with all ISG compliance parameters.
ISG & Legal team approval should be taken before launching any survey and event.

Data & Privacy:

Any survey or events which requires associates to share their personal and sensitive information should be assessed and approved by ISG & Legal team. Also abide by regional data privacy regulations.
Ensure restriction of HR SharePoint folder only to authorized associates to safeguard PI/SPI information.
All emails should be tagged correctly based on priority and content. If the email contains attachments which have sensitive information it should be encrypted and password to be shared to the intended recipient over a secure media.
Data retention/ deletion should be conducted as per the organization data retention policy.
All emails should be tagged correctly based on priority and content. If the email contains attachments which have sensitive information, it should be encrypted and password to be shared to the intended recipient over a secure media.
Ensure sensitive data is encrypted both in transit and at rest.

Access:

Role based Access Control (RBAC) - Facilitation and Implementation done for PACE HR application and access reconciliation should be done as per defined frequency.
Once an associate is separated from the organization, all client and Tech M related accesses should be revoked on priority as per Tech M standard policy.
Access to data storage sites like share point, TM box, google drive etc which contains associates PI/SPI data, organizational information etc should be restricted to authorized personnel only and access to be reconciled on periodic interval.
Use multi- factor authentication (MFA) to secure access to critical systems and data.

RHR (Regional Human Resource)

Regional Human Resources or RHR are HR teams based out of locations or a certain region who are involved in multiple support activities like recruitment, employee profile due diligence, employee support, payroll support, performance improvement plans, upskilling activities etc.

To ensure regional human resources process are secure and compliant, the following controls are important:

Compliance:

All grievances shared by associates should be handled as per data privacy regulations.
RHR team should designate category for role-based access to all critical application.
RHR to sensitise all associates about organization information security procedures such as phishing attack, password policy etc.
Incident reporting procedures should be made aware to all associates on periodic interval.
Ensure any new third-party platform being used is assessed and verified by the third-party risk management team and all mandatory risk assessments completed by the ISG team.
3rd party service providers assisting in recruitment and payroll activities who have access to confidential data should be compliant with organization data privacy and regulatory requirements.
DSAR processing should be streamlined to avoid regulatory penalties.
Additional BV checks such as Criminal verification etc. should be conducted before engaging in critical HR roles.
Policy for all regions to ensure end to end recovery of all the devices provided by TechM to associate on or before end of LWD.
All emails should be tagged correctly based on priority and content. If the email contains attachments which have sensitive information, it should be encrypted and password to be shared to the intended recipient over a secure media.
Work council recommendations to be periodically updated in the HR handbook.
Ensure being compliant with all ISG compliance parameters.
ISG & Legal team approval should be taken before launching any survey and event.
Associate’s consent should be taken before collecting PI/ SPI data from them.

Data & Privacy:

Onsite HRs handling associate handling employee PI/SPI data should store and process as per industry and organisational standards.
At the time of handling candidate PI/SPI data, modes of communication and data storage to be encrypted to prevent any data leakage.
While sharing associates PI/ SPI and other confidential data, the mode of sharing should be in accordance with regional data privacy laws and access controlled.
Any employee grievance recorded during employee engagement to be kept confidential and secured from unauthorized access.
Updated data privacy and protection Access to data storage sites like share point, TM box, google drive etc which contains associates PI/SPI data, organizational information etc should be restricted to authorized personnel only and access to be reconciled on periodic interval.
Updated security requirements to be checked and incorporate in workflow to abide by updated organizational data privacy requirements.
Any survey or events which requires associates to share their personal and sensitive information should be in accordance with ISG guidelines and regional data privacy regulations.
Data retention/ deletion should be conducted as per organization data retention policy.
All emails should be tagged correctly based on priority and content. If the email contains attachments which have sensitive information, it should be encrypted and password to be shared to the intended recipient over a secure media.
Ensure sensitive data is encrypted both in transit and at rest.

Access:

Role based Access Control (RBAC) - Facilitation and Implementation done for PACE HR application and access reconciliation should be done as per defined frequency.
Once an associate is separated from the organization, all client and Tech M related accesses should be revoked on priority as per Tech M standard policy.
Access to data storage sites like share point, TM box, google drive etc which contains associates PI/SPI data, organizational information etc should be restricted to authorized personnel only and access to be reconciled on periodic interval.
Use multi- factor authentication (MFA) to secure access to critical systems and data.

For Any Queries write to ISG Compliance Management Team : ISGSupportfunctioncompliance@TechMahindra.com