Information Security Group

Portfolio Management

Tech Mahindra Ltd. has acquired subsidiaries, which are yet to be fully integrated into Tech Mahindra. These subsidiaries are called “Portfolio Companies” to distinguish them from other fully owned subsidiaries. Information Security, Privacy and Data Protection are important to the proper function and regulatory compliance of every business. Therefore, this Policy aims to ensure Portfolio Companies maintain active risk management, compliance adherence, and proactive risk mitigation for their data and information systems.

Each Portfolio Company has appointed a senior risk officer and formed a subsidiary security council.

Tech Mahindra has appointed one executive, the Risk Manager, who liaises with all the Portfolio Company risk officers on all Risk & Compliance matters, including periodic compliance status reports from the Portfolio Company risk officers.

The Risk Manager works with the risk officers of all Portfolio Companies to ensure that Portfolio Companies (which are not yet integrated) are secure and comply with applicable laws and regulations (with respect to security and privacy).

Through this council we drive maturity improvements and extend ISG services in the area of security testing, monitoring and advice. Each portfolio company also must undergo a self-driven security assessment based on the Standard of Good Practice which Tech Mahindra follows.

Tech Mahindra shall provide guidance on the policies to be implemented by the portfolio companies and work with the nominated risk officers to ensure:

  1. Each Portfolio Company has a well-defined security organization.
  2. Each Portfolio Company complies with established industry security management standards.
  3. Each Portfolio Company has a privacy and data protection policy and program.
  4. Each Portfolio Company has a well-defined security policy and improvement plan.
  5. External assurance is provided to the security program.
  6. Effective communication between Tech Mahindra and its portfolio companies.
  7. Portfolio company security policies, tools, and processes align with the Tech Mahindra security policies, tools, and processes.
  8. Portfolio companies have a BYOD policy.
  9. Appropriate controls when associates from Portfolio companies access Tech Mahindra systems.
  10. Appropriate security and privacy controls during acquisition, integration, and merger with Tech Mahindra.

The M&A team is responsible for initiating the process for Integration and Merger in consultation with Legal to ensure the legal means for Data Protection/Transfer and compliance with other regulatory requirements. The following prerequisites must be completed prior to porting data to the TechM ERP system.

  1. A Data Processing / Data Transfer (IGDTA) agreement must be signed by the authorized signatory in the subsidiary organization before any business and employee PI/SPI data is exchanged between the two companies.
  2. The acquired company must issue a worker privacy notice. The HR team ensures that Portfolio HR has shared the Worker Privacy Notice in line with TechM policy (email, published on Intranet and Internet as relevant).

Portfolio company endpoints are installed with TechM baseline security controls using Intune, which enables each endpoint to have TechM Group Policy and baseline security controls/tools implemented.


Training

All Portfolio companies are required to have an annual Information Security and Data Protection training and assessment program. TechM is sharing the training program it uses with the Portfolio companies so that they can customize it to their requirements and use it in their own organizations.

Employees who have been provided access to TechM systems have access to the TechM Learning portal (DEXT) and complete the mandatory security awareness training program.

For any queries, write to: ISGPorfolioCompliance@techmahindra.com
Copyright © Tech Mahindra Limited. All Rights Reserved