Information Security Group

Risk and Compliance

Risk and compliance are critical aspects of governance: they ensure that an organization operates within legal, ethical and regulatory boundaries while managing the risks that could hinder its operations or damage its reputation. Risk and compliance is the responsibility of each and every associate. It includes complying with all of our policies and acting in a responsible and ethical manner. We all need to ensure that Tech Mahindra and customer operations and data remain safe, secure and privacy compliant.

Key Activities

Risk assessment is the process of cataloging information assets, identifying the threats and vulnerabilities that could affect the security of each asset, evaluating the resulting risks, and documenting how each risk will be managed.

Risk Vigil is the tool used to identify, assess and prioritize operational and asset risks. It provides a systematic approach to threat analysis and to planning risk mitigation.

Every Project Manager is required to create a risk assessment and a risk treatment plan for their project. This ensures that potential project risks are identified, analyzed and evaluated, and that the appropriate treatment (mitigate, accept, avoid or transfer) is applied to each one.

Project managers are required to log into the Risk Vigil tool and carry out the risk assessment process for their respective projects.

Project Managers' responsibilities include:

  • Creating and maintaining the Asset Inventory in the Risk Vigil Tool.
  • Conducting Risk Assessments for information assets.
  • Determining risk levels by considering existing controls.
  • Documenting Risk Treatment Plans for risks assessed as Medium or High.

Whenever a new account or project is being set up, the PM needs to connect with the TIM and CS SPOCs at the respective locations to get the ODC set up.

An ODC checklist is created based on the MSA and shared with TIM and CS so that any relevant or additional controls required beyond the TechM baseline security controls are implemented.

If the MSA does not specify particular controls, the TechM baseline security controls for physical security are implemented.

A gap assessment for an offshore development center (ODC) evaluates the ODC's security posture against contractual obligations, industry best practices, regulatory requirements and organizational standards.

The PM shall raise a gap assessment request in each of the following cases; for a new customer ODC, the request must be raised before the ODC becomes operational.

  • Setting up a new ODC
  • Any change in ODC set-up, including network changes.
  • ODC relocation
  • ODC Closure

For any new account onboarded on the TechM Pace system, delivery ensures that an MSA has been signed with the customer.

Before providing services to the customer, the delivery team must ensure that a legal document (LOI, PO or SOW) has been signed between the two companies.

Below are the activities the PM needs to perform during the account initiation phase:

  • ODC Setup request as applicable.
  • Customer-specific NDA signed by the resources working on the customer's projects (as applicable).
  • RBAC for onboarded resources.
  • Completion of security awareness training by associates (both customer and TechM training, as applicable).
  • Agreement with the customer on the customer ID activation and deletion process.
  • Set-up Customer ID reconciliation process.
  • Supplier risk assessment (as applicable)
  • Technical security assessment (cloud/platform – as applicable)

Once the account has been created and is ready to go live, there are ISG in-life security compliance and baseline security compliance activities that each PM has to adhere to.

Closing an account securely from an information security perspective is crucial to prevent unauthorized access and protect sensitive data.

Once the deliverables have been fulfilled and there is no contract or SOW renewal, account closure activities must be initiated in accordance with the MSA.

The project manager needs to raise a service request in ServiceNow for the account closure procedure, to ensure compliance with the contractual obligations on data and media handling as well as the ID deactivation process.

Below are the activities that need to be performed while closing an account:

  • Data Management: Before closing the account, the PM needs to ensure that the data management activities stipulated in the Master Services Agreement (MSA) are performed, involving TIM or CSRM as applicable. Refer to the MSA and carry out the required data backup, data retention and data deletion activities.
  • Access Revocation: Immediately revoke all access associated with the account. This includes access to systems, applications, networks and any other resources the account had been authorized to use.
  • Notification: Notify the relevant stakeholders about the closure of the account, especially where it affects their operations or their access to shared resources. This may include internal teams, external partners or customers affected by the closure.
  • Confirmation: Connect with the ISG team to verify and validate that all contractually required account closure steps have been performed.
  • Account Deactivation: Once all of the above has been completed, deallocate all associates from the projects and delete all account information from the TechM Pace systems to complete the closure.

Project Managers are expected to report any security-related customer complaints. The Information Security Group (ISG), in collaboration with the delivery team, will investigate and provide an analysis, after which the appropriate resolution and remediation actions will be taken. Throughout this process, clear and transparent communication is imperative.

Delivery teams reach out to the R&C team to facilitate customer visits, whether as part of business as usual or as due diligence by prospective customers.

The R&C team leads the visit on behalf of ISG, conducting a session on the company's best practices, policies, procedures and the technology employed to ensure compliance and to safeguard against threats and vulnerabilities.

During client visits, the role of Risk and Compliance is to ensure that the company's systems, data and operations remain secure and compliant with the relevant standards and regulations. In more detail:

  • Preparation and Coordination: The R&C team works with the project manager or delivery team to prepare for the client visit. This involves reviewing the current in-life and baseline security compliance status, assessing potential security risks and implementing any necessary precautions.
  • Facilitation of Visits: The R&C team actively participates in client meetings or is available to address any security-related concerns raised by the client, serving as subject matter experts on security practices and protocols.
  • Demonstration of Security Measures: The R&C team showcases the company's security measures, policies and procedures to the client. This may include presenting information on information security and data protection protocols, access controls, encryption methods and security monitoring tools.

Overall, the involvement of ISG during client visits is essential for building trust, ensuring compliance and demonstrating the company's commitment to maintaining a secure and resilient business environment.

Please refer to the Risk and Compliance SPOC details page for contact information.
Copyright © Tech Mahindra Limited. All Rights Reserved