
Technical Security

The ISG Technical Security subfunction helps protect IT assets and applications, prevent data breaches, ensure regulatory compliance, and safeguard against potential threats. All IT assets and internal applications must undergo a comprehensive security assessment while being built and before being put into production. This helps remove security defects and bugs and ensures compliance with security and privacy laws and regulations. In addition, these assets must be managed and tested routinely to prevent misconfigurations and exploitable vulnerabilities and to ensure proper access control.

ISG helps in:

  • Risk assessment of bespoke and SaaS applications and Cloud environments implemented for Tech Mahindra.
  • Vulnerability Testing of server, network and other infrastructure devices.
  • Security Assessments of TechM web, desktop and mobile applications before they are rolled out within TechM.
  • Review of network connectivity between TechM & external parties and identification of risks from opening ports and connections.

Raise a request under Helpnxt.techmahindra.com -> Request Something -> ISG -> Cloud & Application/Platform

The ISG team supports the requests below.

Application Risk Assessment (Overall checks)

Actions Taken by TechSec Team
  1. Application Risk Assessment, Secure Code Review, Security Scanning of the Server (VAPT), Penetration Testing (WAPT) of the Application
  2. Provide Scanning Reports
  3. Provide Sign-Off for TIM to create the DNS Entry

Pre-Requisites from Requestor
  1. Filled "Application and Platform Risk Assessment and Risk Treatment Template"
  2. Application Design Documents (HLD, Data Flow Diagram, Deployment Diagram, etc), Data Protection Mechanism, etc
  3. IP Details, Codebase to be shared with ISG for Scanning

Actions Taken by TechSec Team
  1. Application Risk Assessment
  2. Review Reports - Secure Code Review, Security Scanning of the Server (VAPT), Penetration Testing (WAPT) of the Application
  3. Perform Vendor Risk Assessment
  4. Provide Sign-Off for TIM to create the DNS Entry / Approve Usage of Application

Pre-Requisites from Requestor
  1. Filled "Application and Platform Risk Assessment and Risk Treatment Template"
  2. Application Design Documents (HLD, Data Flow Diagram, Deployment Diagram, etc), Data Protection Mechanism, etc
  3. 3rd Party Application Reports - Secure Code Review, Application Risk Assessment, Vulnerability Scanning (VAPT) of the Server, Penetration Testing (WAPT) of the Application, Security Certifications (e.g. ISO 27001, PCI-DSS, etc)

Vulnerability Assessment only

Actions Taken by TechSec Team
  1. High Level Application Risk Assessment based on Updated Information
  2. Review Updated Security Scanning (VAPT) Report for the Server
  3. Perform Secure Code Review, Penetration Testing (WAPT) of the Application
  4. Provide Scanning Reports
  5. Provide Sign-Off

Pre-Requisites from Requestor
  1. Updated "Application and Platform Risk Assessment and Risk Treatment Template", Application Design Documents (HLD, Data Flow Diagram, Deployment Diagram, etc), Data Protection Mechanism, etc
  2. Updated Security Scanning (VAPT) Report for the Server
  3. IP Details, Codebase to be shared with ISG for Scanning

Actions Taken by TechSec Team
  1. Review of Previous Risk Assessment Report
  2. Scanning of Infrastructure Device / Server by ISG VAPT Team
  3. Closure Certificate

Pre-Requisites from Requestor
  1. Updated details of Device Purpose, Network / Deployment Diagram, Authentication, Administration & Management, IP Address, Hostname, etc filled in the "Application and Platform Risk Assessment and Risk Treatment" Template Sheet
  2. Previous Risk Assessment / Approval Details

Actions Taken by TechSec Team
  1. High Level Risk Assessment
  2. Review CAB Approval (if Device will require changes to TechM Infra - Network Architecture / Design)
  3. Perform Device / Server VAPT.
  4. Provide Sign-Off

Pre-Requisites from Requestor
  1. Details of Device Purpose, Network / Deployment Diagram, Authentication, Administration & Management, IP Address, Hostname, etc filled in the "Application and Platform Risk Assessment and Risk Treatment" Template Sheet

Quick starts

Actions Taken by TechSec Team
  1. High Level Risk Assessment
  2. Perform Device / Server VAPT & Application WAPT (For Applications with PI / SPI / Sensitive Data).
  3. Provide Sign-Off

Pre-Requisites from Requestor
  1. Details of Application, Purpose, Data Processed / Handled, Data Protection, HLD, Network / Deployment Diagram, Data Flow Diagram, Authentication and Authorisation Mechanism, Roles & Responsibilities, Users of the Application (TechM / External) to be provided
  2. Details of Environment / Server where the POC is to be provisioned.
  3. Duration of POC / Testing, Approval from Service Line / IBU Head.
  4. Details on who all have access to POC Environment, how access is limited / restricted, how access is made secure (E.g. VPN, 2FA).
  5. Evidence of Environment, Server Hardening / Patching

Actions Taken by TechSec Team (For Applications with PI / SPI / Sensitive Data)
  1. High Level Risk Assessment
  2. Perform Device / Server VAPT & Application WAPT
  3. Provide Sign-Off
For Other Applications -> TIM will directly provision the environment based on details provided in the Service Request

Pre-Requisites from Requestor
  1. Details of Application, Purpose, Data Processed / Handled, Data Protection, HLD, Network / Deployment Diagram, Data Flow Diagram, Authentication and Authorisation Mechanism, Roles & Responsibilities, Users of the Application (TechM / External) to be provided
  2. Details of Environment / Server where the POC is to be provisioned.
  3. Duration of POC / Testing, Approval from Service Line / IBU Head.
  4. Details on who all have access to POC Environment, how access is limited / restricted, how access is made secure (E.g. VPN, 2FA).
  5. Evidence of Environment, Server Hardening / Patching

Other Request

Actions Taken by TechSec Team
  1. Perform Risk Assessment - Review if Connection Request is Secure
  2. Review if allowed as per MSA
  3. ISG Approval is automatically routed to TIM for Implementation

Pre-Requisites from Requestor
  1. Business Requirement
  2. Firewall (Dedicated or Shared or Corporate) where this is requested
  3. Source IPs, Destination IPs, Ports (With Purpose), Network Location (CDMZ/ LAN /DMZ/ Open internet), Connection between Source to Destination (S2S, VPN tunnel, MPLS, Open Internet)
  4. Documents - Network Connectivity Diagram
  5. VA&PT / WAPT Closure Certificate of Assets / Application

Actions Taken by TechSec Team
  1. Application Risk Assessed / Check if already approved by ISG for Publishing
  2. Provide Details - Multiple Similar Domains Selected for Procurement (To prevent malicious procurements and phishing or fraud).
  3. Procurement by TIM

Pre-Requisites from Requestor
  1. Application ISG Approval / Sign-Off Validation.
  2. Recommendation of Domain + Multiple Similar domains.

For any queries write to: isgtechsec@techmahindra.com