Important note: Some clients prohibit further subcontracting of their work while some allow it based on prior approval. From a compliance perspective it is therefore necessary that the Project Manager should check if such clauses exist in the client agreement and proceed accordingly. For example, if a client’s contract with TechM states that TechM can subcontract work only after prior approval from the client, then the Project Manager should first seek explicit approval from the client before engaging a supplier in the project.
TPRM Lifecycle Process flow:
Overview of each of the 4 stages
1. Security assessment for new supplier
The selection of a supplier requires the supplier to pass a set of security check criteria. ISG conducts the supplier security assessment by evaluating the security controls implemented by the supplier at their premises or on their own infrastructure, validating the security questionnaire / checklist and reviewing the details and evidence shared by the supplier. Security certifications such as ISO 27001 are also validated where available. A web risk assessment is also performed on the supplier organization's primary domain using a vendor risk management tool (UpGuard). The supplier can be onboarded only after clearance from ISG.
2. Supplier onboarding and contracting
Once a supplier has been cleared by ISG, the contracting phase ensures that the security and privacy requirements are legally enforced through the contracts. The contracts/MSA/agreements are vetted by ISG to ensure back-to-back cascading of the relevant data privacy and security clauses from the client MSA. The organizational-level NDA is also validated. If the supplier has access to PI-SPI (Personal Information-Sensitive Personal Information), a Privacy Impact Assessment is conducted to validate the data protection and privacy controls.
3. Supplier Compliance and Monitoring
Supplier compliance with the agreed security and data privacy controls is tracked at delivery level and reviewed on a regular basis by the respective ISG compliance managers responsible for the function/account. Security audits are conducted by ISG on applicable suppliers as per the client contractual and regulatory requirements and the agreed security controls. An annual review of the risks associated with applicable suppliers is undertaken by ISG with active help from the respective functions and project delivery units. The security score of high-risk suppliers is continuously monitored using the UpGuard supplier risk management tool, and any vulnerabilities identified are communicated to the supplier for remediation within a defined timeline.
4. Supplier Termination
When the contract with a supplier is planned to be terminated, the PM (Project Manager) concerned sends a notification email to ISG informing them of the planned termination. The ISG team conducts checks during termination to ensure compliance. The main checks involved in this stage are: Return of Assets, Revocation of Access and Deletion of Data. The PM fills in the Offboarding checklist after consulting the supplier and shares the filled responses with ISG for validation. After validation is completed by ISG, the supplier can be offboarded.
Project Manager's responsibilities across each of the 4 stages
1. Security assessment for new supplier - Determine if a supplier is involved. If yes, then raise a service request to involve ISG.
The PM first needs to check whether any supplier is involved in the project. For example, there could be subcontracted associates working on the project, a software application/tool developed by an external party being used, a part of the project (viz. testing) being outsourced to an external supplier, or services like Cloud hosting or Helpdesk being provided by a supplier. If the PM thus determines that a supplier is involved, they should get in touch with ISG to have the Supplier security assessment conducted. To initiate the Supplier security assessment, the PM needs to raise a service request in the HelpNxt portal via the path "https://helpnxt.techmahindra.com -> Service Catalog -> ISG -> Supplier" and share the Request ID with the ISG TPRM team (ISGTPSRM@TechMahindra.com) along with the Agreement, NDA and other documents signed by TechM and the supplier. The ISG team will then start working on the request.
The table below lists the sequence of steps involved:

| Sr. No. | Step | Remarks |
|---|---|---|
| 1 | PM to check if any supplier is involved in the project | If a supplier is involved, go to step 2; otherwise supplier security assessment by ISG is not applicable for the project. |
| 2 | PM to raise a service request in the HelpNxt portal | Path to raise the Service request: "https://helpnxt.techmahindra.com -> Service Catalog -> ISG -> Supplier". Share the Request ID with ISGTPSRM@TechMahindra.com along with the Contract/MSA/SoW and NDA documents signed by TechM and the Supplier. |
| 3 | ISG to evaluate vendor details provided in the service request raised by the PM | ISG to determine whether a supplier security assessment is needed. If an assessment is needed, ISG to finalize the supplier category. |
| 4 | ISG to share the appropriate template, based on the supplier category, with the PM for capturing additional details | If the supplier has access to personal data, ISG to also share the Privacy Impact Assessment (PIA) and Record of Processing Activity (RoPA) templates with the PM. |
| 5 | PM to submit the filled templates to ISG | In the ISG template and the PIA and RoPA templates (applicable where the supplier has access to personal data), the PM fills in the project-specific information and connects with the supplier to fill in the supplier-related information. |
| 6 | ISG to validate the details shared in the filled templates and the supporting evidence | Where ISG needs clarifications or further evidence, some iterations with the PM and supplier are likely. |
| 7 | ISG to provide approval for supplier onboarding | Supplier can be onboarded after approval from ISG. |
2. Supplier onboarding and contracting
Liaise with the different stakeholders, viz. ISG, Legal, Supplier and Delivery, to finalize the contracts and, if applicable, complete the Privacy assessment as well.
3. Supplier Compliance and Monitoring
Cooperate with ISG by liaising with the supplier for audits, annual assessments, remediation of vulnerabilities identified by UpGuard, etc. Also inform ISG of any change in the scope of services being provided by the vendor compared with what they were initially assessed for.
4. Supplier Termination
Provide sufficient advance intimation to ISG and help get the offboarding checklist completed, so that ISG can validate it in time before the supplier is terminated.
For further details refer to the following documents in BMS:
- Associates need to raise a service desk ticket to avail of ISG TPSRM services
- Information Security Policy Supplier Relationships - ISG-PO032

How to reach the ISG TPSRM team:
- ISG TPSRM Email Contact: ISGTPSRM@TechMahindra.com