Risk management helps TechM identify the security gaps and vulnerabilities found at different levels and mitigate them, so that TechM's business is secured, customer trust is built, and financial loss and damage to reputation and brand image are prevented.
Technology is advancing at an unprecedented rate and has increased the complexity of data processing exponentially. The same advances have given rise to a range of cyber threats, including viruses, malware, ransomware and phishing emails; these lead to data privacy breaches and theft of confidential data, which in turn can lead to loss of business.
Security compliance management ensures that the entire organization is security compliant with global standards and with clients' contractual, legal and regulatory requirements, and that emerging and new risks are mitigated appropriately. It also maintains security from the presales stage, through execution, until the termination stage of an assignment.
In addition, strict and geographically varying data privacy and other regulations evolving around the globe, combined with high customer expectations, require a security and compliance framework within TechM that supports Delivery in building new business models and can lead to exponential and sustainable business growth.
Risk and compliance go hand in hand: if risks are identified at an early stage and compliance is handled properly, a good portion of the basis for risk mitigation is already in place.
Well-managed information security risk and compliance therefore helps TechM build customer trust, protect the TechM brand image, improve operational processes, enhance consistency and, in turn, helps the business make decisions in the right direction.
Major responsibilities of the Risk and Compliance function
- Assess the contractual and regulatory requirements and support Delivery and the support functions in ensuring compliance
- Implement security improvement measures based on risk or on new standards
- Stay aligned with Delivery units and support functions
- Provide a dedicated Compliance Manager / lead for each SBU / cluster and support function to cater to their requirements
- Drive security improvement initiatives, e.g. the GDPR compliance initiative
- Create and maintain MSA audit checklists and Account Fact files
- Support Delivery so that all security roles and responsibilities are managed diligently by the Project or Account Managers
- Provide monthly compliance reports / ISBC scorecards for all accounts
- Presales support: ensure RFP/RFI/presales responses, including contract reviews and schedule reviews, are completed within SLA timelines
- Assist in the closure of open NCs or vulnerabilities
- Facilitate external audits and support Delivery in ensuring compliance with client security requirements
RARTP
The risk assessment process applies to all assets owned and managed by TechM and its projects, functions, events, labs and platforms. All projects in Tech Mahindra, including Application Development Management Services (ADMS), Managed Services (MS) and Business Support Group (BSG) services, are covered by this process.

Lab Security
Security of the labs is a major concern because of the intellectual property they hold and the additional privileges granted in lab environments. Tech Mahindra runs a variety of labs for customer delivery and for internal capability building.

Account VIGIL
This is an important document created as part of the compliance requirement. Both the Account VIGIL and the MSA checklist are signed off by the compliance team and are used as base documents for the Assurance review.

MSA Check List
Security compliance requirements are gathered from the MSA and the Security / Privacy Schedule. Based on the MSA and other security documentation from the customer, an audit checklist is prepared at the initial stages of contract execution and is used as part of the internal audit process. This is in addition to the ISO 27001 requirements, which are audited as part of the same audit process.

SRC
A security risk and compliance scorecard is prepared for each account to measure the operational and continuous contractual security controls. It provides the compliance status of the pre-onboarding, post-onboarding and separation controls for the account and is prepared on a regular basis according to client requirements.

SPHR
Security Health Parameters are the critical project-level security parameters, such as the mandatory Risk Assessment, Data Privacy and Business Continuity requirement definitions and documentation completions. They are assessed by project managers at project level and updated using the SPHR tool kit.

GAP Assessment
The ISG Compliance team conducts an information security gap assessment that compares the security program against overall best security practices, to shed light on areas where vulnerabilities and risks are lurking.

ISBC Score Card
Security compliance across delivery is measured through the ISBC scorecard. The following parameters are considered to measure and represent the compliance status of the important clusters:
- Customer IP
- Data Privacy
- Contractual Obligation
- Network Security
- Physical Security
- HR Security
- BCM Overall Score
- Technical Vulnerability

Supplier Management
TechM outsources certain delivery and function work to external vendors, so the risks involved in outsourcing must be identified and mitigated as necessary. The ISG third party security management team (TPSRM) is responsible for identifying and categorizing vendors based on the supplier risk assessment performed, and for ensuring that information security controls are implemented to mitigate supplier-related risk.

TechM Subsidiaries
Tech Mahindra Ltd. has acquired subsidiaries that are yet to be fully integrated into Tech Mahindra. Information security, privacy and data protection are important to the proper functioning and regulatory compliance of every business. A subsidiary security council has therefore been formed to ensure that the subsidiaries have an active risk management program, adhere to compliance requirements and actively mitigate the risks to which their data and information systems would otherwise be exposed.

Pre Sales Support
Presales is the set of activities normally carried out before a customer is acquired. The ISG team helps the business with MSA/RFI/RFP review, responds to client-provided security questionnaires, reviews indemnity and unlimited liability clauses, and provides ISG approval during the pre-sales phase. The ISG team also reviews the MSA, client security policies and data privacy documents when projects are renewed.

Third Party Audits
To address customer contractual commitments and regulatory needs, the Risk and Compliance team coordinates with external auditing firms to conduct second and third party audits, including:
- ISO 27001
- ISO 22301
- SOC 1 Type 2 audit
- SOC 2 Type 2 audit
- PCI DSS
- TISAX audit