Information Security Group

Risk Management

Risk management is the process of identifying, assessing, and taking steps to reduce risk to an acceptable level. It mitigates potential threats and vulnerabilities that could impact the confidentiality, integrity, or availability of an organization's information, assets, or operations. An effective risk management process is an essential component of a successful information security program. Tech Mahindra has adopted best practices based on the ISO 27005 standard and the ISO 31000:2009 guidelines.

The detailed process for risk assessment and management consists of the following phases, as shown in the diagram below.



Communication and Consultation

The objectives of this phase are to:

  • improve the understanding of Information Security (IS) risks and the risk management process;
  • ensure that the interests of the stakeholders are understood and considered; and
  • secure endorsement and support for a treatment plan.

Establishing the context

This phase defines the basic parameters for managing information security risk and sets the scope and criteria for the rest of the process. The context includes the organization's external and internal environment and the purpose of the risk management activity, as well as the interface between the external and internal environments.


Identification of Assets

Once the context is established, the information and information-processing assets within Tech Mahindra are identified so that risk assessment and management can provide adequate protection.

  • Valuation of Assets
    To identify the business impact of a loss of confidentiality, integrity, or availability of an asset, each asset is evaluated in terms of its importance to the business. On this basis the business can identify, develop, and implement appropriate procedures for the protection of these assets.

Identification of Threat and Vulnerability pairs

Assets are subject to many kinds of threats that can exploit existing vulnerabilities in the systems, applications or services used by Tech Mahindra. Once the risk owner populates the Asset Inventory in the Risk Assessment Template, the relevant risk description, risk category and references (based on the applicable threats and vulnerabilities), along with possible safeguards, are pre-populated in the Risk Treatment Plan tab for each applicable asset block.


Asset Impact

The risk owner needs to ascertain the impact on the confidentiality, integrity and availability of the asset if a threat materializes.

Impact Rating | Impact Level | Impact Description
1 | Low | Low or minor impact to the organization when a threat exploits the vulnerability. Minor incidents are short-term, controllable, and recoverable. With careful management of the incident and the implementation of appropriate safeguards, the financial loss and public embarrassment can be kept to a minimum.
2 | Medium | Medium impact to the organization when a threat exploits the vulnerability. With an immediate and appropriate response, the impact can be brought under control.
3 | High | Significant impact; may cause considerable system outage and/or loss of connected customers or business confidence, and significant potential financial losses coupled with a public loss of credibility. May result in the compromise of a large amount of information or services.
4 | Critical | Serious or critical impact; may cause an extended system outage or permanent closure of the system, requiring operations to resume at an alternate location. May result in complete compromise of the organization's information or services, client confidential information, or a personal data breach. May damage the reputation of system management, lead to termination of the contract and penalties for a data privacy breach, and/or cause a notable loss of confidence in system resources and services; may require the expenditure of significant resources to repair.

Probability of occurrence rating levels

A rating for the probability (likelihood) of a potential information security incident, in which a threat exploits a vulnerability, is assigned according to the following table:

Rating | Probability rating | Probability range | Description
1 | Low | 1% to 40% | The probability of this information security threat occurring is considered very low (may happen once in 1 to 3 years).
2 | Medium | 41% to 60% | There is a reasonable probability that this information security threat will occur (may happen once a year).
3 | High | 61% to 80% | There is a high probability that this threat will occur if corrective action is not taken (may happen more than once a year).
4 | Critical | 81% to 99% | There is a critical probability that this threat will occur if corrective action is not taken (may happen very frequently, around once a month).

Determination and Analysis of Risk

The next step is the calculation of the risk and its rating. The Risk Rating is a value derived from the Business Impact (BI) rating and the Probability of Occurrence rating, and can take the values given in the table below:


Risk Evaluation

The risk evaluation process covers the identification and selection of security measures (controls) for the high-risk levels identified for a given asset. Its purpose is to decide, based on the outcomes of the risk analysis, which risks need treatment and in what order of priority.
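The determination and evaluation steps above can be worked through on a small register. The following is an added illustration, not the Tech Mahindra RARTP template or any of its formulas. The impact scale (1 Low to 4 Critical) and the probability bands (1-40%, 41-60%, 61-80%, 81-99%) are the page's own; the risk-rating table referenced above is not reproduced on this page, so the example makes three labelled assumptions: an asset's impact rating is the highest of its C, I and A impacts; the risk rating is impact rating multiplied by probability rating; and any rating above an assumed management-set acceptable level of 6 requires treatment. The asset names, threats and percentages are constructed sample data.

```python
"""Risk determination and evaluation over a constructed asset register.

Added illustration; not the Tech Mahindra RARTP template. The 1-4 impact
scale and the probability bands come from the page. ASSUMPTIONS (the page's
own risk-rating table is not reproduced here):
  * impact rating of an asset = max of its C, I and A impact ratings;
  * risk rating = impact rating * probability rating (range 1..16);
  * ratings above ACCEPTABLE_RISK (assumed to be 6) need treatment.
"""
from dataclasses import dataclass

ACCEPTABLE_RISK = 6  # assumed acceptable risk level set by management

# Upper bound of each probability band -> rating (page's table).
PROBABILITY_BANDS = ((40, 1), (60, 2), (80, 3), (99, 4))
IMPACT_LEVELS = {1: "Low", 2: "Medium", 3: "High", 4: "Critical"}


def probability_rating(percent: int) -> int:
    """Map a likelihood percentage (1-99) to the page's 1-4 rating."""
    if not 1 <= percent <= 99:
        raise ValueError(f"probability must be 1..99%, got {percent}")
    for upper, rating in PROBABILITY_BANDS:
        if percent <= upper:
            return rating
    raise AssertionError("unreachable: bands cover 1..99")


@dataclass
class ThreatVulnerabilityPair:
    """One row of the register: an asset, a threat/vulnerability pair and
    the assessed impact on C, I and A plus likelihood after existing controls."""
    asset: str
    threat: str
    vulnerability: str
    impact_c: int          # impact on confidentiality, 1-4
    impact_i: int          # impact on integrity, 1-4
    impact_a: int          # impact on availability, 1-4
    probability_pct: int   # likelihood of occurrence, 1-99%

    def impact_rating(self) -> int:
        # ASSUMPTION: the asset's rating is its worst-case CIA impact.
        ratings = (self.impact_c, self.impact_i, self.impact_a)
        for r in ratings:
            if r not in IMPACT_LEVELS:
                raise ValueError(f"impact rating must be 1..4, got {r}")
        return max(ratings)

    def risk_rating(self) -> int:
        # ASSUMPTION: multiplicative matrix, giving values 1..16.
        return self.impact_rating() * probability_rating(self.probability_pct)


def evaluate(register, acceptable: int = ACCEPTABLE_RISK) -> list:
    """Rate every pair, sort by descending risk and flag those needing treatment."""
    rows = []
    for pair in register:
        rating = pair.risk_rating()
        rows.append({
            "asset": pair.asset,
            "threat": pair.threat,
            "impact": IMPACT_LEVELS[pair.impact_rating()],
            "probability": probability_rating(pair.probability_pct),
            "risk_rating": rating,
            "treat": rating > acceptable,   # above the acceptable level
        })
    rows.sort(key=lambda r: (-r["risk_rating"], r["asset"]))
    return rows


# Constructed sample register (illustrative only; not real assets).
SAMPLE_REGISTER = [
    ThreatVulnerabilityPair("HR payroll DB", "External attacker",
                            "Unpatched DB server", 4, 3, 3, 45),
    ThreatVulnerabilityPair("Office Wi-Fi", "Eavesdropping",
                            "Shared pre-shared key", 2, 1, 1, 70),
    ThreatVulnerabilityPair("Build server", "Malicious insider",
                            "No code signing on artifacts", 2, 4, 2, 15),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_REGISTER):
        flag = "TREAT" if row["treat"] else "accept"
        print(f'{row["asset"]:<16} impact={row["impact"]:<8} '
              f'prob={row["probability"]} risk={row["risk_rating"]:>2}  {flag}')
```

The sort order is the prioritization the Risk Analysis step produces, and the `treat` flag is the Risk Evaluation decision against the acceptable level. Note that the Wi-Fi row lands exactly on the assumed threshold and is accepted; whether a rating equal to the acceptable level is accepted or treated is a policy choice that the real risk criteria must state explicitly.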

Risk treatment Process

Risk treatment involves identifying the range of options for treating each risk, assessing those options, and preparing and implementing treatment plans. Selecting the most appropriate option means balancing the cost of implementing it against the benefit derived from it.

Monitoring and Review

Ongoing monitoring and review of the risk management process ensures that the management plan remains relevant and up to date. Reviews are to be carried out at least once a year, or whenever there is a major change in business, operations, or technology.

The following documents are maintained as part of this risk management process:

  • Completed and updated RA/RTP templates at building, function, application, event-based and project/account/BU level, as applicable.
  • The Information Security Risk Register, maintained at ISG level.


Risk Assessment and Management Activities

Sr. No. | Input | Process description | Output | Ownership
1 | Establishing the Context phase | | |
  | SWOT analysis; PEST analysis; organization structure/culture; internal stakeholders; applicable data privacy laws | Establishing context | Understanding of the internal, external and organizational context | CISO and Steering Committee
2 | Risk Identification | | |
  | H/W, S/W, data, people, services, applications, personal data | Identify assets and valuate | Asset value and criticality | BU Head / Function Owner / PM / Location CS Head
  | Identification of applicable risks and their categories for the asset subgroups | Identify risks | Risk exposure analysis | PM / respective Function Heads
  | Existing controls | Assess impact | Impact rating | PM / respective Function Heads
  | Past incidents / current context | Likelihood of occurrence | Probability rating | PM / respective Function Heads
  | BI rating based on asset value; probability rating | Risk determination | Risk rating | PM / respective Function Heads
3 | Risk Analysis | | |
  | Risk rating and risk criteria | Risk analysis | Prioritization of risks | PM / respective Function Heads
4 | Risk Evaluation | | |
  | Legal and regulatory requirements; prioritized risk listing; existing controls and their effectiveness | Risk evaluation | Risk treatment requirements | PM / respective Function Heads
5 | Risk Treatment | | |
  | Risk assessment report; controls from ISO 27001 | Evaluate | Controls recommended | PM / respective Function Heads
  | Cost-benefit analysis; treatment options | Select controls | |
  | Preparation of risk treatment plans (RTP) | Implement RTP | Residual risk; controls rollout | PM / respective Function Heads
6 | Monitoring and Review | | |
  | Planned audits / reviews | Monitoring and review | Effectiveness of controls; security improvement plans; identification of newly emerging risks | ISG / CISO

Information Security RARTP (Risk Assessment and Risk Treatment Plan)

The RARTP populates risks based on the assets entered. The asset inventory is filled in first by the respective project managers; this input is then used to run the RARTP, which populates the corresponding risks and controls. These can be used for the assessment and for verifying the status of each risk in the project.

FAQs

The Risk Management function is responsible for recording and monitoring risks in the ISG risk register, ensuring their mitigation, and assessing and helping to mitigate potential threats to the security and integrity of TechM information, systems, and assets. This team plays a crucial role in keeping our operations secure and resilient in the face of evolving risks.

Risk refers to the possibility of negative events or circumstances occurring that could lead to loss, damage, or disruption to an organization's goals or objectives. In the context of information security, risks can include data breaches, cyberattacks, unauthorized access, system failures, and more.

Risks are identified through a combination of techniques such as risk assessments, vulnerability assessments, threat analysis, and scenario planning. Regular security audits, penetration testing, and keeping up to date with current security trends also contribute to identifying potential risks.

Associates play a critical role in risk identification. They are often the first to notice unusual activities or vulnerabilities. Encouraging associates to report risks fosters a culture of proactive risk management, helps prevent potential incidents, and enables the organization to respond effectively to emerging threats.

Mitigating risks is essential to safeguard TechM's reputation, financial stability, and operational continuity. By implementing controls, safeguards, and countermeasures, we reduce the likelihood and impact of negative events, help maintain stakeholder trust, and support the overall business objectives.

Risk Management assesses vulnerabilities and potential threats to our data and systems. By identifying weaknesses and implementing safeguards, the team ensures that sensitive information remains confidential, uncompromised, and only accessible to authorized personnel.

Risks are prioritized based on their potential impact and likelihood. The Risk Management team uses a risk assessment framework that considers factors such as the value of the asset at risk, the potential harm, and the probability of a threat occurring.

Associates are encouraged to promptly report any security concerns or potential risks they encounter to the ISG Risk Management Team at isgriskmanagement@techmahindra.com.

The risk assessment is conducted annually, or whenever there is a major change in the scope or nature of an assignment, by the designated owners of functions, business units and projects as applicable, in consultation with the designated security coordinator and an Information Security Group member.

Mitigation strategies vary based on the nature of the risk. They may include implementing technical controls, enhancing security protocols, conducting employee training, and establishing contingency plans to minimize the impact of potential incidents.

Quick links and Reference Documents

  • Information Risk Management Methodology Guidelines
  • Risk Assessment and Risk Treatment Plan template guidelines
  • Information Security RARTP Template
  • Information Security Risk Register Template
  • Information Security RARTP FAQ and Reference
  • List of Risks and References
  • Application and Platform Risk Assessment and Risk Treatment Plan Template
  • Event-Based Risk Assessment Template

Glossary of Important Risk Management Terms

Term | Definition

Asset | Information, data or a resource that has business value.

Risk | The effect of uncertainty on objectives. Risk is a function of the likelihood of a given threat source exercising a particular potential vulnerability and the resulting impact of that adverse event on the organization. Equivalently, risk is a function of the impact likely to be caused to the organization and the likelihood of a given threat exploiting the corresponding vulnerabilities of an asset, after taking account of the controls in place to reduce the risk.

Risk Owner | The person who has the accountability and authority to manage a risk. The asset owner may play the role of risk owner; in some cases, depending on the criticality or nature of the asset, risk ownership can be delegated to others, and such delegation must be documented appropriately.

Acceptable level of Risk | Tech Mahindra aims to reduce the risk level of all its information and information-processing assets to an acceptable level, such that critical business is not affected. At all times the "Risk Level" of any given asset should remain below the "Acceptable Risk Level" set by management. Acceptable risk is the level of risk that management is prepared to accept as business risk.

Risk Assessment | The process of identifying risks to assets and determining the probability of occurrence, the resulting impact, and the additional safeguards that would mitigate that impact; it is part of risk management.

Risk Management | The total process of identifying, controlling and mitigating information security and business continuity related risks. It includes risk assessment; cost-benefit analysis; and the selection, implementation, testing, and security evaluation of safeguards.

Threat | Anything with the potential to cause an unwanted incident that may result in harm to a system or organization and its assets; the potential for a threat source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.

Vulnerability | A flaw or weakness in an asset's security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the asset's security. In other words, vulnerabilities are weaknesses associated with an asset that may be exploited by a threat, causing an unwanted incident that results in loss, damage, or harm to the business. A vulnerability does not itself cause harm; it is merely a condition, or set of conditions, that may allow a threat to affect an asset.

Probability | A measure of the likelihood that a threat will occur and exploit the vulnerability, taking the vulnerability into account and allowing for the safeguards already implemented to prevent it.

Impact | Business impact is an estimate of the severity of the adverse effects, the magnitude of the loss, or the potential opportunity cost to an asset group should a risk be realized, i.e. when a threat exploits a vulnerability of that asset group.

Loss of Confidentiality | Unauthorized disclosure or intelligible interception of information assets.

Loss of Integrity | Loss of accuracy and completeness of information or computer software.

Loss of Availability | Unavailability of information and vital services to users when required.

Legal requirement | Statutory and contractual requirements that the organization must satisfy, including government regulations, directives of trade bodies, statutory compliance, Intellectual Property Rights (including safeguarding customer IP), protection of the organization's records, and data protection and privacy. Applicable data privacy laws are to be recorded in the Privacy Impact Assessment spreadsheet.
Copyright © Tech Mahindra Limited. All Rights Reserved