Third Party Risk Management

The selection of the suppliers involves the supplier passing a set of security check criteria. ISG conducts supplier security assessment by assessing the security controls implemented by the supplier at their premises or their own infrastructure by validating the security questionnaire / checklist and evaluating the details and evidence shared by the supplier. Security certifications like ISO 27001 are also validated if available. As part of Supplier Security Assurance, ISG conducts technical assessment through security monitoring tool (UpGuard), to ensure good security posture of all partners and suppliers engaged with Tech Mahindra to build resilient supply chain. The supplier can be onboarded after clearance from ISG.

The PM needs to first check if any supplier is involved in the project. (For example, there could be subcon associates working in the project or a software application/tool developed by an external party being used, or a part of the project viz. testing, is being outsourced to an external supplier or some services like Cloud hosting or Helpdesk are being provided by a supplier.) If the PM thus determines that a supplier is involved, then they should get in touch with ISG to get the Supplier security assessment conducted. To initiate the Supplier security assessment, the PM needs to raise a service request in HelpNxt portal:” https://helpnxt.techmahindra.com -> Service Catalog -> ISG -> Supplier” and share the Request ID with the ISG TPRM team (ISGTPSRM@TechMahindra.com) along with the Agreement, NDA etc. documents signed by TechM and the supplier. The ISG team will then start working on the request.

Once a supplier has been approved by ISG, the contracting phase ensures that the security and privacy requirements are legally enforced in their contracts. The contracts/MSA/agreements are vetted by ISG to ensure back-to-back cascading of relevant clauses related to data privacy and security requirements from the client MSA. The organizational level NDA is also validated. If the supplier has access to PI-SPI (Personal Information-Sensitive Personal Information), Privacy Impact Assessment is conducted for validating the data protection and privacy controls.

After receiving the service request, ISG will evaluate vendor details provided in the service request raised by the PM. If assessment is needed, ISG will share the appropriate template based on the supplier category, with the PM for capturing additional details. If the supplier has access to personal data, then ISG will also share the Privacy Impact Assessment (PIA) and Record of Processing Activity (RoPA) templates with the PM. PM needs to update project specific information and connect with the supplier to get supplier related information, required policy documents and other artifacts for validation.

Supplier Compliance with the agreed Security and data privacy controls are tracked at delivery level and reviewed on a regular basis by the respective ISG compliance managers responsible for the function/account. Security audit is conducted by ISG on applicable suppliers as per the client contractual and regulatory requirements and the agreed security controls. Annual review of risks associated with applicable suppliers is undertaken by ISG with active help from the respective functions and project delivery units. The security score of high-risk suppliers is continuously monitored by using the security monitoring tool (UpGuard) and any vulnerabilities identified are communicated to the supplier for remediation within a defined timeline.

Post supplier onboarding, PM needs to liaise with the supplier for audits, annual assessments, remediation of vulnerabilities identified by the security monitoring tool (UpGuard) etc. Also, PM need to inform ISG if there is any change in the scope of services being provided by the supplier from what they were initially assessed for.

In case the contract with a supplier is planned to be terminated, the PM (Project Manager) to send a notification email to ISG informing the same. ISG team conducts checks during termination to ensure compliance. The main checks involved in this stage are: Return of Assets, Revocation of Access and Deletion of Data. PM to update the ISG Offboarding checklist after consulting the supplier and share the updated responses with ISG for validation. After validation by ISG, the supplier can be offboarded. PM to inform the respective team to offboard the supplier in the system accordingly.

PM needs to provide sufficiently advance intimation to ISG for supplier termination. ISG will share the appropriate offboarding checklist with PM to fill and get validated by ISG in time before the supplier is terminated. Supplier can be offboarded after approval from ISG.