Information Security Group
|
Services > Technical Security Standards

Technical Security Standards

The IT Applications, Platforms, Services or IT infrastructure used to deliver corporate and business services need to be resilient to cyber-attacks. In order to achieve this resilience, Security Checks are necessary during life of the IT Systems i.e during architecture, design, development, test, deployment, operations, maintenance and sustenance of the entire system with its constituent components. Such Security Checks need specific Security skills, techniques, methodology and tools.

ISG TechSec conducts these Security Checks though well defined services covering the technology landscape of Tech Mahindra.

Services Provided by ISG TechSec

  • Vulnerability Assessment (VA) and Penetration Testing (PT)of application hosting infrastructure, serves, systems and IT infrastructure including networks, devices, enterprise deployments, data centers and cloud environments
  • Web Application Penetration Testing (WAPT) and Mobile Application Security Testing
  • Cloud Security Assessments of all Cloud environments and deployments
  • Platform Security Assessments covering Security and Regulatory Risks, IPR or Copyright issues
  • Static Source Code Scanning and Review for Security of software code base including Open Source Softwares
  • Vulnerability Management covering all TechM critical IT infrastructure and other project IT assets
  • Technical Security Risk Assessment (aka ERA - Event base Risk Assessment) for Applications, Platforms, Services, Labs, Cloud Deployments and IT Infrastructure Solutions.
  • Review, Validation and Approval of Firewall Rule Change Requests (FRCR) for security risks
  • Validation and Approval of Open Source and Freeware Softwares for security risks
  • Validation and Review of the security configurations and implemented security controls based on Security Standards, Policies and Regulatory requirements.
  • Draft Security Policies, Standards, Guidelines, Checklists and processes for Technologies used in the organization and project deliveries
  • Security risk assessment and Approvals as part of Change Management Board of TIM / CIO.
Build Secure Applications and Platforms

Applications and Platforms are built and used by organizations and business to cater essential services to their internal and external customers. They process, store and transmit critical and sensitive data (Personal Information - PI, Personally Identifying Information - PII, Sensitive Personal Information - SPI, financial, health etc.) every day. Which is why, these have become a target of choice for attackers looking for personal or financial gains through fraud.
Secure Environment

The business delivery environments executing various projects and engagements as per MSA and SoW need to ensure security of all constituting elements. This includes work area with physical security controls, machines, networks, systems and platforms are hardened and security configured based in CIS benchmarks, softwares and applications are security assessed and hosting (data centers or cloud) and operating environment is secured.

Facilities in different locations must be secured following the security and regulatory requirements and must be connected over a secured communication channel. Data in processing, transmit and at rest must be secured. All the internet facing systems and services must have at least two factor authentication enabled. All critical corporate systems and services must be protected from internal and external threats. All vendors and suppliers must contractually agree to security requirements of TechM (ref -Guidelines for Supplier Security Agreement (ISG-GL020)).

The corporate and business delivery environment must undergo periodic security assessments. The security vulnerabilities identified or advisory provided by vendors/suppliers/manufactures of IT assets must be patched within SLA. All the critical devices and events must be monitored for any possible security risk or breech

Below references are useful to secure the environment used for delivering business

  • Security and Privacy Controls for Information Systems and Organizations (NIST SP800-53)
  • Zero Trust Architecture (NIST SP800-207)
  • CIS benchmarks
  • Data protection controls, DLP
  • Laws of the land
  • Vulnerability Management
  • Patch Management
  • Group Policy for baselining the IT infrastructure
  • Use of Web Application Firewall (WAF)
  • 2FA for all administrative and critical systems
Applications

The application development and production environments must be secured and isolated. Besides the engineering approach (Secure SDLC) for building security in, the servers, systems, networks must be secured. The source of softwares used must be authentic and legitimate, versioning systems must maintain the secure versions, all the softwares must be upgraded to latest versions. Access to development and production environments must restricted based on roles.

The movement to production environment must be under strict governance and must have security clearance to go live. Engaging vendors or suppliers for development or devising solution, must ensure security and regulatory requirements for sharing the information, data, access to corporate or business network (such as VPN) to ensure that the network to and for remains secure and does not cause any risk to TechM environment or setup. Application environments are periodically security and risk assessed. Refer to Build Secure Applications Section for more details
Cloud

Using public cloud owned and managed by TechM, for internal or external projects must follow security guidance from Cloud Service Provider (CSP) as well as TechM Policy and guidelines.
Network

The corporate and business delivery networks must have security controls built in. All the access controls (ACL), network topologies must implement a layered security approach to achieve defense in depth. The perimeter to core, individual and isolated virtual LANs, VPNs, wireless networks, load balancers, secure transmission and security devices like IPS, IDS, APT, Firewalls, Application Gateways and firewalls, web filtering proxies are designed to ensure effective security.

All networks and perimeter devices are periodically security and risk assessed.
Mobile

Mobile devices such as laptops or phones, must be secured for accessing TechM services or used for business purpose. Mobile Application Management (MAM) and Mobile Device Management (MDM) technologies are used to isolate official use from personal use.
BYOD

TechM Bring Your Own Device (BYOD) policy (BYOD Policy TIM-PO 004) defines rightful use of using personal mobile phone(s) for official use. Using other personal mobile devices like personal laptops and tablets is strictly prohibited.
Laptop

The laptops issued by TechM are used for official purpose only. All such laptops are encrypted, hardened with least privileges, installed with endpoint protections like Anti- Virus / Malware, Data Loss Prevention, proxy with TechM group policy.

Any privileged access, services or softwares installed require exception approval. Refer to Laptop Security Policy (ISG-PO017). Laptops issued by clients have client specified builds and configurations. Such laptops are used only on client networks setup by client or by TechM.
Desktop

All desktops are installed with TechM provided builds of operating system and softwares. These desktops have hardened configurations based on TechM group policy. Refer to Desktop Security Policy (ISG-PO009)
Server

Serves used for corporate services like identity and directory services (AD), mails, domain controller, proxies, web, IPS, IDS, Firewalls etc. or business delivery like databases, ERPs, web servers, application servers etc. are hardened based on TechM group policy or client provided policy and controls.

All servers are securely placed in server rooms or data centers across TechM locations. Server administration is configured for two factor authentications configured and monitored through privileged identity management (PIM) or privileged access management (PAM) tools. All server event must be monitored though SIEM (Security Information and Event Management) or log monitoring tools. Servers are periodically security and risk assessed and audited for security.

What is required to move a server or service into Tech Mahindra Network.

  • Vulnerability Assessment of Server or Service including review of its Security Configurations and hardening level
  • Security assessment of Production Setup and Devices
  • Technical Risk Assessment of the solution of which the Server or Service is part of.
  • Closure Certificate issued by ISG TechSec. Exceptions approval with duly approved Risk Acceptance Document (RAD)

For Security Assessments, a hub request to be raised by system owner

ISG >> ISG - Service Request >> S-066-Event Based VA and PT / WAPT Request

 

Copyright © Tech Mahindra Limited. All Rights Reserved