Risk Controls | HCLTech
Home

Risk Controls

HCLTech Risk Controls For Customer Environment

To prevent data leakages in HCLTech customer’s environment, below is the list of indicative controls that are recommended to be put in place:

Control measures to ensure data confidentiality, security, integrity and availability:

  • Logical access control:
    • Every employee requires a unique ‘User ID’ and password to access the IT systems in the enterprise.
    • Every user ID has a password and users are required to set and change their passwords as per password policy.
    • User IDs are created as per defined process and with adequate authorizations.
    • User IDs are disabled on separation day based on information provided.
  • Data Access control:
    • Access to data is available only after user authentication with a valid user identifier and matching password; no “guest” access is permitted.
    • Access logs are kept for a minimum of 52 weeks.
    • Access permissions are reviewed and audited at least annually for all critical systems.
  • Information Security compliance:
    • Customer has an identified Information Security organization structure which oversees information security related processes and activities.
    • Customer has defined and documented data privacy policies and processes addressing access to personal data.
    • Customer has defined, documented and implemented a Risk Management framework to identify risks related to security, privacy and other contractual requirements.
    • Mandatory Information Security awareness training is provided through a country-wide e-Learning module.
    • All incidents reported are analyzed for root cause and impact. The remedial actions are initiated by the process owners. The key incidents along with their root causes and impact are reported to Customer’s management.
    • Customer’s Data Centers are ISO 27001certified.
  • Physical & environmental security:
    • Physical access to Data Processor offices and processing area(s) is controlled by access control mechanism.
    • Visitor entry is monitored and recorded. Visitors are allowed to visit only on prior approval basis.
    • Visitors are provided Visitor badges.
    • All critical areas are CCTV covered and recordings are maintained for at least 30 days.
    • Security guards are deployed on 24X7 basis.
    • Security guards are trained to challenge any individual with suspicious movements/ without appropriate identification card.
    • Operational area is equipped with fire and smoke detectors and alarms with Fire extinguishers.
    • Fire drills including evacuation drills are conducted on predefined frequency.
    • Power supply to all the computers and other equipment in the building are provided with UPS and generators
  • Laptops, Desktops, Servers and Networking equipment security:
    • Operating systems and application patches are recommended to be tested and applied regularly to the desktops, laptops, Servers and networking equipment.
    • If sharing of files/directories from a server to other computers is required, then it has to be enabled in such a way that only users who have need to know is having the access to the share and the principle of least privilege is followed.
    • Systems clocks of all the servers and networking equipment is synchronized and they are set to the time of the time zone of the location of the server/equipment. Only authorized personnel are having the privilege to change or reset system clock time.
    • Antivirus software is installed on all desktops and servers .
    • Antivirus signatures are updated on daily basis and any deviations/ exceptions are tracked.
    • Unauthorized software are not allowed on laptops, desktops and servers.
    • Backups are taken and restoration checks are done for identified systems based on agreed upon frequencies.
    • For the Data Center, Visitor laptops and other media devices are permitted only on approval basis and for required purposes only.
  • Email security, DLP etc.:
    • DLP is installed on all end user machines.
    • All emails are scanned for virus or malicious codes at gateway level.
    • Email systems are configured to restrict identity spoofing, spamming and relaying to protect against the same.
  • Firewall and router configuration to prevent unauthorized traffic:
    • Firewalls and routers are configured in such a way that only authorized traffic is allowed.
  • Threat and Vulnerability management
    • Patch management
    • Anti-virus / anti-malware
    • Threat notifications
    • Vulnerability scanning and periodic penetration testing
  • Availability/ Resilience:
    • BCP/ DR plans/ procedures are designed and in place to maintain service availability and/ or recovery from emergency situations

Risk Controls To Be Implemented By Vendors

Vendor shall be responsible for implementing the control measures in its organization and environment to ensure data confidentiality, security, integrity and availability.

To prevent data leakages, below is the indicative list of minimum controls that the Vendor is required to implement prior to the provision of Services to HCLTech or its customers:

  • Logical access control:
    • Every Vendor personnel is required to have a unique ‘User ID’ and password to access the HCL and/or client IT systems.
    • User IDs are created as per defined process and with adequate authorizations.
  • Data Access control:
    • Access to data is available only after user authentication with a valid user identifier and matching password; no “guest” access is permitted.
    • Access permissions are reviewed and audited at least annually by the Vendor for all critical systems.
  • Information Security compliance:
    • Vendor has defined and documented data privacy policies and processes addressing access to personal data.
    • Vendor’s Data Centers are ISO 27001 certified.
    • Vendor shall, at all times, comply with HCL’s and/or client’s information security related policies and guidelines.
  • Physical & environmental security:
    • Physical access to Data Processor offices and processing area(s) is controlled by access control mechanism. All critical areas are CCTV covered and recordings are maintained for at least 30 days.
    • Security guards are deployed on 24X7 basis. Operational area is equipped with fire and smoke detectors and alarms with Fire extinguishers.
  • Laptops, Desktops, Servers and Networking equipment security:
    • Operating systems and application patches are recommended to be tested and applied regularly to the desktops, laptops, Servers and networking equipment.
    • Antivirus software is installed and Antivirus signature are updated on all desktops and servers on daily basis. Unauthorized software are not allowed on laptops, desktops and servers.
  • Email security, DLP etc.:
    • DLP is installed on all end user machines.
    • All emails are scanned for virus or malicious codes at gateway level. Email systems are configured to restrict identity spoofing, spamming and relaying to protect against the same.
  • Firewall and router configuration to prevent unauthorized traffic:
    • Firewalls and routers are configured in such a way that only authorized traffic is allowed.
  • Threat and Vulnerability management
    • Threat notifications.
    • Vulnerability scanning and periodic penetration testing
  • Availability/ Resilience:
    • BCP/ DR plans/ procedures are designed and in place to maintain service availability and/ or recovery from emergency situations