Information Security And Business Continuity @ Mahindra Satyam Mahindra Satyam Confidential

Upload: joshua-scott

Post on 01-Jan-2016


Page 1: Information Security and Business Continuity @ Mahindra Satyam

Mahindra Satyam Confidential

Page 2: What is Information Security Management

Source: ISO27001:2005 standard

• Management System that helps to
  – Establish, implement, and operate
  – Monitor, review, maintain and
  – Improve Information Security

• Information Security is preservation of
  – Confidentiality
  – Integrity and
  – Availability of Information

• And other properties such as
  – Authenticity
  – Accountability
  – Non-repudiation
  – Reliability

Page 3: Information Security Management System (ISMS)

• @Mahindra Satyam: based on the international standard ISO27001:2005

• Globally certified (all current locations)
  – Additional reference (QUALIFY): http://esupport.satyam.com → Webqualify → ISMS Policy Manual → Section on Locations

• Certifying body: BVQI – UK

• Compliance is verified annually through audits

Page 4: ISO 27001:2005

• Contains the following domains
  – Security Policy
  – Organizing Information Security
  – Asset management
  – Human resource security
  – Physical and environmental security
  – Communications and operations management
  – Access control
  – Information systems acquisition, development & maintenance
  – Information security incident management
  – Business continuity management
  – Compliance

Page 5: Security Policy

“To ensure Confidentiality, Integrity and Availability of information that is acquired, developed and provided to all stakeholders”

Refer: QUALIFY → QMS Documentation → Policy Manuals → ISMS → ISMS – Policy Manual, Section: Information Security Policy

Page 6: Organizing Information Security

Refer: QUALIFY → QMS Documentation → Policy Manuals → ISMS → ISMS – Policy Manual, Section: Information Security Management Forum / Roles & Responsibilities

Roles and bodies shown in the slide's organization chart:

• Managing Director
• Chief Information Security Officer
• Information Security Management Forum
• Core Group
• Local Core Groups

Page 7: Asset Management

– Assets classified as Physical, Software and Information
– Each carries a potential risk related to security
  • Based on the possible threats, asset-based risk assessment is carried out
  • The identified risks are mitigated through the implementation of controls
– Each asset should have an asset owner
– Information classification
– Data creation, storage and disposal

Refer: QUALIFY → QMS Documentation → Policy Manuals → ISMS → ISMS – Policy Manual, Section: Asset classification and control

Page 8: Human Resource Security

– Is the weakest link in maintaining information security
– Reference and background check
– Confidentiality (non-disclosure) and Intellectual Property Rights agreement
– Specific agreements based on business requirement
– Similar process for trainees, contract and temporary staff
– Awareness training to all associates
– Reporting Security Incidents through iSIMS

Refer: QUALIFY → QMS Documentation → Policy Manuals → ISMS → ISMS – Policy Manual, Section: Personnel Security

Page 9: Physical and Environmental Security

Physical security
• Physical security perimeter
• Physical entry control
• Securing offices, rooms and facilities & working in secure areas

Equipment security
• Equipment siting and protection
• Security of equipment off premises, such as laptops
• Secure disposal or re-use of equipment

Refer: QUALIFY → QMS Documentation → Policy Manuals → ISMS → ISMS – Policy Manual, Section: Physical and Environmental Security

Page 10: Communications & operations management

– Email policy: to ensure proper use of the Email facility by Mahindra Satyam Associates and to prevent its misuse.
  • Email is provided for associates to conduct business; personal use is discouraged
  • All Email messages created and stored are Mahindra Satyam’s Proprietary Information
  • Mahindra Satyam retains the right to supervise, access, and review Associates’ electronic mails
  • Authorized users must not allow anyone else to send or receive e-mail using their Email accounts
  • Company Confidential Information shall not be shared except to the extent necessary
  • Company-related information shall be sent only to those Associates concerned, on a “need to know” basis
  • No Associate is allowed to send objectionable material
  • Auto-forwarding an email from inside Mahindra Satyam to an outside network shall not be allowed
  • A disciplinary process is in place to address any violation of the spirit of this guideline
  • Sending emails to public Internet Email accounts shall be restricted and controlled

Refer: QUALIFY → QMS Documentation → Policy Manuals → ISMS → ISMS – Policy Manual, Section: Communications and operations management

Page 11: Access control

– Access control policy
– User access management
  • Privilege management
  • User password management
– User responsibilities
  • Password use
  • Unattended user equipment
– Internet / intranet access policy
– Application access control

Refer: QUALIFY → QMS Documentation → Policy Manuals → ISMS → ISMS – Policy Manual, Section: Access Control

Page 12: iSIMS

Information Security Incident Management System

Page 13: What is Business Continuity Management?

“Business Continuity Management is the process of anticipating incidents which will affect critical functions and preparing the organization to prevent and respond to disasters in a planned and rehearsed manner.”

“If you fail to plan, you plan to fail” - Anonymous

Page 14: Impact of Disaster on our Business

Lost Revenue
• Direct Loss
• Compensatory Payments
• Lost Future Revenues
• Investment Loss

Productivity Loss
• Number of Employees impacted

Damaged Reputation
• Customer, Suppliers, Partners, Banks, Financial Markets
• Credit Ratings

Delayed Collections
• Billing Losses
• Missed Discounts

Extra Expense
• Cost to Recover
• Overtime Expense
• Increased Fraud Risk
• Increased Error Rate
• Travel Expenses
• Temporary Employees

Penalties
• Contractual
• Regulatory
• Legal

Page 15: Mahindra Satyam’s BCMS Model

Cause (what causes disasters)
• Fire
• War
• Power Outage
• Explosion
• Computer Virus
• Strike
• Hacking
• Flood
• Telecommunication Failure
• Theft & Robbery
• Shortage of Critical Items
• Critical Server Breakdown
• Earthquake
• Prolonged absence of Essential Public services

Failure Mode (what fails)
• Information
• Infrastructure
• Personnel

Effect (how does it affect operations)
• Site Outage
• City Outage
• Country Outage

Page 16: Contingency Plans

Mahindra Satyam leverages its multi-location presence across the world to provide alternate sites for the critical projects.

• Site Outage: critical services from an alternate site in the same city
• City Outage: critical services from an alternate site in another city
• Country Outage:
  - Critical services from BC center @ Singapore
  - Onsite/Offsite

Page 17: Business Continuity Planning in Projects

Project lifecycle phases (from the slide's diagram):
• Project Acquisition
• Project Initiation
• Project Planning
• Project Execution
• Project Closure

BCP activities across the lifecycle:
• Identify Critical Projects
• Assess BCP requirements vs cost
• Risk Assessment
• Recovery SLAs & Options
• BC Plan Development
• Implementation & Testing
• Maintenance
• Best Practice / Lessons learnt

Page 18: Business Continuity Management

– Identification of Applications or Support services critical for continuity as required by the customer
– Mitigation plans to minimize impact
– Customer-approved Business continuity plans to manage disaster
– Continuity of services from alternate sites
– Multi-site and multi-city presence to manage site, city and country outage scenarios
– BC options based on recovery window (RTO)
– Completion of scheduled BC tests and retrospective meetings
– Support required from other stakeholders such as CS, N&S to be notified and to be documented in the Location-specific BCP
  • Updated call tree details to be sent on a monthly basis
  • Logistics to address contingency and resumption activities (movement to alternate site, seating arrangement, connectivity requirements, and accommodation and food if required) including for critical associates

Refer: QUALIFY → QMS Documentation → Policy Manuals → BCMS → BCMS – Policy Manual

Page 19: BC Plan Options

• BC Plan I provides minimum acceptable service levels for customers.
• BC Plan II, III provide enhanced service levels at additional cost.

Recovery windows (the slide plots the plans by cost against service level):
• Plan I: <72 hours (Mahindra Satyam)
• Plan II: <12 hours (Customer)
• Plan III: <4 hours (Project)

BC Plan I
• Recovery of Critical projects
• Site Outage and City Outage scenarios
• 24 hr – 72 hr recovery windows
• Shared infrastructure; project-specific infrastructure at cost
• Site capacity up to 5% of primary site
• 15% capacity over 3 shifts, in a common operating environment

Page 20: Compliance

– Compliance with Legal requirements
– Data Privacy protection
– Third party software usage
– Safeguarding organizational records
– Prevention of misuse of information processing facilities

Refer: QUALIFY → QMS Documentation → Policy Manuals → ISMS → ISMS – Policy Manual, Section: Compliance

Page 21: Why Information Security

– It is a statutory requirement
– Avoids legal liability in case of a security breach
– Customers need assurance
– Information is key to business, and any breach can have a long-lasting impact on the organization’s success & growth
– Competitive advantage
– To ensure Confidentiality, Integrity and Availability
– To ensure continuity of services

Page 22: Do’s and Don’ts

Do’s
– Follow Mahindra Satyam specific password guidelines
– Change password if there is an indication of compromise
– Change default passwords on computers and devices
– Use MS Office Communicator for instant messaging
– Follow clear screen and clear desk policy

Don’ts
– Share passwords – you could be liable for a breach
– Use another associate’s email account
– Forward business mails to public email accounts
– Open suspicious attachments
– Distribute email addresses to third parties

Page 23: Do’s and Don’ts

Do’s
– Follow information classification guidelines
– Periodically check for the anti-virus signature
– Safeguard portable devices against theft
– Report lost or stolen equipment immediately
– Use iSIMS to report Information security incidents

Don’ts
– Send sensitive data through wireless devices
– Use external storage devices
– Turn off or disable anti-virus
– Download software, audio/video files from the internet
– Publish Mahindra Satyam IP on internet sites

Page 24: Do’s and Don’ts

Do’s
– Lock workstation when it is not being used
– Zip the attachments to optimize bandwidth
– Safeguard portable devices against theft
– Report lost or stolen equipment immediately
– Use iSIMS to report Information security incidents

Don’ts
– Share customer reference and / or related information
– Install unauthorized software
– Send offensive or disruptive material through email
– Visit malicious sites on the internet
– Misuse resources and privileges

Page 25: Do’s and Don’ts

Do’s
– Be aware of the NDA
– Go through the Information Security Policy Manual
– Use proximity access card for access to the facility
– Ensure boot password for laptops
– Secure laptops when left unattended

Don’ts
– Use photographic equipment within Mahindra Satyam premises
– Leave laptops unattended (shopping malls, parking etc.)
– Discuss company confidential information in public
– Ignore security requirements while developing Software
– Disclose project related data to unintended parties

Page 26: Do’s and Don’ts

Do’s
– Maintain Confidentiality on Customer Name, Project & Documents
– Maintain project records as per record retention guidelines / contract
– Identify Mahindra Satyam’s and Customer’s IP while delivering services, to claim proprietary rights on Mahindra Satyam IP when required
– Adhere to Personal Data Privacy obligations as per contract
– Be sensitive to Information Security policy and procedures

Don’ts
– Commence performance of work before the Contract is signed
– Subcontract work without Customer’s written consent
– Use Open Source unless authorized by Customer in writing
– Refer to Customer / Customer Trademarks / Logos in presentations unless the customer is REFERENCE-ABLE
– Be ignorant of the security policy and procedures

Page 27: Thank You