Information Security and Business Continuity @ Mahindra Satyam
Mahindra Satyam Confidential
What is Information Security Management
Source: ISO27001:2005 standard
• Management System that helps to
  – Establish, implement, and operate
  – Monitor, review, maintain and
  – Improve Information Security
• Information Security is preservation of
  – Confidentiality
  – Integrity and
  – Availability of Information
• And other properties such as
  – Authenticity
  – Accountability
  – Non-repudiation
  – Reliability
Information Security Management System (ISMS)
• @Mahindra Satyam: based on the International standard ISO27001:2005
• Globally certified (all current locations)
• Additional reference (QUALIFY): http://esupport.satyam.com Webqualify
  – ISMS Policy Manual – Section on Locations
• Certifying body: BVQI – UK
• Compliance is verified annually through Audits
ISO 27001:2005
• Contains the following domains
  – Security Policy
  – Organizing Information Security
  – Asset management
  – Human resource security
  – Physical and environmental security
  – Communications and operations management
  – Access control
  – Information systems acquisition, development & maintenance
  – Information security incident management
  – Business continuity management
  – Compliance
Security Policy
“To ensure Confidentiality, Integrity and Availability of information that is acquired, developed and provided to all stakeholders”
Refer: QUALIFY > QMS Documentation > Policy Manuals > ISMS > ISMS – Policy Manual, Section: Information Security Policy
Organizing Information Security
Refer: QUALIFY > QMS Documentation > Policy Manuals > ISMS > ISMS – Policy Manual, Section: Information Security Management Forum / Roles & Responsibilities
(Organisation chart) Roles shown:
• Managing Director
• Information Security Management Forum
• Chief Information Security Officer
• Core Group
• Local Core Groups
Asset Management
– Assets classified as Physical, Software and Information
– Each carries a potential risk related to security
  • Based on the possible threats, asset based risk assessment is carried out
  • The identified risks are mitigated through the implementation of controls
– Each asset should have an asset owner
– Information classification
– Data creation, storage and disposal
Refer: QUALIFY > QMS Documentation > Policy Manuals > ISMS > ISMS – Policy Manual, Section: Asset classification and control
Human Resource Security
– Is the weakest link in maintaining information security
– Reference and background check
– Confidentiality (non-disclosure) and Intellectual Property Rights agreement
– Specific agreements based on business requirement
– Similar process for trainees, contract and temporary staff
– Awareness training to all associates
– Reporting Security Incidents through iSIMS
Refer: QUALIFY > QMS Documentation > Policy Manuals > ISMS > ISMS – Policy Manual, Section: Personal Security
Physical and Environmental Security
Physical security
• Physical security perimeter
• Physical entry control
• Securing offices, rooms and facilities & Working in secure areas
Equipment security
• Equipment siting and protection
• Security of equipment off premises, such as laptops
• Secure disposal or re-use of equipment
Refer: QUALIFY > QMS Documentation > Policy Manuals > ISMS > ISMS – Policy Manual, Section: Physical and Environmental Security
Communications & operations management
– Email policy: To ensure proper use of the Email facility by Mahindra Satyam Associates and to prevent its misuse.
  • Email is provided for associates to conduct business; personal use is discouraged
  • All Email messages created and stored are Mahindra Satyam’s Proprietary Information
  • Mahindra Satyam retains the right to supervise, access, and review Associates’ electronic mails
  • Authorized users must not allow anyone else to send or receive e-mail using their Email accounts
  • Company Confidential Information shall not be shared except to the extent necessary
  • Company-related information shall be sent only to those Associates concerned, on a “need to know” basis
  • No Associate is allowed to send objectionable material
  • Auto forwarding an email from inside Mahindra Satyam to an outside network shall not be allowed
  • A disciplinary process is in place to address any violation of the spirit of this guideline
  • Sending emails to Public Internet Email accounts shall be restricted and controlled
Refer: QUALIFY > QMS Documentation > Policy Manuals > ISMS > ISMS – Policy Manual, Section: Communications and operations management
Access control
– Access control policy
– User access management
  • Privilege management
  • User password management
– User responsibilities
  • Password use
  • Unattended user equipment
– Internet / intranet access policy
– Application access control
Refer: QUALIFY > QMS Documentation > Policy Manuals > ISMS > ISMS – Policy Manual, Section: Access Control
iSIMS – Information Security Incident Management System
What is Business Continuity Management?
“Business Continuity Management is the process of anticipating incidents which will affect critical functions and preparing the organization to prevent and respond to disasters in a planned and rehearsed manner.”
“If you fail to plan, you plan to fail” – Anonymous
Impact of Disaster on our Business
Lost Revenue
• Direct Loss
• Compensatory Payments
• Lost Future Revenues
• Investment Loss
Productivity Loss
• Number of Employees impacted
Damaged Reputation
• Customer, Suppliers, Partners, Banks, Financial Markets
• Credit Ratings
Delayed Collections
• Billing Losses
• Missed Discounts
Extra Expense
• Cost to Recover
• Overtime Expense
• Increased Fraud Risk
• Increased Error Rate
• Travel Expenses
• Temporary Employees
Penalties
• Contractual
• Regulatory
• Legal
Mahindra Satyam’s BCMS Model
(Diagram: Cause → What fails → Failure Mode / Effect, i.e. how it affects operations)
Cause – what causes disasters:
• Fire
• War
• Power Outage
• Explosion
• Computer Virus
• Strike
• Hacking
• Flood
• Telecommunication Failure
• Theft & Robbery
• Shortage of Critical Items
• Critical Server Breakdown
• Earthquake
• Prolonged absence of Essential Public services
What fails:
• Information
• Infrastructure
• Personnel
Effect (Failure Mode):
• Site Outage
• City Outage
• Country Outage
Contingency Plans
• Site Outage: Critical services from alternate site in the same city
• City Outage: Critical services from alternate site in another city
• Country Outage:
  - Critical services from BC center @ Singapore
  - Onsite/Offsite
Mahindra Satyam leverages its multi-location presence across the world to provide alternate sites for the critical projects.
Business Continuity Planning in Projects
(Diagram: BC activities mapped onto the project lifecycle)
Project lifecycle phases:
• Project Acquisition
• Project Initiation
• Project Planning
• Project Execution
• Project Closure
BC activities across the lifecycle:
• Assess BCP requirements vs cost
• Identify Critical Projects
• Risk Assessment
• Recovery SLAs & Options
• BC Plan Development
• Implementation & Testing
• Maintenance
• Best Practice / Lessons learnt
Business Continuity Management
– Identification of Applications or Support services critical for continuity as required by the customer
– Mitigation plans to minimize impact
– Customer approved Business continuity plans to manage disaster
– Continuity of services from alternate sites
– Multi-site and multi-city presence to manage site, city and country outage scenario
– BC options based on recovery window (RTO)
– Completion of scheduled BC tests and retrospective meetings
– Support required from other stakeholders such as CS, N&S to be notified and to be documented in the Location specific BCP
  • Updated call tree details to be sent on a monthly basis
  • Logistics to address contingency and resumption activities (movement to alternate site, seating arrangement, connectivity requirements, and accommodation and food if required) including for critical associates
Refer: QUALIFY > QMS Documentation > Policy Manuals > BCMS > BCMS – Policy Manual
BC Plan Options
• BC Plan I – provides min. acceptable service levels for customers
• BC Plan II, III – provide enhanced service levels at additional cost
(Chart: Cost vs Service Level)
• Plan I: <72 hours – Mahindra Satyam
• Plan II: <12 hours – Customer
• Plan III: <4 hours – Project
BC Plan I
• Recovery of Critical projects
• Site Outage and City Outage scenarios
• 24 hr – 72 hr recovery windows
• Shared infrastructure; Project specific infrastructure at cost
• Site capacity up to 5% of primary site
• 15% capacity over 3 shifts, in a common operating environment
Compliance
– Compliance with Legal requirement
– Data Privacy protection
– Third party software usage
– Safeguarding organizational records
– Prevention of misuse of information processing facilities
Refer: QUALIFY > QMS Documentation > Policy Manuals > ISMS > ISMS – Policy Manual, Section: Compliance
Why Information Security
– Is a Statutory requirement
– Avoid legal liability in case of security breach
– Customers need assurance
– Information is key to business, and any breach can have a long lasting impact on the organization’s success & growth
– Competitive advantage
– To ensure Confidentiality, Integrity and Availability
– To ensure continuity of services
Do’s and Don’ts
Do’s
– Follow Mahindra Satyam specific password guidelines
– Change password if there is an indication of compromise
– Change default passwords on computers and devices
– Use MS Office Communicator for instant messaging
– Follow clear screen and clear desk policy
Don’ts
– Share passwords – you could be liable for a breach
– Use another associate’s email account
– Forward business mails to public email accounts
– Open suspicious attachments
– Distribute email addresses to third parties
Do’s and Don’ts
Do’s
– Follow information classification guidelines
– Periodically check for the anti-virus signature
– Safeguard portable devices against theft
– Report lost or stolen equipment immediately
– Use iSIMS to report Information security incidents
Don’ts
– Send sensitive data through wireless devices
– Use external storage devices
– Turn off or disable anti-virus
– Download software, audio/video files from the internet
– Publish Mahindra Satyam IP on internet sites
Do’s and Don’ts
Do’s
– Lock workstation when it is not being used
– Zip the attachments to optimize bandwidth
– Safeguard portable devices against theft
– Report lost or stolen equipment immediately
– Use iSIMS to report Information security incidents
Don’ts
– Share customer reference and / or related information
– Install unauthorized software
– Send offensive or disruptive material through email
– Visit malicious sites on the internet
– Misuse resources and privileges
Do’s and Don’ts
Do’s
– Be aware of the NDA
– Go through the Information Security Policy Manual
– Use proximity access card for access to the facility
– Ensure boot password for laptops
– Secure laptops when left unattended
Don’ts
– Use photographic equipment within Mahindra Satyam premises
– Leave laptops unattended (shopping malls, parking etc.)
– Discuss company confidential information in public
– Ignore security requirements while developing Software
– Disclose project related data to unintended parties
Do’s and Don’ts
Do’s
– Maintain Confidentiality on Customer Name, Project & Documents
– Maintain project records as per record retention guidelines / contract
– Identify Mahindra Satyam’s and Customer’s IP while delivering services, to claim proprietary rights on Mahindra Satyam IP when required
– Adhere to Personal Data Privacy obligations as per contract
– Be sensitive to Information Security policy and procedures
Don’ts
– Commence performance of work before the Contract is signed
– Subcontract work without Customer’s written consent
– Use Open Source unless authorized by Customer in writing
– Refer to Customer / Customer Trademarks / Logos in presentations unless the customer is REFERENCE-ABLE
– Be ignorant of the security policy and procedures
Thank You