HCLSoftware
Technical and Organizations Measures (TOMs) – Security

The Technical and Organizational Measures (TOMs) provided below apply to all HCLSoftware product offerings. Evidence of the measures implemented and maintained by HCLSoftware Security may be presented in the form of up-to-date compliance attestations, audit reports or extracts from independent bodies upon request from the customer.


Security Policies

HCLSoftware maintains a robust Information Security Management System (ISMS). Security policies are reviewed annually and amended as HCLSoftware deems necessary to maintain security compliance.

A formal Management Review is held every 6 months to assess and evaluate the effectiveness of technical and organizational measures. This includes tracking metrics related to the Governance, Risk and Compliance of our Information Security Management System.

HCLSoftware employees complete Security and Privacy training annually. HCLSoftware has an identified Information Security Organization structure which oversees all Information Security related processes and activities for HCLSoftware.

  • HCL has defined and documented data privacy policies and processes addressing access to personal data.
  • Mandatory Information Security awareness training is provided.
  • HCL continuously reviews event logs for malicious/abnormal behavior.
  • All confirmed incidents reported are analyzed for root cause and impact. The remedial actions are initiated by the process owners. The key incidents along with their root causes and impact are reported to HCL management.
  • HCLSoftware Data Centers and Support Organization are ISO 27001 certified.


Internal IT and IT Security Governance and Management

A formal Internal Audit program is operated to measure the conformance and governance of our ISMS controls. Metrics from our Internal Audit program are presented at our Management Reviews.


Certification/Assurance of Processes and Products

External and independent audits are organized and managed to meet our business needs with respect to certification/assurance. This includes a full and formal examination of the process and products that are supported by our ISMS.

For more information, see Requesting Certification.


Risk Management

HCLSoftware has defined, documented, and implemented a Risk Management framework based on ISO 27005 to identify risks related to security, privacy and other contractual requirements. All risks are evaluated to determine their impact to the business, and then assessed to determine the correct treatment action.

HCLSoftware assesses and addresses risks and creates action plans to mitigate identified risks. All areas of HCLSoftware have Risk Focal Points to assist in the identification and management of risks. All risks are reviewed as needed, once a year at a minimum.


Incident Management

HCLSoftware maintains an incident response policy and follows documented incident response plans, including prompt breach notification, as appropriate, to the relevant authorities, customers and data subjects when a breach is known or reasonably suspected to affect customer data.

The HCLSoftware Incident Response program follows NIST SP 800-61 Rev. 2 (see diagram below).

HCLSoftware maintains separate flows for the following incidents:

  • Cybersecurity incidents
  • Data incidents (the Privacy team is included when personal data is affected)

Communication outside of HCL is handled by the appropriate customer-facing resources.

HCL monitors for security incidents 24x7 and escalates to the appropriate Incident Management Response team when an event is detected. The incident process covers containment (isolation), eradication and recovery as required, and a root cause analysis is performed for high and critical incidents. Post-incident activity includes reviews to improve processes and tools as needed.


Physical & Environmental Security

HCLSoftware maintains the physical security of its facilities and Data Centers, which includes taking precautions against environmental threats and power disruptions.

  • Access to Data Centers is controlled and limited by job role and subject to approval.
  • Access to Data Centers is provided on a need only basis and reviewed periodically.
  • Physical access to offices is controlled by an access control mechanism.
  • Visitor entry is monitored and recorded.
  • All critical areas are CCTV covered and recordings are maintained for at least 30 days.


Data Privacy

HCLSoftware has implemented and will maintain a privacy program that is designed to comply with all privacy regulations applicable to the company and the personal data we hold. We also employ processes to ensure that we handle personal data of our customers in accordance with our legal obligations and our customer contracts. The privacy program includes, among other things, the following:

  1. Data protection impact assessment
  2. Policies and Procedures
  3. Privacy Employee Awareness Training
  4. Customer Contracts
  5. Data Transfer Impact Assessments
  6. Vendor/Third Party Privacy Assessments
  7. Product Privacy by Design
  8. Response to Data Subject Requests
  9. Incident Response
  10. Documenting Compliance with Global Privacy Regulations


Ensuring Limited Data Retention

  • Support only collects personal data that is necessary for the purposes of providing support and related services to our customers. Support does not store customer data for longer than needed and takes all the necessary measures to ensure that personal data is secured and deleted in accordance with the internal policies and applicable laws.
  • The diagnostic data stored in the Customer Data Repository (CuDaR) is deleted from the active repository after case closure and is permanently purged from backups within 60 days. The case data stored in ServiceNow is retained for up to 5 years after case closure.

Access to and Erasure of Customer Data

Support has the capability to process Data Subject Requests in accordance with internal policies and applicable laws. Customers have access to their data in the Customer Support Portal and can export their data if required. Additionally, HCL Support can assist with exporting customer data upon customer request.


Pseudonymization / Anonymization

Measures for pseudonymization or anonymization of personal data are implemented to the extent necessary in the Support non-production environments.


Encryption of Personal Data

  • When personal data is transmitted, the communication channel is encrypted end to end. Personal data transfers occur over HTTPS or SFTP: HTTPS connections require TLS 1.2 or later, and SFTP transfers are protected by SSH. The backend database is encrypted at rest using AES-256.
  • Data in transit - TLS (Transport Layer Security) is required for all Internet connections, from login onward, and all data is encrypted during transmission.
  • Data at rest - Stored customer data is encrypted with AES-256. Key management follows industry best practices.
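The "TLS 1.2 or later" requirement above is only as strong as the server configuration that enforces it, and the quickest way to prove the control is to offer the server a legacy client and watch it refuse. The Go program below is an added example, not HCLSoftware code: it issues a throwaway self-signed certificate (the host name support-demo.example.invalid is an assumption), configures a server with MinVersion set to TLS 1.2, and probes it entirely in-process over net.Pipe with clients capped at TLS 1.1, 1.2 and 1.3, so the check runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// demoHost is an assumed name for the throwaway certificate; nothing is resolved.
const demoHost = "support-demo.example.invalid"

// selfSignedCert issues a short-lived self-signed certificate and a root pool
// holding it, so the probe client can verify the server without a real CA.
func selfSignedCert() (tls.Certificate, *x509.CertPool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: demoHost},
		DNSNames:              []string{demoHost},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	pool := x509.NewCertPool()
	pool.AddCert(parsed)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// HardenedServerConfig states the control explicitly: nothing below TLS 1.2. Session
// tickets are off only so the in-memory handshake has no post-handshake traffic.
func HardenedServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS12,
		SessionTicketsDisabled: true,
	}
}

// Negotiate runs one handshake over net.Pipe. The probe client offers every version
// from TLS 1.0 up to clientMax, which is how a legacy or downgraded client looks on
// the wire. It returns the agreed version, or the error with which the server refused.
func Negotiate(server *tls.Config, roots *x509.CertPool, clientMax uint16) (uint16, error) {
	srvConn, cliConn := net.Pipe()
	defer srvConn.Close()
	defer cliConn.Close()

	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(srvConn, server).Handshake() }()

	client := tls.Client(cliConn, &tls.Config{
		RootCAs:    roots,
		ServerName: demoHost,
		MinVersion: tls.VersionTLS10, // deliberately weak: this is the probe, not the policy
		MaxVersion: clientMax,
	})
	cliErr := client.Handshake()
	if err := <-srvErr; err != nil {
		return 0, fmt.Errorf("server refused: %w", err)
	}
	if cliErr != nil {
		return 0, cliErr
	}
	return client.ConnectionState().Version, nil
}

func main() {
	cert, roots := selfSignedCert()
	cfg := HardenedServerConfig(cert)
	for _, limit := range []uint16{tls.VersionTLS11, tls.VersionTLS12, tls.VersionTLS13} {
		v, err := Negotiate(cfg, roots, limit)
		if err != nil {
			fmt.Printf("client max 0x%04x: rejected (%v)\n", limit, err)
			continue
		}
		fmt.Printf("client max 0x%04x: negotiated 0x%04x\n", limit, v)
	}
}
```

The same probe works against a live endpoint by replacing the pipe with tls.Dial and the same MinVersion/MaxVersion pair on the client; a server that still answers a TLS 1.0 or 1.1 offer does not meet the control regardless of what its documentation says. The hardened setting is written out explicitly rather than left to the toolchain default, because a compliance control should not depend on which Go release built the binary.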

Measures of Encryption

  • Encryption key management - Cryptographic key management procedures are documented and automated. Data encryption keys are themselves stored encrypted under a key-encryption key held in a software-based key management solution or a Hardware Security Module (HSM); the HCLSoftware implementation is software-based. Encryption is configured for data at rest and in transit.
  • Encryption uses - Confidential information transmitted over the public Internet always uses an encrypted channel. Where transmission is automated, the encryption details are documented; where manual encryption is required, approved and dedicated staff are responsible for encrypting and decrypting the data. Confidential information in transit over any network is protected by secure protocols such as HTTPS (TLS 1.2 or later) and SFTP. VPN traffic is carried over an encrypted channel.
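The key-management measure above (data encryption keys kept encrypted under a key held by a software key manager or HSM) is usually implemented as envelope encryption. The Go program below is an added example using only the standard library, not HCLSoftware's implementation: each record gets its own AES-256-GCM data encryption key (DEK), the DEK is stored only in wrapped form under a key-encryption key (KEK) that lives in a key manager, and KEK rotation re-wraps DEKs without re-encrypting the records. The KEKStore type, the key IDs kek-2023 and kek-2024 and the sample support record are constructed for the example; in production the KEK would sit in an HSM or KMS and never be loaded into the application process.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is what the record store holds: the ciphertext plus its data encryption
// key (DEK), kept only in wrapped form under a key-encryption key (KEK).
type Envelope struct {
	KEKID      string // which KEK wrapped the DEK; needed for unwrap and rotation
	WrappedDEK []byte // AES-256-GCM(KEK, DEK), 12-byte nonce prepended
	Ciphertext []byte // AES-256-GCM(DEK, record), 12-byte nonce prepended
}

// KEKStore stands in for the key manager (software KMS or HSM) in this example.
type KEKStore map[string][]byte

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy: nothing safe to do but stop
	}
	return b
}

// A wrong-length key is a programming error, so this panics rather than returning one.
func mustAES256GCM(key []byte) cipher.AEAD {
	if len(key) != 32 {
		panic("AES-256 needs a 32-byte key")
	}
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	g, _ := cipher.NewGCM(block)   // cannot fail for an AES block
	return g
}

// sealAEAD returns nonce||ciphertext||tag under a fresh random nonce; aad is authenticated only.
func sealAEAD(key, plaintext, aad []byte) []byte {
	g := mustAES256GCM(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

// openAEAD reverses sealAEAD; any change to the bytes or the aad is rejected.
func openAEAD(key, sealed, aad []byte) ([]byte, error) {
	g := mustAES256GCM(key)
	if len(sealed) < g.NonceSize() {
		return nil, fmt.Errorf("sealed data too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// Encrypt gives the record a one-time DEK, encrypts it, wraps the DEK under the named
// KEK (KEK ID bound as AAD, so a wrapped DEK cannot be relabelled) and drops the plain DEK.
func Encrypt(kek KEKStore, kekID string, record []byte) (*Envelope, error) {
	key, ok := kek[kekID]
	if !ok {
		return nil, fmt.Errorf("unknown KEK %q", kekID)
	}
	dek := randomBytes(32)
	return &Envelope{KEKID: kekID, Ciphertext: sealAEAD(dek, record, nil),
		WrappedDEK: sealAEAD(key, dek, []byte(kekID))}, nil
}

// unwrap recovers the plaintext DEK using the KEK the envelope names.
func unwrap(kek KEKStore, env *Envelope) ([]byte, error) {
	key, ok := kek[env.KEKID]
	if !ok {
		return nil, fmt.Errorf("unknown KEK %q", env.KEKID)
	}
	return openAEAD(key, env.WrappedDEK, []byte(env.KEKID))
}

// Decrypt unwraps the DEK, then opens the record with it.
func Decrypt(kek KEKStore, env *Envelope) ([]byte, error) {
	dek, err := unwrap(kek, env)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openAEAD(dek, env.Ciphertext, nil)
}

// RotateKEK re-wraps the DEK under a new KEK; the record ciphertext is untouched.
func RotateKEK(kek KEKStore, env *Envelope, newKEKID string) error {
	newKey, ok := kek[newKEKID]
	if !ok {
		return fmt.Errorf("unknown KEK %q", newKEKID)
	}
	dek, err := unwrap(kek, env)
	if err != nil {
		return err
	}
	env.KEKID, env.WrappedDEK = newKEKID, sealAEAD(newKey, dek, []byte(newKEKID))
	return nil
}

func main() {
	store := KEKStore{"kek-2023": randomBytes(32), "kek-2024": randomBytes(32)} // constructed keys
	env, _ := Encrypt(store, "kek-2023", []byte("case 4711: caller jane@example.com")) // constructed record
	fmt.Println(RotateKEK(store, env, "kek-2024"), env.KEKID)
}
```

Two properties matter for the control: the record store never holds a usable key (losing the database alone yields nothing without the key manager), and destroying a KEK renders every envelope wrapped under it unrecoverable, which is what makes crypto-shredding a viable retention measure. Binding the KEK ID as associated data means an attacker who can edit envelope metadata cannot redirect an unwrap to a different key entry.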

System Configuration

Before a device is connected to the network, its default configuration, including default passwords, is hardened to the HCLSoftware-defined system configuration baseline.


Confidentiality, Integrity, Availability and Resilience of Processing Systems and Services

  • Support ensures that appropriate controls are in place to safeguard the confidentiality, integrity and availability of Support systems and customer data.
  • Support has implemented an onboarding and offboarding process for users to prevent unauthorized access to data. Support follows documented ISMS incident response policies and has a process to escalate data privacy and security issues.
  • Roles and responsibilities are segregated within the Support organization to reduce opportunities for unauthorized or unintentional modification or misuse of data. All Support personnel complete the required security and privacy training annually.
  • Support's ticket management data centers and cloud-based infrastructure are designed to be highly available, with redundant components and multiple network paths to avoid single points of failure. Advanced High Availability (AHA) architecture is the primary means of restoring service after a disruption that could affect availability. Full backups of Support's ticket management system are taken every seven days direct to disk and retained for 28 days, with differential backups taken every 24 hours.

Ability to Restore Availability and Access to Personal Data

  • Support has a Business Continuity Plan (BCP) that ensures the availability of support in the event of a physical or technical incident. The BCP guides restoration of operations to a pre-defined level, within a predetermined time frame, following a business disruption. The BCP is tested annually.
  • Database backups are taken to prevent the loss of personal data in the event of a technical malfunction or human error. Incremental backups of the Customer Data Repository (CuDaR) are performed every 12 hours, with weekly differential backups and a monthly backup overwrite. Backup restores are tested regularly, at least once a year.

Business Continuity & Disaster Recovery Planning

  • Backup procedures are applied to all critical development systems.
  • Backup is done at the storage level and industry standards are followed. Each data center has its own backup infrastructure. Data storage procedures comply with the ISO 27001 standard.
  • Interruptions and outages are communicated to affected customers. Communication includes the following information:
    • Nature of impact
    • Locations / departments / process impacted
    • Extent of impact
    • Location and contact information of the IT helpdesk

Test, Assess and Evaluate the Effectiveness of Technical and Organizational Measures

Our technical and organizational measures are assessed through formal audit and an internal testing program. A formal Senior Leadership Team Management Review is held every 6 months to assess and evaluate the effectiveness of our Information Security Management System and therefore of our technical and organizational measures. This includes metrics and measures for the Governance, Risk and Compliance of our ISMS.


User Access Management

HCL maintains appropriate controls for requesting, approving, granting, revoking and revalidating user access to systems. Only employees with a business need may access data. Access requests are approved based on the individual's role, and user access is reviewed regularly.

Logical access procedures define the request, approval, provisioning and de-provisioning processes. They restrict user access (local or remote) to applications, databases and systems according to job function, using role- or profile-based access, to ensure segregation of duties. The procedures are reviewed, administered and documented on on-boarding, resource re-assignment or separation. User access reviews are performed throughout the year to confirm that access remains appropriate.

  • All HCLSoftware system administrators authenticate through privileged access management (PAM) using multi-factor authentication, TACACS+, VPN and Active Directory (AD).
  • Privileged sessions conducted through PAM are recorded for audit and forensic analysis.

User Identification and Authorization

Every user has a unique named account (user ID and password) for accessing their systems.


Protection of Data During Storage

Each user has access only to their own data, not to all stored data.


Asset Management and controls - Laptops, Desktops, Servers, Networking Equipment and Software Assets

  • All assets are formally declared, reviewed and managed in an Asset Register.
  • Vendor-recommended operating system patches are tested and applied regularly to desktops, laptops, servers and networking equipment.
  • Default accounts are renamed or disabled, and passwords are changed after initial installation. Manufacturers' default passwords are not used.
  • Where file or directory sharing from a server to other computers is required, the share is restricted to users with a need to know, following the principle of least privilege.
  • System clocks on all servers and networking equipment are synchronized and set to the time zone of the equipment's location. Only authorized personnel can change or reset the system clock.
  • Administrative accounts are protected with strong passwords, and privileges are granted only to identified persons. Admin access is reviewed regularly.
  • Endpoint Detection and Response (next-generation anti-virus and anti-malware) software is installed where applicable.
  • Backups are taken and restoration checks are performed for identified systems on an agreed, per-request basis.
  • Only company-owned and managed laptops are permitted inside the facility.
  • Every HCL employee requires a unique user ID and password to access enterprise IT systems.
  • Every user ID has a password, and users are required to set and change their passwords in accordance with the HCL password policy.
  • User IDs are created through a defined process with adequate authorization.
  • Shared service accounts are managed through the Privileged Access Management (PAM) platform.

Wireless Controls

  • How we apply wireless controls:
    • Wireless access points are manageable only from the Network Team jump server, by personnel authorized for wireless management.
    • PNP-CORP SSID – authentication is performed against the RADIUS/AD server, so only valid HCLSW users can connect to this SSID.
    • HCL-Software Guest SSID – authentication is through an internal captive portal. Guest credentials are created from a ServiceNow request: the Wireless Guest ticket creates two tasks, one to create the credentials and a second, assigned after the end date of the Wi-Fi request, to disable them.
    • HCL-TECH-SSID – authentication uses a pre-shared key (PSK) shared with HCL Tech users. The PSK is changed every three weeks.
  • How we replace vendor default settings:
    • HCLSW standard configuration templates are applied.

Email Security

  • All emails are scanned for viruses and malicious code at the gateway.
  • Email systems are configured to prevent identity spoofing, spam and open relaying.

Cloud Security

Cloud assets, and services are hardened with Center for Internet Security (CIS) Benchmarks.

  • Cloud Security Posture Management (CSPM) standards and configurations are monitored in real time by our 24x7x365 Detection, Analytics and Response Team.
  • Cloud Workload Protection and Endpoint Detection and Response (next-generation anti-virus and anti-malware) software is installed where applicable.
  • HCLSoftware uses the cloud vendors' Web Application Firewalls (WAF) for protection against DDoS and other external attack vectors.

Security Operations

HCLSoftware maintains a 24x7x365 Detection, Analytics and Response Team (DART) that provides monitoring and response for deviations from defined standards and for malicious or abnormal activity, and that performs threat modeling.

  • Defined CSIRT Response team.
  • CyberSecurity forensics services.

Other Security Controls

  • Firewalls are configured so that only authorized application-layer (layer 7) traffic is allowed.
  • All secured communications at HCL follow HCL's current encryption standard.
  • EDR and DLP are installed on all end-user machines.

Use of Sub-processors

  • HCL uses certain third parties in connection with providing its services, including third parties used for cloud hosting and for the provision of support and related services. Sub-processors who may access customer personal data are listed on our Trust Center site at https://www.hcltechsw.com/resources/data-processing-and-transfers, and customers can subscribe to receive updates to the list of sub-processors.
  • HCLSoftware has executed Data Processing Agreements where appropriate with all sub-processors who may access customer personal data to ensure appropriate safeguards are in place for data protection and secure data transfers.
Copyright © 2022 HCL Technologies Limited
