The Technical and Organizational Measures (TOMs) provided below apply to all HCLSoftware product offerings. Evidence of the measures implemented and maintained by HCLSoftware Security may be presented in the form of up-to-date compliance attestations, audit reports or extracts from independent bodies upon request from the customer.
HCLSoftware maintains a robust Information Security Management System (ISMS). Security policies are reviewed annually and amended as HCLSoftware deems necessary to maintain security compliance.
A formal Management Review is held every 6 months to assess and evaluate the effectiveness of technical and organizational measures. This includes tracking metrics related to the Governance, Risk and Compliance of our Information Security Management System.
HCLSoftware employees complete Security and Privacy training annually. HCLSoftware has an identified Information Security Organization structure which oversees all Information Security related processes and activities for HCLSoftware.
- HCL has defined and documented data privacy policies and processes addressing access to personal data.
- Mandatory Information Security awareness training is provided.
- HCL continuously reviews event logs for malicious/abnormal behavior.
- All confirmed incidents reported are analyzed for root cause and impact. The remedial actions are initiated by the process owners. The key incidents along with their root causes and impact are reported to HCL management.
- HCLSoftware Data Centers and Support Organization are ISO 27001 certified.
Internal IT and IT Security Governance and Management
A formal Internal Audit program is operated to measure the conformance and governance of our ISMS controls. Metrics from our Internal Audit program are presented at our Management Reviews.
Certification/Assurance of Processes and Products
External and independent audits are organized and managed to meet our business needs with respect to certification/assurance. This includes a full and formal examination of the process and products that are supported by our ISMS.
For more information, see Requesting Certification.
HCLSoftware has defined, documented, and implemented a Risk Management framework based on ISO 27005 to identify risks related to security, privacy and other contractual requirements. All risks are evaluated to determine their impact to the business, and then assessed to determine the correct treatment action.
HCLSoftware assesses and addresses risks and creates action plans to mitigate identified risks. All areas of HCLSoftware have Risk Focal Points to assist in the identification and management of risks. All risks are reviewed as needed, once a year at a minimum.
HCLSoftware maintains an incident response policy and follows documented incident response plans including prompt breach notifications as appropriate, to the relevant authorities, customers, and data subjects when a breach is known or reasonably suspected to impact customer data.
The HCLSoftware Incident Response program follows NIST 800-61 r2 (see diagram below)
HCLSoftware maintains separate flows for the following incidents:
- Cybersecurity incidents
- Data incidents (including Privacy team when personal data is impacted)
HCL monitors for security incidents 24x7 and escalates to the appropriate Incident Management Response team when an event is detected. The incident process includes isolation/eradication/retention as required, and a root cause analysis is performed for high/critical incidents. Post-incident activity also includes reviews to improve processes/tools as needed.
Physical & Environmental Security
HCLSoftware maintains the physical security of its facilities and Data Centers, which includes taking precautions against environmental threats and power disruptions.
- Access to Data Centers is controlled and limited by job role and subject to approval.
- Access to Data Centers is provided on a need only basis and reviewed periodically.
- Physical access to offices is controlled by an access control mechanism.
- Visitor entry is monitored and recorded.
- All critical areas are CCTV covered and recordings are maintained for at least 30 days.
HCLSoftware has implemented and will maintain a privacy program that is designed to comply with all privacy regulations applicable to the company and the personal data we hold. We also employ processes to ensure that we handle personal data of our customers in accordance with our legal obligations and our customer contracts. The privacy program includes, among other things, the following:
- Data protection impact assessment
- Policies and Procedures
- Privacy Employee Awareness Training
- Customer Contracts
- Data Transfer Impact Assessments
- Vendor/Third Party Privacy Assessments
- Product Privacy by Design
- Response to Data Subject Requests
- Incident Response
- Documenting Compliance with Global Privacy Regulations
Ensuring Limited Data Retention
- Support only collects personal data that is necessary for the purposes of providing support and related services to our customers. Support does not store customer data for longer than needed and takes all the necessary measures to ensure that personal data is secured and deleted in accordance with the internal policies and applicable laws.
- The diagnostic data stored in the Customer Data Repository (CuDaR) is deleted from the active repository after case closure and takes up to 60 days for it to be permanently deleted from the backups. The case data stored in ServiceNow is retained for up to 5 years after case closure.
Access to and Erasure of Customer Data
Support has the capability to process Data Subject Requests in accordance with internal policies and applicable laws. Customers have access to their data in the Customer Support Portal and can export their data if required. Additionally, HCL Support can assist with exporting customer data upon customer request.
Pseudonymization / Anonymization
Measures for pseudonymization or anonymization of personal data are implemented to the extent necessary in the Support non-production environments.
Encryption of Personal Data
- When personal data is transmitted, secure end-to-end encryption of the communication is ensured. All personal data transfers occur over HTTPS/SFTP and use minimum TLS 1.2 protocol. The backend database is encrypted at rest using AES-256 encryption.
- Data in Transit - TLS (Transport Layer Security) encryption is required for all Internet connections during login and all data shall be encrypted during transmission.
- Data at Rest - Stored customer data is encrypted. Key Management conforms to industry best practices. Encryption leverages AES 256 standards
Measures of Encryption
- Encryption Key Management - Cryptographic key management procedures are documented and automated. Products or solutions are deployed to keep the data encryption keys encrypted (e.g., software- based solution, Hardware Security Module (HSM)). This is software-based Encryption, Key Management procedure will be automated. Encryption of data is configured at rest and in transit.
- Encryption Uses - Confidential information transmission over the public internet always utilizes an encrypted channel. Encryption details are documented if transmission is automated. If manual encryption is required, approved, and dedicated staff is responsible for encrypting / decrypting the data. Confidential information is encrypted while in transit over any network using secure protocols like HTTPS, SSL, SFTP, etc. VPN transmissions are performed over an encrypted channel.
The default configuration will be hardened to our HCLSoftware defined system configuration, including passwords before connecting the device to the network.
Confidentiality, Integrity, Availability and Resilience of Processing Systems and Services
- Support ensures that appropriate controls are in place to safeguard the confidentiality, integrity, and accessibility of Support systems and customer data.
- Support has implemented a process for onboarding and offboarding of users to prevent from unauthorized access to data. Support follows documented ISMS incident response policies and has a process to escalate data privacy and security issues.
- Roles and responsibilities are segmented within the support organization to reduce opportunities for unauthorized or unintentional modification or misuse of data. Support ensures that all Support personnel complete the required security and privacy trainings on an annual basis.
- Support’s ticket management data centers and cloud-based infrastructure are designed to be highly available with redundant components and multiple network paths to avoid single points of failure. Advanced High Availability (AHA) architecture is the primary means to restore service in the case of a disruption that could impact availability. Full backups are performed on Support’s ticket management system every seven days direct to disk and are retained for 28 days, with differential backups taken every 24 hours.
Ability to Restore Availability and Access to Personal Data
- Support has a Business Continuity Plan that ensures the availability of support in the event of a physical or technical incident. Support’s BCP guides restoration of operations to a pre-defined level, within a predetermined time frame, following a business disruption.The BCP is annually tested.
- Database backups are taken with the goal of preventing the loss of personal data in the event of a technical malfunction or human error. Incremental backups are performed on the (Customer Data Repository) CuDaR every 12 hours, with weekly differential backups and monthly backup overwrite. The data backup restores are tested regularly, at least once a year.
Business Continuity & Disaster Recovery Planning
- Backup procedures are applied to all critical development systems.
- Backup is done at the storage level and industry standards are followed. Each data center has its own backup infrastructure. Data storage procedures comply with the ISO 27001 standard.
- Interruptions and outages are communicated to affected customers. Communication includes the following information:
- Nature of impact
- Locations / departments / process impacted
- Extent of impact
- Location and contact information of the IT helpdesk
Test, Assess and Evaluate the Effectiveness of Technical and Organizational Measures
Our Technical and Organizational measures are assessed through formal audit and an internal testing program. A formal Senior Leadership team Management Review is held every 6 months to assess and evaluate the effectiveness of our Information Security Management Systems and therefore our technical and organizational measures. This includes metrics and measures for Governance, Risk and Compliance of our Information Security Management System.
User Access Management
HCL maintains appropriate controls for requesting, approving, granting, revoking and revalidating user access to systems. Only employees with a business need may access data. Access requests are approved based on an individuals role and user access is reviewed regularly.
Logical access procedures define the request, approval, access provisioning and de-provisioning processes. The logical access procedures restrict user access (local or remote) based on user job function for applications and databases (role/profile based appropriate access) for applications, databases and systems to ensure segregation of duties. The procedures are reviewed, administered, and documented based on on-boarding, resource re-assignment or separation. User access reviews are performed to ensure access is appropriate throughout the year.
- All HCLSoftware system administrators are authenticated using multi-factor authentication, Tacca’s, VPN, AD for system access through privileged access management.
- In addition, the use of privileged access management is recorded for audit and forensic analysis.
User Identification and Authorization
Every user has a unique named access control (user id and password) to access their accounts.
Protection of Data During Storage
Every user will have access to their specific data and not to all storage.
Asset Management and controls - Laptops, Desktops, Servers, Networking Equipment and Software Assets
- All Assets are formally declared, reviewed and managed on an Asset Register.
- Operating systems patches recommended by the vendor are tested and applied regularly to the desktops, laptops, servers, and networking equipment.
- Default IDs are changed and disabled. Passwords are changed after initial installation. Manufacturers’ default passwords are not used.
- If sharing of files/directories from a server to other computers is required, then it has to be enabled in such a way that only users who have need to know is having the access to the share and the principle of least privilege is followed.
- Systems clocks of all the servers and networking equipment are synchronized, and they are set to the time of the time zone of the location of the server/equipment. Only authorized personnel have the privilege to change or reset system clock time.
- Administrative accounts are set with strong passwords and privileges are given to only identified persons. Admin access is regularly reviewed.
- Endpoint Detection and Response (NexGen Antivirus & Malware) software is installed where applicable.
- Backups are taken and restoration checks are done for identified systems based on agreed upon a request basis.
- Only company owned & Managed laptops are permitted inside the facility.
- Every HCL employee requires a unique ‘User ID’ and password to access the IT systems in the enterprise.
- Every user ID has a password and users are required to set and change their passwords as per HCL password policy.
- User IDs are created as per defined process and with adequate authorizations.
- Share service accounts are managed via Privileged Access Management platform.
- How we apply wireless controls:
- Wireless AP can be accessible only from Network Team jump server with authorized access for Wireless management.
- How we apply wireless controls:
- PNP-CORP SSID Authentication – Wireless authentication is allowed through the radius/AD server so it will be allowed only HCLSW valid users to connect SSID
- HCL-Software Guest Authentication – Wireless authentication is allowed through internal captive portal authentication. We will be creating username & password based on the server now request (Wireless Guest ticket will create two tasks, one is for creating credential and second one is disabling credentials , . The second task will be assigned after the end date of WiFi request ).
- HCL-TECH-SSID authentication – Wireless authentication is using Pre-shared key and it will be shared to HCL Tech users. Password will be changed every three weeks.
- How do we replace vendor default settings:
- HCLSW standard templates are used.
- All emails are scanned for virus or malicious codes at gateway level.
- Email systems are configured to restrict identity spoofing, spamming, and relaying to protect against the same.
Cloud assets, and services are hardened with Center for Internet Security (CIS) Benchmarks.
- Cloud Security Posture Management standards and configurations are monitored in real-time by our 24/7 365 Detection, Analytics and Response Team.
- Cloud Workload Protection and Endpoint Detection and Response (NexGen Antivirus & Malware) software is installed where applicable.
- HCLSoftware leverages cloud vendor Web Applications Firewalls (WAF) for protection against DDoS and other external attack vectors.
HCLSoftware maintains a 24/7 365 Detection, Analytics and Response (DART) Team that provides monitoring and response services for deviations from defined standards, malicious and/or abnormal activity and threat modeling.
- Defined CSIRT Response team.
- CyberSecurity forensics services.
Other Security Controls
- Firewalls are configured in such a way that only authorized layer 7 application traffic is allowed.
- All secured communications at HCL follow the current encryption standard.
- EDR and DLP is installed on all end user machines.
Use of Sub-processors
- HCL uses certain third parties in connection with providing its services. These include third parties utilized for cloud hosting and for the provision of support and related services. Sub-processors who may access customer personal data are listed on our Trust Center site here: https://www.hcltechsw.com/resources/data-processing-and-transfers , and customers can subscribe to receive updates to the list of sub-processors.
- HCLSoftware has executed Data Processing Agreements where appropriate with all sub-processors who may access customer personal data to ensure appropriate safeguards are in place for data protection and secure data transfers.