The Technical and Organizational measures (TOMs) provided below apply to all HCL Software product offerings. Evidence of the measures implemented and maintained by HCL Software Security may be presented in the form of up-to-date compliance attestations, audit reports or extracts from independent bodies upon request from the customer.
Security Policies
HCL Software maintains a robust Information Security Management System (ISMS). Security policies are reviewed annually and amended as HCL Software deems necessary to maintain security compliance.
A formal Management Review is held every 6 months to assess and evaluate the effectiveness of technical and organizational measures. This includes metrics for Governance, Risk and Compliance of our Information Security Management System.
HCL Software employees will complete Security and Privacy training / education annually.
HCL Software has an identified Information Security Organization structure which oversees all Information Security related processes and activities for HCL Software.
- HCL has defined and documented data privacy policies and processes addressing access to personal data.
- Mandatory Information Security awareness training is provided through a world-wide e-Learning module.
- HCL policy states that all relevant event logs are to be reviewed 24/7 for malicious / abnormal behavior.
- All incidents reported are analyzed for root cause and impact. The remedial actions are initiated by the process owners. The key incidents along with their root causes and impact are reported to HCL management.
- HCL Software Data Centers and Support Organization are ISO 27001 certified.
Internal IT and IT Security Governance and Management
A formal Internal Audit program is operated to measure conformance and governance of our Information Security Management System controls. Metrics from our Internal Audit program are presented at our Management Review.
Certification/Assurance of Processes and Products
External and independent audits are organized and managed to meet our business needs with respect to Certification / Assurance. This includes a full and formal examination of the processes and products that are supported by our Information Security Management System.
Risk Management
HCL Software has defined, documented and implemented a Risk Management framework to identify risks related to security, privacy and other contractual requirements.
HCL Software will assess and address risks and create action plans to mitigate identified risks. All areas of HCL Software have Risk Focal Points to assist in the identification and management of risks. All risks are reviewed as needed, once a year at a minimum.
Incident Management
HCL Software will maintain an incident response policy and follow documented incident response plans including prompt breach notifications to the appropriate controllers / authorities when a breach is known or reasonably suspected to impact customer data.
The HCL Software Incident Response program follows NIST 800-61 r2 (see diagram below).

HCL Software maintains separate flows for
- Cybersecurity incidents
- Data incidents (including Privacy team when personal data is impacted)
Physical & Environmental Security
HCL Software maintains physical security for HCL Software facilities, inclusive of Data Centers, and takes precautions against environmental threats and power disruptions.
- Access to Data Centers is controlled and limited by job role and subject to approval.
- Access to Data Centers is provided on a need only basis and reviewed periodically.
- Physical access to offices is controlled by an access control mechanism.
- Visitor entry is monitored and recorded.
- All critical areas are CCTV covered and recordings are maintained for at least 30 days.
Data Privacy Document Management
HCL Software has implemented and will maintain a privacy program that endeavors to comply with all privacy regulations applicable to the personal data we hold. We take our privacy commitment to our customers seriously.
Ensuring Limited Data Retention
- Support only collects personal data that is necessary for the purposes of providing support and related services to our customers. Support does not store customer data for longer than needed and takes all the necessary measures to ensure that personal data is secured and deleted in accordance with the internal policies and applicable laws.
- The diagnostic data stored in the Customer Data Repository (CuDaR) is deleted from the active repository within 30 days after case closure and takes up to 60 days for it to be permanently deleted from the backups. The case data stored in ServiceNow is retained for up to 5 years after case closure.
Access to and Erasure of Customer Data
Customers have access to their data in the support ticketing system and have the ability to export data as needed. Support has the capability to process Data Subject Requests in accordance with internal policies and applicable laws. Customers have access to their data in the Customer Support Portal and can export their data if required. Additionally, HCL Support can assist with exporting customer data upon customer request.
Pseudonymization / Anonymization
Measures for pseudonymization or anonymization of personal data are implemented to the extent necessary in the Support non-production environments.
Encryption of Personal Data
- When personal data is transmitted, secure end-to-end encryption of the communication is ensured. All personal data transfers occur over HTTPS/SFTP and use minimum TLS 1.2 protocol. The backend database is encrypted at rest using AES-256 encryption.
- Data in Transit - TLS (Transport Layer Security) encryption is required for all Internet connections during login and all data shall be encrypted during transmission.
- Data at Rest - Stored customer data is encrypted. Key Management conforms to industry best practices. Encryption leverages AES 256 standards.
Measures of Encryption
- Encryption Key Management - Cryptographic key management procedures are documented and automated. Products or solutions are deployed to keep the data encryption keys encrypted (e.g., software-based solution, Hardware Security Module (HSM)). The encryption is software-based, and the key management procedure is automated.
- Encryption Uses - Confidential information transmission over the public internet always utilizes an encrypted channel. Encryption details are documented if transmission is automated. If manual encryption is required, approved and dedicated staff is responsible for encrypting / decrypting the data. Confidential information is encrypted while in transit over any network using secure protocols like HTTPS, SSL, SFTP, etc. VPN transmissions are performed over an encrypted channel.
System Configuration
Default configuration, including passwords, is changed before a device is connected to the network.
Confidentiality, Integrity, Availability and Resilience of Processing Systems and Services
- Support ensures that appropriate controls are in place to safeguard the confidentiality, integrity, and accessibility of Support systems and customer data.
- Support has implemented a process for onboarding and offboarding of users to prevent unauthorized access to data. Support follows documented ISMS incident response policies and has a process to escalate data privacy and security issues.
- Roles and responsibilities are segregated within the support organization to reduce opportunities for unauthorized or unintentional modification or misuse of data. Support ensures that all Support personnel complete the required security and privacy trainings on an annual basis.
- Support’s ticket management data centers and cloud-based infrastructure are designed to be highly available with redundant components and multiple network paths to avoid single points of failure. Advanced High Availability (AHA) architecture is the primary means to restore service in the case of a disruption that could impact availability. Full backups are performed on Support’s ticket management system every seven days direct to disk and are retained for 28 days, with differential backups taken every 24 hours.
Ability to Restore Availability and Access to Personal Data
- Support has a Business Continuity Plan that ensures the availability of support in the event of a physical or technical incident. Support’s BCP guides restoration of operations to a pre-defined level, within a predetermined time frame, following a business disruption.
- Database backups are taken with the goal of preventing the loss of personal data in the event of a technical malfunction or human error. Incremental backups are performed on the Customer Data Repository (CuDaR) every 12 hours, with weekly differential backups and monthly backup overwrite. The data backup restores are tested regularly, at least once a year.
General Business Continuity
- Business Continuity & Disaster Recovery Planning
- Backup procedures are applied to critical development systems.
- Backup is done at the storage level and industry standards are followed. Each Data Center has its own backup infrastructure.
- Interruptions and Outages are communicated. Communication includes the following:
  - Nature of impact
  - Locations / Departments / Processes impacted
  - Extent of impact
  - Location and contact information of the IT helpdesk
  - Location and contact information of the recovery coordinator responsible for recovery activities
Test, Assess and Evaluate the Effectiveness of Technical and Organizational Measures
- A formal Management Review is held every 6 months to assess and evaluate the effectiveness of our technical and organizational measures. This includes metrics / measures for Governance, Risk and Compliance of our Information Security Management System.
- Support has an internal review process to regularly assess and evaluate the effectiveness of Support’s processes and procedures. Support participates in an internal audit performed by the HCL SW Security team once every year. Information on potential technical vulnerabilities in Support systems is evaluated at regular intervals and appropriate measures are initiated for remediation.
User Access Management
HCL maintains appropriate controls for requesting, approving, granting, revoking and revalidating user access to systems containing Information. Only employees with a business need may access data. Access requests are approved based on an individual's role and reviewed regularly.
- Logical access procedures define the request, approval, access provisioning and de-provisioning processes. These procedures restrict user access (local or remote) to applications, databases and systems based on user job function (role/profile based appropriate access) to ensure segregation of duties, and are reviewed, administered, and documented based on on-boarding, resource re-assignment or separation. User access reviews are performed throughout the year to ensure access remains appropriate.
- All HCL Software system administrators are authenticated using multi-factor authentication, TACACS, VPN and AD for system access through privileged access management.
- In addition, the use of privileged access management is recorded for audit and forensic analysis.
User Identification and Authorization
Every user has named access control (user id and password) to access their accounts.
Protection of Data During Storage
Every user will have access to their specific data and not to all storage.
Laptops, Desktops, Servers and Networking Equipment
- Operating systems and application patches recommended by the vendor are tested and applied regularly to the desktops, laptops, servers and networking equipment.
- Default IDs are changed and disabled. Passwords are changed after initial installation. Manufacturers' default passwords are not used.
- If sharing of files/directories from a server to other computers is required, it is enabled in such a way that only users with a need to know have access to the share, and the principle of least privilege is followed.
- System clocks of all servers and networking equipment are synchronized and set to the time zone of the location of the server/equipment. Only authorized personnel have the privilege to change or reset the system clock.
- Administrative accounts are set with strong passwords, and privileges are given only to identified persons.
- Endpoint Detection and Response (NexGen Antivirus & Malware) software is installed where applicable, antivirus signatures.
- Backups are taken and restoration checks are done for identified systems on an agreed-upon, per-request basis.
- Only company-owned and managed laptops are permitted inside the facility.
- Every HCL employee requires a unique 'User ID' and password to access the IT systems in the enterprise.
- Every user ID has a password, and users are required to set and change their passwords as per the HCL password policy.
- User IDs are created as per the defined process and with adequate authorizations.
- Shared service accounts are managed via a Privileged Access Management platform.
Email Security
- All emails are scanned for viruses or malicious code at the gateway level.
- Email systems are configured to restrict identity spoofing, spamming and relaying, to protect against the same.
Cloud Security
- Cloud assets and services are hardened with Center for Internet Security (CIS) Benchmarks.
- Cloud Security Posture Management standards and configurations are monitored in real time by the 24/7 365 Detection, Analytics and Response Team.
- Cloud Workload Protection and Endpoint Detection and Response (NexGen Antivirus & Malware) software is installed where applicable.
- HCL Software leverages cloud vendor Web Application Firewalls (WAF) for protection against DDoS and other external attack vectors.
Security Operations
- HCL Software maintains a 24/7 365 Detection, Analytics and Response Team that provides monitoring and response services for deviations from defined standards, malicious and/or abnormal activity and threat modeling.
- Defined CSIRT Response team.
- CyberSecurity forensics services.
Other Security Controls
- Firewalls and routers are configured in such a way that only authorized layer 7 application traffic is allowed.
- All secured communications at HCL follow the current encryption standard.
- DLP is installed on all end user machines.
Use of Subprocessors
- HCL uses certain third parties in connection with providing its services. These include third parties utilized for cloud hosting and for the provision of support and related services. Subprocessors who may access customer personal data are listed on our Trust Center site here: https://www.hcltechsw.com/resources/data-processing-and-transfers, and customers can subscribe to receive updates to the list of subprocessors.
- The specific technical and organizational measures taken by each subprocessor can be found on that entity's site.
- HCL Software has executed a Data Processing Agreement, where appropriate, with all subprocessors who may access customer personal data to ensure appropriate safeguards are in place for data protection and secure data transfers.
Support's ticketing system is hosted by ServiceNow. Please refer to the ServiceNow Trust Center for its specific technical and organizational measures: https://www.servicenow.com/company/trust.html