The Technical and Organizational Measures (TOMs) described below apply to all HCL Software product offerings. Evidence of the measures implemented and maintained by HCL Software Security may be presented, upon request from the client, in the form of up-to-date compliance attestations, audit reports or extracts from independent bodies.
Data Privacy Document Management
HCL Software has implemented and will maintain a privacy program that endeavors to comply with all privacy regulations applicable to the personal data we hold. We take our privacy commitment to our customers seriously.
HCL Software will implement and maintain a robust Information Security Management System (ISMS). Security policies will be reviewed annually and amended as HCL Software deems necessary to maintain security compliance.
HCL Software employees will complete Security and Privacy training / education annually.
HCL Software has a defined Information Security organization structure that oversees all Information Security related processes and activities for HCL Software.
- HCL has defined and documented data privacy policies and processes addressing access to personal data.
- Mandatory Information Security awareness training is provided through a world-wide e-Learning module.
- All reported incidents are analyzed for root cause and impact, and remedial actions are initiated by the process owners. Key incidents, together with their root causes and impact, are reported to HCL management.
- HCL Software Data Centers are ISO 27001 certified.
HCL Software has defined, documented and implemented a Risk Management framework to identify risks related to security, privacy and other contractual requirements.
HCL Software will assess and address risks and create action plans to mitigate identified risks.
HCL Software will maintain an incident response plan and follow documented incident response policies including prompt data breach notifications to the appropriate controllers / authorities when a breach is known or reasonably suspected to impact client Personal Data.
Physical & Environmental Security
HCL Software will implement physical security for HCL Software facilities inclusive of Data Centers as well as take precautions against environmental threats and power disruptions.
- Access to Data Centers is controlled and limited by job role and subject to approval.
- Access to Data Centers is provided on a needs only basis and reviewed periodically.
- Physical access to offices is controlled by an access control mechanism.
- Visitor entry is monitored and recorded.
- All critical areas are covered by CCTV, and recordings are retained for at least 30 days.
User Access Management
HCL will maintain appropriate controls for requesting, approving, granting, revoking and revalidating user access to systems containing Personally Identifiable Information. Only employees with a business need may access data. Access requests will be approved based on an individual's role and reviewed regularly.
Laptops, Desktops, Servers and Networking Equipment
- Operating systems and application patches recommended by the vendor are tested and applied regularly to the desktops, laptops, servers and networking equipment.
- Default IDs are changed or disabled. Passwords are changed after initial installation; manufacturers' default passwords are not used.
- If sharing of files/directories from a server to other computers is required, the share is configured so that only users with a need to know have access, following the principle of least privilege.
- System clocks on all servers and networking equipment are synchronized and set to the local time zone of the server/equipment. Only authorized personnel have the privilege to change or reset the system clock.
- Administrative accounts are set with strong passwords and privileges are given to only identified persons.
- Antivirus software is installed on all desktops and servers.
- Antivirus signatures are updated on a daily basis, and any deviations/exceptions are tracked.
- Unauthorized software is not allowed on laptops, desktops and servers.
- Backups are taken and restoration checks are done for identified systems based on agreed upon frequencies.
- Only company owned laptops are permitted inside the facility.
- Every HCL employee requires a unique ‘User ID’ and password to access the IT systems in the enterprise.
- Every user ID has a password and users are required to set and change their passwords as per HCL password policy.
- User IDs are created as per defined process and with adequate authorizations.
- All emails are scanned for viruses and malicious code at the gateway level.
- Email systems are configured to restrict identity spoofing, spam and unauthorized relaying.
Other Security controls
- Firewalls and routers are configured in such a way that only authorized traffic is allowed.
- The HCL Software IT environment is regularly monitored for security-related issues, and incidents are reported on a timely basis once detected.
- All secured communications at HCL follow the HCL encryption standard.
- Data loss prevention (DLP) software is installed on all end-user machines.