HCL Information Security Policy
HCL Technologies Ltd - BPO Services is certified to the BS7799 standard by British Standard Institute, India, across all delivery centers located in Noida and Chennai. HCL's information security management system practices 10 domains, 36 control objectives and 125 controls of the BS7799 standard. The transition from BS7799 to ISO 27001 has started and will be completed within a few months. HCL is also part of the NASSCOM core team that defines and implements policies for information security.
How HCL Assures Its Clients of Data Protection
HCL practices various methods to meet the data security needs of customers and its own internal need to secure intellectual property; some of them are detailed below:
- Identification of data: We have a documented approach to identify and collect the data used as part of business operations or support
- Assessment of its criticality: Data is assessed for risk, and its criticality is measured
- Classification of data: Documented approach exists for classification and sign off of the assessed data
- Documented process to handle the critical data: Controls are identified and implemented to securely handle the data
- Data security awareness: Periodic awareness sessions are conducted for employees so that they understand the need for data security, their roles and responsibilities, and the approach we follow for data security
- Audits conducted by internal audit department and information security management system team
- Audits conducted by client audit team to ensure compliance as per the client requirements
HCL has been directly audited by a number of clients and found to be fully compliant with the data security requirements.
HCL has implemented various controls and monitors them continuously to ensure security is delivered as per the commitments.
- Agents are not allowed to carry pen and paper while working
- Electronic devices such as mobile phones, PDAs etc. are not allowed on the production floor
- Random Audits to ensure security policies are followed
- Disciplinary action for non-compliance
- Application access limited to what is required as per operations
- Mandatory profiles to ensure any stored data will be automatically erased after temporary use
- No local storage provided; all data is stored in central storage
- Regular audits of the central storage server
- USB Ports, floppy drives and CD drives are restricted
- Agents should be given the organization email facility only when required
- No mails can be sent outside the organization from the given mail facility
Internet Access Security
- Restricted access to the internet; sites are allowed only if they are a process requirement
- Continuous monitoring of web traffic and disciplinary actions taken for violations
- Regular awareness programs are conducted on data protection and its legality
- Awareness of information security through class room sessions, intranet sessions, posters, mailers etc.
- 24*7 monitoring of all security infrastructure
- Dedicated team and infra to perform security monitoring
- Products like McAfee ePO, Websense Reporter, ISS/Cisco network and host intrusion detection systems etc. are used for monitoring
For more information, please write to us at: email@example.com