Task: Develop Security Policies And Procedures
Policies and procedures are the foundational elements of the Information Security And Compliance Framework. These policies are instrumental in driving the security and compliance requirements in the engagement.
Main Description

An understanding of security requirements is obtained by analyzing the contractual security requirements, the Client's existing policies and procedures, and the Group and local/BU/Region security policies, baselines and standards. Based on these requirements, the security policies for the engagement must be developed. These must also be in line with the security and regulatory standards that the Client must comply with. Procedures and controls must then be developed in order to implement these policies in the engagement.

The procedures and controls would typically include:

  • Procedures and controls for on-boarding and off-boarding of resources
  • Procedures and controls for access provision for different job functions, roles and designations and segregation of duties
  • Procedures and controls for password management
  • Procedures and controls for network security (in terms of firewalls, antivirus etc. that need to be employed)
  • Procedures and controls for data privacy and security (in terms of encryption or data masking or classification that needs to be done)
  • Procedures and controls for export compliance
  • Procedures and controls for mobile security (if applicable)
  • Procedures and controls for media handling (if applicable)
  • Procedures and controls for handling security breaches.

The Information Security And Compliance Lead must seek concurrence with relevant stakeholders, viz. the Client's risk and compliance SMEs, Independent Security Manager, Client's compliance cell, Engagement Manager (Services), Service Delivery Teams and information security teams, to develop these policies and ensure they are in line with the Client's security and compliance requirements.
