An understanding of security requirements is obtained by analyzing the contractual security requirements, the Client's
existing policies and procedures, and the Group and local/BU/Region security policies, baselines and standards. Based on
these requirements, the security policies for the engagement must be developed. These must also be in line with the
security and regulatory standards that the Client must comply with. Procedures and controls must then be developed in
order to implement these policies in the engagement.
The procedures and controls would typically include:
- Procedures and controls for on-boarding and off-boarding of resources
- Procedures and controls for access provision for different job functions, roles and designations, and segregation of
duties
- Procedures and controls for password management
- Procedures and controls for network security (in terms of firewalls, antivirus etc. that need to be employed)
- Procedures and controls for data privacy and security (in terms of encryption, data masking or classification
that needs to be done)
- Procedures and controls for export compliance
- Procedures and controls for mobile security (if applicable)
- Procedures and controls for media handling (if applicable)
- Procedures and controls for handling security breaches.
The Information Security and Compliance Lead must seek concurrence with the relevant stakeholders, viz. the Client's risk and
compliance SMEs, the Independent Security Manager, the Client's compliance cell, the Engagement Manager (Services), the Service
Delivery Teams and the information security teams, to develop these policies and ensure they are in line with the Client's
security and compliance requirements.