Copyright © 2014 Tech Mahindra. All rights reserved.

AT&T Security Controls/SISR: Update to TechM Constituents

Version 1.1. Created by: Manav Agnihotri

Agenda

Overview: AT&T Controls

Controls for CS

Overview: AT&T Security Controls

AT&T, TechM’s largest customer, began the journey in 2005 from Pune.

AT&T handed over the controls to TechM every year, and TechM was audited by external auditors (E&Y). The AT&T security controls now comprise SISR, IT Offshore compliance and the Requirements for Offshore Information Technology Services Requiring Elevated Rights.

From June 2013 the security controls have been part of the main body of the MSA: Amendment 7 of the MSA, effective from 28 Jun 2013, added the AT&T Security Controls to its main body.

The 2013 external audit by E&Y was conducted against the 2010 IT Offshore External Audit Controls and covered all AT&T ODCs in India.

Overview: AT&T Security Controls

The AT&T Security Controls in MSA Amendment No 7 include the following:

1. SISR 2011: 17 domains with 74 controls. SISR stands for Supplier Information Security Requirements, the minimum information security requirements that a supplier must adhere to (referred to hereinafter as AT&T Security Requirements No. 1).

2. Sec 18: Requirements for Offshore Information Technology Services Requiring Elevated Rights: 4 controls (referred to hereinafter as AT&T Security Requirements No. 2).

3. Requirements for Offshore Information Technology Services: 26 controls (referred to hereinafter as AT&T Security Requirements No. 3).

Security Requirements: Domains and Controls

AT&T Security Requirements No. 1

Domain | Total Controls | Stakeholder
System Security | 12 | TIM
Physical Security | 2 | CS
Network Security | 5 | TIM
Information Security | 8 | ISG, Delivery/PMO
Identification and Authentication | 8 | TIM, Delivery/PMO
Warning Banner | 1 | TIM
Software and Data Integrity | 6 | Delivery, ISG
Privacy Issues | 3 | ISG, Delivery
Monitoring and Auditing Controls | 6 | ISG
Reporting Violations | 2 | ISG, Delivery/PMO
Software Development | 1 | Delivery, QMG
Security Policies and Procedures | 3 | ISG, Delivery
Mobile and Portable Devices | 7 | TIM, Delivery, ISG
Security Gateways | 5 | TIM
Wireless Networking | 1 | TIM
Connectivity Requirements | 3 | TIM
WIFI Access Points | 1 | TIM

AT&T Security Requirements No. 2

Domain | Stakeholder | Total Controls
Privileged Access | TIM | 1
Auditing & Logging | TIM | 1
VAPT | ISG | 1
Deploy IPS | TIM | 1

AT&T Security Requirements No. 3

Domain | Stakeholder | Total Controls
Access, Logging, Disabling USB etc. | TIM | 7
Information Security, Classification etc. | Delivery | 4
Physical Security, ACS, CCTV, Dedicated ODC etc. | CS | 6
BV and CVC, Denied personnel check | RMG, PMO | 2
Training, Compliance etc. | ISG | 3
ACS Records reconciliation etc. | Delivery/PMO & CS | 2
AT&T’s Rights | Business | 2

AT&T Security Controls for CS

Please refer to the AT&T Security Controls Excel embedded in this slide for the security controls in which CS leads as implementer and/or assists. The points given below are highlights; for details, refer to the attachment.

Embedded attachment: AT&T Security Controls_Amendment 7

1. Ensure physical security of the facility, ODC and/or OOC and restricted areas housing infrastructure supporting AT&T (Control No. 13).

2. Ensure the ODC is controlled by ACS and has CCTV coverage in place, and that CCTV coverage of the location/periphery remains up (Control No. 14, 21).

3. Ensure the AT&T-specific notification is posted on the doors to the ODC and/or OOC. The notification declares it a restricted area for AT&T associates supporting AT&T (Control No 8).

4. Ensure security personnel deployed at AT&T ODCs are adequately trained in the AT&T physical controls, and maintain evidence of the training. Security must stop tailgating and unauthorized access, and respond to alarms (Control No 19, TechM’s ISMS posture).

5. Generate weekly Access Log records for AT&T ODCs and/or OOC, share them with the AT&T Security Coordinators and act on their recommendations. Access to the ODC must be recommended/approved by the AT&T Security Coordinator (Control No 20).

6. Ensure baggage checks of AT&T associates while exiting the ODCs and/or OOC (Control No 8).

7. Ensure only authorized associates are allowed inside AT&T ODCs and/or OOC, and update the records accordingly (Control No 24).

8. Ensure third parties are given only escorted entry to AT&T areas, and only after a green BV/CVC (Control No 23).

9. Ensure only authorized laptops are allowed inside AT&T ODCs and/or OOC, and check laptops against the records circulated by the AT&T PMO.

10. Ensure no prohibited devices are allowed inside the ODC and/or OOC (TechM’s ISMS).

Controls for CS

12. Ensure no AT&T assets, or TechM assets supporting AT&T, are taken outside without due approvals in place (Control No 24).

13. Ensure printed pink papers are checked; blank stationery is not allowed inside the ODC and/or OOC (Control No 24).

14. Ensure the Paper Indent Process is followed for allowing personal prints outside the ODC and/or OOC (Control No 10).

15. Ensure availability of shredders and bins (with locks in place) inside the ODC and/or OOC.

16. Ensure adherence to the Third Party Agreement policy and guideline (TechM’s ISMS).

17. Ensure that the clear desk report is prepared and signed by the Security Coordinator and reviewed by CS (Control No. 10).
