
Tata Tele Business Services adopts best practices in third-party risk management from Tata Realty and Croma

Published on September 20, 2023

As Tata Tele Business Services (TTBS) focuses on providing the best services and enhancing third-party risk management (TPRM), it felt the need for a strong emphasis on data security controls. The existing process primarily focused on safeguarding the TTBS IT environment and its parameters. The following were some of the issues:

  • Limitations with the existing processes in enforcing security requirements for partners with access to IT applications. Inadequate protection against data security risks from a contractual perspective
  • Lack of visibility into the level of access partners have to critical IT applications
  • Insufficient assurance regarding security controls in partners’ environment

The TTBS team (Jiji Unnikrishnan, VP - IT Operations, and Parag Patil, GM - IT Security, along with Deepak Garg, Head - Internal Audit) had detailed interactions. Some learnings emerged during the Chief Audit Executive meet as well. From April 2023 onwards, interactions took place with two Tata group companies: Tata Realty (Madhu Kumar - IT Security Head, Girish Hadkar - IT Head and Gaurav Khandelwal - IA Head) and Croma (Smitesh Valanju - CISO and Keyur Shah - IA Head). A few concerns were discussed:

  • Assessing the necessity of individual resource-level access for partners, aligning it with business requirements, and possibilities of optimising access. Measures to safeguard against data security risks associated with partner engagements using mechanisms such as virtual desktop infrastructure
  • Actions in case of instances such as partners failing to comply with security controls, implementing mechanisms to prevent data leakage, and deploying security awareness programmes

These benchmarking interactions helped while developing the TPRM framework. TTBS created an in-house TPRM framework for data security comprising the following elements:

  • Identification of partners having access to TTBS applications/data
  • Categorisation of partners based on the type of access to data and risks
  • Applying risk mitigation strategies as per the categorisation (minimum security controls, contractual security clauses)
  • Performing periodic assessments/reviews based on partner categorisation
  • Monitoring security KPIs for partners such as:
    • Level of compliance to minimum controls
    • Minimise risk of unauthorised access with access reconciliation
    • Prevention/mitigation of security incidents
    • Security compliance reports (SOC2/ISO 27001 or other security certifications) for SaaS partners

The insights obtained from discussions with Tata Realty and Croma were added to the in-house framework to make it more comprehensive and robust (e.g., inclusion of elements related to personal data in the risk evaluation process).

The following benefits were perceived in KPIs as part of the TPRM programme implementation:

  • Increased visibility into partner resource access levels within the TTBS environment, with the implementation of necessary corrections where applicable. Robust approach towards mitigation of risks for different categories of partners
  • Increased visibility on security controls partners have deployed in their environment and compliance with minimum security controls prescribed by TTBS
  • Reasonable assurance on protection against data security risks in engagement with partners

 
