Information Security and Business Continuity @ Mahindra Satyam
Mahindra Satyam Confidential
What is Information Security Management?

A management system that helps to:
• Establish, implement and operate
• Monitor, review, maintain and improve
information security.

Information Security is the preservation of Confidentiality, Integrity and Availability of information, and of other properties such as Authenticity, Accountability, Non-repudiation and Reliability.

• Confidentiality: the property that information is not made available or disclosed to unauthorized individuals, entities, or processes
• Integrity: the property of safeguarding the accuracy and completeness of assets
• Availability: the property of being accessible and usable upon demand by an authorized entity
• Authenticity: the property of being genuine and being able to be verified and trusted
• Accountability: the security goal that generates the requirement for actions of an entity to be traced uniquely to that entity
• Non-repudiation: assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the information

Source: ISO 27001:2005 standard
Information Security Management System (ISMS) @ Mahindra Satyam

• Based on the international standard ISO 27001:2005
• Globally certified (all current locations)
• Additional reference (QUALIFY): http://esupport.satyam.com > Webqualify > ISMS Policy Manual – Section on Locations
• Certifying body: BVQI – UK
• Compliance is verified annually through audits

As the policies and controls are consistently applied across the organization, Satyam is globally certified. Any new location is considered a scope extension and is covered as part of the surveillance and / or recertification audits. The current locations under scope are listed in the ISMS Policy Manual.
ISO 27001:2005 contains the following domains:

• Security Policy
• Organizing Information Security
• Asset management
• Human resource security
• Physical and environmental security
• Communications and operations management
• Access control
• Information systems acquisition, development & maintenance
• Information security incident management
• Business continuity management
• Compliance
Security Policy

“To ensure Confidentiality, Integrity and Availability of information that is acquired, developed and provided to all stakeholders”

Refer: QUALIFY > QMS Documentation > Policy Manuals > ISMS > ISMS – Policy Manual, Section: Information Security Policy
Organizing Information Security

Roles in the security organization:
• Chief Information Security Officer
• Information Security Management Forum
• Core Group
• Managing Director
• Local Core Groups

Refer: QUALIFY > QMS Documentation > Policy Manuals > ISMS > ISMS – Policy Manual, Section: Information Security Management Forum / Roles & Responsibilities

Local core groups are constituted at each city for effective implementation of information security and business continuity. These local core groups are represented by the relevant stakeholders.
Asset Management

• Assets are classified as Physical, Software and Information
• Each carries a potential security risk based on the possible threats; an asset-based risk assessment is carried out and the identified risks are mitigated through the implementation of controls
• Each asset should have an asset owner
• Information classification
• Data creation, storage and disposal

Refer: QUALIFY > QMS Documentation > Policy Manuals > ISMS > ISMS – Policy Manual, Section: Asset classification and control

Physical assets are capital items, computer hardware etc.; software assets are software licenses and applications; information assets are financial, HR and legal records etc. Based on the risks associated with each asset, controls are identified and implemented to ensure the security of information and data. Information that is created or obtained is classified based on its confidentiality. Project-confidential information cannot be shared with any associate outside the project; similarly, information classified as Circle confidential cannot be shared beyond the circle. Any deviation from the classification would amount to a violation of the information security policy. All information should be stored on Mahindra Satyam’s network or Mahindra Satyam’s equipment and should not be taken out of the premises without the prior approval of the AIC or RM, as the case may be. Hard copies should be destroyed after use.
Human Resource Security

• Human resources are the weakest link in maintaining information security
• Reference and background check
• Confidentiality (non-disclosure) and Intellectual Property Rights agreement
• Specific agreements based on business requirement
• Similar process for trainees, contract and temporary staff
• Awareness training to all associates
• Reporting security incidents through iSIMS

Refer: QUALIFY > QMS Documentation > Policy Manuals > ISMS > ISMS – Policy Manual, Section: Personal Security

For any organization, human resources are the weakest link in ensuring information security and constitute a potential threat. At the time of joining, thorough reference and background checks are carried out for all associates. All associates also sign a Non-disclosure and IP rights agreement as part of the terms and conditions of employment. In certain ODC and business engagements, the customer insists on specific agreements. Associates should be aware of these terms and conditions at all times, because they are legally binding and can lead to disciplinary action. Trainees, contract and temporary staff follow the same process of signing agreements. To understand the security policies, each associate should undergo training and, as and when the policies change, should make themselves aware of such changes. Associates who observe potential security violations, or incidents that have the potential to become security incidents, should report them through the iSIMS system available in eSupport. iSIMS is an automated security incident tracking system with a workflow to assign incidents for resolution and to escalate them to higher levels of management.
Physical and Environmental Security

Physical security:
• Physical security perimeter
• Physical entry control
• Securing offices, rooms and facilities & working in secure areas

Equipment security:
• Equipment siting and protection
• Security of equipment off premises, such as laptops
• Secure disposal or re-use of equipment

Refer: QUALIFY > QMS Documentation > Policy Manuals > ISMS > ISMS – Policy Manual, Section: Physical and Environmental Security

As part of the physical security perimeter, Mahindra Satyam has four levels of barriers:
• perimeter compound wall with entry / exit points manned by security personnel where applicable, e.g. STC
• reception area manned by a Mahindra Satyam employee / security
• entry to Mahindra Satyam office premises through proximity identity cards / biometric access
• specific access to secure areas of concern, such as server rooms

Physical entry control ensures that only authorized personnel are allowed access. The facilities, work areas and offices are secured through proper physical access control; lockable storage spaces within the work area; physical frisking; restriction on photography (including mobile phone cameras); no personal laptops, etc.

Equipment siting and protection is ensured through the deployment of security personnel to prevent theft; fire detection systems; sufficient power backup systems; restriction on eating, drinking and smoking at the workplace; suitable controls for handling laptops; formatting of storage media before re-use; and physical destruction of storage media before disposal.
Communications & Operations Management

Email policy: to ensure proper use of the Email facility by Mahindra Satyam Associates and to prevent its misuse.
• Email is provided for associates to conduct business; personal use is discouraged
• All Email messages created and stored are Mahindra Satyam’s proprietary information
• Mahindra Satyam retains the right to supervise, access and review Associates’ electronic mail
• Authorized users must not allow anyone else to send or receive e-mail using their Email accounts
• Company Confidential Information shall not be shared except to the extent necessary
• Company-related information shall be sent only to those Associates concerned, on a “need to know” basis
• No Associate is allowed to send objectionable material
• Auto-forwarding of email from inside Mahindra Satyam to an outside network shall not be allowed
• A disciplinary process is in place to address any violation of the spirit of this guideline
• Sending emails to public Internet Email accounts shall be restricted and controlled

Refer: QUALIFY > QMS Documentation > Policy Manuals > ISMS > ISMS – Policy Manual, Section: Communications and operations management

As per the email policy, confidential information should not be shared with external parties except on a need-to-know basis; objectionable material should not be sent; certain attachments are restricted and are dropped at the gateway; and mail to public email accounts is restricted.
Access Control

• Access control policy
• User access management: privilege management, user password management
• User responsibilities: password use, unattended user equipment
• Internet / intranet access policy
• Application access control

Refer: QUALIFY > QMS Documentation > Policy Manuals > ISMS > ISMS – Policy Manual, Section: Access Control

Users in the network shall be authenticated by a basic authentication mechanism, i.e. through a unique user ID. User access management is driven through a documented procedure that enables privilege management and user password management. User responsibilities are driven by selecting good security practices when formulating the password and ensuring its confidentiality, and by using password locks, system log-off and screen savers to enforce information security while the system is not in use. Usage of internet resources is monitored by the N&S team and malicious sites are restricted; users are expected not to post objectionable material on the intranet sites of Mahindra Satyam and not to share intranet site content with external parties. Access to internal applications is restricted where applicable.
iSIMS – Information Security Incident Management System

The iSIMS application is available under the associate workbench and can be used for logging information security incidents. The necessary workflow to ensure tracking and closure of the incident is built in.
What is Business Continuity Management?

“Business Continuity Management is the process of anticipating incidents which will affect critical functions and preparing the organization to prevent and respond to disasters in a planned and rehearsed manner.”

“If you fail to plan, you plan to fail” – Anonymous
Impact of Disaster on our Business

Interruptions lead to total outage costs:
• Productivity Loss: number of employees impacted
• Lost Revenue: direct loss, compensatory payments, lost future revenues, investment loss
• Delayed Collections, Billing Losses, Missed Discounts
• Extra Expense: cost to recover, overtime expense, increased fraud risk, increased error rate, travel expenses, temporary employees
• Damaged Reputation: customers, suppliers, partners, banks, financial markets, credit ratings
• Penalties: contractual, regulatory, legal
Mahindra Satyam’s BCMS Model

Cause → Failure Mode → Effect

Causes: Fire • War • Power Outage • Explosion • Computer Virus • Strike • Hacking • Flood • Telecommunication Failure • Theft & Robbery • Shortage of Critical Items • Critical Server Breakdown • Earthquake • Prolonged absence of Essential Public services

Failure modes: Information • Infrastructure • Personnel

Effects: Site Outage • City Outage • Country Outage
Contingency Plans

• Site Outage: critical services from an alternate site in the same city
• City Outage: critical services from an alternate site in another city
• Country Outage: critical services from the BC center @ Singapore
(Onsite / Offsite)

Mahindra Satyam leverages its multi-location presence across the world to provide alternate sites for the critical projects.
Business Continuity Planning in Projects

BC Plan development activities across the project lifecycle:
• Assess BCP requirements vs cost
• Identify critical projects
• Risk assessment
• Recovery SLAs & options
• Implementation & testing
• Maintenance
• Best practice / lessons learnt

Project lifecycle phases: Project Acquisition → Project Initiation → Project Planning → Project Execution → Project Closure
Business Continuity Management

• Identification of applications or support services critical for continuity, as required by the customer
• Mitigation plans to minimize impact
• Customer-approved business continuity plans to manage disaster
• Continuity of services from alternate sites
• Multi-site and multi-city presence to manage site, city and country outage scenarios
• BC options based on recovery window (RTO)
• Completion of scheduled BC tests and retrospective meetings
• Support required from other stakeholders such as CS and N&S to be notified and documented in the location-specific BCP
• Updated call tree details to be sent on a monthly basis
• Logistics to address contingency and resumption activities (movement to alternate site, seating arrangement, connectivity requirements, and accommodation and food if required), including for critical associates

Refer: QUALIFY > QMS Documentation > Policy Manuals > BCMS > BCMS – Policy Manual
BC Plan Options

BC Plan I:
• Recovery of critical projects
• Site outage and city outage scenarios
• 24 hr – 72 hr recovery windows
• Shared infrastructure; project-specific infrastructure at cost
• Site capacity up to 5% of primary site
• 15% capacity over 3 shifts, in a common operating environment

Service levels (customer cost increases with the service level):
• Plan I: < 72 hours – Mahindra Satyam
• Plan II: < 12 hours – Customer
• Plan III: < 4 hours – Project

The Business Unit plans are of three types: Plan I, II and III. Plan I is the Mahindra Satyam basic plan, which is already in place; measures for risk mitigation etc. have already been taken. Plan II and Plan III are client-specific and project-specific plans respectively, dependent on the nature of the engagement and the type of project. BC Plan I provides minimum acceptable service levels for customers; BC Plan II and III provide enhanced service levels at additional cost.
Compliance

• Compliance with legal requirements
• Data privacy protection
• Third-party software usage
• Safeguarding organizational records
• Prevention of misuse of information processing facilities

Refer: QUALIFY > QMS Documentation > Policy Manuals > ISMS > ISMS – Policy Manual, Section: Compliance
Why Information Security?

• It is a statutory requirement
• Avoid legal liability in case of a security breach
• Customers need assurance
• Information is key to the business, and any breach can have a long-lasting impact on the organization’s success & growth
• Competitive advantage
• To ensure Confidentiality, Integrity and Availability
• To ensure continuity of services
Do’s and Don’ts

Do’s:
• Follow Mahindra Satyam specific password guidelines
• Change password if there is an indication of compromise
• Change default passwords on computers and devices
• Use MS Office Communicator for instant messaging
• Follow clear screen and clear desk policy

Don’ts:
• Share passwords – you could be liable for a breach
• Use another associate’s email account
• Forward business mails to public email accounts
• Open suspicious attachments
• Distribute email addresses to third parties
Do’s and Don’ts

Do’s:
• Follow information classification guidelines
• Periodically check for the anti-virus signature
• Safeguard portable devices against theft
• Report lost or stolen equipment immediately
• Use iSIMS to report information security incidents

Don’ts:
• Send sensitive data through wireless devices
• Use external storage devices
• Turn off or disable anti-virus
• Download software, audio/video files from the internet
• Publish Mahindra Satyam IP on internet sites
Do’s and Don’ts

Do’s:
• Lock workstation when it is not being used
• Zip the attachments to optimize bandwidth
• Safeguard portable devices against theft
• Report lost or stolen equipment immediately
• Use iSIMS to report information security incidents

Don’ts:
• Share customer reference and / or related information
• Install unauthorized software
• Send offensive or disruptive material through email
• Visit malicious sites on the internet
• Misuse resources and privileges
Do’s and Don’ts

Do’s:
• Be aware of the NDA
• Go through the Information Security Policy Manual
• Use proximity access card for access to the facility
• Ensure boot password for laptops
• Secure laptops when left unattended

Don’ts:
• Use photographic equipment within Mahindra Satyam premises
• Leave laptops unattended (shopping malls, parking etc.)
• Discuss company confidential information in public
• Ignore security requirements while developing software
• Disclose project related data to unintended parties
Do’s and Don’ts

Do’s:
• Maintain confidentiality on Customer name, project & documents
• Maintain project records as per record retention guidelines / contract
• Identify Mahindra Satyam’s and Customer’s IP while delivering services, to claim proprietary rights on Mahindra Satyam IP when required
• Adhere to Personal Data Privacy obligations as per contract
• Be sensitive to Information Security policy and procedures

Don’ts:
• Commence performance of work before the contract is signed
• Subcontract work without Customer’s written consent
• Use Open Source unless authorized by Customer in writing
• Refer to Customer / Customer trademarks / logos in presentations unless the customer is REFERENCE-ABLE
• Be ignorant of the security policy and procedures
Thank You