Security

TCS provides consulting, IT solutions, products and services to its customers. Security is key to all of TCS' offerings. TCS' Security Management System is certified to the globally recognized ISO 27001:2013 Information Security Management Systems - Requirements standard and addresses key security controls. TCS has been certified "Enterprise wide" for ISO 27001:2013 security standards, including compliance assessment for ISO 27017:2015 (Information Security Controls for Cloud Services) and ISO 27018:2019 (Protection of PII in Public Clouds as PII Processors), as well as for ISO 22301:2012 Business Continuity standards.

The TCS Security Management System applies uniformly to all of TCS' operations, services and products / platforms, including services provided through TCS' own cloud or other cloud service providers. It defines a set of controls across all locations from which operations related to TCS offerings are carried out. TCS MasterCraft software is developed under the Standards, Procedures and Guidelines of the TCS Security Management System.

Process Security

TCS MasterCraft software adheres to the Secure Software Development Lifecycle (SSDLC) guidelines prescribed in TCS' Information Security Management System. A summary of the key security practices followed in the SSDLC is listed below:

    All software requirements are evaluated for the CIA triad of Confidentiality, Integrity and Availability

    Threat Models are created for the software using the STRIDE approach

    All third party software components are continuously evaluated for open vulnerabilities.

    All code is continuously scanned through static application security testing (SAST).

    The software is regularly scanned through dynamic application security testing (DAST).

    Software is assessed for data privacy compliance requirements.

    All TCS MasterCraft Product associates regularly undergo Information Security training as applicable to their roles.

Product Security

Security is incorporated in all phases of the lifecycle. TCS MasterCraft uses the TCS SSA framework for this purpose. Security requirements are captured for all new applications. The software undergoes security design analysis, which includes threat modelling among other activities. Any change to the software undergoes a change control procedure.

TCS MasterCraft software implements the following security principles under the CIA triad:

    Confidentiality

    • Authentication - Access to the software and its components is suitably authenticated
    • Authorization - Access to the various software features is properly authorized using an RBAC (Role Based Access Control) framework, and appropriate segregation of roles is implemented
    • Network Access Control - Access to the software and its components is controlled using perimeter network controls

    Integrity

    • Data Security - Data is protected both at rest and in motion
    • Auditability - An appropriate audit of all key activities is maintained

    Availability

    • High availability - High availability and failover are built into the software architecture for all its constituent components
    • Backup and Recovery - Backup routines and recovery procedures are defined
    • Disaster Recovery - Disaster Recovery processes are documented

High availability is provided out of the box in the SaaS model, and for on-premises deployments the software can be deployed in high availability mode.

The MasterCraft SaaS architecture uses a multi-tenant data model to host all its data. Data for each tenant is held separately. All user data is protected from unauthorized access. The MasterCraft SaaS software is hosted in India using TCS's cloud services.

This security policy was last updated on 2nd September 2020