VERSION 1.0
2018
This is a controlled document. Unauthorised access, copying and replication are
prohibited.
This document must not be copied in whole or in parts by any means, without the
written authorisation of the Infrastructure Services, TATA Consultancy Services
Limited.
These Encryption and Retention Guidelines, Version 1.0, are released for use in Internal IT IS
with effect from Mar’18.
A soft copy of the latest version of the document is available in the Process Document
Repository.
Comments, suggestions or queries should be addressed to the Quality Head - IS, using the
Feedback Form at the end of this manual.
ABBREVIATIONS
IS Infrastructure Services
These Guidelines are intended to establish the requirements for the application of encryption to data
and equipment as a means of protecting the confidentiality, integrity and availability of TCS
Information. They also set out any relevant standards which those controls must meet.
Scope
The Guidelines cover the application of encryption to IS Information Assets under the TCS Information
Classification. These resources are TCS Assets managed by IS.
TCS Internal IT managed customer / third-party locations, or TCS assets at a Client Location, can use this
as a guideline if there is no Customer Policy / Guideline.
Guidelines
In order to mitigate the risk of disclosure or tampering with Classified Information through
interception, loss or theft of data or equipment, IS must deploy appropriate Encryption
security controls in conjunction with Security procedures.
Access control must be implemented to avoid unauthorised access of data from all IS
managed services and applications.
Data Encryption and Data Protection must be applied across the Data life cycle (as depicted in the
Table below).
o Active & Online
o Active & Rest
o Data in Transit
o Data at Rest
7 | Data at Rest | Backup Storage (Disk) | Data present in Backup Storage Devices (Disk Based Backup Appliances) must be Encrypted.
8 | Data at Rest | Tapes | Data present in Tapes must be Encrypted.
- All Data present in Application / Tool for Internal IT Services must be Encrypted at
Application / Tool Level if it is feasible
- Else configure and store application data on Storage or Servers with RAID level
protection storage [RAID 10, RAID 5 or RAID 6 (Dual Parity) or higher level
protection, excluding RAID 1(Mirror)]
- Data present in Storage Devices (SAN & NAS) must be configured with RAID level
protection [RAID 10 or RAID 5 or RAID 6 (Dual Parity) or higher level protection,
excluding RAID 1(Mirror)].
- Partition Level Disk Encryption must be enabled with the help of McAfee DES Tool for
Data present in Standalone Servers mainly for RAID 1 protection.
- Data present in Standalone Servers must be stored on disks with RAID protection
levels [RAID 10 or RAID 5 or RAID 6 (Dual Parity) or higher level protection,
excluding RAID 1(Mirror)].
- For Standalone Servers without RAID, McAfee DES (Disk encryption) solution is to be enabled
with pre-boot login option.
- Standalone Servers without RAID having Microsoft Windows operating system & Basic Disk
partition will be supported by McAfee DES (Dynamic partition will not be supported).
- Standalone Servers having Linux Operating system without RAID or with RAID 1 (Mirror) have to be
encrypted by tools like LUKS (Open Source Linux Encryption tool) or Symantec PGP solution.
- For Mac laptops certified by TCS Wintel team, McAfee MNE solution must be used to manage
the encryption key. Encryption will be done using the native Mac encryption feature.
- McAfee DES solution does not support Linux Operating system deployed on Laptops.
Symantec PGP solution or LUKS (Open Source Linux Encryption tool) shall be used to encrypt
laptops having Linux OS (e.g. RHEL, Ubuntu, CentOS).
Access to removable media (Pen Drive, External HDD, SD Card, etc.) will be
restricted & will be blocked using Active Directory policies. Device control tools like
Symantec or McAfee must be deployed.
Portable storage (Removable Media CD/DVD) devices will be permissible only with encryption
using a password based encryption tool at minimum.
All requirements for access to removable media to copy data will be based on an approved
Change Request.
A few additional fields will be captured in the CR, e.g. Type of data to be copied (Company
related, Personal like salary slip etc., Project, System Data Backup).
Data encryption needs to be enabled using Forcepoint DLP solution. The DLP client needs to be
installed and registered with DLP servers.
Other machines (where data has to be copied) should have the same Forcepoint DLP
client registered with DLP servers; in this case the user does not need to remember any
password. Data will not be retrievable from machines not having a registered TCS
Forcepoint DLP client.
1) Locations where TCS Forcepoint DLP solution is not deployed due to local authority
approval pending.
2) Users having exception approval (with CR) for not installing TCS DLP client
3) Data copy required for having presentation, RFP, Demonstration outside TCS office
All Laptops / Desktops should be installed with McAfee FRP solution before enabling access
to removable media
All removable media used for Data copy should be encrypted with McAfee FRP solution & no
data should be copied without encryption
Authentication password will be defined by the user during device encryption & the
same will be required to decrypt the device
For the locations having TCS DLP client deployed, any data copy on removable drive
will be monitored for data leakage purpose & will be encrypted using McAfee FRP
solution.
Data in Transit over TCS Intranet / MPLS may be encrypted at Network level, if
feasible.
Network Level Encryption must be enabled for Data over Internet. Minimum 256 bit
encryption to be made available.
Data present in Backup Storage Devices (Disk Based Backup Appliances) may be
encrypted, if feasible, in case backup data replication is in place (having minimum
AES 256 bit Encryption).
All Tape backups taken should be encrypted as per Standard Backup Tools like
Veritas NetBackup or any other Backup Utility (having minimum AES 256 bit
Encryption).
* This includes Data present in any stage i.e. Active, Transit and Rest
- In Case of Tapes
If they are reused after the Current Retention period is over, the Erasure
process should be such that deleted data cannot be retrieved and the Log for
the same is to be maintained
If media are not to be reused immediately after the retention period is over, they
should be overwritten with dummy data (which should not include any PI or any
information) so that old data cannot be recovered, and the Log for the same
is to be maintained
If they are at End of Life then they should be Degaussed and eWasted /
Shredded to ensure that no information can be retrieved back
Magnetic and Flash Storage Drive / Solid State Drive Hard Disk Retention
- Internal IT Infrastructure services to retain all types of faulty Hard Disk (Magnetic
Media or faulty Flash storage drive / Solid State Drive) from any form of device
across all locations and ensure no faulty hard disk or magnetic media goes outside.
- All hard disks and magnetic media used by Internal IT Infrastructure for POC or taken
on loan from vendor / 3rd party need to be erased using Blancco, followed by CR process for
handover back to vendor.
- Data on Desktops / Laptops should be erased using Blancco if the Hard disk is going out of
TCS for any reason, or as per customer guidelines / requirements of ODC setup.
Shared Folders such as File server and Secure File Transfer Protocol (SFTP) should not
be used for storing personal data. In exceptional cases which have appropriate Business
Justification and Management Approval, the same can be availed with the help of CR CTIS.
(Refer Annexure I for CTIS details)
When data is moved from a production to a non-production environment, the IS PII elements (DB
columns / Excel columns / flat file content) should be masked.
A uniform method of masking should be used across all environments. There must be a central
hosting service solution for IS teams to mask the IS PII data even while sharing it in the
form of spreadsheets over mail or shared folders.
Masking must not be reversible.
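The masking requirements above (uniform across environments, applied to columns, not reversible) can be met with a keyed one-way function. The sketch below is an added example and not part of the TCS guideline: the choice of HMAC-SHA256, the column names, the key and the function names are all assumptions made for illustration.

```python
import csv
import hashlib
import hmac
import io

# Assumption: the key is held only by the central masking service and is never
# copied to non-production. This constant is a constructed placeholder.
MASKING_KEY = b"constructed-demo-key-not-for-real-use"
PII_COLUMNS = {"employee_name", "email"}  # hypothetical column names


def mask_value(value: str, column: str, key: bytes = MASKING_KEY) -> str:
    """One-way, deterministic token for a PII value.

    Input is trimmed and lower-cased so every environment derives the same
    token for the same person; the column name is mixed in so equal strings
    in different columns do not collide. Output is 16 hex characters.
    """
    msg = column.encode() + b"\x00" + value.strip().lower().encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def mask_csv(text: str, pii_columns=PII_COLUMNS, key: bytes = MASKING_KEY) -> str:
    """Return the CSV text with every PII column replaced by its token."""
    reader = csv.DictReader(io.StringIO(text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        for col in pii_columns & set(row):
            row[col] = mask_value(row[col], col, key)
        writer.writerow(row)
    return out.getvalue()


# Constructed sample extract, not real data.
SAMPLE = (
    "emp_id,employee_name,email,grade\n"
    "1001,Asha Rao,asha.rao@example.com,C2\n"
    "1002,Asha Rao,a.rao@example.com,C1\n"
)

if __name__ == "__main__":
    print(mask_csv(SAMPLE))
```

Because the token depends on a key that stays with the masking service, a recipient of the masked extract cannot recompute tokens from a list of guessed names, which an unkeyed hash would allow.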
Creation of Shared Folder must follow CR Process (CTIS is as below) with consent
(Notification form is as below).
Accessing of Shared Folder must follow CR Process (CTIS is as below) with consent
(Notification form is as below).
Notification form – Change Summary (Access Rights-Access Rights and Access to location
NAS)
Notification Form
I Agree
Notification Form
I Agree
FEEDBACK FORM
Date:
Location / Centre:
From:
_______________________________________________________________________
Feedback details (Comments / Suggestions / Corrections / Queries)