Hexaware Corporate Security Program

Hexaware’s Corporate Security programs are designed to protect customer information and our organizational assets, including business-sensitive information (such as personal information) whose protection is crucial to Hexaware’s and its clients’ business interests.

Hexaware Industry Standards and Certifications

Hexaware’s security policies cover the management of security for both Hexaware’s internal operations and the services Hexaware provides to its customers, and apply to all Hexaware personnel, including employees and contractors. These policies are aligned with ISO/IEC 27001:2022 and the ISO 22301:2019 Business Continuity Management System (BCMS) standard, against which all our Delivery Centers are certified.
Hexaware is also certified against, or assessed for compliance with, further standards and regulations as required by its customers, including the EU General Data Protection Regulation (GDPR), AICPA SSAE 18 (SOC 1 Type II), ISAE 3402 and SOC 2 Type II, Payment Card Industry Data Security Standard (PCI DSS), Cyber Essentials, Health Information Trust Alliance (HITRUST) certification, and the Health Insurance Portability and Accountability Act (HIPAA).

Hexaware Information Security Policy

Hexaware is committed to managing Information Security to ensure the Confidentiality, Integrity & Availability of Organizational and Customer Assets.

This Security Policy reiterates our commitment to protect all the information and assets that we own or are responsible for; thus, ensuring an efficient, safe, and secure working environment for Hexaware and its customers.

Hexaware has deployed a convergent security model to ensure:  

  • Protection of information and assets against unauthorized access by deploying adequate security controls covering physical, logical, and people security
  • Compliance with legal, statutory, and regulatory requirements across its global operations
  • Resilience of operations in line with business requirements and obligations to its stakeholders
  • Definition of the security responsibilities of functions and individuals in adhering to this Policy
  • Adequate security awareness and competence among associates at all levels to fulfill these responsibilities
  • Guidance on information security risk management
  • Direction for threat intelligence and vulnerability management operations
  • Governance, risk, and compliance oversight of security performance against appropriate targets and objectives, enabling continuous improvement

This Policy is supported by Standards, Procedures and Guidelines (Security Management System) and will be made available to all stakeholders who are expected to contribute towards the effective implementation and deployment of these security norms.

The Security Management System is periodically reviewed to ensure its continuing applicability and relevance to our operations and evolving stakeholder expectations.

Leadership, Commitment & Governance

Effective governance and commitment to information security and data privacy are essential for organizational risk oversight and compliance. This includes roles spanning from the board to individual employees, ensuring adherence to security protocols and timely reporting of incidents.

Governance structure and leadership: The board holds ultimate responsibility for risk oversight, with dedicated committees prioritizing information security and privacy. The Information Security Management System is headed by the CRO and managed by the Chief Information Security Officer (CISO), supported by a specialized governance team covering security, privacy compliance, and business resilience. All workforce members share responsibility for safeguarding information assets through secure practices and incident reporting.

Hexaware Information Security and its Classification Policy

Hexaware’s formal Information Protection Policy sets forth the requirements for classifying information into five classes (Public, Internal, Confidential, Private, and Commercial in Confidence) and for managing each class. Each classification carries a corresponding level of security control, such as encryption requirements for all non-Public data.

Hexaware Data Management and Retention

Hexaware has defined and implemented policies for data retention and safe disposal, which are carried out by the respective functions and delivery operations. These operational policies define requirements according to in-country regulatory requirements, contractual obligations, and management directives.

Physical and Environmental Controls

Hexaware Global Physical Security is responsible for defining, developing, implementing, and managing physical security for the protection of Hexaware’s employees, facilities and assets.

Hexaware Global Physical Security regularly performs facility site risk assessments to confirm that the correct and effective physical security controls are in place and maintained.

Hexaware has implemented the following protocols in every facility:

  • Physical access to facilities is limited to Hexaware employees, contractors, and authorized visitors, all of whom are issued identification cards that must be worn while on Hexaware premises.
  • Visitors are required to register before entry and must be escorted by Hexaware personnel while in Hexaware facilities.
  • Security monitors who holds keys and access cards and which facilities they can access. Staff leaving Hexaware’s employment must return keys and cards, and cards are deactivated upon termination.
  • A mix of 24/7 on-site security officers and patrol officers, depending on the risk and protection level of the facility. In all cases officers are responsible for patrols, alarm response, and recording of physical security events.

Facilities use centrally managed electronic access control systems with integrated intruder alarm capability and CCTV monitoring and recording. Access control logs and CCTV recordings are retained for 30 to 90 days, as defined in Hexaware’s Record Retention Policy, with the period based on the facility’s function, risk level, and local laws.

Hexaware Human Resources Security

Employee Screening

Hexaware engages an external screening agency to perform pre-employment background investigations for newly hired employees. Screening requirements vary by country according to local laws, employment regulations, and Hexaware-defined policies.

Commitment to Confidentiality

Hexaware employees are required to maintain the confidentiality of customer data. Employees must sign a confidentiality agreement and comply with company policies concerning protection of confidential information as part of their initial terms of employment. Hexaware requires a written confidentiality agreement from each subcontractor before that subcontractor provides services.

Training and Awareness

Each employee is required to complete information security and data protection awareness training upon hiring and every year thereafter. The course instructs employees on their obligations under Hexaware’s information security and privacy policies, and covers the data privacy principles and data handling practices required by company policy.

Hexaware promotes security awareness and educates employees through regular newsletters and various security awareness campaigns.

Hexaware Access Control

Access control refers to the policies, procedures, and tools that govern access to and use of resources. Examples of resources include a cloud service, physical server, file, application, data in a database, and network device.

Password Management

Hexaware personnel must follow the rules for password length, complexity, and other password requirements defined in the internal Information Security Management System; where required, client-mandated password policies are deployed instead. Employees must keep their authentication credentials, such as passwords, confidential at all times and are prohibited from sharing their individual account passwords with anyone by any means.

Access Review and Revocation

Hexaware performs regular reviews of network and operating system accounts to confirm that employee access levels remain appropriate. In the event of employee termination, death, or resignation, Hexaware takes appropriate action to promptly revoke logical and physical access.

Data Security

Hexaware’s corporate security controls can be grouped into three categories: administrative, physical, and technical security controls.

  • Administrative controls, including logical access control and human resource processes.
  • Physical controls designed to prevent unauthorized physical access to servers and data processing environments.
  • Technical controls, including secure configurations and encryption for data at rest and in transit.

Encryption

Encryption is the process of rendering data unreadable without the specific key needed to decrypt it. Hexaware’s Information Security Management manual defines high-level requirements for protecting data through encryption and key management, both for data at rest (in storage) and for data in transit.

Hexaware's Endpoint Device Security Policy

Hexaware has deployed next-generation EDR (Endpoint Detection and Response) tooling. All assets are built from an approved OS image, and default local administrator and USB rights are blocked. BitLocker is enabled on all laptops, and the company provides mobile devices; in addition, mobile device management (MDM) solutions are implemented to prevent data leakage.
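The controls named above (disk encryption on, USB storage blocked, local administrator rights restricted) are the kind a practitioner would want to verify on a sample of endpoints rather than take on trust. The following PowerShell script is an added example written for this page, not a Hexaware tool: it checks each control on the local Windows machine and exits non-zero if any fails. The allowed administrator list is an assumption; the registry keys and cmdlets are standard Windows ones. Run it from an elevated session on a Windows edition that ships the BitLocker module.

```powershell
# Added example (not Hexaware's code): verify the endpoint baseline described
# on this page on the local machine. Run elevated; requires the BitLocker module.

# Assumption: only the built-in Administrator and this (hypothetical) domain
# group are permitted in the local Administrators group.
$AllowedAdmins = @('Administrator', 'CORP\Workstation-Admins')

function Test-BitLockerBaseline {
    # Pass only if the OS volume is fully encrypted AND protection is actually on
    # (a volume can be encrypted with protectors suspended, e.g. after firmware updates).
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    [pscustomobject]@{
        Check  = 'BitLocker on OS volume'
        Pass   = ($os.ProtectionStatus -eq 'On' -and $os.VolumeStatus -eq 'FullyEncrypted')
        Detail = "ProtectionStatus=$($os.ProtectionStatus); VolumeStatus=$($os.VolumeStatus); Method=$($os.EncryptionMethod)"
    }
}

function Test-UsbStorageBlocked {
    # Two common ways to block USB mass storage: disabling the USBSTOR driver
    # (Start = 4) or the Removable Storage Access policy (Deny_All = 1).
    $start   = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
                                 -Name Start -ErrorAction SilentlyContinue).Start
    $denyAll = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' `
                                 -Name Deny_All -ErrorAction SilentlyContinue).Deny_All
    [pscustomobject]@{
        Check  = 'USB storage blocked'
        Pass   = ($start -eq 4 -or $denyAll -eq 1)
        Detail = "USBSTOR Start=$start; RemovableStorageDevices Deny_All=$denyAll"
    }
}

function Test-LocalAdminMembership {
    # Flag any member of the local Administrators group that is not on the allow list.
    # Local accounts are reported as COMPUTERNAME\Name, so strip that prefix before comparing.
    $members    = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    $unexpected = $members | Where-Object {
        $AllowedAdmins -notcontains ($_ -replace "^$env:COMPUTERNAME\\", '')
    }
    [pscustomobject]@{
        Check  = 'Local Administrators restricted'
        Pass   = (-not $unexpected)
        Detail = "Members: $($members -join ', ')" +
                 $(if ($unexpected) { "; unexpected: $($unexpected -join ', ')" })
    }
}

$results = @(
    Test-BitLockerBaseline
    Test-UsbStorageBlocked
    Test-LocalAdminMembership
)

$results | Format-Table -AutoSize

# Non-zero exit lets fleet tooling (Intune remediation, SCCM, a scheduled task) treat
# any failed check as non-compliant.
if ($results.Pass -contains $false) { exit 1 }
```

The BitLocker check deliberately requires ProtectionStatus to be On rather than just VolumeStatus to be FullyEncrypted: a suspended protector leaves the disk encrypted but the key exposed, which a report based on encryption state alone would miss.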

Hexaware Suppliers Security

Hexaware suppliers are required to protect the data and assets Hexaware entrusts to them. Suppliers are responsible for compliance with these standards, including ensuring that all personnel and subcontractors are bound by contractual terms consistent with the requirements of Hexaware’s standards. These standards cover a wide range of requirements in the following critical areas:

  • Personnel/human resources security
  • Business continuity and disaster recovery
  • Information security organization, policy, and procedures
  • Compliance and assessments
  • Security incident management and reporting
  • IT security standards
  • Data protection and privacy
  • Baseline physical and environmental security

Security Incident Policy and Operations

Hexaware’s Security Incident Management Policy defines requirements for reporting and responding to information security events and incidents. A standard mailbox, Securityincidents@hexaware.com, is published so that internal staff, customers, and other third parties can report incidents.

Hexaware’s incident response process includes the following activities:

  • Investigate and validate that a security event has occurred.
  • Communicate with relevant parties and provide appropriate notifications.
  • Preserve evidence and forensic artifacts.
  • Document security event or incident and related response activities.
  • Contain security events or incidents.
  • Address the root cause of security events or incidents.
  • Escalate security events.

Notifications

If Hexaware determines a security incident involving assets managed by Hexaware has occurred, Hexaware will promptly notify impacted customers or other third parties in accordance with its contractual and regulatory requirements.

Data breach investigation and reporting

The Data Protection Officer leads incident investigations and reports findings with root cause analysis and corrective actions to relevant authorities. Data breaches are notified to the Data Protection Authority and affected data subjects within the prescribed timelines, with disciplinary actions taken against responsible employees as necessary.

Information Security Audit

The objective of information security audits and control assessments is to identify and assess risks related to cyber security, business continuity, and data privacy, and to mitigate them so as to maintain the baseline security posture.

The Hexaware Information Security Audit (ISA) ensures compliance with Information Security Policies through a system of formal, planned, documented audits of all elements of information security. Its primary objective is to ensure that the information security requirements committed to in contractual agreements with our clients are adhered to at the account level, and that project teams comply with our Information Security Policy, processes, and guidelines.

GRC teams are responsible for reviewing the information security clauses in MSAs, RFPs, agreements, and due diligence questionnaires (DDQs). They also review project-related security documents such as the DPIA, the Business Impact Analysis, the Business Continuity Plan, BCP exercise records, and risk reviews.

Role of external/third party audits

External auditors and regulators play a crucial role in governance by conducting audits and assessments to evaluate the effectiveness of internal controls and assurance processes annually or as prescribed by standards.

Business Continuity Program

The scope of this framework covers all functions, projects, and services (including cloud migration and management and consulting) as defined in contractual agreements, and all buildings and locations of Hexaware Technologies, both onsite and offshore as applicable.

During the Business Impact Analysis phase, the Recovery Time Objective (RTO) is estimated against site-disaster scenarios of various durations. Hexaware Technologies has locations in different cities that can be used to address city-wide disasters.

The Business Continuity Plan addresses specific disaster events and assumes that the primary site is suddenly inaccessible or must be vacated without warning. Scenario details for development and business process service centers are given in the section “Recovery Strategy”. The plan also specifies the functional roles and responsibilities required to create, maintain, assess, and evaluate business continuity capability across LOBs and geographies, in alignment with the ISO 22301 international standard for business continuity management.