Infosys cybersecurity is an amalgamation of the cybersecurity strategy that supports our cybersecurity framework and a strong cyber governance program driven through the Information Security Council.
The strategy is designed to minimize cybersecurity risks and align to our business goals. It focuses on proactive enablement of business, besides ensuring continual improvement in the compliance posture through effective monitoring and management of cyber events. We believe that an effective security culture would complement our cybersecurity objectives by reducing enterprise risks. Infosys cybersecurity program ensures that required controls and processes are implemented, monitored, measured, and improved continuously to mitigate cyber risks across domains.
Infosys is committed to
- Protect the confidentiality, availability, and integrity of information assets from internal and external threats
- Ensure and maintain stakeholders trust and confidence about Cybersecurity
The executive Cybersecurity governing body is in place to direct and steer:
- Alignment of Cybersecurity Strategy and policy with business and IT strategy.
- Value delivery to stakeholders.
- Assurance that Cyber risks are being adequately addressed.
Cyber Security Strategy and Governance
Infosys Cyber Security is an amalgamation of Cyber security strategy that is aligned to the business goals, supporting Infosys cyber security framework – SEED and a strong cyber governance program that is driven through the information security council.
The high-level objectives of the Cybersecurity program at Infosys are:
- Proactive business security and employee experience
- Continuously improve security posture and compliance
- Effective management of cyber events and,
- Building a security culture
Infosys’ cyber security framework is built basis leading global security standards and frameworks such as the National Institute of Standards Technology (NIST) cyber security framework and ISO 27001 which is structured around the below four key areas:
Security management system
Governance tier to lead and manage cyber security program of Infosys. The domains in this tier are governance and management in nature for successful Orchestration of different domains of the Cyber Security Framework
Enterprise security layer
‘Defense in depth’ approach to secure information and information assets. The domains in this tier are based on the path followed by Information as it flows through different information layers within the organization
Evolve and transform
Set of domains that we are focusing on to evolve and transform within the Infosys Cyber Security Framework
Detect and respond
Capability to identify occurrence of a cyber security event, implement appropriate activities to take action, and restore services impaired due to such cyber security incidents
The framework also entails a comprehensive Cybersecurity maturity model which helps to ascertain the Cyber Security maturity as well as benchmark against industry peers on an ongoing basis.
This helps in continued oversight and commitment from the Board and Senior Management on an ongoing basis through the Information Security Council (ISC) and the cybersecurity sub-committee.
In keeping with the ‘defense in depth’ philosophy, we have deployed several layers of controls to ensure that we keep ours, as well as our clients’ data, secure and thereby uphold stakeholders’ trust at all times.
Cybersecurity Management and Reporting
The Cybersecurity practices at Infosys have evolved to look beyond compliance. The comprehensive Cybersecurity metrics program has been contributing to the continuous improvement of the existing security practices and in integrating Cybersecurity within the business processes.
Information management, being an essential part of good IT governance, is a cornerstone at Infosys and has helped provide the organization with a robust foundation. There is a concerted effort from top management to our end users as part of the development and implementation process. Additionally, care is taken to ensure that standardized policies or guidelines apply to and are practical for the organization’s culture, business, and operational practices. Cybersecurity requires participation from all spheres of the organization. senior management, information security practitioners, IT professionals, and users have a pivotal role to play in securing the assets of an organization. The success of Cybersecurity can only be achieved by full cooperation at all levels of an organization, both inside and outside and this is what defines the level of commitment here at Infosys.
As a final level of defense, we undergo many internal audits as well as external attestations and audits in a year at an organization level (e.g.: SSAE-18, ISO 27001) as well as client account audits to assess our security posture and compliance against our obligations on an ongoing basis.
There were no material cybersecurity incidents reported in Fiscal 2022.
Our industry contributions and thought leadership
Infosys promotes cybersecurity through various social media channels such as LinkedIn, Twitter, and YouTube; sharing our point of views, whitepapers, service offerings, articles written by our leaders, their interviews stating various perspectives, and podcasts through our corporate handles providing cybersecurity thought leadership. In addition to this we work with analysts such as PAC Group and industry bodies such as Data Security Council of India, Information Security Forum etc. to create joint thought leadership that is relevant to the industry practitioners. Our niche report “Invisible tech, Real impact.”, based on a study done in partnership with Interbrand (A top brand consultancy firm) estimates the impact on brand value due to data breaches. We also host various global chapters of the Infosys CISO advisory council regularly that aims to be a catalyst for innovation and transformation in the cybersecurity domain. The distinguished members of the council collaborate to discuss, strategize, and prepare roadmaps to address the current security challenges of member organization and help decipher the evolving industry trends. We therefore through various channels drive awareness of and appreciation for cyber security.
The vulnerability management program at Infosys follows best-in-class industry practices coupled with top-notch processes that have been evolving over the years. Rich experience of deftly managing end-to-end vulnerability life cycle of Infosys Network and the constant hunger to stay abreast of the latest tools, technologies and related market intelligence have acted as a catalyst in fortifying the overall vulnerability management program.
A robust enterprise vulnerability management program builds the foundation for healthy security hygiene of an organization. The following practices have been put in place at Infosys for,
- Real time asset discovery followed by instantaneous identification of vulnerabilities, misconfigurations, and timely remediation
- Automation of vulnerability, configuration compliance, security assessments and review for assets, applications, network devices, data, and other entities in real time
- Close coupling of detection and remediation processes; auto prioritization to reduce the turnaround time for closure of detected vulnerabilities
- Continuous monitoring of all public facing Infosys sites and assets for immediate detection of vulnerabilities, ports, or services
- Regular penetration testing assessments and production application testing for detection and remediation of vulnerabilities on a real time basis
The vulnerability remediation strategy of Infosys focuses on threat-based prioritization, vulnerability ageing analysis and continuous tracking for timely closure. We have successfully eliminated the ticketing system for vulnerability tracking by establishing a continuous detection and remediation cycle, where the IT teams are enabled and onboarded onto the vulnerability management platform. A cyber security awareness culture is nurtured, and teams are encouraged to proactively remediate the vulnerabilities reported on their assets or applications.
Supply Risk Management
A comprehensive supplier security risk management program at Infosys ensures effective management of potential security risks across the various stages of supplier engagement. The process comprises of,
- Categorization of the suppliers based on the nature of the services provided
- Defining standardized set of information security controls as applicable to each category of supplier
- Defining, maintaining, and amending relevant security clauses in the supplier contracts as applicable to each category of supplier
- Due diligence, security risk assessment and effective management of the information security risks associated with suppliers
Defining and monitoring of key security metrics for suppliers (e.g., background check, security awareness training completion, timely interventions with regard to information security incidents etc.) and periodic reporting to the management further strengthens the Infosys supplier security risk management program.
Cybersecurity skill management
With the increasing demand for Cybersecurity jobs and a skilled workforce, Infosys has taken several measures to counter the Cybersecurity talent crisis as well as in skilling, retaining, and diversifying its Security workforce in areas such as application Security / Secure development lifecycle.
Cybersecurity team members undergo technical as well as behavioral trainings on an ongoing basis. Infosys internal training programs, as well as external bodies with cybersecurity subject matter expertise, are leveraged for the same with a strong focus on learning through the classroom as well as on-the-job trainings.
- Over 3,150 professionals underwent Purdue training on cybersecurity
- Infosys utilizes its partnership with NIIT to have its professionals undergo a cybersecurity Master’s Program
Building and upholding positive cybersecurity culture
At Infosys, driving positive cybersecurity culture is a key constituent of our robust cybersecurity strategy. We achieve this by leveraging diverse information security awareness means / tools, including – information security campaigns, focused modules in awareness quizzes, encouraging employees to understand and adopt good security practices through week-long campaign using advisory emailers / posters, awareness sessions, SME talks, videos, among others. There is also an interactive 3D animated e-Learning program that helps drive positive security behavior.
Innovations for our clients
Infosys innovation-led offerings and capabilities:
Cyber Next platform powered Services help customers stay ahead of threat actors and proactively protect them from security risks. Our pre-engineered packaged and managed security services help monitor, detract and respond by getting deeper that visibility and actionable insight through threat intelligence and threat hunting. Our offerings ensure risk-based vulnerability management by providing a comprehensive single pane of glass posture view. We have made huge progress in the Cyber Next platform powered service delivery through various modules - Cyber Watch, Cyber Intel, Cyber Hunt, Cyber Scan, Cyber Gaze, Cyber Compass, Cyber Central that ensure comprehensive Managed Protection Detection and Response (MPDR) for our global customers.
Zero Trust Security architecture and solutions to navigate our customers to embrace zero trust security. Key innovation and offerings include Secure Access Service Edge (SASE) delivered as-a service. With SASE as-a Service, we ensure strengthened overall security through cloud delivered security controls and capabilities. Infosys innovation in policy standardization enforce controls at access level, accelerate rollout of service thereby reducing or eliminating legacy tools allowing our customers to reduce overall costs while enhancing end-user experience.
Secure Cloud transformation with Cobalt assets drive accelerated cloud adoption. With Secure Cloud reference architecture and Secure by Design principle we ensure security is embedded as part of cloud strategy, design, implementation, operations and automation.
- Analyst recognition: Positioned as a Leader- U.S, in “Cybersecurity - Solutions & Services 2021 ISG Provider Lens™ Study“
- Client testimonies: Infosys Cybersecurity services was recognized by two of our esteemed clients bpost and Equatex