Cybersecurity and information management

Infosys’ own Cybersecurity program is managed by the Information Security Group (ISG), which upholds the organization’s security posture, empowers internal teams with a culture of democratized cybersecurity, and delivers assurance and trust to all customers and stakeholders. Our practices look beyond compliance and include:

• Metrics program – Evaluates compliance, suggests improvements, and drives integration with business processes
• Standardized policies and guidelines aligned with the organization’s culture, business, and operational practices
• Internal audits
• External attestations and audits (e.g. SSAE-18 SOC 1 &SOC 2 Type II, ISO 27001)
• Client account audits
• AI governance reviews aligned with ISO 42001 and the NIST AI Risk Management Framework, addressing the agentic AI risk landscape
• Board-level oversight through periodic cybersecurity reviews

We promote cybersecurity through:

• Social media messaging
• Tie-ups with analysts (eg. PAC Group) and industry bodies (such as Data Security Council of India and Information Security Forum) to create relevant joint thought leadership
• Participation in public cybersecurity awareness initiatives led by non profits such as NASSCOM and DSCI
• Publishing a tech-centric report that provides insights into emerging technology trends such as agentic AI, post-quantum cryptography, etc. and how they can be applied to businesses
• Sessions with global chapters within Infosys and customer CISO councils

The vulnerability remediation strategy of Infosys focuses on threat-based prioritization, vulnerability ageing analysis and continuous tracking for timely closure. We have successfully eliminated the ticketing system for vulnerability tracking by establishing a continuous detection and remediation cycle, where the IT teams are enabled and onboarded onto the vulnerability management platform. A cybersecurity awareness culture is nurtured, and teams are encouraged to proactively remediate the vulnerabilities reported on their assets or applications.

The process comprises:

• Categorization of suppliers and sensitivity of data involved
• Defining a standardized set of information security, data privacy, and AI controls as applicable
• Defining, maintaining, and amending relevant security clauses in supplier contracts
• Due diligence and security risk assessment, including fourth-party visibility
• Continuous monitoring through security ratings and threat intelligence feeds, with explicit focus on 'harvest now, decrypt later' exposure across long-lived data and certificates
• Leverage SCA to identify opensource libraries with known vulnerabilities impacting the business applications

Defining and monitoring of key security metrics for suppliers (e.g., background check, security awareness training completion, timely interventions with regard to information security incidents, vulnerability remediation SLAs etc.),threat intel tracking and governance further strengthen the Infosys supplier security risk management program.

• 2,429 professionals were trained and 3,884 were certified across various cybersecurity domains
• Over 4,600 cybersecurity professionals were trained in AI specific trainings including AI Aware, AI Builder, AI for Leadership, Sentinel Copilot, and Simbian
• Cyber Aspire program for early-career talent
• NIIT's Cybersecurity Master's program
• Specialized tracks on zero trust, cloud security, OT/IoT security, agentic AI security, and post-quantum cryptography (PQC) aligned with NIST PQC standards
• Joint enablement with strategic partners (eg. Palo Alto Networks, Microsoft Purview, Zscaler, CrowdStrike, Sailpoint, etc.) covering the Cyber Next platform ecosystem
• Mandatory Information security and privacy awareness training for all employees

The Information Security Council and the Board endorses this culture, and a wide set of measures are in place to nurture it:

• Secure by Design principles adopted at organizational level through trainings and awareness-building campaigns
• Awareness campaigns delivered through diverse channels – Posters, cyber comics, employee handbook, caselets, cybersecurity scorecard, newsletter, advisories, emailers, push messages, annual mandatory awareness quiz, gamification, SME Cyber Talks, information security courses on the internal training platform, sessions, videos, podcasts, fireside chats, blogs, panel discussions, focused social engineering awareness, thought leadership messages, role-based awareness tracks for developers, administrators, leaders, and high-risk functions, with continuous simulated phishing and vishing exercises
• Annual flagship event – Cybersecurity Week
• Video-based, animated and interactive e-learning certification program