Build your business without borders, with our global compliance programs

Overview

Protecting customers’ privacy is a top priority for firms around the world. But data privacy standards differ widely from one country to the next, with over 100 variations globally. CIOs must protect the organization’s critical business apps and sensitive data regardless of the hosting model.

Many enterprises are moving to the cloud for its robust capabilities, including security. To maximize the security benefits, workloads still need to be adjusted and evolved to take full advantage of the cloud platform.

As cloud adoption continues to grow, it’s the responsibility of security professionals to address a wide range of privacy, compliance, and other risks related to:

  1. where and how the organization stores sensitive data in the cloud,
  2. how the organization secures and monitors its networks for cloud services,
  3. which apps the organization hosts or sources from the cloud, and
  4. what endpoints and other devices the organization supports for cloud access.

Typical security and control features that most compliance certifications and regulations include are identity federation, strong authentication, role delegation, privilege management, logging and alerting, encryption, customer key management, data discovery, and disaster recovery.


Certifications

ISO/IEC 20000-1:2011

ISO/IEC 20000-1:2011 is the international best practice standard for IT service management (ITSM). All requirements in ISO/IEC 20000 are generic and are applicable to all service providers, irrespective of the size, type or nature of the services delivered.

Why is ISO/IEC 20000-1:2011 required?

It enables an organization to benchmark the delivery of managed services, assess performance levels and measure the SLAs provided. This standard for service management systems is broadly based on ITIL processes. ISO/IEC 20000 consists of several parts, of which the first and main part provides requirements for ITSM. It is defined mainly for those responsible for initiating, implementing or maintaining ITSM, and thus provides specifications for service management systems (SMS) in their organization. Organizations can have their ITSM independently certified as adhering to ISO/IEC 20000-1:2011. Certification permits managed services organizations to assure clients that their IT environments will be well managed, and enables outsourcing organizations to assure clients that they will receive high-quality IT services.

Is Tata Communications ISO/IEC 20000-1:2011 certified?

Tata Communications’ ISO/IEC 20000-1:2011 certification is the culmination of meeting a number of requirements, comprising successful implementation of documentation and records management; a customer-first approach; and the complete establishment of well-defined policy, planning, and implementation. It consists of a number of specifications, including Requirements for a Management System, Planning and Implementing of Services, Service Delivery Process, Relationship Processes, Control Processes, Resolution Processes, and Release Process.

ISO/IEC 20000-9:2015

ISO/IEC 20000-9:2015 is part of an information technology series of standards. It provides recommendations on how service providers delivering cloud services can use ISO/IEC 20000-1:2011.

Why is ISO/IEC 20000-9:2015 required?

The guidance provided by ISO/IEC 20000-9:2015 can be used by cloud service providers across deployment models such as private, public, hybrid and community cloud. It is also useful for customers subscribing to cloud services to host their workloads. ISO/IEC Technical Rule 20000-9 can be implemented and certified together with the base standard ISO/IEC 20000-1 for IT Service Management. The guidance is presented as a set of 15 scenarios that address the various activities taking place in the life cycle of a cloud service. Each scenario includes references to the applicable requirements specified by ISO/IEC 20000-1.

S01 Identify the context for service management of cloud services
S02 Establish strategy and plan for management of cloud services
S03 Provide a catalogue of cloud services
S04 Identify and manage service requirements for cloud services
S05 Design and develop a new cloud service
S06 Establish a service relationship with the cloud customer
S07 Establish a cloud service agreement
S08 Onboarding the customer
S09 Deliver and operate the cloud services
S10 Monitor and report cloud services
S11 Manage resources for cloud services
S12 Check and improve the SMS and cloud services
S13 Terminate a cloud service contract
S14 Transfer a cloud service
S15 Remove a cloud service

Is Tata Communications ISO/TR 20000-9:2015 certified?

Tata Communications has achieved ISO/TR 20000-9:2015 certification of Information Security Management System (ISMS) for the delivery of managed cloud services – IZO Private Cloud and IZO Cloud Storage by GSMC.

ISO/IEC 27017:2015 in-scope services: IZO Private Cloud & IZO Cloud Storage

In-Scope services
Compute: Cloud services, Virtual Services, Auto Scaling
Network: VPN Gateway, Load balancer, switches, router, WAF, Firewall, NFV
Storage/Backup: Block, File and ICS (Object) backup; Scheduled data backup and data restoration
Database: Managed Oracle, MS-SQL, DB2 or MySQL database administration
Middleware: Managed Middleware service is offered on applications including JBOSS; TOMCAT; Apache. Application maintenance
Hypervisor: VMware, Hyper-V and KVM
Load balancer: Static, Dynamic, Persistence: NFV-Virtual Appliance, Physical Appliance
Security: SIEM, DDoS detection & mitigation, firewall monitoring & management, WAF, UTM and network based vUTM - SIGS, Managed and monitoring IDS/IPS, OAuth

ISO/IEC 27001:2013

ISO/IEC 27001:2013 is an international standard for Information Security Management System (ISMS) best practices. It provides a general overview of what an organization or enterprise should do to implement information security, and specifies the requirements for establishing, implementing, operating, monitoring and continually improving an ISMS for any entity, irrespective of its size.

Why is ISO/IEC 27001:2013 required?

The standard regulates parts of the ISMS implementation process as follows:

  1. All activities should be in accordance with the purpose and process of information security, clearly defined and documented in policies or procedures.
  2. Processes exist to verify all information security system elements through audits and reviews, to ensure continuous improvement.
  3. All security measures used in the ISMS as an outcome of risk analysis should be implemented to eliminate risks or reduce them to an acceptable level.
  4. Provide security controls that the organization can use during implementation based on specific needs.

Description: No. of Controls
Context of the organization: 8
Leadership: 19
Planning: 39
Support: 28
Operation: 9
Performance evaluation: 29
Improvement: 16
Total Management Controls: 148
Management direction for information security: 2
Organization of information security: 7
Human resource security: 6
Asset Management: 10
Access control: 13
Cryptography: 2
Physical and environmental security: 15
Operation Security: 14
Communications Security: 7
System acquisition, development and maintenance: 13
Supplier relationships: 5
Information security incident management: 7
Information security aspects of business continuity management: 4
Compliance: 8
Total Operational Controls: 113
Total Control Points: 261

Is Tata Communications ISO/IEC 27001:2013 certified?

Tata Communications has achieved ISO/IEC 27001:2013 certification of Information Security Management System (ISMS) covering our infrastructure, data centres, and services. These standards will be valuable to customers, who can now benefit from enhanced quality and information security standards.

TCL ISO/IEC 20000-1:2011 & TCL ISO/IEC 27001:2013 in-scope services:

Information Security Management System for service delivery and support operation of: Data centre services, Managed hosting services, Managed security services, Managed cloud services, Cloud security service, Security consulting services, Managed storage and backup services.

Managed Hosting Services

In-Scope services
Operating System: Microsoft Windows, RHEL, OEL, Solaris, IBM-AIX, SUSE Linux, Debian Linux, Ubuntu Linux, CentOS, Fedora
Network: VPN Gateway, Load balancer, switches, router
Storage/Backup: Shared and dedicated models, SAN, NAS and FC/iSCSI
Database: Oracle, MS-SQL, DB2 or MySQL database administration
Middleware: Middleware service is offered on applications including JBOSS; TOMCAT; Apache; WebLogic; WebSphere
Load Balancer: Static, Dynamic, Persistent: Radware, Citrix, SLB and GSLB, mSLB and mSLB with SSL off-load
Security: SIEM, DDoS detection & mitigation, firewall monitoring & management, WAF, UTM and network based vUTM - SIGS, Managed and monitoring IDS/IPS, OAuth

IZO Private Cloud

In-Scope services
Compute: Cloud services, Virtual Services, Auto Scaling
Network: VPN Gateway, Load balancer, switches, router, WAF, Firewall, NFV
Storage/Backup: Block, File and ICS (Object) backup; Scheduled data backup and data restoration
Database: Managed Oracle, MS-SQL, DB2 or MySQL database administration
Middleware: Managed Middleware service is offered on applications including JBOSS; TOMCAT; Apache. Application maintenance
Hypervisor: VMware, Hyper-V and KVM
Load balancer: Static, Dynamic, Persistence: NFV-Virtual Appliance, Physical Appliance
Security: SIEM, DDoS detection & mitigation, firewall monitoring & management, WAF, UTM and network based vUTM - SIGS, Managed and monitoring IDS/IPS, OAuth

ISO/IEC 27017:2015

ISO/IEC 27017:2015 sets out guidelines for information security controls to be taken into account during the provisioning and deployment of cloud services. The guideline is relevant to both cloud service providers and service consumers. The guidance is provided in two types:

  1. When there is separate guidance for cloud service providers and the service consumers
  2. When there is the same guidance for cloud service providers and the service consumers

Why is ISO/IEC 27017:2015 required?

It provides supplementary recommendations for the control lists specified in ISO/IEC 27002, which addresses information security threats and risk considerations. The controls, unlike those of ISO/IEC 27002, are specific to cloud services and are intended to mitigate the risks that accompany the technical and operational features of cloud services. The control list comprises 14 operational controls, from Management direction for information security through Information security aspects of business continuity management and Compliance. The additional list of controls includes:

Description: Controls
Relationship between cloud service customer and cloud service provider: Shared roles and responsibilities within a cloud computing environment
Responsibility for assets: Removal of cloud service customer assets
Access control of cloud service customer data in shared virtual environment: Segregation in virtual computing environments; Virtual machine hardening
Operational procedures and responsibilities: Administrator's operational security
Logging and monitoring: Monitoring of Cloud Services
Network security management: Alignment of security management for virtual and physical networks

Is Tata Communications ISO/IEC 27017:2015 certified?

Tata Communications has achieved ISO/IEC 27017:2015 certification of Information Security Management System (ISMS) for the delivery of managed cloud services – IZO Private Cloud and IZO Cloud Storage by GSMC.

ISO/IEC 27017:2015 in-scope services: IZO Private Cloud & IZO Cloud Storage

In-Scope services
Compute: Cloud services, Virtual Services, Auto Scaling
Network: VPN Gateway, Load balancer, switches, router, WAF, Firewall, NFV
Storage/Backup: Block, File and ICS (Object) backup; Scheduled data backup and data restoration
Database: Managed Oracle, MS-SQL, DB2 or MySQL database administration
Middleware: Managed Middleware service is offered on applications including JBOSS; TOMCAT; Apache. Application maintenance
Hypervisor: VMware, Hyper-V and KVM
Load balancer: Static, Dynamic, Persistence: NFV-Virtual Appliance, Physical Appliance
Security: SIEM, DDoS detection & mitigation, firewall monitoring & management, WAF, UTM and network based vUTM - SIGS, Managed and monitoring IDS/IPS, OAuth

ISO/IEC 27018:2014

This Standard is designed for use as a reference for selecting PII protection controls within the process of implementing a cloud computing ISMS based on ISO/IEC 27001, or as a guidance document for implementing commonly accepted PII protection controls for CSPs. In particular, this International Standard is based on ISO/IEC 27002, taking into consideration the specific risk environment(s) arising from those PII protection requirements which might apply to CSPs acting as PII processors.

Why is ISO/IEC 27018:2014 required?

CSPs who process Personally Identifiable Information (PII) under contract to their customers have to operate their services in a fashion that allows both contracting parties to adhere to the requirements of the legislation governing how PII may be processed (i.e. collected, used, transferred and disposed of), sometimes referred to as data protection legislation.

  1. A cloud service provider is a ‘PII processor’.
  2. The cloud service customer can range from a natural person, a ‘PII principal’, to an organization, a ‘PII controller’, processing PII relating to many PII principals.

The additional list of controls includes:

Description: Controls
Consent and choice: Obligation to co-operate regarding PII principals’ rights
Purpose legitimacy and specification: Public cloud PII processor’s purpose; Public cloud PII processor’s commercial use
Data minimization: Secure erasure of temporary files
Use, retention and disclosure limitation: PII disclosure notification
Openness, transparency and notice: Disclosure of sub-contracted PII processing
Accountability: Notification of a data breach involving PII; Retention period for administrative security policies and guidelines; PII return, transfer and disposal
Information security: Confidentiality or non-disclosure agreements; Restriction of the creation of hardcopy material; Control and logging of data restoration; Protecting data on storage media leaving the premises; Use of unencrypted portable storage media and devices; Encryption of PII transmitted over public data-transmission networks; Secure disposal of hardcopy materials; Unique use of user IDs; Records of authorized users; User ID management; Contract measures; Sub-contracted PII processing; Access to data on pre-used data storage space
Privacy compliance: Geographical location of PII; Intended destination of PII

Is Tata Communications ISO/IEC 20000-1:2011 certified?

Tata Communications has achieved ISO/IEC 27017:2015 certification of Information Security Management System (ISMS) for protection of PII (Personally Identifiable Information) processed by GSMC for Managed Cloud Services – IZO Private Cloud and IZO Cloud Storage.

ISO/IEC 27018:2014 in-scope services: IZO Private Cloud & IZO Cloud Storage

In-Scope services
Compute: Cloud services, Virtual Services, Auto Scaling
Network: VPN Gateway, Load balancer, switches, router, WAF, Firewall, NFV
Storage/Backup: Block, File and ICS (Object) backup; Scheduled data backup and data restoration
Database: Managed Oracle, MS-SQL, DB2 or MySQL database administration
Middleware: Managed Middleware service is offered on applications including JBOSS; TOMCAT; Apache. Application maintenance
Hypervisor: VMware, Hyper-V and KVM
Load balancer: Static, Dynamic, Persistence: NFV-Virtual Appliance, Physical Appliance
Security: SIEM, DDoS detection & mitigation, firewall monitoring & management, WAF, UTM and network based vUTM - SIGS, Managed and monitoring IDS/IPS, OAuth

SOC1

SOC1 addresses controls at a service organization relevant to user entities’ internal control over financial reporting. Its purpose is to provide information to the auditor of a user entity’s financial statements about controls at a service organization that may be relevant to the user entity’s internal control over financial reporting. It enables the user auditor to perform risk assessment procedures and, if a type 2 report is provided, to assess the risk of material misstatement of financial statement assertions affected by the service organization’s processing.

Why is SOC1 compliance required?

According to the American Institute of CPAs (AICPA), service organization reports enable service organizations “that operate information systems and provide information system services to other entities, build trust and confidence in their service delivery processes and controls through a report by an independent Certified Public Accountant.” Customers periodically need to comply with audit requests from outside accounting firms, so the results of SOC testing can help those audits run more smoothly.

Is Tata Communications SOC1 compliant?

Tata Communications is committed to the SOC1 standard for its Managed Hosting services.

Managed Hosting Services

In-Scope services
Operating System: Microsoft Windows, RHEL, OEL, Solaris, IBM-AIX, SUSE Linux, Debian Linux, Ubuntu Linux, CentOS, Fedora
Network: VPN Gateway, Load balancer, switches, router
Storage/Backup: Shared and dedicated models, SAN, NAS and FC/iSCSI
Database: Oracle, MS-SQL, DB2 or MySQL database administration
Middleware: Middleware service is offered on applications including JBOSS; TOMCAT; Apache; WebLogic; WebSphere
Load Balancer: Static, Dynamic, Persistent: Radware, Citrix, SLB and GSLB, mSLB and mSLB with SSL off-load
Security: SIEM, DDoS detection & mitigation, firewall monitoring & management, WAF, UTM and network based vUTM - SIGS, Managed and monitoring IDS/IPS, OAuth

SOC2

The increased awareness and adoption of cloud technology is leading organizations and CSPs to provide assurance over the management and security of sensitive data. To satisfy stakeholders’ demands for assurance around internal controls intended to address touch-points relevant to information security, AICPA has developed the Service Organization Control (SOC) reporting framework. To support their risk assessments, user entities and business partners may request a SOC 2® report from the service organization.

Why is SOC2 required?

SOC 2 reports permit cloud providers to communicate particulars about their services and the suitability of the design and operating effectiveness of their controls. They are mainly for:

  1. Organizations that need to demonstrate how they process transactions and/or data on behalf of their customers
  2. Organizations that need to demonstrate how their security controls operate
  3. Organizations that need to demonstrate how their controls related to system availability function
  4. Organizations that need to demonstrate how their controls related to data privacy or confidentiality operate

Not all five Trust Services principles are required to be assessed. Cloud providers may select the Trust Services principle(s) that best meet their reporting objectives.

Description criteria: The description criteria are used by management when preparing the description of the service organization's system and by the service auditor when evaluating the description.

Trust services criteria: The service organization evaluates whether the design and operating effectiveness of controls provide reasonable assurance that its service commitments and system requirements were achieved, based on the trust services criteria relevant to the trust services category or categories included within the scope of the examination. The trust services criteria are classified into five categories, relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy.

Is Tata Communications SOC2 compliant?

Tata Communications is committed to the SOC2 standard for its Managed cloud services.

Managed Cloud Services: IPC (IZO Private Cloud) is an enterprise cloud platform that offers a flexible, scalable and reliable cloud environment. It provides a flexible platform that allows end-users to create the appropriate combination of compute, network, security, storage, and traffic management services to meet business needs, with the flexibility to grow with the business. The IPC service is available on two models within Tata Communications’ data centers. It includes Virtual Private Cloud (VPC), Dedicated Private Cloud (DPC) and Virtual Private Data Center (VPDC). MCS services are offered to customers from the GSMC facility in Chennai. The Service Operations Team provides 24x7 monitoring and support for network intrusion detection and protection devices across a variety of platforms and technologies. The Service Operations Team in turn consists of Level 1 (L1), Level 2 (L2) and Level 3 (L3) Engineers who manage the day-to-day operations of GSMC and analyze and resolve issues. Operations Engineering Team consists of competency leads also referred to as Technology Leads who are

Service Organization Controls and Procedures covers control objectives for: Information Security, Access Security, Physical Security, Facilities and Equipment Security, Incident Management, Problem Management, Change Management, Backup and Restoration, Manage Third Party Services, Software Licensing, Manage Operations, Human Resources.

IZO Private Cloud

In-Scope services
Compute: Cloud services, Virtual Services, Auto Scaling
Network: VPN Gateway, Load balancer, switches, router, WAF, Firewall, NFV
Storage/Backup: Block, File and ICS (Object) backup; Scheduled data backup and data restoration
Database: Managed Oracle, MS-SQL, DB2 or MySQL database administration
Middleware: Managed Middleware service is offered on applications including JBOSS; TOMCAT; Apache. Application maintenance
Hypervisor: VMware, Hyper-V and KVM
Load balancer: Static, Dynamic, Persistence: NFV-Virtual Appliance, Physical Appliance
Security: SIEM, DDoS detection & mitigation, firewall monitoring & management, WAF, UTM and network based vUTM - SIGS, Managed and monitoring IDS/IPS, OAuth

MTCS

MTCS is based on ISO 27001/02 Information Security Management System standards. The certification was prepared by the Multi-Tiered Cloud Security Working Group of the Cloud Computing Standards Coordinating Task Force. It was overseen by the Information Technology Standards Committee (ITSC).

Why do you need to adopt Multi-Tier Cloud Security?

Multi-Tier Cloud Security (MTCS) is the pioneering security standard globally that covers cloud security at several layers. The MTCS standard encourages adoption of cloud computing across various industries by providing detailed security service levels for Cloud Service Providers. With Level 1 as the base and Level 3 the most stringent, it is designed for companies with regulatory compliance requirements and addresses security risks to high-impact IT systems using cloud services.

With the controls already in place, a few industry-specific regulations may be applied to supplement them and address security risks and threats in high-impact information systems using cloud services.

MTCS has a self-disclosure requirement, which means that providers are obliged to report on data retention, data sovereignty, data portability, liability, availability, business continuity, disaster recovery and incident management.

Is Tata Communications MTCS certified?

Tata Communications has achieved the Level 3 MTCS certification, ensuring the highest possible level of security for enterprises moving data to the cloud in Singapore, supporting the provision of IZO Private Cloud and VPDC cloud services using the Infrastructure as a Service (IaaS) model.

Cloud Governance: Information security management; Human resources; Risk management; Third party; Legal and compliance; Incident management; Data governance
Cloud Infrastructure security: Audit logging and monitoring; Secure configuration; Security testing and monitoring; System acquisition and development; Encryption
Cloud operations management: Physical and environment security; Operations; Change management; Business continuity planning and disaster recovery
Cloud info security: Cloud services administration; Cloud user access; Tenancy and customer isolation

IZO Private Cloud

In-Scope services
Compute: Cloud services, Virtual Services, Auto Scaling
Network: VPN Gateway, Load balancer, switches, router, WAF, Firewall, NFV
Storage/Backup: Block, File and ICS (Object) backup; Scheduled data backup and data restoration
Database: Managed Oracle, MS-SQL, DB2 or MySQL database administration
Middleware: Managed Middleware service is offered on applications including JBOSS; TOMCAT; Apache. Application maintenance
Hypervisor: VMware, Hyper-V and KVM
Load balancer: Static, Dynamic, Persistence: NFV-Virtual Appliance, Physical Appliance
Security: SIEM, DDoS detection & mitigation, firewall monitoring & management, WAF, UTM and network based vUTM - SIGS, Managed and monitoring IDS/IPS, OAuth

CSA STAR

STAR comprehensively includes crucial principles of transparency, auditing, and harmonization of standards. STAR certification provides multiple benefits, including assessment of cloud technology against industry-established best practices and validation of the security posture of cloud offerings.

How does CSA help align cloud security measures?

The Cloud Security Alliance has created the Cloud Controls Matrix (CCM), which is a baseline set of security controls to help enterprises assess the risk associated with a cloud computing provider. CCM v3.0.1 is available as a free download to help limitations exist for encrypting data in storage, data in transit and key management.

Domains of Cloud Control Matrix: There are 16 domains identified in the CCM and TCL has complied with the 133 controls of all 16 domains. They are:

Domain Name: No. of Controls
Application & Interface Security; Application Security: 4
Audit Assurance & Compliance; Audit Planning: 3
Business Continuity Management & Operational Resilience; Business Continuity Planning: 11
Change Control & Configuration Management; New Development / Acquisition: 5
Data Security & Information Lifecycle Management Classification: 7
Datacenter Security; Asset Management: 9
Encryption & Key Management Entitlement: 4
Governance and Risk Management; Baseline Requirements: 11
Human Resources; Asset Returns: 11
Identity & Access Management; Audit Tools Access: 13
Infrastructure & Virtualization Security; Audit Logging / Intrusion Detection: 13
Interoperability & Portability; APIs: 5
Mobile Security; Anti-Malware: 20
Security Incident Management, E-Discovery & Cloud Forensics Contact / Authority Maintenance: 5
Supply Chain Management, Transparency and Accountability Data Quality and Integrity: 9
Threat and Vulnerability Management Anti-Virus / Malicious Software: 3

Is Tata Communications aligned to CSA STAR?

CSA STAR Self-Assessment is open to all cloud technology players and allows them to submit self-assessment reports which record adoption of and compliance with CSA-published best practices. CSA CCM is a framework which provides organizations with the needed structure, detail and precision relating to information security exercises that are tailor-made for the cloud industry. To indicate TCL’s compliance with CSA best practices, the Cloud Controls Matrix (CCM) was submitted, which provides a controls framework that gives a detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains.

PCI DSS

The PCI DSS ensures that organizations that accept or process payment transactions incorporate a set of operational and technical requirements that help protect the safety of that data. The framework aims to prevent payment data security breaches and fraud in entities that possess cardholder data (CHD). This encompasses software developers and manufacturers of applications and devices used in those transactions.

How does it take form in Cloud Computing?

The Payment Card Industry Data Security Standard (PCI DSS) provides a detailed structure of 12 requirements for securing cardholder data that is stored, processed and/or transmitted by merchants and other organizations.

Goals, requirements and number of controls:

Build and Maintain a Secure Network and Systems
  1. Install and maintain a firewall configuration to protect cardholder data: 19
  2. Do not use vendor-supplied defaults for system passwords and other security parameters: 10
Protect Cardholder Data
  3. Protect stored cardholder data: 19
  4. Encrypt transmission of cardholder data across open, public networks: 3
Maintain a Vulnerability Management Program
  5. Protect all systems against malware and regularly update anti-virus software or programs: 5
  6. Develop and maintain secure systems and applications: 25
Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need to know: 8
  8. Identify and authenticate access to system components: 21
  9. Restrict physical access to cardholder data: 20
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data: 28
  11. Regularly test security systems and processes: 12
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for all personnel: 34

System components include network devices (both wired and wireless), servers and applications. Virtualization components, a subset of system components within PCI DSS, comprise VMs, virtual switches/routers, appliances, applications/desktops, and hypervisors. Even if a cloud service provider environment is vetted for certain PCI DSS requirements, this validation does not automatically apply to the customer environments within that cloud service.

Is Tata Communications PCI-DSS Compliant?

Tata Communications Ltd. is a Service Provider focusing on Infrastructure as a Service (IaaS), where hardware and network infrastructure is assessed. TCL does not directly store, transmit or process any cardholder data (CHD) or sensitive authentication data (SAD); however, its customers may create or set up their own data environment, which can be considered a CDE, with the required tools and configuration to store, transmit or process cardholder data. Processing, transmission, storage and protection of customers’ data, including CHD, is not the responsibility of the entity, as the entity has no authorization to access its customers’ premises, nor does it provide the tools PCI DSS requires for customers to meet PCI DSS compliance.

Following services are covered as part of the infrastructure environment: NTP AV VPN SysLog Monitoring DHCP DNS FIM AD Patch Management VCenter Proxy

HIPAA

HIPAA

Healthcare is a highly regulated environment, and the nature of cloud computing infrastructure escalates concerns over privacy, security, access and compliance. The U.S. Congress recognized that advances in electronic technology could erode the privacy of health information. To protect such information, the United States of America enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA). It is the first comprehensive Federal protection for the privacy of personal health information.

How does it take form in Cloud Computing?

The HIPAA Privacy, Security, and Breach Notification Rules (the HIPAA Rules) define crucial rules for individually identifiable health information. This information is called protected health information, or PHI. A covered entity is a health plan, a health care clearinghouse, or a health care provider who electronically transmits any health information. When a covered entity engages the services of a CSP to create, receive, maintain, or transmit ePHI (such as to process and/or store ePHI) on its behalf, the CSP is a business associate under HIPAA. The covered entity (or business associate) and the CSP must enter into a HIPAA-compliant business associate agreement (BAA), and the CSP is both contractually liable for meeting the terms of the BAA and directly liable for compliance with the applicable requirements of the HIPAA Rules. Hosting an application in compliance with HIPAA-HITECH rules is a shared responsibility between the customer and TCL. A Business Associate Agreement (BAA), which clearly defines the respective responsibilities of TCL and the customer, must be signed.

What is HITECH?

The Health Information Technology for Economic and Clinical Health Act (HITECH) expanded the HIPAA rules in 2009. HIPAA and HITECH together establish a set of federal standards intended to protect the security and privacy of PHI. These provisions are included in what are known as the "Administrative Simplification" rules. HIPAA and HITECH impose requirements related to the use and disclosure of PHI, appropriate safeguards to protect PHI, individual rights, and administrative responsibilities.

What are the HIPAA rules?

The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. The HIPAA Breach Notification Rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.

Is Tata Communications HIPAA compliant?

The scope of HIPAA compliance includes Managed Hosting Services offered by Tata Communications. Tata Communications’ Managed Hosting Service has been assessed to be compliant with the control requirements in alignment with the HIPAA Final Omnibus Rule pertaining to the HIPAA Security Rule, HIPAA Privacy Rule and HIPAA Breach Notification Rule. The Security Rule specifies a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality, integrity, and availability of ePHI.

Description: No. of Controls
Administrative Safeguards: 24
Physical Safeguards: 7
Technical Safeguards: 8

HIPAA in-scope services: Managed Hosting Services (MHS), Managed Server, Managed Operating System, Managed Storage, Managed Switch, Managed Firewall, Managed Backup, Managed Load Balancer, Managed Database, Managed Middleware, Managed Virtualization, Managed Disaster Recovery (DR).

Managed Hosting Services: In-Scope services
Operating System: Microsoft Windows, RHEL, OEL, Solaris, IBM-AIX, SUSE Linux, Debian Linux, Ubuntu Linux, CentOS, Fedora
Network: VPN Gateway, Load balancer, switches, router
Storage/Backup: Shared and dedicated models, SAN, NAS and FC/iSCSI
Database: Oracle, MS-SQL, DB2 or MySQL database administration
Middleware: Middleware service is offered on applications including JBOSS; TOMCAT; Apache; WebLogic; WebSphere
Load Balancer: Static, Dynamic, Persistent: Radware, Citrix, SLB and GSLB, mSLB and mSLB with SSL off-load
Security: SIEM, DDoS detection & mitigation, firewall monitoring & management, WAF, UTM and network based vUTM - SIGS, Managed and monitoring IDS/IPS, OAuth

GDPR

The European Union (EU) has generally enforced stricter rules on data protection, but its 1995 Data Protection Directive is now outdated – it does not address the many ways in which data is stored, collected, and transferred today. This has necessitated the new EU General Data Protection Regulation (GDPR). GDPR comes into effect on May 25, 2018, with a two-fold objective. The first is to give EU residents more control over the use of their ‘personal data’. By strengthening data protection legislation and introducing stricter enforcement measures, the EU hopes to improve trust in the emerging digital economy. Secondly, the EU wants to give businesses a simpler, more transparent legal environment in which to operate.

Why is GDPR required?

GDPR compliance is required of all organizations that have:

  1. a presence in an EU country,
  2. no presence in the EU but process the personal data of European residents,
  3. more than 250 employees, or
  4. fewer than 250 employees but whose data processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data.

This effectively means almost all organizations.

Is Tata Communications GDPR compliant?

Tata Communications is committed to GDPR compliance across cloud services. We are also committed to helping our customers on their GDPR compliance journey by building robust privacy and security protection into our services. Our cloud and hosting solutions already have specific features and services which ensure compliance with GDPR: access management, authentication management, network management, a dashboard view of activities on your resources, data encryption, and data governance.

The shared responsibility model: Both the customer organization and Tata Communications have essential roles in ensuring GDPR compliance objectives. Organizations are directly responsible for their applications and data, data access and encryption. Partners, meanwhile, are responsible for the underlying infrastructure, physical access control and operational security.

BDSG

On 1 February 2017, the German federal cabinet adopted a draft data protection bill (“new BDSG”) to replace the existing Federal Data Protection Act of 2003. The new BDSG is intended to adapt the current German data protection law to the EU General Data Protection Regulation (“GDPR”). The planned implementation statute aims to supplement and further define the EU General Data Protection Regulation. The new BDSG includes specific requirements that deviate from the GDPR in some respects, including with respect to the appointment of a Data Protection Officer and the processing of employee personal data.

Is Tata Communications BDSG compliant?

Companies operating in Germany should analyse the BDSG requirements and make sure that German operations comply with them. The scope of TCL’s BDSG assessment is limited to the privacy and information security requirements of IPC and ICS services and their supporting infrastructure that are applicable to a Data Processor. We have also assessed the controls related to physical security and environmental safeguards of the Chennai Command Centre.

Control Type: No. of Controls
Data Privacy: 9
Technical and organizational Control: 43

IZO Private Cloud: In-Scope services
Compute: Cloud services, Virtual Services, Auto Scaling
Network: VPN Gateway, Load balancer, switches, router, WAF, Firewall, NFV
Storage/Backup: Block, File and ICS (Object) backup; Scheduled data backup and data restoration
Database: Managed Oracle, MS-SQL, DB2 or MySQL database administration
Middleware: Managed Middleware service is offered on applications including JBOSS; TOMCAT; Apache; Application maintenance
Hypervisor: VMware, Hyper-V and KVM
Load balancer: Static, Dynamic, Persistence: NFV-Virtual Appliance, Physical Appliance
Security: SIEM, DDoS detection & mitigation, firewall monitoring & management, WAF, UTM and network based vUTM - SIGS, Managed and monitoring IDS/IPS, OAuth

MeitY

Digital India envisions creating high speed digital highways, ushering in a new era for banking and the creation of a transparent system to support e-governance, digital signatures, digital-friendly entrepreneurship and more – all in a bid to enable inclusive growth. To build the vital framework needed for this transformation journey, the Ministry of Electronics and Information Technology (MeitY) has empanelled Cloud Service Providers (CSPs) for Digital India initiatives based on strict criteria.

Requirement: Criteria
Service Provisioning: 10
SLA Management: 4
Operational Management: 12
Data Management: 8
User/Admin Portal: 3
Integration Requirements: 12
Data Center Facilities: 10
Cloud Storage Service: 6
Virtual Machine: 30
Disaster Recovery & Business Continuity: 8
Security: 36
Legal Compliance: 8
Management Reporting: 8
Exit Management and Transition: 7
Backup Services: 10

Is Tata Communications MeitY accredited?

Tata Communications is one of the global cloud service providers to achieve MeitY’s accreditation. With this accreditation, Tata Communications can deliver cloud services in India that provide truly innovative digital services to a wider range of organisations, many of them regulated and sensitive. This accreditation also empowers us to approach central, state, and local governments, as well as public sector bodies in India, to choose us as their CSP to offer e-governance services. This includes IZO Private Cloud, IZO Cloud Storage, and Government Community Cloud.

IZO Private Cloud: In-Scope services
Compute: Cloud services, Virtual Services, Auto Scaling
Network: VPN Gateway, Load balancer, switches, router, WAF, Firewall, NFV
Storage/Backup: Block, File and ICS (Object) backup; Scheduled data backup and data restoration
Database: Managed Oracle, MS-SQL, DB2 or MySQL database administration
Middleware: Managed Middleware service is offered on applications including JBOSS; TOMCAT; Apache; Application maintenance
Hypervisor: VMware, Hyper-V and KVM
Load Balancer: Static, Dynamic, Persistence: NFV-Virtual Appliance, Physical Appliance
Security: SIEM, DDoS detection & mitigation, firewall monitoring & management, WAF, UTM and network based vUTM - SIGS, Managed and monitoring IDS/IPS, OAuth

Certified Hosting & Cloud Services

Tata Communications provides Managed Hosting Services (MHS) and managed cloud services: IZO Private Cloud and IZO Cloud Storage.

Managed Hosting Service (MHS) provides a fully managed, end-to-end IT solution to customers that includes components (such as hardware, operating system (OS), and database), along with IT services such as platform implementation and daily proactive service management. Managed Hosting Service gives customers the leverage to reduce capital and operational costs and the IT administration complexity associated with implementation and ongoing service management. TCL’s Managed Hosting Service also offers improved uptime and availability, achieved through 24/7 management and monitoring from the central Global Service Management Centre (GSMC).

IZO™ Private Cloud is an enterprise cloud platform that offers a flexible, scalable and reliable cloud environment. It allows end-users to create the appropriate combination of compute, network, security, storage, and traffic management services to meet business needs, with the flexibility to grow with the business. The IPC service is available in two models within Tata Communications’ data centers: you can choose between the Virtual Private Cloud (VPC) and Dedicated Private Cloud (DPC) models.

IZO™ Cloud Storage is based on object storage technology. It offers a flexible, scalable and reliable cloud storage environment backed by SLAs. The solution allows end-users to choose from an appropriate combination of storage policies for availability, durability and security of data that can meet various expectations on data resiliency and retention. The service can be delivered on a dedicated or a logically separated infrastructure within Tata Communications’ data centers. The service provides flexibility in support of real world workloads.

IZO™ Cloud Storage service has three variants, mentioned below:

Value Based: best suited for infrequently accessed data; designed for fault tolerance within the data centre.
Resilient: best suited for periodically accessed data; designed for fault tolerance within the data centre.
Geo-resilient: best suited for highly critical data; designed for fault tolerance across data centre.

DID YOU KNOW? Managed cloud services are offered to customers from the GSMC facility in Chennai. The Service Operations Team provides 24x7 monitoring and support for network intrusion detection and protection devices across a variety of platforms and technologies. The Service Operations Team in turn consists of Level 1 (L1), Level 2 (L2) and Level 3 (L3) Engineers who manage the day-to-day operations of the GSMC and analyse and resolve issues.
