Engineering an integrity-driven and ethical first future
At Virtusa, our commitment to integrity and ethical conduct stands as the cornerstone of our organization’s values. We believe that every employee plays an essential role in upholding these principles and maintaining a workplace of trust and transparency.
Our policies provide a standard of behavior and guidance to ensure that our team members, our agents and business partners, do not knowingly or unknowingly compromise our core values embodied in our code of business conduct and ethics, the company’s policies, reputation, or brand name. Most importantly, we enforce this code and its policies to ensure that team members treat everyone with respect, fairness, and professionalism.
Virtusa’s sustainability committee is responsible for developing and executing our sustainability strategy.
The sustainability committee has the mandate to assist Virtusa’s leadership in:
- Embedding sustainability into the business strategy
- Developing, implementing, and monitoring interventions and related policies for sustainability
- Engaging with stakeholders by overseeing communications concerning sustainability
- Monitoring and assessing development and improvement of the organization’s understanding of sustainability
- Disclosing sustainability-related reports and information to internal and external stakeholders on a timely basis
Supply chain management
Our goal is to work with suppliers who demonstrate strong sustainability performance and support our sustainability ambitions and targets, such as achieving our net-zero targets. With this in mind, we have implemented policies and processes to minimize sustainability risks in our supply chain.
Our supplier code of conduct outlines the standards that suppliers are required to uphold.
We engage with our suppliers through surveys and sustainability ratings platforms to assess their sustainability maturity.
Ethics and compliance
Our core values—PIRL (passion, innovation, respect, and leadership), coupled with our ethics and compliance program—form the cornerstone of our business philosophy and provide the ethical standards by which we interact with our clients, contractors, and each other. Our ethics and compliance program is enforced through our code of business conduct and ethics, anti-bribery and corruption policies, and whistleblower reporting procedures, which apply to all employees, contractors, personnel, and agents across the globe. It reflects our commitment to uphold the highest standards of ethical conduct and our dedication to honesty and integrity, which have always been at the core of Virtusa’s organizational belief system.
Our compliance officer, who is also the general counsel, has overall responsibility for administering the ethics and compliance program.
Information security
Virtusa is unwavering in its commitment to security governance, recognizing its central role in safeguarding its operations and upholding the trust of its clients. Our approach to security governance is comprehensive and multi-faceted.
Information security management system (ISMS)
Virtusa has established a robust information security management system (ISMS), drawing upon industry-leading practices and standards, such as ISO 27001, HITRUST, CIS Benchmarks, National Institute of Standards and Technology (NIST), and client-specific security requirements. Our ISMS forms the bedrock of our security governance, ensuring the protection of sensitive data and adherence to stringent security protocols.
Information security forum (ISF)
Our information security forum (ISF) serves as the apex body for overseeing the implementation of the ISMS. Chaired by our chief information officer (CIO), the ISF brings together key stakeholders, including the chief information security officer (CISO), business information security officer (BISO), business heads, the compliance officer/general counsel, the data protection officer (DPO), and leaders of shared service functions. This forum convenes annually to review the effectiveness, suitability, and adequacy of our ISMS. The ISF’s recommendations are informed by technological advancements, changes in the business landscape, strategic objectives, and evolving regulatory requirements. This ensures that our security measures are dynamic and aligned with the latest threats and challenges.
Data privacy
We have a robust global privacy program led by our DPO, who is part of our legal and strategy function. The DPO oversees data privacy, governance, and compliance and is supported by a dedicated privacy management team. They are supported by a cross-functional privacy working group that includes key stakeholders from information security, legal, human resources, and other groups. The DPO also acts as a point of contact for data subjects and the supervisory and regulatory authorities.
Virtusa’s global privacy program is accredited with the TRUSTe Enterprise Privacy certificate from TrustArc and is certified for ISO27701:2019 certification. Additionally, as part of ISO27001 certification, HiTrust, and SOC 2 attestation, privacy controls are reviewed annually on adherence to international standard requirements. The privacy practices are aligned with the NIST Risk Management Framework and are assessed and validated annually.
Measures to ensure information security and data privacy
External penetration program
Data loss prevention
Security risk managemen
Software compliance
Periodic auditing
Vendor security risk management
Key elements of our approach to privacy compliance include:
- Management commitment and governance
- Leadership commitment
- Data protection officer
- Privacy working group
- Data privacy governance framework
- Measure and report
- Privacy certifications
- Regulatory compliance
- Ongoing monitoring of regulatory compliance landscape
- International data transfers
- Client contractual and obligations review
- Privacy program controls
- Personal data inventory
- Privacy risk assessments
- Third-party risk reviews
- Privacy awareness and training
- Transfer impact assessments
- Organizational and technical security safeguards
- Privacy policies and strategy
- Privacy statement, notices, and consent
- Records of processing activities
- Data retention and disposal
- Supplier data processing addendums, SCCs, and BAA
Business continuity
Our business continuity management system (BCMS), which is integrated into our enterprise risk management process, is certified to ISO 22301:2019, Security and resilience—business continuity management systems.
The BCMS team carries out annual BCM risk assessments, in line with ISO 22301, at the company, contract, asset, services, and geographic location levels. These risk assessments can happen more frequently, such as during client, external, and internal audits to safeguard against risks related to people, processes, technology, infrastructure, and services.
Our comprehensive business continuity plans define how to ensure continuity of critical services during crisis events that can disrupt our business as usual (BAU) operations. Every risk has an owner who is accountable for mitigation plans. In addition, a crisis response plan is in place, covering various crisis events, such as civil unrest, fires, floods, food poisonings, mass casualties, pandemics, terror attacks, active shootings, bomb threats, cyberattacks, critical IT infrastructure failures, power interruptions, mass attrition, nuclear emergencies, tsunamis, and earthquakes.
The plans outline the processes for managing crisis events and the risk owners’ associated responsibilities. The BCMS team and the Virtusa leadership are responsible for invoking and revoking the appropriate crisis response process in consideration of and in consultation with relevant stakeholders. The scenarios are also listed under the crisis response plans, which are tested periodically to validate their effectiveness and to make continual improvements.