The goals of an IT policy outline the minimal standards required to safeguard the availability, confidentiality, and integrity of the data and systems used by an organization’s employees.
To reduce business risk and maximise return on investments and business prospects, the confidentiality, integrity, and availability of information shall be secured. All significant choices, actions, and activities taking place within the boundaries established by the organisation are governed and influenced by policies and Standard Operating Procedures (SOPs).
Standard Operating Procedures (SOPs) are specialised techniques used to put policies into practice in the daily operations of the organisation. This policy will be reviewed at least once a year, or whenever there is a change in the information security environment.
Our company relies heavily on information technology, and the purpose of this policy is to clearly define the standards for safeguarding information resources and appropriate computer usage.
This policy’s goal is to safeguard EcoXplore and its workers from persons who might take harmful or illegal actions that could expose the business to dangers including virus attacks, network system and service compromises, and other legal problems.
However, this policy is not intended to impose limitations that go against EcoXplore’s long-standing tradition of openness, trust, and integrity.
The Company is the owner of all systems related to the Internet, Intranet, and Extranet, including but not limited to computer hardware, software, operating systems, storage media, network accounts providing electronic mail, WWW browsing, and FTP. These systems are to be used for business purposes in serving the interests of the company, and customers during normal operations.
Everyone involved in the use of information and/or information systems, including employees and associates, must support and take part in efforts to maintain effective security. Every computer user is responsible for being aware of these guidelines and following them. Acceptance of the terms in this policy is shown by logging into the Company’s computers and network.
All Company personnel, including employees, contractors, consultants, temporary employees, and all personnel affiliated with third parties, are subject to this policy. This policy applies to all equipment that the Company owns or leases.
The information that users create on business networks still belongs to the Company, despite the fact that EcoXplore’s network administration tries to maintain a decent level of privacy. Due to the need to protect the company’s network, management cannot guarantee the confidentiality of information stored on any company-owned network device.
- Employees must exercise reasonable discretion when deciding whether personal use is acceptable. In the absence of any rules, employees should consult their department supervisor or manager with any concerns they may have regarding personal use of Internet, intranet, or extranet systems.
- For the purposes of security and network maintenance, authorised staff of the Company and the outsourced IT provider may monitor equipment, systems, and network traffic.
- To ensure that this policy is being observed, the Company reserves the right to periodically audit networks and systems (including servers, workstations, and laptops).
- All business information belongs to the company and may not be used for personal purposes by employees.
| Term | Definition |
|---|---|
| Active Directory (AD) | A directory service developed by Microsoft for Windows domain networks. |
| | Software of a computer system that is responsible for the management and coordination of all activities and the sharing of computer resources (e.g., database, middleware). |
| | Software program that performs a specific function directly for a user and can be executed without access to system control, monitoring or administrative privileges (e.g., Microsoft Business Central, HR systems, etc.). |
| Domain Name System or Domain Name Service (DNS) | An internet or network server that helps to point domain names or hostnames to their associated Internet Protocol address. |
| Multi-factor authentication (MFA) | Access control process in which the user provides two or more of three potential security factors: something only you know (e.g., password / PIN), something only you have (e.g., cryptographic identification device, token), and something only you are (e.g., biometric). |
- Information on systems connected to the Internet, the Intranet, and the Extranet should be marked as confidential on the user interface. Private firm information, corporate strategy, competitive intelligence, trade secrets, specifications, customer lists, and research data are just a few examples of confidential information. To prevent unauthorised access to this information, employees should take all required precautions.
- Workers should not share accounts and should keep their passwords safe. Authorized users are responsible for the security of their passwords and accounts. It is advised to update all passwords, both system-level and user-level, every 90 days.
- If employees are going to be away from their computers for an extended period of time, they must lock or log off from their specific computer systems and apps.
- Because of how vulnerable the information on portable computers is, more caution should be used with regards to their security. Unless posting occurs while performing work-related duties, any emails sent to third parties by employees of a company should include a disclaimer noting that the opinions expressed therein are solely their own and not necessarily those of the company.
- Approved virus-scanning software with an up-to-date anti-virus database must be running continuously on any systems used by the employee that are connected to the company’s Internet, Intranet, or Extranet, whether they are owned by the employee or the company.
- Employees must exercise extreme caution when opening email attachments from unfamiliar senders since they could be Trojan horse code, viruses, or email bombs.
- Only computers that belong to the company are permitted to link up to the internal network. Visitors are never permitted to connect their computers to the internal network for any purpose, including but not limited to access to shared files.
- The company may occasionally indicate certain websites should not be visited from supplied computers and laptops.
- No additional computer programme may be installed on corporate computers without the Management’s express approval.
- Employees will be given corporate email addresses in order to conduct business on behalf of the company; these addresses may not be used for personal correspondence.
- If a worker takes corporate computers out of the office, that worker is individually responsible for the laptops’ security and safety and must make sure they are transported and stored in a secure manner.
- The computers may only be used by workers for work-related purposes, may not be left unattended in any public area, and must be kept in private spaces in safe and secure locations that are only accessible to the employee. It is forbidden to share company-issued laptops with family members.
- The employee is required to take all additional reasonable precautions to secure the Company’s data and materials, including such safeguards the Company may impose from time to time.
- Employees are not to download files from the internet unless they are absolutely necessary for the business and only after they have followed the necessary security precautions.
- It is not permitted to utilise portable storage devices, such as thumb drives, DVD/CDs, and DVD/CD writers, on business computers unless specifically authorised.
1.6.1. Security Patch Management
A patch management lifecycle must be established that includes monitoring for and identifying when patches become available, patch testing and deployment, and monitoring of patch effectiveness, so that standard patch releases and updates reach all information systems in compliance with Vulnerability Management. A security patch management plan must be implemented for all information systems.
This section sets out the minimum security criteria for implementing, safeguarding, and enforcing multi-factor authentication. Multi-factor authentication (where available) is required in the following circumstances:
- All users’ remote access to company networks.
- Remote email access for users (e.g., Outlook Web Access or a BlackBerry device).
- Remote access to information systems with confidential data that are externally available (such as SharePoint).
- Access to all information systems on an administrative level.
- User access to all information systems that contain confidential information (apart from cases in which the confidential information is unstructured data that has been encrypted, such as user-generated business files); and
- Any other information systems or scenarios that the company determines through a risk assessment exercise are necessary.
The following actions are generally not allowed. When doing their legitimate job duties, employees may be exempt from these limitations (for instance, systems administration staff may need to deactivate a host’s network connection if it is interfering with production services).
Under no circumstances is a Company employee permitted to use Company-owned resources for any activity that is prohibited by local, state, federal, or international law.
The categories below aim to give a framework for behaviours that fall under the heading of unacceptable use but are by no means exhaustive.
1.8.1. System and Network Activities
The following activities are strictly prohibited, with no exceptions:
- The installation or distribution of “pirated” or other software products that are not properly licenced for use by the Company, as well as any other violations of the rights of any person or organisation protected by copyright, trade secret, patent, or other intellectual property, or by laws or regulations of a similar nature.
- It is strictly prohibited to install any copyrighted software for which the Company or the end user does not have an active licence, digitise and distribute photographs from magazines, books, or other sources, or make any other unauthorised copies of copyrighted material.
- It is against the law to export technology, technical data, encryption software, or software in contravention of national or international export control legislation. Any item that is in doubt should not be exported without first consulting the proper management.
- The introduction of harmful software (such as viruses, worms, Trojan horses, email bombs, etc.) into the server or network.
- Giving out your account password to someone else or permitting someone else to use your account. When work is being done at home, this applies to relatives and other members of the household.
- Actively engaging in the acquisition or transmission of materials that are prohibited by local legislation against sexual harassment or hostile work environments.
- Making false offers for goods, services, or money using any Company account.
- Making express or implied warranty claims unless doing so is a regular part of your job obligations.
- Causing network communication disruptions or security breaches. Security violations include, but are not limited to, accessing information of which the employee is not the intended recipient and logging into a server or account that the employee is not explicitly authorised to access, unless these tasks are part of the employee’s normal responsibilities. For the purposes of this provision, “disruption” includes network sniffing, ping floods, packet spoofing, denial of service, and falsified routing information used for malicious purposes.
- Port scanning and security scanning are explicitly forbidden unless the Company has been notified in advance.
- Using any network monitoring software that intercepts data not meant for the employee’s host unless doing so is a regular part of the employee’s job or responsibility.
- Bypassing any host, network, or account security or user authentication.
- Interfering with or blocking access to any user other than the employee’s host (for instance, through a denial-of-service attack).
- Interfering with or disabling a user’s terminal session by using any programme, script, command, or message of any sort, whether locally or over the Internet, intranet, or extranet.
- Sharing personnel names or information with third parties unless necessary for work-related or contractual purposes.
1.8.2. Email and Communications Activities
- Sending unsolicited email messages, such as sending “junk mail” or other promotional materials to those who haven’t asked for them (email spam).
- Any type of email or instant message harassment, regardless of the content, regularity, or volume of messages.
- The unauthorised use or falsification of email header data.
- Soliciting email for any address other than that of the poster’s account, with the intent to harass or to collect replies.
- Constructing or disseminating any kind of “chain letters,” “Ponzi,” or other pyramid scheme.
- Sending unsolicited email to other Internet/Intranet/Extranet service providers from within the Company’s networks in order to promote any service that is hosted by the Company or connected through its network.
- Spamming Usenet newsgroups by repeatedly posting identical or similar non-business-related content (newsgroup spam).
- All user-level passwords must be changed at least once every 90 days, including those for email, networks, applications, and so on.
- Each user must have a different password for each of their accounts if they have access to the system through group memberships or programmes.
- Emails and other kinds of electronic communication cannot contain passwords.
- The following rules as stated in Section 1.9.1 must be followed when creating user-level and system-level passwords:
1.9.1. Password Construction
A crucial component of computer security is passwords. They are the user accounts’ first line of defence. The entire corporate network of the company could be compromised by a bad password. Therefore, it is the responsibility of every employee of the company (including independent contractors and vendors having access to the company’s systems) to choose a secure password.
Passwords with poor security possess the following traits:
- There are no more than eight characters in the password.
- The password is a word from an English or foreign dictionary.
- The password is a word that is frequently used, such as names of loved ones, pets, friends, coworkers, fictional characters, etc.
- Computer terms and names: commands, websites, businesses, hardware, and software.
- Birthdays and other private data like phone numbers and addresses.
- Word or number patterns such as 123321, aaabbb, qwerty, etc.
- Any of the aforementioned written backwards.
- Any of the aforementioned with a numeral either before or after it (e.g., secret1, 1secret).
The following qualities define the recommendation for strong passwords:
- Include both capital and lowercase letters (for example, a-z, A-Z);
- Include letters, numbers, and punctuation (for example, 0-9, !@#$%&*()_+|-=':";'>?,./);
- Have a minimum of eight alphanumeric characters.
- Are not a word in any dialect, jargon, slang, or language.
- Are not based on identifying information (e.g., family names).
Never write your passwords down or save them online. Try to make your passwords easy to remember. One approach is to base a password on a song title, an affirmation, or another phrase. For instance, the phrase “This May Be One Way to Remember” could become the password “TmB1w2R!” or “Tmb1W>r!”, or some other variant.
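As an added example (not part of the EcoXplore policy document), the checker below turns the weak- and strong-password rules of Section 1.9.1 into code that an account-provisioning script could call before accepting a new password. The COMMON_WORDS list is a constructed stand-in for a real dictionary, and the minimum length of eight characters follows the strong-password list rather than the “no more than eight” wording in the weak-password list.

```python
from __future__ import annotations

import re
import string

# Constructed stand-in for a real dictionary / company-word list (assumption):
# English words, company and product names, commands, relatives' names.
COMMON_WORDS = {
    "secret", "password", "welcome", "summer", "windows", "sharepoint",
    "outlook", "ecoxplore", "admin", "login", "dragon", "sunshine",
}
MIN_LENGTH = 8  # "a minimum of eight characters" per the strong-password list

KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm",
                 "0123456789", string.ascii_lowercase)


def _is_pattern(pw: str) -> bool:
    """Word or number patterns: 123321, aaabbb, qwerty and the like."""
    s = pw.lower()
    if re.fullmatch(r"(.)\1*", s):             # one character repeated
        return True
    if re.fullmatch(r"((.)\2+)+", s):          # runs of repeated characters (aaabbb)
        return True
    if s == s[::-1] and len(set(s)) <= 3:      # mirrored digits/letters (123321)
        return True
    for row in KEYBOARD_ROWS:                  # any 4-character keyboard/alphabet run
        for seq in (row, row[::-1]):
            if any(seq[i:i + 4] in s for i in range(len(seq) - 3)):
                return True
    return False


def _dictionary_based(pw: str) -> str | None:
    """Return the violated rule when pw is a common word, that word reversed,
    or either of those with digits before or after it (secret1, 1secret)."""
    s = pw.lower()
    candidates = {
        s: "is a dictionary or common word",
        s[::-1]: "is a dictionary or common word written backwards",
    }
    m = re.fullmatch(r"(\d+)?([a-z]+)(\d+)?", s)
    if m and (m.group(1) or m.group(3)):
        core = m.group(2)
        candidates[core] = "is a common word with a numeral before or after it"
        candidates[core[::-1]] = "is a reversed common word with a numeral before or after it"
    for word, reason in candidates.items():
        if word in COMMON_WORDS:
            return reason
    return None


def check_password(pw: str, personal_info: tuple[str, ...] = ()) -> list[str]:
    """Return the Section 1.9.1 rules a candidate password breaks (empty = acceptable).

    personal_info holds caller-supplied identifiers (family names, pets,
    phone numbers, birthdays) that the password must not be based on.
    """
    problems: list[str] = []
    s = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"has fewer than {MIN_LENGTH} characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("does not mix capital and lowercase letters")
    if not any(c.isdigit() for c in pw):
        problems.append("contains no numbers")
    if not any(c in string.punctuation for c in pw):
        problems.append("contains no punctuation")
    if _is_pattern(pw):
        problems.append("is a word or number pattern")
    reason = _dictionary_based(pw)
    if reason:
        problems.append(reason)
    for item in personal_info:
        item_l = item.lower()
        if len(item_l) >= 3 and (item_l in s or item_l[::-1] in s):
            problems.append(f"is based on identifying information ({item!r})")
            break
    return problems


if __name__ == "__main__":
    # The policy's own mnemonic-derived examples pass; the weak ones do not.
    for candidate in ("TmB1w2R!", "Tmb1W>r!", "secret1", "qwerty123", "Smith1985!"):
        print(candidate, "->", check_password(candidate, personal_info=("Smith",)) or "OK")
```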
1.9.2. Password Protection
Use different passwords for different non-Company access points (such as your own ISP account, option trading, benefits, etc.). Avoid using the same password for different Company access requirements if possible. Choose different passwords, for instance, for the network and the accounting system.
Never divulge your company’s passwords to anyone, not even your secretaries or administrative assistants. Each and every password must be considered as sensitive, private company information.
Here is a list of best practices:
- NEVER tell a password over the phone, not even to your manager or your supervisor.
- Don’t share your password with family members
- Don’t reveal it to coworkers while on vacation
- Don’t reveal your password in an email message
- Don’t discuss your password in front of others
- Don’t hint at the format of your password (like “my family name”)
- Don’t reveal your password on questionnaires or security forms
- Do notify your IT Administrator if you suspect that your account has been compromised.
All employees, interns, contractors, vendors, and anybody using personal assets are subject to the BYOD and Acceptable Use Policy.
Policies are the organisational tool used to manage the availability, integrity, and confidentiality of information assets. Any information system (hardware or software), data, networks, and components that are owned or leased by the Company or its designated representatives are considered information assets.
This device policy is applicable to, but not limited to, all gadgets and related media (such as USB thumb drives and external hard drives) that fall under the following categories:
- Other mobile/cellular phones
- Tablet computers
- Portable media devices
- Personal Digital Assistants
- Ultra-mobile PCs (UMPCs)
- Any personally owned device capable of storing organizational data and connecting to a network
- Before a device can access the corporate network and resources, it must be delivered to IT for proper job provisioning and configuration of typical apps, such as browsers, office productivity software, and security tools.
- Strong passwords are required to access the company network or resources. To prevent unauthorised access, devices and corporate applications must be password protected using the device’s own features. Please refer to the “Password Policy” section of this document for more information.
- A password or biometric recognition lock must be used on any device or application that accesses corporate resources.
- It is completely prohibited for jailbroken or rooted (Android) devices to connect to the network.
- Employees must notify IT staff as soon as they become aware that one of their devices has been compromised or misplaced.
- The corporate data on an employee’s device may be remotely erased if the employee leaves the company, the device is lost, or IT discovers a policy violation, a virus, or another threat to the security of the firm’s data and technology infrastructure.
- The employee must always use their gadgets ethically and in accordance with the company’s above-described acceptable usage policy.
- The employee is personally responsible for all expenses related to their device.
- The employee accepts full responsibility for risks such as, but not limited to, the partial or total loss of company and personal data due to an operating system crash, errors, bugs, viruses, malware, and/or other software or hardware failures, or programming errors that render the device unusable.
Working remotely has been essential for maintaining business operations. Employees must be aware of the expectations for their work performance and preserve company information while working remotely, whether from an office or at home. Passwords and multi-factor authentication are used as security measures to protect access to the corporate network and data. To prevent security breaches, the company laptops used by staff are configured correctly, and sufficient firewall and virus protection is installed and updated frequently. All workers who work remotely are subject to the same rules that apply to those who work in traditional offices.
Give employees the training they need to be able to do their jobs well while working remotely. This could involve instruction on how to utilise web meeting tools and basic IT software, as well as guidelines on how to dress when participating in web meetings with senior leadership teams or external parties.
Platforms like Zoom, Microsoft Teams, and Google Meet are used for virtual meetings and presentations. These platforms must be online and accessible to prevent any loss of productivity. Participation in meetings and discussions helps remote team members feel more connected. Schedule regular communication sessions to ensure that remote workers get enough coaching and mentoring. Include remote workers in frequent internal communications to give them a sense of corporate belonging and to keep them informed about company events.
1.11.3. Equipment and Cybersecurity
Before participating in any online web meetings, telecommuting employees are urged to verify their speaker and microphone and make sure they have a reliable internet connection. Employees must make sure that all technological difficulties related to remote work have been fixed and are aware of the organization’s technology expectations. Employees will be responsible for ensuring the security of the company’s confidential information and information that can be accessed from a distance. All corporate devices should be password-protected, and all data leaving those devices should be encrypted. Maintain an updated list of all your devices, and make sure that GPS tracking is enabled on all of them. Install software that allows you to remotely erase data from any stolen or lost devices. The following are the corporate VPN control measures:
- Only computers provided by the company will be allowed access to the VPN.
- Multi-factor authentication is necessary for VPN access.
- VPN access credentials shall be suspended upon worker termination.
- When utilising a VPN, staff members must take reasonable precautions to ensure the confidentiality of any data in line with IT Policy.
1.11.4. Confidential Information
When handling sensitive data, employees are not permitted to use public Wi-Fi. For information on the data confidentiality levels, see Data Classification, Section 1.13.
- All backup media and data need to be kept in a secure area with only authorised staff having access.
- The backup job status on servers needs to be checked daily to make sure it was successfully finished.
- Should the servers’ backup fail, a manual backup job needs to be done during lunch.
- To make sure the backup is in good shape, sample data recovery operations on each instance should be carried out quarterly.
- Users should only use the IT resources provided by the company (USB Hard Drives/Flash Drives, Network Shared Drives) to keep backups of their files and folders, email archives, and other data.
When it comes to information security, data categorization refers to how sensitive a piece of information is and how it would affect the business if it were to be revealed, changed, or destroyed without permission. Data classification aids in determining the right baseline security controls for protecting that data. Each piece of institutional data must be categorised into one of three sensitivity levels:
a. Confidential Data
Information should be labelled as confidential when it poses a high risk to the company if it is improperly disclosed, altered, or destroyed. For Confidential Data, the highest level of security controls should be used.
b. Restricted Data
When an unauthorised disclosure, change, or destruction of data could put the company at moderate risk, that data should be designated as restricted. For Restricted Data, a fair level of security controls should be used.
c. Public Data
Information should be labelled as public when there is little to no danger to the company from its unauthorised disclosure, alteration, or destruction. A certain amount of control is necessary to prevent unauthorised change or destruction of public data, even when little to no controls are necessary to ensure the confidentiality of public data.
- The hard drives of all computers must be encrypted.
- All server access is recorded and monitored.
- Antivirus software must be installed to stop malware infection that exposes data.
- A screen saver or lock must be activated after 20 minutes of inactivity to stop misuse while away for a brief period of time.
- Users should only be given access to their own computers. This is done to stop unauthorised users from altering system settings or loading unauthorised applications onto machines.
- Users are not permitted to disclose any internal information to outside third parties without their express consent.
- The user must abide with the Clean Desk Guidelines.
- Encryption will be required for all portable devices used to transport the data out.
- Email attachments containing sensitive personal information should be password-protected or encrypted to reduce the possibility of a breach that could have a negative impact on the person. It is best to communicate the password separately.
In addition to the aforementioned general policy, all employees must observe the information security guidelines listed below.
All employees are required to keep all company information confidential. They have a responsibility to make sure that private information is kept safely and in compliance with the organization’s policy.
- No customer information may be shared or circulated to anybody who is not working on that topic, unless the management in charge of the information grants an exception.
- All sensitive information and documents must be quickly removed from fax machines and printers and must never be left unattended. All customer information should be retained in its individual files and preserved in a locked cabinet, together with any related materials and documents.
- The team in charge of handling customer information must decide the best way to handle all outgoing correspondence, taking into account, among other things, the following:
  - Whether email or fax is acceptable, depending on the situation and the nature of the correspondence.
  - Whether normal mail or a courier is suitable given the situation.
  - Whether electronic files sent out by an individual should be password-protected or encrypted.
  - Whether the recipient should be telephoned before any correspondence is sent, so they know when to expect the letter.
  - Whether personnel should deliver the package personally.
  - Deliveries of sensitive or confidential papers must be labelled “Confidential” and sealed.
- Documents holding private or sensitive information must be shredded when disposed of. Other documents should be torn up before discarding. This will help prevent the accidental disclosure of information not intended for third parties.
The management in charge should also consider the following additional security measures:
- Restricting access to the servers’ electronic files so that only authorised workers can access them.
- Deciding that any newly created electronic files must be secured and should only be accessible to staff members who are actively working on them.
- Keeping all physical files and their contents locked away.
- Any further security precautions the situation requires, in consultation with the IT consultant on what is feasible.
Removal of documents and materials from company premises
- Documents or materials containing client information should not be taken out of the building unless absolutely essential (for example, during off-site meetings) or with the manager’s express permission.
- All records and materials containing client information that are taken from the business’s premises must be safely wrapped in closed, opaque bags. Such bags may not be left unattended in public areas, and they must be stored in secure locations that are only accessible to company employees in private buildings.
To raise the organization’s overall level of IT security knowledge, a training programme in this area is established.
Information on IT security policies and standards, as well as individual responsibility for IT security and steps that should be taken to protect information system assets, are all included in the training programme.
At least once a year, the training programme is conducted and revised.
All users are to understand and adhere to the following policy while using any social media services.
- Access to the Internet must be utilised largely for professional or commercial purposes.
- When it’s feasible, use Multi-Factor Authentication on all accounts with strong passwords.
- Refrain from using social media while on company time or while using equipment we provide unless your manager has given the go-ahead or it is permitted by the company equipment policy. Never register on social networks, blogs, or other internet services for personal use using the company’s email addresses.
- Any personal social media use must not disrupt routine business operations, must not entail solicitation, must not be connected to any outside business activity conducted for profit, and must not pose a risk of embarrassment to the business or harm to its reputation or image.
- Don’t give a false or deceptive impression of yourself or the business. All assertions must be supported by evidence, and all statements must be accurate and not misleading.
- Make only insightful and polite comments.
- Preserve the secrecy of any private or confidential information belonging to the company.
- Don’t publish secret internal corporate communications, rules, procedures, or internal reports.
- Don’t share or “tip” off others to inside information so they can sell or acquire stocks or other securities.
- Remain focused on your area of specialisation and don’t be afraid to share your own, distinct viewpoints on open-ended company operations.
- The complete liability and responsibility for any content posted on social media services rests with the users. If users are unsure whether the content is relevant to the Company, they should speak with the Manager.
- Should any wrongdoing be discovered, IT reserves the right to promptly terminate the user’s email and internet access and notify Senior Management of the situation.
- The IT department must cooperate completely with any law enforcement organisation in the case of any misuse-related investigations. Users should be aware that the company will defend itself from any infringement brought on by illegal actions taken by any Users.
- Users should refrain from posting complaints about the company on any social networking site.
1.16.1. Non-approved Activities
Some activities are automatically prohibited owing to their nature and intended use; they fall into the categories listed below.
The following actions are not permitted, including but not limited to:
- Avoid discussing any subjects involving law, litigation, or any parties with whom the Company may be involved in a legal dispute.
- Avoid using social media when a crisis might be brewing in the subject matter. The IP address of the company may be used to identify anonymous remarks.
- Don’t use your personal accounts on social media to build company-specific profiles. By doing this, the follower base is diluted and scenarios are created where personal ownership of the profiles replaces corporate ownership. The Social Media Specialist solely works on behalf of the Marketing and Executive Team while creating the company’s social media platforms and profiles.
- Avoid making hateful remarks or spreading propaganda that is harmful, vulgar, intimidating, discriminating, harassing, or threatening.
- Avoid spamming the company’s followers: never upload the same item more than once or use any kind of automatically generated content.
- Avoid any potential violation of intellectual property rights, including but not limited to brand names, trade names, logos, copyrights, or trade secrets of any individual, company, or location.
- Avoid any other material that is off-topic or that interferes with the objectives of the channel, its subscribers, and its sense of acceptance and community.
- Avoid posting content under fictitious or anonymous identities.
1.16.2. Employee Protocol
The company has zero tolerance for any individual user who abuses social media platforms for any illegal behaviour or activities.
Users are required to abide by the aforementioned policy and bear full responsibility for any wrongdoing.
Users must cooperate with any inquiries and/or auditing tasks.
Users must notify their Head of Department (HOD) and/or the IT department if they find any non-compliant behaviour.
This policy’s objective is to specify the minimal security measures that should be used on all endpoints.
All computers must be running the company’s provided endpoint protection software, which must be configured in managed mode and have the AntiVirus and Anti-Ransomware protection features enabled. Managed mode enables a server to keep track of and manage the antivirus protection on the company’s computer and to push updates to the endpoints as needed.
On-access file scanning must be enabled so that files are inspected for malicious content as they are read or written.
The endpoint security software (for example the antivirus engine or program) must not be more than one version older than the most recent version the vendor currently ships.
Updates to virus definition files and to the antivirus software itself must be checked for and installed automatically at least once every day.
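The four endpoint requirements above (managed mode with antivirus and anti-ransomware enabled, on-access scanning, at most one release behind the vendor, definitions updated within the last day) are the kind of thing that is best checked mechanically from the management server’s inventory export rather than by hand. The following is an added example, not part of the policy or any vendor’s tooling; the inventory record fields, the vendor release list and the host names are constructed assumptions, and the check treats “one version older” as one entry behind the newest in the vendor’s ordered release list.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (assumptions, not from the policy): the vendor's
# published releases, oldest first, and three records as a management server
# might export them. Field names are assumed for illustration.
VENDOR_RELEASES = ["7.2.0", "7.3.0", "7.4.1", "7.5.0"]

SAMPLE_INVENTORY = [
    {"host": "COM-0001", "mode": "managed", "antivirus": True,
     "anti_ransomware": True, "on_access_scan": True, "version": "7.5.0",
     "defs_updated": "2024-05-10T06:00:00Z"},
    {"host": "LAP-0002", "mode": "managed", "antivirus": True,
     "anti_ransomware": False, "on_access_scan": True, "version": "7.4.1",
     "defs_updated": "2024-05-09T23:30:00Z"},
    {"host": "LAP-0003", "mode": "unmanaged", "antivirus": True,
     "anti_ransomware": True, "on_access_scan": False, "version": "7.2.0",
     "defs_updated": "2024-05-07T08:00:00Z"},
]


def version_lag(installed, releases):
    """Number of vendor releases newer than the installed one.

    Returns None when the installed version is not a known vendor release,
    which the caller reports as a finding rather than silently passing.
    """
    if installed not in releases:
        return None
    return len(releases) - 1 - releases.index(installed)


def check_endpoint(record, releases, now, max_lag=1, max_def_age=timedelta(days=1)):
    """Return a list of policy findings for one endpoint record (empty = compliant)."""
    findings = []
    if record["mode"] != "managed":
        findings.append("endpoint protection is not in managed mode")
    if not record["antivirus"]:
        findings.append("antivirus protection is disabled")
    if not record["anti_ransomware"]:
        findings.append("anti-ransomware protection is disabled")
    if not record["on_access_scan"]:
        findings.append("on-access file scanning is disabled")

    lag = version_lag(record["version"], releases)
    if lag is None:
        findings.append(f"unknown engine version {record['version']}")
    elif lag > max_lag:
        findings.append(
            f"engine version {record['version']} is {lag} releases behind {releases[-1]}")

    # Definition freshness: parse the ISO-8601 timestamp (the 'Z' suffix is
    # rewritten so older Python versions accept it) and compare against 'now'.
    updated = datetime.fromisoformat(record["defs_updated"].replace("Z", "+00:00"))
    age = now - updated
    if age > max_def_age:
        findings.append(f"virus definitions last updated {age.days} day(s) ago")
    return findings


def audit(inventory, releases, now):
    """Map each host name to its list of findings."""
    return {r["host"]: check_endpoint(r, releases, now) for r in inventory}


if __name__ == "__main__":
    # Fixed reference time so the sample is reproducible offline.
    reference_now = datetime(2024, 5, 10, 12, 0, tzinfo=timezone.utc)
    for host, findings in audit(SAMPLE_INVENTORY, VENDOR_RELEASES, reference_now).items():
        status = "OK" if not findings else "NON-COMPLIANT"
        print(f"{host}: {status}")
        for f in findings:
            print(f"  - {f}")
```

Run against a real export, the audit output is the list an administrator would work from before the next review; hosts with an unknown version are deliberately flagged rather than ignored, since an unrecognised build is more likely an unmanaged install than a newer-than-vendor release.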
Before an IT service provider is chosen, a thorough investigation is made of its competence, reliability, performance history, and financial standing. The chosen service provider will be one with a track record of success working with businesses in the same sector.
Written agreements contain a complete description of the contractual terms and conditions governing the roles, relationships, duties, and obligations of each contracting party.
Any employee found to have violated this policy may face disciplinary action, up to and including termination of employment.
2.1.1 Employee Recruitment
Refer to the IT Asset Assignment and Clearance Form for documentation of IT assets assigned or registered to new employees.
2.1.2 Employee Resignation & Termination
To ensure data confidentiality and availability, the exit process for resigned and terminated employees must be handled with care. Refer to the IT Asset Assignment and Clearance Form for employee exit clearance.
Server patch management is the process of controlling the deployment and maintenance of patches and interim software releases in server production environments. It supports operational effectiveness and efficiency, remediates security flaws, and preserves the stability of the environment.
Application, networking, hardware, and user-reported service request problems, and disruptions in the use or delivery of IT services, are managed and controlled through the incident management process. Information security incidents are documented in incident reports.
The Data Protection Officer (DPO) and the manager in charge of the relevant client information must be notified right away of any security breaches of any kind, including those involving the company’s physical premises and the materials and information relating to client information, in order to take the necessary corrective action.
The DPO must determine the severity of the security breach and take any necessary action, including notifying the affected client, filing a police report, conducting further investigation, and strengthening security measures.
The DPO must notify management of the security breach as soon as is reasonably possible and must keep management informed of all actions until the issue has been remedied. The Management is free to issue any instructions it sees proper for the incident’s resolution. Once the problem has been rectified, the DPO must report to Management and, if necessary, recommend corrective actions to stop similar situations from happening again. All of these occurrences, as well as the responses, must be documented.
2.3.1 Information Security Incident Response should include (but not limited to):
- Initial evaluation and reporting
- Detection and preliminary evaluation
- Fact-based evaluation
- Containment of the damage and risk reduction (damage control)
- Notification of those affected
- Post-incident activity
- Lessons learned
- Preventive steps
- Punitive measures and the gathering of evidence
2.3.2 Incident Report
- A trend analysis of previous incidents is carried out to aid in recognising and preventing similar problems.
- Performance, capacity, and utilisation indicators are tracked and analysed to make sure that the IT infrastructure and systems can support business operations. Monitoring procedures are set up, and appropriate thresholds are put in place, to give enough lead time to plan and decide on additional resources.
- An incident report must be written and sent to the company’s management for review. It must contain, without limitation, the following information:
1. Incident specifics
2. Impact assessment
3. Actions taken for recovery
Every change to a system’s configuration or application must be documented so that changes are properly tracked and can be managed effectively and predictably, allowing staff to plan accordingly. To lessen negative effects on the user community and maximise the value of the IT infrastructure, changes must be well planned, closely monitored, and evaluated after implementation. Any modification to an existing service, maintenance of an existing service, or effort to install a new or improved service is considered a change.
2.4.1 Change Request Process
- Recognise Change
- Request approval for the change. Filling out and submitting a paper copy of the Change Request Form is recommended for reference.
- Approve the change request.
- Plan and Carry Out Change
- Examine and Finish Change
2.4.2 Type of Changes
- Application System Modifications
- System Configuration Modifications
- Measures for Security (Patch Management)
- Emergency Modifications
2.4.3 Emergency Changes
An “emergency change” is defined as a repair to an existing breakage, or a modification necessary to avert an impending breakage, in the live environment. Only an emergency change may proceed through a shortened, expedited version of the change request process.
All other changes must go through the change request approval process before being implemented.
Routine changes, such as adding a PC to the network, may be designated as “pre-approved changes” once they have been approved. This means that further changes of the same kind made within the stated time frame are also approved, possibly with constraints. IT Services keeps a record of pre-approved changes.
Asset tags are composed of the year and month of purchase, an equipment code, and a running number. The equipment codes are:
- SVR: Server
- COM: Desktop
- LAP: Laptop
- MON: Monitor
- PTR: Printer
- UPS: UPS
- SWT: Switch
- RTR: Router
All workstations will be named according to the asset tag assigned as described above, except for workstations designated for a special purpose (e.g., a print server).
IT documentation is a collection of documents describing every element of the company’s IT environment, including the applications and infrastructure created for internal use. It enables efficient IT operation and makes it easy for new staff to become familiar with the current IT environment. To ensure that it is comprehensive, the IT documentation should include the following sections, among others, as necessary:
- The IT department’s contact details
- A list of IT-related contracts (such as the contract for Internet access or web hosting)
- A schematic of the logical network infrastructure
- A schematic of the physical network infrastructure
- Information and configurations for networking hardware, such as router and firewall
- Server configuration and specifications
- Backup plan
- Software licence usage and an overview
- A list of IT assets, such as workstations and printers
- List of internal or customised programmes with version history, if applicable
- Internal / customised application technical documentation (If Applicable)
- User manuals for internal or customised applications (if applicable)
To ensure that all IT equipment is fully utilised while remaining adequate for general use, only equipment that meets any of the following criteria may be considered for upgrade or replacement:
4.1.1 Desktop and Notebook
- Hardware that is no longer covered by the warranty from the original manufacturer.
- The hardware is broken and unable to be fixed.
- The cost of repair or part replacement exceeds the beyond-economic-repair (BER) threshold.
- The head of department has determined that the user’s present desktop or notebook no longer meets their needs because it lowers productivity.
- The vendor no longer supports the desktop or notebook operating system.
4.1.2 Server
- Hardware that is no longer covered by the warranty from the original manufacturer.
- The hardware is broken and unable to be fixed.
- The cost of repair or replacement parts exceeds the BER threshold.
- The server’s specifications do not align with those of the software or operating system it is designed to run.
- The server no longer satisfies the business’s operational needs. (For instance, slow processing or limited storage)
4.1.3 Other IT Equipment
- The equipment is defective, no longer covered by the original manufacturer’s warranty, and the cost of repair or part replacement exceeds the BER threshold.
- The equipment is broken and unable to be fixed.
- The equipment no longer satisfies the business’s operational requirements.
In general, the company’s preconfigured software does not require replacement unless one of the following circumstances arises:
- The software is incompatible with the most recent version of the operating system.
- A defect that affects how the business operates is found, but there is no fix.
- The software no longer satisfies the organization’s operational requirements.
- The department head or IT administrator has assessed that the new software will significantly increase the employee’s productivity.
4.3.1 Asset Requisition
- All IT asset requests must be placed with vendors on the Company’s list of authorised vendors.
- All purchase orders (POs) must follow the company’s corporate PO Policy.
- Petty cash requisitions must be made in accordance with internal accounting rules.
4.3.2 Asset Disposal
- Before disposal, storage media must either be physically destroyed or have all data securely wiped (a plain delete or quick format is not sufficient).
- All disposals must be done in an environmentally appropriate way.
- Common office spaces, hallways outside meeting spaces, and the reception area may be monitored by CCTV for security reasons.
- Only authorised staff may be given access to view CCTV data, unless prior permission has been expressly granted by Management.
- The company may use CCTV video footage for security reasons or for other essential purposes, such as locating specific people for COVID-19 contact tracing.
The PDPA guidelines will be followed when accessing and using CCTV footage.