IT Security Policy

Apr 06, 2018

Mohammad Farooq
8/3/2019 IT Security Policy

1/13

IT Security Policy Page 1 of 13

The IT Security Policy has been finalized and completed (copy enclosed). You are requested to please approve the inclusion of the IT Security Policy as an official document and allow circulation of its copies to GHPL Department Heads and relevant staff involved for strict compliance.

Assistant Manager (IS)

December 07, 2011

Managing Director/CEO


TABLE OF CONTENTS

Purpose of the Policy ........................................................ 4
Scope ........................................................................ 4
1. Software & Software Applications .......................................... 4
2. Backup and Recovery ....................................................... 5
3. IT Hardware Usage ......................................................... 6
4. Internet Access ........................................................... 7
5. E-mail Management ......................................................... 7
6. Network Security .......................................................... 9
7. Computer Usage ............................................................ 9
8. Non-Organization Personnel ............................................... 10
9. Password Protection ...................................................... 10
10. Virus Protection ........................................................ 10
Role Creation, Modification or Deletion Request Form ....................... 12
Acknowledgement ............................................................ 13


Purpose of the Policy

Government Holdings (Private) Limited provides IT infrastructure and computer facilities to facilitate its employees in achieving the company's business goals. The purpose of the policy is to educate and sensitize users, identify the associated risks and highlight the responsible use of the IT infrastructure.

Inappropriate use of the IT infrastructure can expose the company to risks including virus attacks, data security/integrity problems and legal issues. The policy is there to protect the interests of employees and the company. All users of the IT infrastructure are expected to be familiar with this policy and the consequences of its violation.

Scope

This policy applies to employees, persons on deputation, consultants, persons affiliated with third parties and internees working at Government Holdings Private Limited. The scope of this policy includes the following:

1. Software & Software Applications
2. Backup and Recovery
3. IT Hardware Usage
4. Internet Access
5. E-mail Management
6. Network Security
7. Computer Usage
8. Non-organization Personnel
9. Password Protection
10. Virus Protection

1. Software & Software Applications:

Installation, configuration and support of all software and software applications used within GHPL shall be the responsibility of the IT department.

Requirements for new software/software applications, and for modifications, enhancements and upgrades of existing software, should be discussed with the IT department to assess the detailed specification and implications.

A record of software licences shall be maintained by the IT department to ensure compliance with legislation.

Ten user licenses have been purchased from SAP Siemens Pakistan. Users are divided into three categories:

S.#   Users   Category                      Description
1.    7       Professional Users            Full authorization: change, delete, edit, add
2.    2       Limited Professional Users    Can only view/display the records
3.    1       Developer User                Used for customization of ABAP code


Addition/deletion of, or change in, access authorizations in the SAP Finance and HRM modules shall be approved by the Director Finance/Chief Financial Officer on the prescribed Authorization Request Form (Annex-A), while access authorizations for the BI production server shall be granted by the Director Technical.

Duplication of licensed software or related documentation, for use either on company premises or elsewhere, shall only be allowed after written approval by the Head of the IT department.

Only software approved by the Head of IT shall be installed on office computers. Any personal software approved and installed for use has to be registered with the IT Department. In the event the Head of the IT Department believes, in his or her sole discretion, that the personal software installed may harm the computer equipment, he may direct the employee to remove the software from the company's computer equipment.

2. Backup and Recovery:

The backup schedule for servers is on a weekly and monthly basis and includes data, log and operating system backups. The weekly backup will include only database backups of all SAP servers, while a full system backup of all SAP servers will be taken on a monthly basis.

Tape cartridges or other removable media may be used for data backup, and the following strategy would be used for backing up data:

a. A full backup of all servers, folders and e-mails would be taken on two external hard drives/tape cartridges. One of these would be placed in the server room and the other in a different physical location. This achieves two goals: first, if a server crashes, all data can be recovered from the external hard drive/tape cartridge in the server room; second, if that tape cartridge fails or the server room faces a natural disaster, the data can be recovered from the tape cartridge placed in the different physical location.

b. The remaining removable drives/cartridges may be used for export and database backups.

Backups may be taken of the following servers, user folders and e-mails:

a. SAP server databases.
b. Network shared directories.
c. Mailboxes of each user.
d. Petrel server database.


Security: Access to backup media, devices or backup system software is restricted to authorized staff. Requests for physical or system access by unauthorized staff require prior approval of the Head of the IT department.

Off-Site Storage: Copies of backups will be stored in a safe location, physically distant from the data processing center, to facilitate disaster recovery efforts.

Supporting Documentation: Documentation regarding the build and recovery of the implemented backup solution must be maintained in locations that allow for access during disaster recovery efforts.

Tape and other backup media must be clearly labelled to reflect the data written to the media and the date on which the backup occurred. A report regarding data backup status will be sent to the concerned authority.

Disposal: Backup media will be physically destroyed in a secure manner that renders the stored data irretrievable. Media destruction shall be conducted by authorized staff or by an approved designate.

Restoration: Users that need files restored must submit a request to the IT Manager, including information about the file creation date, the name of the file, the last time it was changed, and the date and time it was deleted or destroyed.

3. IT Hardware Usage:

Hardware is defined as server computers, computer systems, laptops, notebooks, printers, wireless modems, multimedia equipment or any other hardware not defined herein.

Records of all IT equipment, including additions, deletions, movements and allocations, shall be maintained by the IT department.

Requirements for new hardware should be discussed in advance with the Head of the IT Department to assess the detailed specification.

The deployment of new equipment or re-deployment of existing equipment can only be undertaken with the approval of the Head of IT.

The security and safekeeping of portable devices such as laptops is the responsibility of the employee using them.

All employees are responsible for the proper usage, care and cleanliness of the IT equipment in their use.

Any hardware issued to employees must be handled with extra care and caution. If, due to negligence or mishandling, the hardware becomes faulty/damaged, it is the employee's responsibility to have it repaired at his/her own expense. Similarly, if the hardware is irreparably damaged, the employee will be liable to pay the net depreciated amount to the company. Net book value will be as of the date of damage.

4. Internet Access:

Internet access is provided to staff to enable them to undertake company business only. Use of the Internet for personal reasons should be limited and infrequent. In case of excessive use of the Internet for personal work, the Internet facility may be withdrawn at any time without notification.

The company reserves the right to block user access to specific web sites, or groups of web sites, without notice to staff.

While the company respects the privacy of individual staff, it reserves the right to assign a member of IT to track and log web access, including sites visited, if it believes these rules have been violated at any stage.

Staff are prohibited at all times from using the company's computers for shopping, trading in stocks, shares or other negotiable instruments, or participating in online auctions.

Staff should not subscribe to chat rooms, dating agencies, messaging services or other on-line subscription Internet sites.

The company retains the right to monitor Internet usage by staff. This right will be exercised solely through the IT Department and only on instructions from the Head of IT.

It is forbidden to send any audio/video files or pictures (any kind of multimedia files) from the GHPL domain for private purposes. Limited exchange of private multimedia files is allowed by placing them in a dedicated public folder, the address of which is available from the IT department.

5. E-mail Management:

No e-mail may be sent or forwarded through a company computer for purposes that violate company policies, or for an illegal or criminal purpose.

The administrator of the e-mail system will not read staff e-mails unless authorized by the Head of the IT department, solely for the purpose of safeguarding company interests.

Users should compress large files before attaching them to e-mail. This will help to optimize bandwidth.

Users should delete items from their inbox and outbox when they are no longer needed. If a mail item needs to be retained it should be moved to an archive folder or a disk, or be printed. Unsolicited mail should be deleted immediately.


It is possible to receive a virus via e-mail, and some viruses are embedded in attachments. If you receive a suspicious e-mail, do not open it, but instead contact the IT Department.

Users should be aware that their deletion of electronic information will often not erase such information from the system's storage until it is overwritten with other data; it may, in any case, still reside on the company's network on various back-up systems or in other forms, and, even if erased, may still exist in the form of print-outs.

Limited personal use of e-mail is permitted. Managers should ensure there is no abuse of this privilege. E-mail to all staff should be used only when appropriate.

Staff should minimise the number of messages in their e-mail inbox to ensure maximum efficiency of the delivery system. Staff should utilise the archiving facility within the e-mail system in accordance with current guidelines.

The company retains the right to access and view all e-mails sent and received through the e-mail system.

Every user should have the following disclaimer with each outgoing e-mail after their signature:

    The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you have received this in error, please contact the sender and delete the material from your computer. Please note that any views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of the company. Finally, the recipient shall check this e-mail and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this e-mail.

Users may not discuss their opinions on religious/sectarian or political matters. Users may not use e-mail to propagate indiscipline in office matters. Users may not use e-mail for the purpose of bringing disrepute on any individual or organization. Users may only use proper official language in their e-mails.

Unsolicited e-mail messages to multiple users are prohibited unless explicitly approved by the concerned Head of Department. All messages must show accurately from where and from whom the message originated. Inappropriate mass mailing or talk requests, such as multiple mailings to newsgroups, mailing lists, or individuals (e.g., spamming, flooding, blogging, bombing or snerting), are serious violations of IT policy.

The company reserves the right to refuse mail and other connections from outside hosts that send unsolicited, mass or commercial messages, or messages that appear to contain viruses, to company or other users, and to filter, refuse or discard such messages.


6. Network Security:

Unauthorized attempts to gain privileged access, or access to any account or computer not belonging to you, on any company computer or system are not permitted.

Creation of any program, web form, or other mechanism that asks for a company user identity and password is prohibited.

Downloading, installing or running security programs or utilities which reveal weaknesses in the security of the network is strictly prohibited unless a job specifically requires it.

Computer and network accounts provide access to personal, confidential data. Therefore, individual accounts cannot be transferred to or used by another individual. Sharing accounts or passwords is strictly prohibited.

Each computer user is responsible for the security of any computer he/she connects to the network. A computer seen to be attacking other systems will be taken off the network, generally without notice, until it has been made secure.

For security and network maintenance purposes, IT department staff are authorized to monitor equipment, systems and network traffic at any time.

GHPL reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.

Any user who finds a possible security lapse on any company system must report it to the IT Department.

User files on central company systems are kept as private as possible. Attempts to read another person's files will be treated with the utmost seriousness.

The use of removable devices (flash drives, CDs, floppies) should be minimized, as these are also potential sources of viruses, Trojans, leakage of information, etc.

7. Computer Usage:

Use of any company computer by an individual or group other than an employee requires approval from the Head of the IT Department.

Use of the computers for commercial purposes other than those of the company is strictly prohibited, unless explicitly approved by the Head of the IT Department.

Consuming gratuitously large amounts of system resources (print quotas and network bandwidth) or deliberately/unintentionally crashing the machine(s) shall be avoided. Large jobs shall be run on shared systems after peak hours.

Playing online or computer games on official computers is prohibited. Copying, storing, displaying, or distributing copyrighted material using company computers or the GHPL network without the express permission of the copyright owner, except as otherwise allowed under copyright law, is prohibited.


Copying, storing, displaying, or distributing pornographic material using company computers is prohibited. This prohibition extends to using company computers to view web sites displaying such material. Computer users must ensure that their systems are properly shut down and turned off at the end of the day.

Installation/removal of any software/hardware on the system without prior permission from the IT Head is not permitted.

Users are not allowed to change system parameters such as computer name, IP address, primary and secondary DNS server, Outlook settings, etc.

The Head of the HR/Admin department should notify the Head of IT about creation/deletion of staff e-mail accounts and system permissions.

8. Non-Organization Personnel:

External or non-organization personnel are not permitted to access internal network resources unless specifically approved in advance by the Head of the IT Department.

9. Password Protection:

Users are responsible for the security of their passwords; they should change their passwords frequently for better security of their machines.

Passwords must be chosen which are difficult to guess. This means that passwords must not be related to one's job or personal life. For example, a car license plate number, a spouse's name, or fragments of an address must not be used. This also means passwords must not be a word found in the dictionary or some other part of speech. For example, proper names, places, technical terms, and slang must not be used. A good password may be a mixture of letters in upper and lower case along with numbers.

Whenever a user leaves his computer unattended, the user must ensure that the system is secured with a password-protected screensaver, or should lock the computer using the Control-Alt-Delete command.
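As an added illustration (not part of the policy document and not GHPL's own tooling), the following Python check encodes the three password rules stated above: no fragments of personal or job details, no dictionary word (even when padded with digits), and a mixture of upper-case, lower-case and numbers. The word list, the user context and the sample passwords are constructed for the example; a real deployment would load a full dictionary and the user's own details from a directory.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-in for a real word list; a deployment would load a full
# dictionary (for example the system word list) instead of this handful of words.
DICTIONARY = {"password", "welcome", "summer", "karachi", "finance",
              "admin", "petrel", "server"}


@dataclass
class UserContext:
    """Personal and job details the policy says a password must not be derived
    from (constructed for the example): username plus e.g. spouse name, car
    licence plate, fragments of an address."""
    username: str
    personal_tokens: list = field(default_factory=list)


def _normalize(s: str) -> str:
    """Lower-case and drop punctuation/spaces so 'LEA-1234' matches 'lea1234'."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def check_password(password: str, ctx: UserContext, dictionary=DICTIONARY) -> list:
    """Return the list of policy violations; an empty list means the password
    satisfies every rule encoded here."""
    problems = []
    norm = _normalize(password)

    # Rule: a mixture of letters in upper and lower case along with numbers.
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")

    # Rule: must not be related to the user's job or personal life.
    for token in [ctx.username, *ctx.personal_tokens]:
        t = _normalize(token)
        if len(t) >= 3 and t in norm:
            problems.append(f"contains personal/job detail '{token}'")

    # Rule: must not be a dictionary word. Strip digits first so that a word
    # merely padded with numbers ("Password123") is still caught, then look for
    # longer dictionary words embedded anywhere in the password.
    letters_only = re.sub(r"[^a-z]", "", norm)
    if letters_only in dictionary:
        problems.append("is a dictionary word (possibly padded with digits)")
    else:
        for word in sorted(dictionary):
            if len(word) >= 5 and word in norm:
                problems.append(f"contains dictionary word '{word}'")
                break
    return problems


def is_acceptable(password: str, ctx: UserContext) -> bool:
    """Convenience wrapper: True when no rule is violated."""
    return not check_password(password, ctx)


if __name__ == "__main__":
    # Constructed user: username plus spouse name, plate number and street fragment.
    user = UserContext("farooq", ["Ayesha", "LEA-1234", "Street 12"])
    for candidate in ["Password123", "ayesha", "Lea1234x", "Finance-Dept9", "xK7pq2Lm"]:
        verdict = check_password(candidate, user)
        print(f"{candidate!r:16} -> {'OK' if not verdict else '; '.join(verdict)}")
```

Each violation is reported separately rather than as a single pass/fail, which is what a help desk needs when explaining to a user why a chosen password was rejected under section 9.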

10. Virus Protection:

Every PC/laptop machine should be fully protected by antivirus software, and end users will not be authorized to remove/uninstall antivirus software installed by the IT department. It is the responsibility of the end users to immediately report to the IT department any virus attacks on their computers.

Employees should virus-scan all media (including floppy disks, zip disks, flash drives and CDs) before first use.

Under no circumstances should an employee attempt to disable or interfere with the virus scanning software. Any problems caused by an anti-virus product shall be reported to the IT department immediately.

Violations of these policies may result in the immediate suspension of computer account and network access. Serious violations of the policy will be referred directly to management, which may result in disciplinary action.


Annex-A

Role Creation, Modification or Deletion Request Form

Request Date: ____________          Role Deleted: Yes / No

Role Information:

Module   Role   Description
FICO
HCM
PS
JVA

Add Transactions:

S. No.  Transaction Code   S. No.  Transaction Code   S. No.  Transaction Code
1                          6                          11
2                          7                          12
3                          8                          13
4                          9                          14
5                          10                         15

Delete Transactions:

S. No.  Transaction Code   S. No.  Transaction Code   S. No.  Transaction Code
1                          6                          11
2                          7                          12
3                          8                          13
4                          9                          14
5                          10                         15

Approval Signatures:

User          Manager          Chief Financial Officer

For IT Department

Created/Modified/Deleted By
Creation/Modification/Deletion Date
Communication Date

Remarks if any:


Acknowledgement

I have read and understood this policy statement:

(Signature)          (Date)