IT Security Policy
Developments in Information and Communication Technologies (ICT) are transforming the organization in dramatic ways. These developments are creating hitherto unimaginable opportunities and possibilities, even as they pose new challenges for an organization like PROJECT STCH. In the garments production processes of today's world, information and knowledge mean a great deal more than material resources and physical inputs. ICT has opened up the possibility of radically different information exchange patterns by facilitating faster and more efficient distribution of information.
ICT can play a vigorous role in sustaining the culture of PROJECT STCH, ensuring a high level of transparency and accountability in governance. Information Technology Enabled Services (ITES) have by now turned into major sectors of governance activity in the business world. Over the past one and a half decades, these sectors have made a remarkable contribution to the growth of the organization. In every sector of PROJECT STCH, ICT is now playing an important role in optimizing processes, thereby refining the quality and efficiency of production, human endeavors and governance. PROJECT STCH has a comprehensive view of ICT as a vehicle for transforming PROJECT STCH into a most efficient and effective organization in the market, by implementing ICT in every sector to achieve the goal of the organization.
Security of systems for PROJECT STCH has therefore gained much greater importance, and it must be ensured that such dangers are properly recognized and managed. Moreover, information and information technology systems are essential assets of the organization as well as of its customers and stakeholders. Information assets are dangerous when they are in the wrong hands. Protection and maintenance of these assets are critical to the organization's sustainability. The organization must take responsibility for protecting information from unauthorized access, modification, disclosure and destruction in order to protect stakeholders' interests.
PROJECT STCH's MIS team has prepared this Policy as a guideline for Information & Communication Technology (ICT) for the organization, to be used as a minimum requirement and as appropriate to the level of computerization of its operations.
Scope of IT Security Policy
This Policy is a systematic approach to the policies required to be formulated to ensure the security of information and information systems. This Guideline covers all information that is electronically created, received, stored, printed, scanned and typed. The provisions of this Guideline apply to:
- PROJECT STCH for all of its systems
- All activities and operations required for ensuring data security, including facility design, physical security, network security as well as disaster recovery and business continuity planning, use of hardware and software, data disposal, and protection of copyrights and other intellectual property rights
Objectives of IT Security Policy
This Guideline defines the minimum requirements to which departments must adhere. The primary objectives of the Guideline are:
- To establish a standard policy and management framework for IT security
- To help the organization toward a secured and stable setup of its platform
- To establish a secured environment for the processing of data
- To identify information security risks and their management
- To communicate the responsibilities for the protection of information
- To prioritize the information and information systems that are to be protected
- To provide user awareness and training regarding information security
- To define a procedure for periodic review of the policy and security measures
Physical Security Policy
PROJECT STCH requires that sound business and management practices be implemented in the workplace to ensure that information and technology resources are properly protected. It is the duty of each department to protect technology resources from unauthorized access, from both the physical hardware and the data viewpoints. In fact, effective security of assets in the garment factory is a responsibility held jointly by management and employees. Physical security involves providing environmental safeguards as well as controlling physical access to equipment and data. The following list of safeguard methods is believed to be practical, reasonable and reflective of sound business practices.
Physical Security Policy – Server Room Security
- Server room must have a glass enclosure with lock and key, the key being held by a responsible person of the department.
- Physical access should be restricted; a visitor log must exist and be maintained for the server room.
- Access authorization chart must be maintained and reviewed on a regular basis.
Environmental And Physical Security Policy
- Desktop screens must be locked and the server must have a password-protected screen saver that activates after 10 seconds.
- Administrative password of the operating system must be documented and kept in a vault.
- User creation request forms should be maintained.
- Provision to replace the server within the quickest possible time in case of any disaster.
- Server room should be air-conditioned. A power generator should be in place to continue operations in case of power failure.
- UPS supply to the server during power failure.
- Proper attention must be given to overloading of electrical outlets with too many devices.
- Channel alongside the wall to be prepared to allow all cabling to be kept in a neat and safe position, with a layout of the power supply and data cables.
- Fire extinguisher needs to be placed outside the server room. This must be maintained and reviewed on an annual basis.
- Proper earthing of electricity to be ensured.
Physical Security Policy And Guideline For Data Center
Data Center System access
- Data Centre must be a restricted area and unauthorized access is prohibited.
- Number of entrances into the Data Centre should be limited, locked and secured.
- Access authorization procedures should exist and apply to all persons (e.g. employees and suppliers). Unauthorized individuals and cleaning crews must be escorted during their stay in the Data Centre.
- Organization should maintain an access authorization list, documenting individuals who are authorized to access the Data Centre, reviewed and updated periodically.
- Access log with date and time should be maintained, documenting individuals who have accessed the Data Centre.
- Visitor log should exist and be maintained.
- Security guard should be available 24 hours.
- There should be an emergency exit door available.
Data Center Physical Security
- Sufficient documentation is required regarding the physical layout of the Data Centre.
- Documentation regarding the layout of power supplies of the Data Centre and network connectivity is to be prepared.
- Floors to be raised with removable square blocks, or a channel alongside the wall to be prepared, so that all data and power cabling is kept in a neat and safe position.
- Any system accessories not related to the Data Centre should not be allowed to be stored in the Data Centre.
- Closed Circuit Television (CCTV) cameras are required and must be monitored.
- Data Centre must display the sign "No eating, drinking or smoking."
- Vehicles for any emergency purpose should always be available on site.
- Addresses and telephone or mobile numbers of all contact persons (e.g. fire service, police station, service providers, suppliers and all personnel) should be available to cope with any emergency situation.
- Proper attention must be given to overloading of electrical outlets with too many devices. Proper and practical usage of extension cords should be reviewed annually in the office environment.
- The following computer environmental controls are to be installed:
- Uninterruptible power supply (UPS) with backup units
- Backup power supply
- Temperature and humidity measuring equipment
- Air conditioners with backup units
- Water leakage precautions and water drainage system from the air conditioner
- Emergency power cut-off switches
- Emergency lighting arrangement
- Dehumidifier to be installed
Fire Protection
- The Data Centre wall, ceiling and door should be fire resistant.
- Fire suppression equipment should be installed.
- Procedures must exist for giving the immediate alarm of a fire and reporting to the fire service, and they are to be periodically tested.
- There should be a fire detector below the raised floor, if the floor is raised.
- Electric cables in the Data Centre must be of good quality and concealed.
- Flammable items should not be kept in the Data Centre.
Physical Security Guideline for Other Computers
Computers in other departments
- The PC serving the other departments must be placed in an office room that can be locked with a key from outside, the key being held by a responsible person.
- Access authorization list must be maintained and reviewed on a regular basis.
- Operator must have a desktop password known only to him.
- PC must have a password-protected screen saver which activates after 5 minutes of inactivity.
- Power distribution board for the PC, with a circuit breaker, should be placed outside the enclosure and covered with a box under lock and key held by the Operator.
- Power and other connecting cables for PCs must be kept secured from physical damage.
- UPS for backup power supply to be placed in the enclosure.
- Power supply of the PC should be switched off before leaving the branch.
- Fire extinguishers with the expiry date mentioned are to be placed beside the power distribution board. This must be maintained and reviewed on an annual basis.
- Proper earthing of electricity to be ensured.
There is a mechanism in place to encrypt and decrypt highly sensitive data travelling through the WAN or a public network.
Anti Virus Protection
- Anti-virus software should be installed on each server and computer, whether it is connected to the LAN or not.
- Virus auto-protection (real-time protection) mode should be enabled.
- The anti-virus software is always kept up to date with the latest virus definition file.
- All users are well trained and informed about computer viruses and their protection mechanisms.
- There are procedures in place which require that all incoming email messages are scanned for viruses, to protect the organization's network from virus infection.
Internet and e-email
- All Internet traffic should be routed through a LAN firewall for PCs connected to the network.
- Illegal, irrelevant and harmful traffic should not be routed.
- No user should use a personal email or web-mail account without authorization of the network administrator.
- Users with web browsing should not try to access unnecessary or irrelevant web sites.
- Users with web browsing should not download any file, software or any other shortcut without the authorization of the network administrator.
Network Administrator Level Duties:
- Email server or exchange server should be password protected.
- Every email ID should be password protected and used by one user only.
- In case of a group email ID, user access should be limited by the system administrator.
- Email databases should be backed up periodically.
- Proper documentation should be maintained while creating, altering and granting access permission to any group email ID.
- Virus protection should be ensured, and blacklisted IPs and domains should be regularly managed.
- Only the network administrator should have permission to delete email.
User Duties
- Email users should not misuse the email account for personal or any other reasons.
- Users should not go through junk emails.
- Users should not execute any file sent from an unknown user or in an unknown file format.
- Users should not send the same email to more than 20 users at a time.
- Users should check the recipient list of any email properly to protect secured data from unwanted recipients.
- Users should not send unnecessary and unwanted attached files.
- Users should hand over their user ID and password to the department head or to the email and network administrator when they are leaving the organization or going on holiday.
Application and Database Software:
PROJECT STCH has an expert team to develop customized software in-house. But most software systems are outsourced according to the needs of the organization and the requirements of the buyers. The policy enforces the following rules for using outsourced systems and software:
- Organization must use original software.
- Licenses must be renewed from time to time to maintain performance.
Security and stakeholders' interests:
The policies of the organization limit employee access to the organization's information by user ID and password. Every user ID is governed by a customized authentication level which is controlled by the administrators and each department's head. User access and authentication control is fully automated by the smart application software, database administration and the Domain Name System.
Net User Administrator Duties:
- User creation and access authentication should follow the application and department rules.
- Every user should have a unique, password-protected user ID.
User Level Duties
- Users must not share their user ID and password with others.
- Department superiors should not recommend excessive access for any user.
- Any kind of error or failure should be reported to the application or network administrator.
Security Seals for Application Users:
- A valid and permitted user ID and password is mandatory to access any system in the organization.
- A detailed profile should be kept for every user ID.
- Every application should record the user ID against every activity in the database.
Shipping Documents, Forms and Data:
- Shipping forms, documents and data should be handled only by authenticated users and employees.
- Data manipulation, form filling and document printing should be done only by valid and active users.
- Printing of shipping documents should be done only on a separate printer that is restricted from access by unauthorized employees.
- Printed documents, forms, etc. should be handled only by authenticated employees, kept in a secured separate place and shredded after use.
Adjust or Rescind User Access:
- Organization should have a procedure to adjust or rescind user access to the applications.
- Every department should review the departmental organogram every month and update everybody's access permissions.
IT Disaster Recovery Plan Checklist
The BCP should take into account the backup and recovery process. Keeping this in consideration, this part covers the BCP, the Disaster Recovery Plan and the Backup/Restore plan.
IT Security Policy – Business Continuity Plan (BCP)
There must be a Business Continuity Plan (in line with the business) in place.
- All documents related to business continuity and the IT disaster recovery plan must be kept in a safe/secured off-site location. One copy can be stored in the office for ready reference.
- BCP must contain the following:
- Action plan for i) disaster during office hours, ii) disaster outside office hours, and iii) immediate and long-term action plan in line with the business
- Emergency contacts, addresses and phone numbers, including vendors
- Grab list of items such as backup tapes, laptops or notebooks, etc.
- Disaster recovery site map
- Review of the BCP must be done at least once a year.
IT Disaster Recovery Plan Checklist
- A Disaster Recovery Site (DRS) must be in place, replicating the data centre (Production Site).
- DR site must be at a minimum of 10 kilometers (radius) distance from the production site.
- DR site is equipped with compatible hardware and telecommunications equipment to support the live systems in the event of a disaster.
- Physical and environmental security at the DR site is appropriate.
- Information security is properly maintained throughout the failover and DR recovery process.
- An up-to-date and tested copy of the DR plan is securely held off-site. DR plans exist for all critical services where the DR requirement is agreed with the business.
- DR test is successfully carried out at least once a year.
- DR test documentation should include at a minimum:
- Scope – defines the scope of the planned tests and the expected success criteria
- Plan – detailed actions with timetable
- Test results
IT Security Policy – Service Provider Management
- There should be a Service Level Agreement between the supplier and the organization.
- The Annual Maintenance Contract (AMC) with the supplier should be active and currently in force.
- The user site should ensure that equipment does not contain sensitive live data when hardware is taken by the suppliers for servicing/repair.
- Service contracts with all service providers, including third-party suppliers, should include:
- Measurable services/deliverables
- Timing/schedules, i.e. service levels
- Confidentiality clause
- Contact person names (at daily operations and relationship levels)
- Roles and responsibilities of contracting parties, including an escalation matrix
- Renewal period
- Modification clause
- Frequency of service reporting
- Termination clause
- Warranties, including service suppliers' employee liabilities, third-party liabilities and the related remedies
- Geographical locations covered
- Ownership of hardware and software
- Documentation to be maintained (e.g. logs of changes, records of reviewing event logs)
- Audit rights of access (internal audit, external audit, other audit as may be appropriate).
IT Security Policy – Outsourcing
Outsourcing activities are to be evaluated based on the following practices:
- The objective behind Outsourcing
- The economic viabily
- The risks and secury concerns
- Arrangements for obtaining the source code for the software
IT Security Policy – Backup & Restore
- There is a documented backup procedure.
- Backup copies of information are stored off-site in a geographically separate and safe environment.
- There is at least one backup copy kept on-site for time-critical delivery.
- The backup cycle is based on the following:
- At least a 6-day (weekly) daily cycle
- At least a 6-month monthly cycle
- At least a 1-year yearly cycle
- The backup media is sent off-site immediately after the backups have been taken.
- The backup log sheet is maintained, checked and signed by the supervisor.
- The backup inventory is maintained, checked and signed by the supervisor.
- The ability to restore from backup media is tested at least quarterly as part of the IT security policy.
- Backup media must be labelled properly, indicating contents, date, etc.
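The backup cycle and media rules above, as an added example that is not part of the original policy or PROJECT STCH's own tooling: a small Python helper that assigns each backup to a tier, computes the earliest date a medium may be recycled under the stated minimum cycles, and flags media that were not sent off-site or whose label does not show the backup date. The tier rule (first backup of the year is the yearly copy, first backup of a month is the monthly copy) and the sample inventory are assumptions.

```python
"""Backup rotation check for the cycle in this policy: daily cycle of at
least 6 days, monthly cycle of at least 6 months, yearly cycle of at
least 1 year. Constructed example; the tier rule below is an assumption."""
from dataclasses import dataclass
from datetime import date, timedelta

MIN_DAILY_DAYS = 6        # "at least 6-day (weekly) daily cycle"
MIN_MONTHLY_MONTHS = 6    # "at least 6-month monthly cycle"
MIN_YEARLY_YEARS = 1      # "at least 1-year yearly cycle"


@dataclass(frozen=True)
class Medium:
    label: str      # must state contents and date (policy requirement)
    contents: str
    taken: str      # ISO date on which the backup was taken
    offsite: bool   # media must go off-site right after the backup


def tier(taken_iso: str) -> str:
    """Classify a backup by the day it was taken (assumed rule)."""
    taken = date.fromisoformat(taken_iso)
    if taken.month == 1 and taken.day == 1:
        return "yearly"
    if taken.day == 1:
        return "monthly"
    return "daily"


def retain_until(taken_iso: str) -> str:
    """Earliest ISO date on which the medium may be recycled."""
    taken = date.fromisoformat(taken_iso)
    t = tier(taken_iso)
    if t == "daily":
        return (taken + timedelta(days=MIN_DAILY_DAYS)).isoformat()
    if t == "monthly":  # monthly copies are always taken on the 1st
        years, month0 = divmod(taken.month - 1 + MIN_MONTHLY_MONTHS, 12)
        return date(taken.year + years, month0 + 1, 1).isoformat()
    return date(taken.year + MIN_YEARLY_YEARS, 1, 1).isoformat()


def policy_findings(inventory, today_iso: str):
    """Return (labels that may be recycled, policy violations found)."""
    recyclable, violations = [], []
    for m in inventory:
        if not m.offsite:
            violations.append(f"{m.label}: not sent off-site")
        if m.taken not in m.label:
            violations.append(f"{m.label}: label does not show the date")
        if retain_until(m.taken) <= today_iso:  # ISO strings sort by date
            recyclable.append(m.label)
    return recyclable, violations


SAMPLE_INVENTORY = [  # constructed sample backup inventory
    Medium("DAILY-2024-03-10", "ERP + shipping DB", "2024-03-10", True),
    Medium("DAILY-2024-03-15", "ERP + shipping DB", "2024-03-15", True),
    Medium("MONTHLY-2024-03-01", "ERP full image", "2024-03-01", False),
    Medium("YEARLY-2024", "ERP full image", "2024-01-01", True),
]


def sample_findings():
    """Run the check over the constructed inventory as of 2024-03-18."""
    return policy_findings(SAMPLE_INVENTORY, "2024-03-18")
```

Run against a real inventory by building `Medium` entries from the backup log sheet; a medium appears in the recyclable list only once its tier's minimum cycle has fully elapsed.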
Engr. Kh. Mashiur Rahman, Garments Auto Machine Technologist, Web: www.autogarment.com, Email: [email protected], Cell: +88 017 92 52 53 54