SaFi Bank Space : WIP - IT (Internal) General Policy

Document Name: I.T. General Policy

Document Version: V1.0

Effectivity Date: February 15, 2023

History of Amendments: DRAFT

Prepared by: Joey Reyno

Approved by: Ion Mudreac

RASCI MATRIX

R - Responsible (the person/s who must ensure that the task is completed; the doer of the task). At least one per task.

A - Accountable (the person who is ultimately answerable for the overall activity or task). There should only be one per task.

S - Support (the person/s who can help/facilitate in the execution of the task).

C - Consult or Approver (the person/s whose feedback is needed and who contribute to the activity).

I - Inform (the person/s or groups who must be kept up to date on what is happening in this task).

Combined - single role performing multiple functions.

 

RASCI MATRIX for IT Policy

| TASK/ACTIVITY | IT Service Team | HR | User | Management |
|---|---|---|---|---|
| Updating of Acceptable Use Policy | R + A | I | | |
| Cascading of Policy | I | R + A | | |
| Acceptance of the Policy | I | I | R + A | |
| Approval | | | R + A | |

  1. OBJECTIVE

To establish standard guidelines for I.T. equipment and its proper usage.

  2. SCOPE

This policy covers the acceptable use of equipment such as laptops, personal computers, media and other I.T. peripherals, as well as user IDs, accounts, access keys, and badges.

 

A. Acceptable Use of IT Office Equipment

 

The Acceptable Use policy covers the usage and security of office equipment. This also includes the use of email, internet, voice/VoIP and mobile IT equipment.

  1. All office equipment such as telephones, printers, scanners, photocopiers, and other IT equipment, is the property of the company and is to be used for business-related activities only.

  2. Only authorized Users are permitted to use the equipment. Any unauthorized use will be subject to removal of access to the company's computing environments or subject to disciplinary action.

  3. The IT department will monitor the usage of all office equipment and reserves the right to restrict or prohibit the use of any equipment to protect the company's assets or information.

  4. Users must immediately report to the IT Service Team any violations, events or incidents such as:

    1. Unauthorized access - any potential unauthorized access to company IT resources

    2. Security incident - any suspected unauthorized access to, use of, and/or compromise of confidential data

    3. Data Loss Incident - any failure or (intentional or unintentional) destruction of data

    4. Technology Incident - any event that may cause system failure, interruption and loss in availability of company resources

    5. Policy Violation - any potential violation of this company's policies, procedures and standards

  5. In case of violation, the IT Service Team has the right to restrict access and to execute a 'remote wipe' if necessary (Note: in conjunction with HR/Line Managers).

 

B. Proper use of laptops, hardware and software, office systems, network and internet resources

 

  1. All laptops, desktop PCs, and other mobile devices are the property of the company and are equipped with antivirus, firewall, threat detection and protection.

  2. All laptops, desktop PCs, and other mobile devices are enrolled into the company's mobile device management system and are kept up-to-date with security patches and system/software updates.

  3. The primary storage for all laptops and desktop PCs should be on the cloud, using the technology provided by the IT Service Team.

  4. All hardware must be approved by IT Management before it will be allowed to connect to the company's internal network.

  5. Only the standard software approved by Department Heads will be allowed on the company's equipment, and it must be installed by the authorized IT Service Team.

  6. All equipment must be used in accordance with the manufacturer's instructions and with proper care and maintenance. Any technical issues, malfunctions or defects should be reported immediately to the IT Service Team.

  7. End users shall be responsible for keeping all assigned equipment clean and free of dust, debris, and other contaminants. Regular preventive maintenance will be scheduled by the IT Service Team.

  8. All equipment must be used in a safe and secure manner to protect the unit and sensitive information. All equipment must be password protected and all data must be backed up regularly.

  9. All office systems, including email, file servers, and databases, must be used in accordance with the company's IT policies and procedures. Any unauthorized access or misuse of these systems will be subject to disciplinary action.

  10. Users are responsible for the cost of any damage or loss of laptops and other mobile devices resulting from misuse or neglect.

  11. Users should not engage in activities that may degrade the performance of company information resources, obtain access or resources beyond those allocated, or circumvent the company's IT security measures.

  12. The company's internet or networking resources must only be used for business-related activities. The following activities are not allowed:

    1. Playing recreational games

    2. Using streaming media

    3. Accessing personal social media

    4. Attempting unauthorized access or entry to any network or computing devices accessible from the internet

    5. Other activities that violate the company's policies

 

All new Users should undergo security and awareness training. Users have to acknowledge and agree to adhere to the company's IT policy before they are granted access to company resources.

 

Clean/Clear Desk Policy

 

  1. Users should log off from the network services or applications if they are no longer needed.

  2. Users should lock their PCs and laptops if unattended or if they go away from their workstations or workspaces.

  3. Passwords must not be posted on or under a computer, and must not be stored in plain text on laptops or mobile devices.

  4. Copies of confidential documents should be removed from printers and fax machines.

 

C. Guidelines on safety of user IDs and passwords, badge cards

 

  1. User IDs and passwords, and hardware security keys are the primary means of identifying and authenticating Users and are to be used only by the assigned User. Sharing user IDs and passwords, and hardware security keys is strictly prohibited and subject to disciplinary action.

  2. All user IDs and passwords, and hardware security keys must be kept confidential at all times. Users are responsible for ensuring that their user IDs and passwords are not disclosed to anyone, including family members and friends.

  3. Users must change their passwords at least every 90 days and must use alphanumeric characters such as combinations of letters, numbers, and special characters. Avoid using passwords that contain personal information such as names, birthdates, etc.

  4. Users are responsible for their assigned accounts and for actions taken with their accounts. Users must immediately report any suspicious activity or unauthorized access attempts to their user IDs and passwords to the IT Service Team.

  5. Badge cards are the primary means of accessing the company's premises and must be kept at all times. Sharing badge cards is strictly prohibited and will result in disciplinary action.

  6. Users must badge in and out of the company's premises or access-controlled areas. Piggy-backing, tailgating, door propping and any activities that will circumvent the access security controls are prohibited.

  7. Badge cards must be returned to the company when a User leaves the company as part of the offboarding process.

  8. The IT Service Team will monitor the usage of all user IDs and passwords and badge cards, and reserves the right to disable or revoke access to any user IDs and passwords and badge cards if it is necessary to protect the company's assets and security.

  9. Lost or stolen access cards and/or keys should be reported to the IT Service Team. The User may be charged a service fee if access cards are lost, stolen or not returned.

 

D. Policy on when IT-released office equipment (i.e. laptop) is lost or damaged

 

  1. All IT office equipment, including laptops, is the property of the company and must be used and cared for in accordance with company policies and procedures.

  2. In the event that company-owned equipment is lost or damaged, the User must immediately report the incident to the IT Service Team.

  3. If the equipment is lost or stolen, the user must report the incident to the Barangay authorities and file a police report. A copy of the police report should be submitted to the IT Service Team.

  4. The user will be responsible for the cost of any damage or loss of equipment resulting from misuse or neglect. The cost of repair or replacement will be determined by the IT department.

  5. The IT department will conduct an investigation to determine the cause of the damage or loss. If the damage to the equipment is due to normal wear and tear, the IT Service Team will provide a service unit and/or replacement at no cost to the user.

  6. Any equipment that is no longer needed or is no longer in working condition must be reported to the IT department for assessment and proper disposal.

 

All users, contractors and consultants are responsible for exercising good judgement in the proper use of information, IT equipment and computing resources in accordance with the company policies and standards. 

 

SafiBank

Version 1.0 Jan 24, 2023