SaFi Bank Space : IT Operations Policy

This policy is in compliance with BSP MORB 148 IT Risk Management, Appendix 77 (IT Operations Standards and Guidelines) - https://morb.bsp.gov.ph/appendix-77/

(blue star) Purpose

The purposes of the IT Operations Policy are:

  • To establish the IT operational framework of the bank.

  • To establish the standards and procedures for IT operational processes.

  • To organize IT operations management to support the Bank.

(blue star) Objective

To achieve its purpose, SaFi Bank, referred to as “The Bank”, aims to implement the following objectives:

  • Enable risk management processes that promote sound and controlled operation of IT environments.

  • Ensure that IT operations process and store information in a timely, reliable, secure, and resilient manner.

  • Ensure that the current and planned infrastructure is sufficient to accomplish the Bank's strategic plans.

(blue star) Scope

  • This policy shall apply to SaFi Bank.

  • This policy covers the IT operational framework, including the standards and guidelines for managing IT operations and IT risks.

  • This policy establishes the roles and responsibilities for the management of IT operations.

(blue star) Policy

(blue star) Technology Inventory

Principles

  • All IT resources should be listed in a single inventory.

  • Perform an inventory and keep it up to date.

Roles and Responsibilities

  • Head of Service Management

    • Drives the inventory process.

    • Establishes the inventory for network elements and endpoint devices.

  • Network Engineers

    • Perform the inventory of network elements (servers, firewalls, switches, etc.) in the infrastructure.

    • Maintain the inventory and ensure it is up to date.

  • Desktop Support

    • Performs the inventory of endpoints (laptops, tablets, etc.) in the infrastructure.

    • Maintains the inventory and ensures it is up to date.

Statement of Policy

  • Head of Service Management should establish a single inventory (asset management) solution for network elements and endpoint devices.

  • The inventory solution should record lifecycle information for each piece of equipment/device, from the procurement date through disposal.

  • Head of Service Management cascades the inventory solution to the Network Engineers and Desktop Support teams.

  • Network Engineers should enter all network elements used in the infrastructure and keep the inventory up to date.

  • Desktop Support should enter all endpoint devices in the infrastructure and keep the inventory up to date.

  • An inventory check should be performed regularly, every six months.

Hardware Inventory

All hardware in use should be listed in Snipe-IT, the asset management tool.

Software Inventory

IT Operations - Technology Inventory Software

Network Components and Topology

SFB On-Premise Servers

Safi Office WIFI Network

Data Flow Diagram

IT Operation - Technology Inventory - Data Flow Diagram

Device labeling

All devices to be used in the Bank should be labeled. Labels should have the following information:

  • Device Type: Network Element, Equipment, or Endpoints

    Device Type    Network Element    Equipment      Endpoints
    Examples       Switches           Servers        Laptops
                   WiFi Routers       IDS / IPS      Tablets
                   Access Points      Gateways       Mac's
                   CCTV Camera        CCTV Server    Monitors
                   and others         and others     and others

  • Device ID: Nomenclature SFB-<DeviceType><Year>-<DeviceCode>-<number>, where DeviceType is the type code, Year is the two-digit procurement year, DeviceCode is the code from the table below, and number is the running number of the device deployed that year.

    Example: SFB-E23-MBP-10 means a SaFi Bank (SFB) managed Endpoint procured in 2023 (E23), a MacBook Pro (MBP), and the 10th device deployed that year (10).

    Device Type    Network Element (NE)   Equipment          Endpoints (E)
    Device Code    Switches (SW)          Servers (SV)       MacBook Pro (MBP)
                                                             MacBook Air (MBA)
                   WiFi Routers (WR)      IDS / IPS (Sec)    iPad (IP)
                   Access Points (AP)     Gateways (GW)      Mac Mini (MM)
                   CCTV Camera (CC)       CCTV Server (CS)   Monitors (M)

  • Device Owner: Employee Number
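The label nomenclature above is a format that inventory imports and audits can validate mechanically. The following is an added example (not part of this policy page or of any SaFi Bank tooling) that parses a Device ID, checks that the device code is allowed for the declared device type, and audits a batch of labels for malformed and duplicate entries. The type codes NE and E and the device codes are taken from the tables above; the page defines no type code for Equipment, so the code "EQ" used here is an assumption.

```python
"""Parser/validator for the SFB device-ID nomenclature.

Added example; it is not part of the SaFi Bank policy page or any SaFi Bank
tooling. The device codes and the type codes NE (Network Element) and E
(Endpoint) are taken from the page; the type code "EQ" for Equipment is an
ASSUMPTION, because the page does not define one.
"""
import re
from dataclasses import dataclass

# Device codes allowed for each device type, transcribed from the policy's table.
DEVICE_CODES = {
    "NE": {"SW", "WR", "AP", "CC"},          # Switches, WiFi Routers, Access Points, CCTV Camera
    "EQ": {"SV", "Sec", "GW", "CS"},         # Servers, IDS/IPS, Gateways, CCTV Server (type code assumed)
    "E": {"MBP", "MBA", "IP", "MM", "M"},    # MacBook Pro/Air, iPad, Mac Mini, Monitors
}

# SFB-<TypeCode><YY>-<DeviceCode>-<sequence>, e.g. SFB-E23-MBP-10
_ID_RE = re.compile(
    r"^SFB-(?P<type>NE|EQ|E)(?P<year>\d{2})-(?P<code>[A-Za-z]+)-(?P<seq>\d+)$"
)


@dataclass(frozen=True)
class DeviceId:
    device_type: str   # NE, EQ or E
    year: int          # four-digit procurement year
    device_code: str   # e.g. MBP
    sequence: int      # running number within that year


def parse_device_id(label: str) -> DeviceId:
    """Parse a label and reject it with a precise reason if it is malformed."""
    m = _ID_RE.match(label.strip())
    if not m:
        raise ValueError(f"{label!r}: does not match SFB-<Type><YY>-<Code>-<n>")
    dtype, code, seq = m["type"], m["code"], int(m["seq"])
    if code not in DEVICE_CODES[dtype]:
        raise ValueError(f"{label!r}: device code {code} is not valid for type {dtype}")
    if seq < 1:
        raise ValueError(f"{label!r}: sequence number must start at 1")
    return DeviceId(dtype, 2000 + int(m["year"]), code, seq)


def make_device_id(device_type: str, year: int, device_code: str, sequence: int) -> str:
    """Build a label, refusing codes the table does not allow for the given type."""
    if device_code not in DEVICE_CODES.get(device_type, ()):
        raise ValueError(f"{device_code} is not a valid {device_type} device code")
    return f"SFB-{device_type}{year % 100:02d}-{device_code}-{sequence}"


def audit_labels(labels):
    """Check a batch of labels (e.g. an inventory export) and report invalid and duplicate ones."""
    invalid, duplicates, seen = [], [], set()
    for label in labels:
        try:
            parsed = parse_device_id(label)
        except ValueError as exc:
            invalid.append(str(exc))
            continue
        if parsed in seen:
            duplicates.append(label)
        seen.add(parsed)
    return {"invalid": invalid, "duplicates": duplicates, "valid": len(seen)}
```

Running audit_labels over the exported asset list at each six-monthly inventory check surfaces mislabelled devices (wrong code for the type) and duplicate labels before they propagate into the asset register.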

(blue star) Data Center

Principles

  • Critical IT equipment and network elements must be on a continuous uninterruptible power supply (UPS).

  • All computer cabling must be organized using a structured cabling system.

  • The Data Center must have HVAC systems.

  • All IT equipment, network elements, and endpoint devices must be installed on raised floors.

  • The Data Center must have fire suppression devices nearby and easily accessible.

  • The Data Center must be monitored by video surveillance 24/7.

Roles and Responsibilities

  • Head of Service Management

    • Drives Data Center management.

    • Ensures the principles are followed in the operation of equipment and network elements.

  • Network Engineers

    • Ensure that the installation, deployment, and operation of network equipment and other elements are aligned with the principles.

  • Desktop Support

    • Ensures that the provisioning, deployment, and operation of endpoint devices are aligned with the principles.

Statement of Policy

  • Head of Service Management should oversee Data Center operations.

  • Network Engineers and Desktop Support should establish a standard procedure for managing their devices in the Data Center.

  • Access to the Data Center should only be granted to assigned and carefully selected engineers, for the tasks they need to perform.

  • All activities should be documented and logged for access monitoring.

  • All planned activities should be reviewed and approved by the Head of Service Management.

(blue star) Preventive Maintenance

Principles

  • All maintenance activities must follow a predetermined schedule with proper planning.

  • All maintenance activities must be recorded and logged for review.

  • Maintenance activities must be allocated enough resources, and their schedule must be coordinated with production.

  • Maintenance activities must be communicated to all impacted employees and customers.

  • Written logs taken during maintenance must be kept.

Roles and Responsibilities

  • Head of Service Management

    • Oversees the maintenance activities.

    • Approves the maintenance plan.

  • Network Engineers and Desktop Support

    • Create the maintenance plan for the activities.

    • Record all activities during maintenance.

    • Gather logs after the maintenance period.

Statement of Policy

  • Head of Service Management should plan the schedule of preventive maintenance for the year.

  • Network Engineers and Desktop Support should document the planned activities in the maintenance plan.

  • The maintenance plan should be approved by the Head of Service Management.

  • Planned preventive maintenance activities should be communicated to impacted employees and customers one month in advance.

  • All activities during maintenance should be recorded and logged chronologically in the maintenance report.

  • Logs from the maintenance period should be collected after the maintenance window for review.

(blue star) Change Management

Principles

  • A change is a project, initiative or solution to improve the way work gets done or solve a problem.

  • A change must be reviewed and approved by IT management, the supporting IT team, the Cybersecurity Team, the IT Audit team, and the Business Owners.

Roles and Responsibilities

  • Chief Technology Officer (CTO), Head of Technology, Head of Service Management, Head of QA Testing, Head of IT Security, and IT Audit Guild should review the planned change.

  • Head of Technology should ensure that development operations are not significantly affected by the change.

  • Head of Service Management should ensure that IT services are not disrupted by the change.

  • Head of QA Testing should ensure that a testing strategy is ready to validate that everything works as expected after the change.

  • Head of IT Security should ensure that security is maintained with the change.

  • IT Audit should ensure that the agreed change process is followed.

  • Business Owners should approve the planned change.

Statement of Policy

  • The IT team that proposes the change should create an implementation plan for all changes to be made in the infrastructure.

  • The implementation plan should contain the step-by-step procedures to be performed, with the specific persons or team responsible for each step.

  • The implementation plan should be approved by the Business Owners and reviewed by the IT Management Team (CTO, Head of Technology, Head of Service Management, Head of QA Testing, Head of IT Security, and IT Audit Guild).

  • The implementation plan should be approved at least three weeks before the target implementation date.

  • An implementation plan that misses the three-week cut-off has its target implementation date moved to the following week.

  • Impacted users should be notified of the change.

  • All activities in the change implementation should be documented chronologically by the IT team.

(blue star) Patch Management

Principles

  • IT infrastructure must be kept up to date with the latest security patches.

  • Bug-fix and feature-enhancement updates should be reviewed prior to application.

  • All patches, bug fixes, and feature updates should be tested prior to deployment.

  • Application of patches and updates must follow the Change Management policy.

Roles and Responsibilities

  • The IT team that proposes a patch or update should provide an implementation plan for it.

  • The IT team that proposes a patch or update should have documented proof that the patch or update was tested.

Statement of Policy

  • The IT team that maintains a system/application should monitor all product bulletins for information on new versions.

  • The IT team must ensure that the system/application is kept up to date with the latest versions, aligned with business requirements.

  • The IT Security Team should ensure that all systems/applications have up-to-date security patches.

  • All previous binary installers and packages should be archived by the IT team that maintains the system/application, so that a rollback to a known-good version remains possible.

Emergency Change

  • Emergency Change is only allowed if the patch is:

    • Security Update

    • Hotfix for a critical bug

    • Incident related fixes

  • Emergency Change should follow change management policy.

(blue star) Network Management

Principles

  • Network design and diagrams should be kept up to date.

  • Network standards and operating procedures should be formally documented and reviewed every six months.

  • The network should be monitored on a continuous basis.

Roles and Responsibilities

  • Head of Service Management drives the network operations center.

  • IT Network Engineers manage all network operations and document the process.

  • IT Security Team supports the IT Network Engineers to secure the network operations.

Statement of Policy

  • The IT Network Team should document the standards and operating procedures of the network management process.

  • The IT Network Team should update the network design and diagrams for every change implemented in the infrastructure.

  • The IT Security Team should check each change for security vulnerabilities.

  • The IT Security and Network Teams should monitor the network infrastructure for activity and vulnerabilities.

  • Head of Service Management should plan the network operations strategy and update management on operational status and progress.

(blue star) Disposal

Principles

  • Units must be assessed before disposal.

  • Data within the units should be purged or destroyed.

Roles and Responsibilities

  • Head of Service Management drives the disposal process.

  • The IT Service Management Team should document standards and operating procedures for disposal management.

Statement of Policy

  • The Service Management Team shall evaluate and assess equipment for disposal.

    The following factors shall determine which units are subject to disposal:

    • Units that are more than five (5) years old

    • Lapse of the standard three (3) year warranty period

    • Parts for repair are unavailable

    • Units that are no longer functional and beyond repair

    • Obsolete software that is no longer in use or can no longer be upgraded to the latest version

  • Any equipment with storage media, such as servers, PCs, laptops, and external drives, that contains client information and confidential data shall be purged after the five (5) year retention period, subject to approval by the Chief Technology Officer (CTO)/Management.

  • Units confirmed for disposal shall be coordinated with Finance for proper documentation of company assets and inventory, so that the company books are updated.

  • Units that undergo disposal shall have a certificate or attestation that data has been completely purged or destroyed, by degaussing or a similar data-wiping process of not less than three (3) passes. The I.T. Department may engage an external degaussing or data-cleanup service as part of the disposal process, if necessary. Degaussing and multi-pass overwriting are effective for magnetic media only; solid-state drives and flash storage must instead be sanitized with the drive's built-in secure-erase or sanitize command, or by cryptographic erase, because overwrite passes do not reliably reach wear-levelled and spare flash cells.

Exception Handling

  • I.T. equipment and peripherals supplied by vendors (e.g., Telco networking equipment and peripherals holding configuration data) are excluded from this policy.

(blue star) Access Control

Principles

  • Ensure the confidentiality, integrity, and availability of IT systems and resources by access control and monitoring.

  • Ensure compliance by conducting audits regularly.

Roles and Responsibilities

  • Head of Service Management drives access management.

  • The IT Service Management Team should document standards and operating procedures for the access management process.

  • IT Service Management is responsible for the implementation and enforcement of this policy.

  • IT Service Management must establish a process for the creation, management, and revocation of user accounts and access to IT systems and resources.

Statement of Policy

  • User account creation:

    • All user accounts must be created and approved by the designated IT administrator or an authorized representative.

    • Each user account must be assigned a unique username and password, and the password must meet the organization's password complexity requirements.

    • Users must not share their account credentials with any other individual.

  • Password management:

    • Passwords must be changed at least every 90 days or immediately if there is a suspicion of compromise.

    • Passwords must not be written down or stored in plain text.

    • Passwords must not be easily guessable, such as using personal information or commonly used words.

  • Access revocation:

    • Access to IT systems and resources must be revoked immediately upon termination of employment or contract.

    • Access to IT systems and resources must be revoked immediately if there is a suspicion of compromise or unauthorized access.

    • Access to IT systems and resources must be reviewed on a regular basis and revoked where it is no longer required.

(blue star) Incident Response

Principles

  • Ensure the confidentiality, integrity, and availability of IT systems and resources by quickly identifying and mitigating security incidents.

  • Ensure immediate response to lessen the disruption of operation.

Roles and Responsibilities

  • The IT Incident Management is responsible for the implementation and enforcement of this policy.

  • The IT Incident Management must establish a process for incident identification, response, and reporting.

  • The IT Incident Management must conduct regular audits to ensure compliance with this policy.

Statement of Policy

  • Incident identification:

    • All employees, contractors, and other individuals must be trained to recognize security incidents and report them to the designated IT administrator or an authorized representative.

    • Security incidents must be reported immediately to the designated IT administrator or an authorized representative.

    • Security incidents must be classified based on their severity and impact.

  • Incident response:

    • The IT Incident Management must establish a process for responding to security incidents, including incident classification, escalation, and communication.

    • The IT Incident Management must establish procedures for preserving evidence and conducting investigations.

    • The IT Incident Management must establish procedures for containing and mitigating security incidents.

  • Incident reporting:

    • The IT Incident Management must establish a process for reporting security incidents to the appropriate authorities, including the BSP.

    • The IT Incident Management must establish procedures for documenting and analyzing security incidents.

    • The IT Incident Management must establish procedures for communicating security incidents to affected parties.

(blue star) Data Backup and Retention

Principles

  • Ensure the confidentiality, integrity, and availability of critical data by regularly creating and testing backups of that data.

  • Ensure rapid recovery to lessen the disruption of operations.

Roles and Responsibilities

  • The IT Service Management is responsible for the implementation and enforcement of this policy.

  • The IT Service Management must establish a process for creating, storing, and recovering backups of critical data.

  • The IT Service Management must conduct regular audits to ensure compliance with this policy.

Statement of Policy

  • Data backup:

    • The organization must regularly create backups of critical data.

    • Backups must be made at least daily, and stored off-site in a secure location.

    • Backups must be encrypted to protect the data from unauthorized access.

    • Backups must be tested regularly to ensure that they are complete and can be used for recovery.

  • Data recovery:

    • The organization must establish procedures for recovering data from backups in the event of data loss or corruption.

    • The organization must test the data recovery procedures regularly to ensure that they are effective.

    • The organization must establish procedures for restoring data from backups in the event of a disaster or other disruption.

  • Data retention:

    • The organization must retain backups for a minimum of six months for non-financial records and five years for financial records, or longer as required by regulatory authorities.

    • The organization must establish procedures for securely disposing of backups that are no longer needed.
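The backup and recovery statements above require that backups be tested regularly and be usable for recovery. The following is an added example (not part of this policy page or of any SaFi Bank tooling) of what such a test can look like in practice: it archives a directory, records a SHA-256 hash per file in a manifest sealed with an HMAC, and then restores the archive into a scratch directory and checks that every file listed in the manifest came back with the same bytes. The sample files, manifest layout and HMAC key handling are constructed assumptions; encryption of the archive itself is left to whichever backup tool is in use.

```python
"""Backup completeness test: archive a directory, seal a SHA-256 manifest with an
HMAC, then restore into a scratch directory and prove every file came back intact.

Added example for the "backups must be tested regularly" requirement; it is not
part of the policy page or of any SaFi Bank tooling. The sample files, the
manifest layout and the HMAC key handling are constructed assumptions;
encryption of the archive itself is left to the backup tool in use.
"""
import hashlib
import hmac
import json
import tarfile
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_backup(source: Path, archive: Path, manifest: Path, key: bytes) -> dict:
    """Archive every file under `source`, record a hash per file, seal the list with HMAC-SHA256."""
    files = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                files[rel] = _sha256(p)
                tar.add(p, arcname=rel)
    body = json.dumps({"files": files}, sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    manifest.write_bytes(json.dumps({"files": files, "hmac": mac}, sort_keys=True).encode())
    return files


def verify_restore(archive: Path, manifest: Path, key: bytes) -> dict:
    """Restore into a scratch directory and compare every file against the sealed manifest."""
    doc = json.loads(manifest.read_bytes())
    body = json.dumps({"files": doc["files"]}, sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        return {"ok": False, "reason": "manifest HMAC mismatch (tampered manifest or wrong key)"}
    # Use the 'data' extraction filter where available (Python 3.12+ and patched
    # 3.8-3.11) so a crafted archive cannot write outside the scratch directory.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    missing, corrupt = [], []
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(dest, **extract_opts)
        for rel, digest in doc["files"].items():
            restored = dest / rel
            if not restored.is_file():
                missing.append(rel)
            elif _sha256(restored) != digest:
                corrupt.append(rel)
    return {"ok": not (missing or corrupt), "checked": len(doc["files"]),
            "missing": missing, "corrupt": corrupt}


def demo() -> dict:
    """Constructed sample run: a good restore, an incomplete archive, and a forged manifest."""
    key = b"demo-manifest-key"  # assumption: a real key lives in a secret store, not in code
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "src"
        (src / "ledger").mkdir(parents=True)
        (src / "ledger" / "2023-q1.csv").write_text("acct,amount\n1001,25.00\n")  # constructed
        (src / "readme.txt").write_text("constructed sample data\n")                # constructed
        archive, manifest = root / "backup.tar.gz", root / "backup.manifest.json"
        build_backup(src, archive, manifest, key)
        good = verify_restore(archive, manifest, key)
        # Simulate a backup job that silently skipped a file: rewrite the archive without it.
        with tarfile.open(archive, "w:gz") as tar:
            tar.add(src / "readme.txt", arcname="readme.txt")
        incomplete = verify_restore(archive, manifest, key)
        # Forge a hash in the manifest without re-sealing it.
        doc = json.loads(manifest.read_bytes())
        doc["files"]["readme.txt"] = "0" * 64
        manifest.write_bytes(json.dumps(doc).encode())
        tampered = verify_restore(archive, manifest, key)
    return {"good": good, "incomplete": incomplete, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is sealed rather than merely hashed so that an attacker who can modify the off-site copy cannot also adjust the expected hashes to match; the HMAC key must be stored separately from the backups. The restore-and-compare step is the part that satisfies the "tested regularly" requirement: a backup job that reports success but skipped files shows up as entries in the missing list.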

(blue star) User Support and Help Desk

Principles

  • Ensure continuous business operations.

  • Ensure immediate response to lessen the disruption of user activity.

  • Improve user experience.

  • Issues should be handled by priority, not on a first come, first served basis.

Roles and Responsibilities

  • Head of Service Management is the overall driver of this policy.

  • The IT Service Management is responsible for the implementation and operation of this policy.

  • The IT Service Management must establish a process, standards and guidelines for user support, tracking, and help desk operations.

  • The IT Service Management must conduct regular audits to ensure compliance with this policy.

Statement of Policy

  • IT Service Management should track all issues raised using an issue tracking system.

  • Each issue should be tracked from the time it is raised until it is resolved.

  • Issues should be assessed and prioritized by severity.

  • All issues raised each week are consolidated and discussed in a retrospective meeting to identify improvement points and improve user experience.

  • Metrics should be established using Mean Time metrics such as mean time to acknowledge and mean time to resolve (refer to https://www.atlassian.com/incident-management/kpis/common-metrics#:~:text=What%20is%20mean%20time%20to%20respond%3F,first%20alerted%20to%20that%20failure.)

  • The IT Service Management Team should manage all issues and hold a retrospective at the end of every week for continuous improvement.

  • The IT Service Management Team should use the Mean Time metrics as operational KPIs.
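The Mean Time metrics referenced above are simple to compute from the issue tracker's timestamps once each ticket records when it was raised, first acknowledged and resolved. The following is an added example (not part of this policy page or of any SaFi Bank tooling) that computes mean time to acknowledge and mean time to resolve per severity for a week of constructed tickets, ages the open backlog, flags tickets that exceeded a per-severity limit, and orders the open queue by severity first rather than arrival order. The ticket records, severity levels and limits are constructed assumptions.

```python
"""Mean-time KPIs for the help-desk queue: mean time to acknowledge (raised to
first response) and mean time to resolve (raised to fix), per severity, plus
backlog age, SLA breaches and a severity-first work order.

Added example; it is not part of the policy page or of any SaFi Bank tooling.
The ticket records, severity levels and SLA limits are constructed assumptions.
"""
from datetime import datetime
from statistics import mean


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample tickets; None means the event has not happened yet.
TICKETS = [
    {"id": "HD-101", "severity": "S1", "raised": _t("2023-06-05T09:00"),
     "acknowledged": _t("2023-06-05T09:05"), "resolved": _t("2023-06-05T11:00")},
    {"id": "HD-102", "severity": "S3", "raised": _t("2023-06-05T10:00"),
     "acknowledged": _t("2023-06-05T14:00"), "resolved": _t("2023-06-07T10:00")},
    {"id": "HD-103", "severity": "S1", "raised": _t("2023-06-06T08:30"),
     "acknowledged": _t("2023-06-06T08:45"), "resolved": _t("2023-06-06T09:30")},
    {"id": "HD-104", "severity": "S2", "raised": _t("2023-06-06T15:00"),
     "acknowledged": _t("2023-06-06T15:30"), "resolved": None},
    {"id": "HD-105", "severity": "S3", "raised": _t("2023-06-07T09:00"),
     "acknowledged": None, "resolved": None},
]
NOW = _t("2023-06-07T12:00")                      # reporting time for the sample week
SEVERITY_RANK = {"S1": 0, "S2": 1, "S3": 2}       # assumed: S1 is the most severe
SLA_LIMITS_H = {"S1": (0.25, 4), "S2": (0.5, 12), "S3": (2, 72)}  # assumed (ack, resolve) limits in hours


def _hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600


def mean_time_metrics(tickets, now):
    """Per-severity MTTA/MTTR in hours (over tickets that have the event) and the open backlog."""
    out = {}
    for t in tickets:
        s = out.setdefault(t["severity"], {"mtta_h": [], "mttr_h": [], "open": []})
        if t["acknowledged"]:
            s["mtta_h"].append(_hours(t["raised"], t["acknowledged"]))
        if t["resolved"]:
            s["mttr_h"].append(_hours(t["raised"], t["resolved"]))
        else:
            s["open"].append({"id": t["id"], "age_h": _hours(t["raised"], now),
                              "unacknowledged": t["acknowledged"] is None})
    for s in out.values():
        s["mtta_h"] = round(mean(s["mtta_h"]), 2) if s["mtta_h"] else None
        s["mttr_h"] = round(mean(s["mttr_h"]), 2) if s["mttr_h"] else None
    return out


def sla_breaches(tickets, now, limits):
    """Tickets whose acknowledgement or resolution exceeded the limit; open ones are measured against `now`."""
    breaches = []
    for t in tickets:
        ack_limit, resolve_limit = limits[t["severity"]]
        if _hours(t["raised"], t["acknowledged"] or now) > ack_limit:
            breaches.append((t["id"], "ack"))
        if _hours(t["raised"], t["resolved"] or now) > resolve_limit:
            breaches.append((t["id"], "resolve"))
    return breaches


def work_order(tickets):
    """Open tickets ordered by severity first, then age: not first come, first served."""
    open_tickets = [t for t in tickets if t["resolved"] is None]
    open_tickets.sort(key=lambda t: (SEVERITY_RANK[t["severity"]], t["raised"]))
    return [t["id"] for t in open_tickets]


if __name__ == "__main__":
    print(mean_time_metrics(TICKETS, NOW))
    print(sla_breaches(TICKETS, NOW, SLA_LIMITS_H))
    print(work_order(TICKETS))
```

Averaging only over tickets that have reached the event keeps a large open backlog from dragging the means down; the backlog is reported separately with its age, and open tickets are still measured against the reporting time for breach detection so that an unacknowledged ticket cannot hide from the KPI.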