This policy is in compliance with BSP MORB 148 IT Risk Management, Appendix 77 (IT Operations Standards and Guidelines) - https://morb.bsp.gov.ph/appendix-77/
Purpose
The purposes of the IT Operations policy are:
To establish the IT operational framework of the bank.
To establish the standards and procedures for IT operational processes.
To organize IT operations management to support the Bank.
Objective
To achieve its purpose, SaFi Bank, referred to as “The Bank”, aims to implement these objectives:
Enable risk management processes that promote sound and controlled operation of IT environments.
Ensure that IT operations process and store information in a timely, reliable, secure, and resilient manner.
Ensure the current and planned infrastructure is sufficient to accomplish the strategic plans.
Scope
This policy shall apply to SaFi Bank.
This policy shall cover provisions and guidelines on the IT operational framework, including standards and guidelines for managing IT operations and risks.
This policy establishes the roles and responsibilities for the management of IT operations.
Policy
Technology Inventory
Principles
All IT resources should be listed in a single inventory.
Perform and maintain an up-to-date inventory.
Roles and Responsibilities
Head of Service Management
Drives the inventory process.
Establishes the inventory for network elements and endpoint devices.
Network Engineers
Performs the inventory of network elements (servers, firewalls, switches, etc.) in the infrastructure.
Maintains the inventory and ensures it is up to date.
Desktop Supports
Performs the inventory of endpoints (laptops, tablets, etc.) in the infrastructure.
Maintains the inventory and ensures it is up to date.
Statement of Policy
Head of Service Management should establish a single inventory solution (asset management) for network elements and endpoint devices.
The inventory solution should record information about each equipment/device from the date procured up to disposal.
Head of Service Management cascades the inventory solution to the Network Engineers and Desktop Supports teams.
Network Engineers should enter all network elements used in the infrastructure and keep the inventory up to date.
Desktop Supports should enter all endpoint devices in the infrastructure and keep the inventory up to date.
An inventory check should be performed regularly, every 6 months.
Hardware Inventory
All hardware in use should be listed in Snipe-IT, the asset management tool.
Software Inventory
IT Operations - Technology Inventory Software
Network Components and Topology
Data Flow Diagram
IT Operation - Technology Inventory - Data Flow Diagram
Device labeling
All devices to be used in the Bank should be labeled. Labels should have the following information:
Device Type: Network Element, Equipment, or Endpoints
Device Type | Network Element | Equipment | Endpoints
---|---|---|---
Examples | Switches | Servers | Laptops
 | WiFi Routers | IDS / IPS | Tablets
 | Access Points | Gateways | Macs
 | CCTV Camera | CCTV Server | Monitors
 | and others | and others | and others
Device ID: Nomenclature SFB-DeviceType(Year)-DeviceCode-<number of equipment>
Example: SFB-E23-MBP-10, which means:
a SaFi Bank (SFB) managed endpoint (E) procured in 2023 (23), a MacBook Pro (MBP), and the 10th such device deployed that year (10)

Device Type | Network Element (NE) | Equipment | Endpoints
---|---|---|---
Device Code | Switches (SW) | Servers (SV) | MacBook Pro (MBP), MacBook Air (MBA)
 | WiFi Routers (WR) | IDS / IPS (Sec) | iPad (IP)
 | Access Points (AP) | Gateways (GW) | Mac Mini (MM)
 | CCTV Camera (CC) | CCTV Server (CS) | Monitors (M)
Device Owner: Employee Number
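The following is an added example, not part of the Bank's policy or tooling, showing how the device ID nomenclature above can be enforced in code: it parses a label, checks that the device code belongs to the device type, and allocates the next sequence number from an existing inventory. The type codes NE (Network Element) and E (Endpoint, from the SFB-E23-MBP-10 example) come from the policy; the policy gives no type code for Equipment, so EQ is an assumption made for this example only, and the inventory list is constructed sample data.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

# Device type codes. NE and E are taken from the policy's table and example;
# "EQ" for Equipment is an assumption for this example, since the policy
# defines no code for that type.
TYPE_CODES = {"NE": "Network Element", "EQ": "Equipment", "E": "Endpoints"}

# Device codes per type, from the policy's device-code table.
DEVICE_CODES = {
    "NE": {"SW": "Switches", "WR": "WiFi Routers", "AP": "Access Points", "CC": "CCTV Camera"},
    "EQ": {"SV": "Servers", "Sec": "IDS / IPS", "GW": "Gateways", "CS": "CCTV Server"},
    "E": {"MBP": "MacBook Pro", "MBA": "MacBook Air", "IP": "iPad", "MM": "Mac Mini", "M": "Monitors"},
}

# SFB-<TypeCode><YY>-<DeviceCode>-<sequence>, e.g. SFB-E23-MBP-10
LABEL_RE = re.compile(r"^SFB-(?P<type>[A-Z]+)(?P<year>\d{2})-(?P<code>[A-Za-z]+)-(?P<seq>\d+)$")


@dataclass(frozen=True)
class DeviceId:
    type_code: str
    year: int          # four-digit procurement year, e.g. 2023
    device_code: str
    sequence: int      # n-th device of this type/code deployed in that year

    def __str__(self) -> str:
        return f"SFB-{self.type_code}{self.year % 100:02d}-{self.device_code}-{self.sequence}"

    def describe(self) -> str:
        return (f"{TYPE_CODES[self.type_code]} / {DEVICE_CODES[self.type_code][self.device_code]}"
                f" procured {self.year}, device #{self.sequence}")


def parse_device_id(label: str) -> DeviceId:
    """Parse a label and validate it against the nomenclature and code tables."""
    m = LABEL_RE.match(label.strip())
    if not m:
        raise ValueError(f"{label!r} does not match SFB-<Type><YY>-<Code>-<n>")
    type_code, code = m.group("type"), m.group("code")
    if type_code not in TYPE_CODES:
        raise ValueError(f"{label!r}: unknown device type code {type_code!r}")
    if code not in DEVICE_CODES[type_code]:
        raise ValueError(f"{label!r}: device code {code!r} is not valid for type {type_code!r}")
    seq = int(m.group("seq"))
    if seq < 1:
        raise ValueError(f"{label!r}: sequence number must start at 1")
    return DeviceId(type_code, 2000 + int(m.group("year")), code, seq)


def next_device_id(inventory: list[str], type_code: str, device_code: str,
                   year: int | None = None) -> DeviceId:
    """Allocate the next sequence number for a type/code in the given year.

    Labels already in the inventory are parsed and validated; a malformed label
    in the inventory is reported rather than silently skipped, because the
    policy requires a single authoritative inventory.
    """
    year = year or date.today().year
    if device_code not in DEVICE_CODES.get(type_code, {}):
        raise ValueError(f"device code {device_code!r} is not valid for type {type_code!r}")
    used = [d.sequence for d in map(parse_device_id, inventory)
            if d.type_code == type_code and d.device_code == device_code and d.year == year]
    return DeviceId(type_code, year, device_code, max(used, default=0) + 1)


def find_duplicates(inventory: list[str]) -> list[str]:
    """Return labels that appear more than once (the periodic inventory check)."""
    seen, dupes = set(), []
    for label in inventory:
        key = str(parse_device_id(label))   # normalises whitespace, validates
        if key in seen and key not in dupes:
            dupes.append(key)
        seen.add(key)
    return dupes


if __name__ == "__main__":
    # Constructed sample inventory, not real Bank data.
    sample = ["SFB-E23-MBP-10", "SFB-E23-MBP-4", "SFB-E22-MBP-30", "SFB-NE24-SW-3", "SFB-E23-MBP-10"]
    print(parse_device_id("SFB-E23-MBP-10").describe())
    print("next MBP for 2023:", next_device_id(sample, "E", "MBP", 2023))
    print("duplicates:", find_duplicates(sample))
```

Running the script against the constructed inventory reports the next MacBook Pro label for 2023 as SFB-E23-MBP-11 and flags SFB-E23-MBP-10 as a duplicate; a label such as SFB-E23-SW-1 (a switch code under the endpoint type) is rejected before it can be entered.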
Data Center
Principles
Critical IT equipment and network elements must have a continuous uninterruptible power supply (UPS).
All computer cabling must be organized using a structured cabling system.
Data Center must have HVAC systems.
All IT equipment, network elements, and endpoint devices must be installed on raised floors.
Data Center must have fire suppression devices nearby and easily accessible.
Data Center must be 24/7 monitored by video surveillance.
Roles and Responsibilities
Head of Service Management
Drives the Data Center management.
Ensures the principles are followed in the operation of equipment and network elements.
Network Engineers
Ensure that the installation, deployment, and operation of network equipment and other elements are aligned with the principles.
Desktop Supports
Ensure that the provisioning, deployment, and operation of endpoint devices are aligned with the principles.
Statement of Policy
Head of Service Management should oversee Operation Center operations.
Network Engineers and Desktop Supports should establish a standard procedure to manage their devices in the Operation Center.
Access to the Operation Center should be given only to assigned and carefully selected engineers, for the purpose of performing their tasks.
All activities should be documented and logged for access monitoring.
All planned activities should be reviewed and approved by Head of Service Management.
Preventive Maintenance
Principles
All maintenance activities must follow a predetermined schedule with proper planning.
All maintenance activities must be recorded and logged for review.
Maintenance activities must be allocated enough resources, with the schedule coordinated with production.
All impacted employees and customers must be informed of maintenance activities.
Written logs during maintenance must be kept.
Roles and Responsibilities
Head of Service Management
Oversees the maintenance activities.
Approves the maintenance plan.
Network Engineers and Desktop Supports
Create the maintenance plan for the activities.
Record all activities during maintenance.
Gather logs after the maintenance period.
Statement of Policy
Head of Service Management should plan the schedule of preventive maintenance for the year.
Network Engineers and Desktop Supports should document the planned activities in the maintenance plan.
The maintenance plan should be approved by Head of Service Management.
Impacted employees and customers should be informed of planned preventive maintenance activities 1 month in advance.
All activities during maintenance should be recorded and logged chronologically in the maintenance report.
Logs from the maintenance period should be collected after the scheduled maintenance for review.
Change Management
Principles
A change is a project, initiative or solution to improve the way work gets done or solve a problem.
A change must be reviewed and approved by IT management, the supporting IT Team, the Cybersecurity Team, the IT Audit team, and the Business Owners.
Roles and Responsibilities
Chief Technology Officer (CTO), Head of Technology, Head of Service Management, Head of QA Testing, Head of IT Security, and IT Audit Guild should review the planned change.
Head of Technology should ensure that development operations are not significantly affected by the change.
Head of Service Management should ensure that IT services are not disrupted by the change.
Head of QA Testing should ensure that a testing strategy is ready to validate that everything works as expected after the change.
Head of IT Security should ensure the security is maintained with the change.
IT Audit should ensure that the process is followed and compliant with the agreed change process.
Business Owners should approve the planned change.
Statement of Policy
The IT Team that proposes the change should create an implementation plan for all changes to be made in the infrastructure.
The implementation plan should have step-by-step procedures to be performed by the specific persons or team responsible for implementation.
The implementation plan should be reviewed and approved by the Business Owners and reviewed by the IT Management Team (CTO, Head of Technology, Head of Service Management, Head of QA Testing, Head of IT Security, and IT Audit Guild).
The implementation plan should be approved 3 weeks before the target implementation date.
Implementation plans that miss the 3-week cutoff will be moved to the following week.
Impacted users should be notified of the change.
All activities in the change implementation should be documented chronologically by the IT team.
Patch Management
Principles
IT Infrastructure must be up to date with the latest security patches.
Bug fixes and/or feature enhancement updates should be reviewed prior to application.
All patches, bug fixes, and feature updates should be tested and confirmed working prior to deployment.
Application of patches and updates must follow the change management policy.
Roles and Responsibilities
The IT Team that proposes a patch or update should provide an implementation plan for the patch/update.
The IT Team that proposes a patch or update should have documented proof that the patch or update has been tested.
Statement of Policy
The IT Team that maintains a system/application should monitor all product bulletins for up-to-date information on new versions.
The IT Team must ensure that the system/application is up to date with the latest versions, aligned with business requirements.
The IT Security Team should ensure that all systems/applications have up-to-date security patches.
All previous binary installers and packages should be archived by the IT Team that maintains the system/application.
Emergency Change
An Emergency Change is allowed only if the patch is:
a Security Update
a Hotfix for a critical bug
an Incident-related fix
An Emergency Change should still follow the change management policy.
Network Management
Principles
Network design and diagrams should be kept up to date.
Network standards and operating procedures should be formally documented and reviewed every 6 months.
Network should be monitored on a continuous basis.
Roles and Responsibilities
Head of Service Management drives the network operations center.
IT Network Engineers manage all network operations and document the process.
IT Security Team supports the IT Network Engineers to secure the network operations.
Statement of Policy
The IT Network Team should document standards and operating procedures for the network management process.
The IT Network Team should update network design and diagrams for every change implemented in the infrastructure.
IT Security Team should check for security vulnerabilities in the change.
IT Security and Network Team should monitor the network infrastructure for activities and vulnerabilities.
Head of Service Management should plan the network operations strategy and update management on operational status and progress.
Disposal
Principles
Units must be assessed before disposal.
Data within the units should be purged or destroyed.
Roles and Responsibilities
Head of Service Management drives the disposal process.
The IT Service Management Team should document standards and operating procedures for disposal management.
Statement of Policy
The Service Management Team shall evaluate and assess equipment for disposal.
The following factors shall determine the units that are subject to disposal:
Units that are more than five (5) years old
Lapse of the standard 3-year warranty period
Unavailable parts for repair
Units that are no longer functional and beyond repair
Obsolete software that is no longer in use or no longer upgradeable to the latest version
Any equipment with storage media, such as servers, PCs, laptops, and external drives, that contains clients' information and confidential data shall be purged after the five (5) year retention period, subject to approval by the Chief Technology Officer (CTO)/Management.
Units confirmed for disposal shall be coordinated with Finance for proper documentation of company assets and inventory, so that the company books are updated.
Units that undergo disposal shall have certification or attestation that data has been completely purged or destroyed by degaussing or a similar data-wiping process of not less than three (3) passes. The I.T. Department may require an external degaussing or data cleanup service, if necessary, as part of the disposal process.
Exception Handling
I.T. equipment and peripherals supplied by vendors (e.g., Telco networking equipment and peripherals with configuration data) are not accounted for under, and are excluded from, this policy.
Access Control
Principles
Ensure the confidentiality, integrity, and availability of IT systems and resources through access control and monitoring.
Ensure compliance by conducting regular audits.
Roles and Responsibilities
Head of Service Management drives access management.
The IT Service Management Team should document standards and operating procedures for the access management process.
IT Service Management is responsible for the implementation and enforcement of this policy.
IT Service Management must establish a process for the creation, management, and revocation of user accounts and access to IT systems and resources.
Statement of Policy
User account creation:
All user accounts must be created and approved by the designated IT administrator or an authorized representative.
Each user account must be assigned a unique username and password, and the password must meet the organization's password complexity requirements.
Users must not share their account credentials with any other individual.
Password management:
Passwords must be changed at least every 90 days or immediately if there is a suspicion of compromise.
Passwords must not be written down or stored in plain text.
Passwords must not be easily guessable, such as using personal information or commonly used words.
Access revocation:
Access to IT systems and resources must be revoked immediately upon termination of employment or contract.
Access to IT systems and resources must be revoked immediately if there is a suspicion of compromise or unauthorized access.
Access to IT systems and resources must be reviewed on a regular basis and revoked where no longer required.
Incident Response
Principles
Ensure the confidentiality, integrity, and availability of IT systems and resources by quickly identifying and mitigating security incidents.
Ensure immediate response to lessen the disruption of operation.
Roles and Responsibilities
IT Incident Management is responsible for the implementation and enforcement of this policy.
IT Incident Management must establish a process for incident identification, response, and reporting.
IT Incident Management must conduct regular audits to ensure compliance with this policy.
Statement of Policy
Incident identification:
All employees, contractors, and other individuals must be trained to recognize security incidents and report them to the designated IT administrator or an authorized representative.
Security incidents must be reported immediately to the designated IT administrator or an authorized representative.
Security incidents must be classified based on their severity and impact.
Incident response:
IT Incident Management must establish a process for responding to security incidents, including incident classification, escalation, and communication.
IT Incident Management must establish procedures for preserving evidence and conducting investigations.
IT Incident Management must establish procedures for containing and mitigating security incidents.
Incident reporting:
IT Incident Management must establish a process for reporting security incidents to the appropriate authorities, including the BSP.
IT Incident Management must establish procedures for documenting and analyzing security incidents.
IT Incident Management must establish procedures for communicating security incidents to affected parties.
Data Backup and Retention
Principles
Ensure the confidentiality, integrity, and availability of critical data by regularly creating and testing backups of that data.
Ensure immediate response to lessen the disruption of operation.
Roles and Responsibilities
IT Service Management is responsible for the implementation and enforcement of this policy.
IT Service Management must establish a process for creating, storing, and recovering backups of critical data.
IT Service Management must conduct regular audits to ensure compliance with this policy.
Statement of Policy
Data backup:
The organization must regularly create backups of critical data.
Backups must be made at least daily and stored off-site in a secure location.
Backups must be encrypted to protect the data from unauthorized access.
Backups must be tested regularly to ensure that they are complete and can be used for recovery.
Data recovery:
The organization must establish procedures for recovering data from backups in the event of data loss or corruption.
The organization must test the data recovery procedures regularly to ensure that they are effective.
The organization must establish procedures for restoring data from backups in the event of a disaster or other disruption.
Data retention:
The organization must retain backups for a minimum of six (6) months for non-financial records and five (5) years for financial records, or as required by regulatory authorities.
The organization must establish procedures for securely disposing of backups that are no longer needed.
User Support and Help Desk
Principles
Ensure continuous business operations.
Ensure immediate response to lessen the disruption of user activity.
Improve user experience.
Issues should not be handled on a first-come, first-served basis; they are prioritized by severity.
Roles and Responsibilities
Head of Service Management is the overall driver of this policy.
IT Service Management is responsible for the implementation and operation of this policy.
IT Service Management must establish a process, standards, and guidelines for user support, issue tracking, and help desk operations.
IT Service Management must conduct regular audits to ensure compliance with this policy.
Statement of Policy
IT Service Management should track all issues raised using an issue tracking system.
Each issue should be tracked from the time it is raised until it is fixed.
Issues should be assessed and prioritized by severity.
All issues raised each week are consolidated and discussed in retrospective meetings to identify improvement points for user experience.
Metrics should be established using Mean Time metrics (refer to https://www.atlassian.com/incident-management/kpis/common-metrics#:~:text=What%20is%20mean%20time%20to%20respond%3F,first%20alerted%20to%20that%20failure.)
The IT Service Management Team should manage all issues and hold a retrospective at the end of every week for continuous improvement.
The IT Service Management Team should use the Mean Time metrics as operational KPIs.