SaFi Bank Space : IT Policies

  • Development and Acquisition c/o Jideo Pena, Medel Vecina

    • Systems Development

      • Development standards

      • System control standards

      • Quality assurance standards

      • Standard procedures for spreadsheet/database reports

      • Programming standards

    • Systems Acquisition

      • Proper software composition analysis

      • Defined guidelines and procedures for installation, use, maintenance and retirement (a.k.a. playbooks or runbooks)

    • Systems Change Management (related to IT Ops, but focuses on build releases, not deployment to production)

      • Standard change management procedure

      • Authorization and approval procedure

      • Change report

      • Audit trails for any type of change

      • Procedures for emergency changes

    • System Testing

      • Standard acceptance process

      • Standard System, User Acceptance, and Performance testing

    • System Migration (System Update)

      • Secured library of package updates

      • Standard package integrity check procedure

      • Standard version control process

    • Application build and source code maintenance

      • Standard building procedure

      • Access control in building process

      • Escrow agreements for applications for which no copy of the source code is held

    • Systems Documentation

      • User manuals

      • Documentation standard process

      • Access control to documents

    • Disposal

      • Standard disposal procedures for surplus or obsolete software, hardware or data

      • Retention policies for disposed items

      • Data and Information destruction process

  • IT Operations (IT Ops) c/o Lucky La Torre, User 6e250, User c613f

    • Technology Inventory

      • Hardware

      • Software

        • For SRE/DevOps: create an inventory of the open source software installed and running in GKE, e.g. the open source applications we integrate into our systems (monitoring and observability stack, SonarQube, etc.). The inventory should include a column indicating whether each item is SaaS, PaaS or open source.

      • Network Components and Topology

      • Data Flow Diagram

        • This is for SRE (e.g. Cloudflare → Tyk → Load balancer → Istio → Microservice → Databases)

      • Media

    • Preventive Maintenance

      • Standard procedure for preventive maintenance

    • Operations Change Management (related to system change management but focuses on deployment to production)

      • Minimum standards governing a change process

        • For SRE: briefly explain the CI/CD process to production

      • Change management framework

        • Explain how the DevOps framework is used as the guiding framework

    • Patch Management

      • For SRE: this is done through Terraform versioning (PR approval, then applying the Terraform plan). Also covers maintenance, e.g. GKE upgrades and database version upgrades

      • Patch testing procedures

      • Implementation procedures

      • Version control procedures

    • Conversions

      • Standard conversion guidelines

      • Conversion process

    • Network Management Controls

      • Network guidelines and standard procedures

      • Network monitoring, analysis, and controls.

    • Disposal of Media

      • Disposal and destruction of media procedure

    • Imaging

      • Standard imaging process

    • Event / Problem Management

      • Day-to-day event / problem management procedures

        • For SRE: how we will utilize PagerDuty for incident response management

        • Machine-triggered and human-triggered incidents (triggered by monitoring; how the ticket will be created and who will be assigned)

      • Event response escalation procedures

        • For SRE: how and where will an incident be escalated to the developers?

      • BCP

        • For SRE, how is HA setup for crucial services?

        • How will we utilize repeatable code using IaC?

      • Day to day operation audit trails

        • For SRE: post-mortem procedures

    • User Support / Help Desk

      • User Support and Help Desk Processes

      • Record and Track Procedures

      • Issue management

      • Knowledge base

      • Access control to users

    • Scheduling

      • Policies and procedure for job schedules

      • Prioritization of job stream process

    • Systems and Data Back-up

      • Back up standard procedures

        • For SRE: how is data backed up in Google Cloud?

      • Back up management process

      • Disposal of backup processes

    • Systems Reliability, Availability and Recoverability

      • Systems Availability Guidelines

        • For SRE: are we using high availability procedures in GKE? How reliable are the apps in terms of latency and uptime?

        • For SRE: define RTO and RPO

      • Technology Recovery Plan

        • SRE playbooks

      • Recovery Site

        • "Site" in this context refers to the provider and region we will recover to

      • Disaster Recovery Testing

        • For SRE: how often is the DR exercise run, and what is the process?

  • Information Security (IT Cybersecurity) c/o User b6b4a

  • IT Governance / Management c/o Ion Mudreac, Jideo Pena

    • IT Governance Policy

      • IT Management structure

      • Roles, Responsibilities and Expectations per squads

      • Delineation of functions per squads

    • IT Management Policy

      • IT KPI

      • OKR

      • Operational Management
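The Technology Inventory / Software item above asks SRE for an inventory of open source software running in GKE with a source column. The script below is an added example of how that inventory can be generated from `kubectl get pods --all-namespaces -o json`; it is not SaFi Bank's own tooling. It assumes a small, constructed sample of that JSON (placeholder namespaces, image names and digests) and an assumed classification table (`KNOWN_SOURCES`) that the team would maintain; anything not in the table is reported as "unclassified" so it surfaces for review. It also records the digest actually running (from pod status) and flags images referenced by a mutable tag rather than a digest, which is the supply-chain check a reviewer would want next to the inventory.

```python
import json
import re

# Constructed sample shaped like `kubectl get pods -A -o json` output, trimmed to the
# fields this script reads. Not a real cluster dump; project and image names are placeholders.
SAMPLE_PODS_JSON = json.dumps({"items": [
    {"metadata": {"namespace": "monitoring", "name": "prometheus-0"},
     "spec": {"containers": [{"name": "prometheus",
                              "image": "quay.io/prometheus/prometheus:v2.47.0"}]},
     "status": {"containerStatuses": [{"name": "prometheus",
                "imageID": "quay.io/prometheus/prometheus@sha256:" + "a" * 64}]}},
    {"metadata": {"namespace": "monitoring", "name": "grafana-7c9d-x1"},
     "spec": {"containers": [{"name": "grafana", "image": "grafana/grafana:10.1.5"}]},
     "status": {"containerStatuses": [{"name": "grafana",
                "imageID": "docker.io/grafana/grafana@sha256:" + "b" * 64}]}},
    {"metadata": {"namespace": "tools", "name": "sonarqube-0"},
     "spec": {"containers": [{"name": "sonarqube", "image": "sonarqube:10.3-community"}]},
     "status": {"containerStatuses": [{"name": "sonarqube",
                "imageID": "docker-pullable://docker.io/library/sonarqube@sha256:" + "c" * 64}]}},
    {"metadata": {"namespace": "payments", "name": "ledger-api-5f6-a2"},
     "spec": {"containers": [{"name": "api",
                              "image": "gcr.io/example-project/ledger-api@sha256:" + "d" * 64}]},
     "status": {"containerStatuses": [{"name": "api",
                "imageID": "gcr.io/example-project/ledger-api@sha256:" + "d" * 64}]}},
    {"metadata": {"namespace": "payments", "name": "ledger-api-5f6-b7"},
     "spec": {"containers": [{"name": "api",
                              "image": "gcr.io/example-project/ledger-api@sha256:" + "d" * 64}]},
     "status": {"containerStatuses": [{"name": "api",
                "imageID": "gcr.io/example-project/ledger-api@sha256:" + "d" * 64}]}},
]})

# Assumed classification table (registry/repository -> source column) that the team maintains.
# Anything not listed lands in "unclassified" so it shows up for review.
KNOWN_SOURCES = {
    "quay.io/prometheus/prometheus": "opensource",
    "docker.io/grafana/grafana": "opensource",
    "docker.io/library/sonarqube": "opensource",
}

DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")


def parse_image_ref(ref):
    """Split [registry/]repo[:tag][@digest] the way container runtimes do."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag = None
    if ref.rfind(":") > ref.rfind("/"):       # a ':' after the last '/' is a tag, not a port
        ref, tag = ref.rsplit(":", 1)
    head, _, rest = ref.partition("/")
    if rest and ("." in head or ":" in head or head == "localhost"):
        registry, repo = head, rest
    else:                                     # Docker Hub shorthand
        registry, repo = "docker.io", ref if rest else "library/" + ref
    return {"registry": registry, "repository": repo, "tag": tag, "digest": digest}


def build_inventory(pods_json, known_sources=KNOWN_SOURCES):
    """One row per distinct running image, keyed by the digest resolved from pod status."""
    rows = {}
    for pod in json.loads(pods_json)["items"]:
        ns = pod["metadata"]["namespace"]
        running = {cs["name"]: cs.get("imageID", "")
                   for cs in pod.get("status", {}).get("containerStatuses", [])}
        for c in pod["spec"]["containers"]:
            ref = parse_image_ref(c["image"])
            m = DIGEST_RE.search(running.get(c["name"], ""))
            resolved = m.group(0) if m else ref["digest"]
            key = (ref["registry"], ref["repository"], resolved)
            row = rows.setdefault(key, {
                "registry": ref["registry"], "repository": ref["repository"],
                "tag": ref["tag"], "digest": resolved,
                "source": known_sources.get(f'{ref["registry"]}/{ref["repository"]}', "unclassified"),
                "pinned_by_digest": ref["digest"] is not None,   # spec references a digest, not a tag
                "namespaces": set(), "instances": 0})
            row["namespaces"].add(ns)
            row["instances"] += 1
    return sorted(rows.values(), key=lambda r: (r["source"], r["repository"]))


def unpinned_images(inventory):
    """Supply-chain check: images pulled by mutable tag can change underneath the inventory."""
    return [f'{r["registry"]}/{r["repository"]}:{r["tag"]}'
            for r in inventory if not r["pinned_by_digest"]]


def to_csv(inventory):
    lines = ["registry,repository,tag,digest,source,pinned_by_digest,namespaces,instances"]
    for r in inventory:
        lines.append(",".join([r["registry"], r["repository"], r["tag"] or "", r["digest"] or "",
                               r["source"], str(r["pinned_by_digest"]),
                               ";".join(sorted(r["namespaces"])), str(r["instances"])]))
    return "\n".join(lines)


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_PODS_JSON)
    print(to_csv(inv))
    print("unpinned:", unpinned_images(inv))
```

In use, replace `SAMPLE_PODS_JSON` with the real `kubectl get pods --all-namespaces -o json` output and commit the CSV alongside the Terraform repo so the inventory is versioned with the cluster definition; the `unpinned` list is the candidate set for moving Helm values or manifests to digest references.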

Reference: https://morb.bsp.gov.ph/148-information-technology-risk-management/

Call User b6b4a for guidance, questions, inquiries, and violent reactions 😂
