HONEYWELL GROUP
INFORMATION TECHNOLOGY POLICY
FRAMEWORK
CONTENTS
1. INTRODUCTION
2. STRATEGIC ARRANGEMENT
2.1 Information Technology Strategic Steering Committee
2.1.1 Membership
2.1.2 Functions
2.1.3 Relationship
2.2 Group Information Technology Structure
2.2.1 Structure
2.2.2 Functions
2.2.3 Service Provision Payments
2.2.4 Agreement of Charge-out rates
2.3 Unit Company’s IT Departments
2.3.1 Structure
2.3.2 Relationship
3. HARDWARE
3.1 Server Machines
3.2 Client/Desktop Computers
3.3 Printers
3.4 Power conditioners (Stabilizers)
3.5 Stand-by Power Generators/UPS
3.6 Hardware House-Keeping
3.7 Hardware Maintenance
3.8 Hardware Management
4. SOFTWARE
4.1 Operating Systems
4.1.1 Network Operating System
4.1.2 Client/Desktop Operating Systems
4.2 Data Administration/Database Administration and Database Management Systems
4.2.1 Database
4.2.2 Database Management System
4.2.3 Data Administrators
4.2.4 Database Administrator
4.2.5 Data Housing
4.2.6 Database Management Systems
4.3 Application Software
4.3.1 Systems Acquisition
4.3.2 In-house Development
4.3.3 Software Change Control Process
4.4 Business Solutions Suite
4.4.1 Accounting Information systems
4.4.2 Customer Information Systems
4.4.3 Human Resource Information systems
4.4.4 Architectural and Real Estate Information Systems
4.4.5 Power Engineering Information Systems
4.4.6 Oil and Gas Information management systems policies
4.4.7 Hotel/Hospitality Management Information Systems
4.5 Software Maintenance
5 HUMANWARE
5.1 Personnel Policies
5.2 Human Resource Management Software
5.3 Workplace Hazards
5.4 Personnel Security
6 TELECOMMUNICATIONS
6.1 Networks for the Group
6.4.1 Types
6.4.2 Local Area Network
6.4.3 Intranet
6.4.4 E-Mail
6.4.5 Wide Area Network
6.4.6 Internet
6.5 Workplace Policies
6.5.1 Telephone
6.5.2 Radios
6.3 Mobile Computing/Alternative Workplace
6.3.1 Notebooks and Laptops
6.3.2 Cell Phones
6.4 Electronic Commerce
6.4.1 E-Commerce Technology
6.4.2 E-commerce Security
7 COMPUTER SECURITY AND INTERNAL CONTROL
7.1 Physical Security
7.2 Logical Security
7.3 Data balancing and Validation Security
7.4 Disaster Recovery and Contingency Planning
7.5 Internet Security
7.6 Network Environment Security
7.7 Virus Security
8 INTELLECTUAL PROPERTY
8.1 Information Asset
SUMMARY
CHAPTER 1
INTRODUCTION
These policies represent the corporate philosophy of the Honeywell Group as regards
Information Technology. They are general goals and directives of how the information
technology processes of the Group would be run by management. These policies may give rise to
some information technology operational policies in the future to guide the day-to-day
operations of information within the Group.
The policies shall be regularly updated to reflect the imports of the generation.
Business Systems procedures that would be generated from these policies are expected to reflect
the spirit (intent) of the policy statements. Procedures should be reviewed more frequently than
the policies.
CHAPTER 2
STRATEGIC ARRANGEMENT
2.1 INFORMATION TECHNOLOGY STRATEGIC STEERING
COMMITTEE
2.1.1 MEMBERSHIP
For effective governance, it is recommended that business people chair the steering committees. The Chairman of the Group, on his part, will ratify decisions taken. In respect of the Group IT Steering Committee, the recommended composition is as follows:
1. Group Managing Director or GED (Business Development): Chairman
2. GED (Innovation & Systems): Member
3. Nominated representatives from each unit company: Members
4. Head - Process, IT, and Quality: Secretary
At the company level, membership of the Unit Company IT Steering Committee will comprise:
1. Managing Director: Chairman
2. 1 Nominated Executive Director: Member
3. 1 – 2 Departmental/Unit Heads: Members
4. Corporate Office representative: Member
5. IT Manager or Manager supervising IT: Secretary
2.1.2 FUNCTIONS OF THE COMMITTEE(S)
IT decisions which have Group-wide implications or impact, and require major capital expenditures will be handled by the Group IT Steering Committee. Otherwise, respective unit company IT Steering Committees are responsible.
Each IT Steering Committee will be governed by the following terms of reference:
To recommend short- and medium-range plans for IT that would enhance staff productivity and improve the cost profile of the Group
To ensure adherence to the Group IT Policy and Standards
To assess and align management information needs of each business unit with corporate objectives
To prioritise and recommend to top management the IT projects to be embarked upon and align these with the corporate vision and business objectives of the Group or the unit companies
To recommend the appropriate levels of IT expenditure and capability that fit the business profile of the Group and unit companies
To prioritise proposals for major IT investments and ensure investments in IT are efficiently and effectively deployed
To evaluate proposals for major IT projects, to short-list and make recommendations to top management on vendor selection
To monitor the implementation of IT projects
To elevate the role of IT to a business-enabler from that of a basic support tool within the Group
To ensure IT propagation and increased utilisation of IT resources in order to maximise the benefits derivable from all IT investments
Other activities that the committee will perform will include:
Reviewing and recommending appropriate IT budgets to top management
Final point of resolution for all IT-related conflicts among end-users
To set the pace and direction for exploiting and deploying new or emerging technologies
Forum for debating new and major IT projects in terms of:
- Business impact
- Investment and value
- Resources to deliver the systems in agreed time-frames
2.1.3 RELATIONSHIP
The Group IT Steering Committee should receive the appropriate management
information from the Corporate Office, unit companies and internal audit units in order to
coordinate and monitor the Group’s Information Technology resources effectively. The
committee also should monitor performance and institute appropriate action to achieve
desired results. The Committee will meet once every quarter. The Committee will
forward all major decisions, through the Group Executive Director (Innovation and Systems),
to the Chairman for ratification, especially those that will lead to a
review of the approved IT Policy and expenditure on major projects. Formal minutes of
the Steering Committee meetings should also be maintained to document the
Committee’s activities and decisions and such should be copied to the Chairman and
Chief Executives of Unit Companies.
2.2 GROUP INFORMATION TECHNOLOGY STRUCTURE
2.2.1 GROUP IT STRUCTURE
A Group Information Technology Division (resident at the Corporate Office) will be
set up, reporting directly to the IT Strategic Committee. A Corporate Office IT
Manager should head this Division.
2.2.2 FUNCTIONS
Functions of the Group IT Division are:
IT human resource base for all unit companies
Implementation of the IT Policies
Development of mechanisms for the implementation of the policies
IT Literacy training office
IT Research base for the Group
Maintenance of the Group’s intranet, extranet, e-mail systems and Internet
web sites, and liaison with the ISPs.
Implementation of the IT initiatives for the Group as approved by the IT
Strategic Committee
Development of IT Security awareness programme
Development and implementation of the Group and unit Company’s
disaster recovery and business continuity plans
Conduct IT risk assessment and business impact analysis
Implementation of office automation tools for all unit companies
Implementation of automated work flow e-commerce systems for the
Group
2.2.3 SERVICE PROVISION PAYMENTS
Policy: Each unit company shall be billed for IT services rendered to it by
the Corporate Office IT Division. To ensure an accurate charge-out
arrangement, the IT Division should put software in place for user
activity logging.
2.2.4 AGREEMENT OF CHARGE-OUT RATES
Policy: Charge-out rates shall be agreed between the IT Steering
Committee and the Unit Company’s Chief Executives.
2.3 UNIT COMPANY’S IT DEPARTMENTS
2.3.1 STRUCTURE
Each unit Company will have an Information Technology unit headed by a
resident IT Officer with the following responsibilities:-
Help desk functions
Local Area Network Administration
User query and problem response
Assist users in their basic Computing requirements
Systems Maintenance functions
2.3.2 RELATIONSHIP
Reporting Relationship
The Head of the Unit Company IT Unit has a dual reporting relationship
as follows:-
Reports to the Data Administrator (FC or MD) of the unit company on
issues regarding the Unit Company’s database depending on the
infrastructural size of the unit company.
Reports to the Group IT Manager on all other technical
implementation processes. In view of this, a monthly IT position report
should be prepared by the Unit Company’s IT Officer and forwarded
to the Group IT Manager.
The Unit Company’s IT Officer, by virtue of being resident in the unit
company, is under the direct employment of the unit company and
therefore partakes of all risks and rewards incidental to
employment in the unit company.
CHAPTER 3
HARDWARE POLICY
3.1 SERVER MACHINES
Types of Server machines to be used
Policy: All Computing Server machines must be branded computers.
Acquisition of Branded Servers
Policy: Brands should be agreed at the Group Level with the
manufacturers directly or with the authorized distributors.
3.2 CLIENT/DESKTOP COMPUTERS
Types of Desktop Computers to be used
Policy: Desktop or client computers should be branded or cloned.
3.3 PRINTERS
Class of printers for hard copy output
Policy: Network printers must be used in all unit companies. Printers to be
acquired shall be those with capability of serving multiple users.
Single User Printers
Policy: Single user printers shall be made available only to officers who
handle most confidential information. This is to guarantee the
confidentiality of their hard copy reports.
3.4 POWER CONDITIONERS (STABILIZERS)
Centralization of power stabilization
Policy: Central stabilizers should be acquired for each LAN installation,
except where it is not feasible.
3.5 STAND-BY POWER GENERATORS /UPS
Centralization of alternative power supply
Policy: Alternative power supplies such as generating sets and UPSs
should be centralized at each unit company.
3.6 HARDWARE HOUSEKEEPING POLICIES
Entrance to the Server rooms
Policy: There must be special dust collecting rugs at the entrance of each
Server room.
Policy: Computer room floors must be treated with anti-static compounds.
Policy: Dust covers should be used on all systems and users must cover
their computer equipment before leaving the offices for the day.
3.7 HARDWARE MAINTENANCE
Outsource of hardware maintenance
Policy: Hardware maintenance must be outsourced to competent
engineering companies. The Corporate Office IT department must strike,
annually, a comprehensive maintenance agreement covering all unit
companies for the maintenance of all hardware equipment. This should be
formalized in a Service level agreement between the service provider and
the Corporate Office IT Department.
Service level agreement for outsource arrangement
Policy: The contents of any hardware maintenance agreement should
include the following:
The service provider must comply with our security policies
The service provider must have a fidelity insurance arrangement in
place.
The service provider’s maintenance activities must be under the
supervision of our staff.
3.8 HARDWARE MANAGEMENT
Provision of Hardware Management Software
Policy: A hardware library/management software shall be made available
by the Group IT Division for its own use. This software shall be used for
the tracking and management of all computing and telecommunications
hardware in the Group.
Unauthorised use of equipment
Policy: Computer hardware repairs and maintenance shall be carried out
by the IT Staff and/or outsourced vendors. No other staff are permitted to
do so. A breach of this policy will lead to sanctions applicable to the
individual as stipulated by management.
CHAPTER 4
SOFTWARE POLICY
4.1 OPERATING SYSTEMS
4.1.1 NETWORK OPERATING SYSTEM
Policy: Attributes of a Network Operating System to be used within the Group
include:
User friendly (for normal Networks)
Highly secured (not necessarily user friendly) for highly sensitive
Networks
Combination of both
Activity logging and reporting facilities
Recovery facilities from system errors
System file and accounting management
Resource scheduling facilities
Software control parameters like
Data management
Resource management
Job management and
Priority settings
4.1.2 CLIENTS & DESKTOP OPERATING SYSTEMS
Policy: Attributes of a Desktop Operating System to be used include:
User friendly
Activity logging and reporting facilities
4.2. DATA ADMINISTRATION / DATABASE ADMINISTRATION AND DATABASE MANAGEMENT SYSTEMS
4.2.1 DEFINITION OF A DATABASE
A database is a collection of data organized into files that makes it easy for users
to sort and retrieve information. Databases are usually organized into objects
known as tables, which are groups of data that all have something in common. It
is a collection of files that contain the data content of an organization’s business
transactions.
4.2.2 DEFINITION OF A DATABASE MANAGEMENT SYSTEM
This is a container for the collection of computerized data files that allows users
to perform operations on the files. It is a combination of data, its structure, and
the complex software system that supports access to the contents, modification of
the structure and interaction with database client applications. The use of DBMS
can lead to the creation of systems that are accurate, efficient, reliable and secure.
4.2.3 DATA ADMINISTRATORS
The data owners in the unit companies, e.g.:
FC for Finance data
Head of Sales and Marketing, for sales data
Project manager, for project data
Head of Human resource and Admin, for HR data
Functions of a Data Administrator (staff function)
States how access to his data should be granted for implementation by
the DBMS Administrator
He determines back-up and recovery requirements
He specifies data retention/retirement policies where it is not covered
in this policy.
4.2.4 DATABASE ADMINISTRATORS
The Corporate Office IT Dept staff or unit company IT staff. Functions include:
Specifying logical (i.e. computer-based) and physical data definition
and classifications
Preparing programs to create data and advising users on data
collection procedures, specifying validation and edit criteria
Making the database available to all users as established by the
Data Administrators
Documentation of the database structure
Implementation of data access rights as instructed by the Data
Administrator
Implementing data retention and retirement policies
Determining programmer requirements for database tools; testing
and evaluating programmer and database optimization tools
4.2.5 DATA HOUSING
Policy: Each unit company’s database should be housed in a database Server
in the unit company premises.
Policy: A central database of all unit companies to be housed in a Server at
the Corporate Office.
Database Replication:
Policy: Each unit company’s database should be replicated on a daily
basis (at night only) with that of the corporate office.
Retirement of data
Policy: Data is to be retained in the corporate data warehouse for 10
years before retirement.
Policy: Data retired will be stored in a permanent back-up media.
Retrieval of retired data
Policy: Retrieval of retired data can only be made with the approval of
the unit Company‘s Chief Executive or the Chairman.
4.2.6 DATABASE MANAGEMENT SYSTEMS
Policy: All data should be housed in a central industrial strength (Network)
database management system that supports Relational Database Model.
Policy: There should be a data warehouse at the Corporate Office to
warehouse data resident on all unit company’s DBMS. OLAP and Data
mining facilities should be provided at the Corporate Office and made
available to unit company end-users.
Policy: Where an application has its own DBMS, separate from the
company’s central DBMS, the data warehouse facility at the corporate office
should be used to achieve integration and top management decision support
exercise.
4.3 APPLICATION SOFTWARE
4.3.1 SYSTEMS ACQUISITION
Acquisition of applications
Policy: Except where absolutely unnecessary, application software should
be acquired.
Membership of Software acquisition project team
Policy: All software acquisition processes should be handled by a project
team made up of a minimum of the following:
The direct end user /beneficiary of the software
A member of the Group IT Committee
The Head of the Group IT Division
An IT staff from either the Unit company
The Internal Auditor
Documentation required for acquired systems
Policy: Before approving the acquisition of any software for any unit
company of the Group, the project team must ensure that it has appropriate
documentation so that persons unacquainted with it can use it. Such
documentation must be prepared even when standard software such as
spreadsheet program is employed.
Vendor provided written integrity statements
Policy: For each software procured, the project team must obtain a written
integrity statement from the involved vendor or local representative. This
statement must provide assurances that the software in question does not
contain undocumented features, does not contain hidden mechanisms that
could be used to compromise the software’s security and will not require
modification or abandonment of controls found in the operating system
under which it runs. The vendor must confirm that the software is an
original copy and not pirated and indemnify the company against any legal
action.
Third Party Software Source code
Policy: Where possible, vendor software source code should be acquired
along with the object code. Where the going concern of the software
manufacturer may be in question, arrangements should be made to have
the source code stored in an escrow account with a bank.
4.3.2 IN-HOUSE DEVELOPMENT
Who develops Application in-house
Policy: Where it is necessary to develop an application in-house to solve a
particular business problem, the Corporate Office IT department should do
this, working directly with the project team as constituted above.
Compliance with Group systems Development conventions
Policy: Corporate Office Management and the IT head must ensure that
all software development and software maintenance activities performed
by in-house staff subscribe to the Group’s policies, standards, procedures
and other systems development conventions.
Major Systems Changes and Privacy Impact Review Committee
Policy: Every major systems development or enhancement project, which
could materially affect the privacy of individuals, must be reviewed in
advance by the IT Steering Committee. This Committee must:
(a) Determine whether individuals will be placed "at risk" or "at a
disadvantage" as a result of the project,
(b) as necessary, recommend remedial measures, and
(c) if necessary, recommend the cancellation of the project.
Documentation of all in-house developed software
Policy: All in-house developed software must have detailed
documentation to enable anyone unacquainted with it to run it.
Documents for all in-house developed applications
Policy: The life cycle methodology should specify which documentation
shall be generated during each phase. The outputs of SDLC documentation
activities are typically categorized into two major types: process and
product, as follows:
Process Documentation – Process documentation communicates
status and direction. It addresses the actions required for developing,
implementing and maintaining the system. Examples include project
plans, time lines, funds required, procedures to be followed and project
review reports.
Product Documentation – Product documentation describes the
system itself, what it is, how it is operated and how long it is to be
maintained.
Examples include user manuals, operations manuals, maintenance
manuals, requirement documents and design documents.
Separation between production and development environment
Policy: Any in-house business application in development must be kept
strictly separate from the production environment. If existing facilities
permit it, this separation must be achieved via physically separate
computer systems.
In-house development staff access to production environment
Policy: Business application software development staff must not be
permitted to access production information. The only exception is the
production information relevant to the particular application software on
which they are currently working.
4.3.3 SOFTWARE CHANGE CONTROL PROCESS
Formal change control procedure required for all production systems
Policy: A formal change control procedure must be employed before
movement of in-house developed software from the test environment to
production.
Prohibition against trap doors to circumvent access controls
Policy: Programmers and other technically oriented staff must refrain
from installing trap doors that circumvent the authorized access control
mechanisms found in the operating system and/or access control package.
Incorporation of Security into Systems Development Life Cycle
Policy: For all business application systems, security must be considered
by systems designers and developers from the beginning of the systems
design process through conversion to a production system.
Required Reporting of Software Malfunctions
Policy: All apparent software malfunctions must be immediately reported
to unit Company’s IT Officers or the Head, Group IT Division.
Risk Assessments Required for Production Information Systems
Policy: All "production" computer information systems must be
periodically evaluated by the Information Technology Department to
determine the minimum set of controls required to reduce risk to an
acceptable level.
4.4 BUSINESS SOLUTIONS SUITE
4.4.1 ACCOUNTING INFORMATION SYSTEMS POLICIES
Implementation of an Accounting Information System
Policy: An Enterprise Resource Application (ERP) must be implemented
in all unit Companies of the Group.
Qualities of the ERP
The application must have facilities to run on a client/Server
environment.
It must have facilities for Electronic Data Interchange (EDI)
It must be sitting on an Industrial strength Database management
system.
It must be implemented at the Unit Company level and at the
Corporate Office.
It must have facilities for provision of on-line real time accounting
and management information.
4.4.2 CUSTOMER INFORMATION SYSTEMS POLICIES
Installation of a Customer Information System
Policy: A customer Information System for the whole Group shall be
developed in-house or acquired based on the recommendations of the
Group IT Division and approval of the IT Steering Committee. Where an
approved ERP contains a Customer Information System, no other
Customer Information System should be used.
Use of the Customer Information System
Policy: The Customer Information System shall be used for the following
purposes
To capture and process trading transactions of customers
To provide customer statement of accounts, trading accounts,
customer trading aging and every other information deemed
necessary by the Sales and Marketing Departments of all unit
Companies.
Trend analysis
Identification and prioritization of unit Company’s Customers
based on their trading volume for Group Cross-selling purposes.
Qualities of the Customer Information System to be Deployed
The Customer Information System application to be used by the Group
should have the following qualities:-
Client/Server Application: It must be an application for a Client
Server environment
Database: It must be able to sit on the Industrial strength Database
approved for the Group
It must have adequate logical access security features as stated in
the Computer Security section of this manual.
It must have data warehouse and data mining facilities
It must be accessible to all unit Company’s MD’s, Marketing
Manager’s/Directors and the Chairman
The application must be integrated with all information systems
used by the Group.
Implementation of the Customer Information System
The Corporate Office Server shall house the back-end, while the necessary
decision makers like the Chairman’s PC shall house the front end.
Each unit Company’s application Server shall house the Back-end while
the Sales and Marketing Department’s PCs shall house the front end.
The Group’s back-end must be integrated to each of the unit company’s
back-end and data replicated as stated in the Database policy section of
this manual.
Any Customer classified as a cross-selling customer will be made
available to a section of the database, which is accessible to all necessary
users within the Group.
4.4.3 HUMAN RESOURCE INFORMATION SYSTEMS POLICIES
Policy: Human Resource applications shall be made available (acquired or
developed in-house) for the Human Resource Management personnel.
Qualities of the Group’s Human resource application
Policy: The Human resource application to be used by the Group shall
have the following qualities
Supports Client/Server environment.
Sits on a DBMS that has the qualities as stated in the DBMS
policies.
The database should be capable of interfacing with the Accounting
information systems and the Group’s data warehouse.
Must support collaborative technologies. This is to ensure that the
Human Resource Management are brought together under one
umbrella.
The application must be integrated with all other information
systems used by the group.
Implementation of the Human Resource Application
The application back end shall sit on the Group Office IT Division’s
Server while the Front end shall be available to all Human Resource
personnel in the Corporate Office and in each of the unit companies.
Each unit Company shall have direct control of their HR data in their
database while the Group database shall contain all unit companies’ data
Human Resource Data Mining
Policy: Human Resource data mining and Decision Support
facilities shall be made available to all Human Resource Managers
in each unit Company by the Group IT Division as and how they
want it.
4.4.4 ARCHITECTURAL AND REAL ESTATE INFORMATION SYSTEMS
Policy: The Group shall maintain a Real Estate Information system to take care of
the real estate unit company’s activities. Such an information system to be
adopted and implemented shall possess the following qualities:
It must be an application that runs on a client/server environment
It must be scalable and have a Web Application interface
4.4.5 POWER ENGINEERING INFORMATION SYSTEMS POLICIES
To take care of the unique business of the unit Companies in the Power
Engineering business, the Group shall adopt and implement a power engineering
Management Information system.
Policy: The power engineering information system shall have the following
features:
It must be suited for a client/Server environment
It must be equipped with simulation modules for conducting a wide array
of system studies
It must have powerful analytical options and alternative techniques for
analyzing utility and industrial power systems.
It must have user-defined diagram drawing options together with filter
options
It must have flexible plotting facilities and graph customization tools
If it has a built-in database, such a database management system must be
ODBC (Open database connectivity) compliant. Such a database must be
able to interface with our data warehouse
4.4.6 OIL AND GAS INFORMATION MANAGEMENT SYSTEMS POLICIES
Policy: Where the ERP does not take care of a unique aspect of the unit
companies in the Oil and Gas marketing business, an Oil & Gas information
management system will be deployed. Such an application must have the
following features:
It must be suitable for a client/server environment
It must have the facility to manage and monitor the forecasting and
reporting of oil volumes
It must have facilities like deal tickets that manage complete details of
each crude oil contract.
If it has a built-in database, such a database management system must be
ODBC (Open database connectivity) compliant. Such a database must be
able to interface with our data warehouse
4.4.7 HOTEL/HOSPITALITY MANAGEMENT INFORMATION SYSTEMS
POLICIES
Policy: The Group shall maintain a Hotel/Hospitality management
Information system to take care of the unit company in the
hospitality business.
Qualities of the Hotel/Hospitality Management Information system to be used
Policy: The Hotel/Hospitality management information system to be used
shall have the following qualities at a minimum:
It must be an application for a client/server environment
It must be sitting on an industrial strength database management system
It must be able to interface with the Accounting Information system
application in use by the Group.
It must have facilities for web reservations. This means that its database
must be tightly integrated to our web page to handle bookings from the
Internet.
It must have a multi-currency transaction and conversion facility
It must be able to operate multiple locations in the same hotel; tower,
villas, cabins, resorts, rental management, extended stay properties etc.
It must provide for electronic performance support facilities (i.e. on-line
context sensitive help)
The front end must be dynamic enough and have the ability to provide
real-time current status reports such as:
Check ins and check outs due
House keeping status
Room availability/bookings
It must conform to all requirements of the International Association of
Hospitality Accountants (IAHA)
4.5 SOFTWARE MAINTENANCE
Outsource of software maintenance
Policy: Software maintenance must be outsourced to competent software
companies. The Corporate Office IT department must strike, annually, a
comprehensive maintenance agreement covering all unit companies for the
maintenance and troubleshooting of all software. This should be
formalized in a Service level agreement between the service provider and
the Corporate Office IT Department.
Service level agreement for outsource arrangement
Policy: The contents of any software maintenance agreement should
include the following:
The service provider must comply with our security policies
The service provider must have a fidelity insurance arrangement in
place.
The service provider’s maintenance activities must be under the
supervision of our staff.
CHAPTER 5
HUMANWARE POLICIES
5.1 PERSONNEL POLICIES
Personnel Compliance to policies
Policy: All staff of the Honeywell Group must comply with the dictates of
the policy statements. Non-compliance provides a ground for disciplinary
action including termination. Management must inform staff that the
policies are serious matters deserving their continued attention.
Personnel Handbook
Policy: Major issues from this policy will be made available in the
employee handbook.
Information Technology Training Required for All Information Workers
Policy: All employees, consultants, and contractors must be provided with
sufficient training and supporting reference materials to enable them
to perform their work effectively.
5.2 HUMAN RESOURCE MANAGEMENT SOFTWARE
Provision of a Human Resource Management Software
Policy: A Human Resource Management software shall be made available
for the Group Human Resource Management.
Qualities of the Group Human Resource Application
Policy: The qualities of the software shall be as stipulated in the Software
policy portion of this document.
5.3 WORKPLACE HAZARD
Workers Have Right to Know All Workplace Hazards
Policy: Workers have a right to know the nature of all hazards that they may
confront in the workplace. Management must inform workers about the
existence of these hazards, provide safeguards to lessen the risk to workers,
and train workers in the proper use of these safeguards.
Work According to Information Security Policies & Procedures
Policy: Every worker must understand Honeywell Group’s policies and
procedures about information technology, and must agree in writing to
perform his or her work according to such policies and procedures.
Clear Definition of Third Party Information Security Responsibilities
Policy: Where an aspect of our IT process is outsourced to third parties,
such third party staff must be made aware of their information security
responsibilities via specific language appearing in contracts which define
their relationship with us.
5.4 PERSONNEL SECURITY
Avoid Actual and Apparent Conflict of Interest
Policy: All workers must avoid actual or apparent conflicts of interest in
their business-related dealings with the Honeywell Group. Should there be
any doubt as to the existence of a potential conflict of interest, the worker
must consult his or her manager.
Disciplinary Measures for Information Security Non-Compliance
Policy: Non-compliance with information security policies, standards, or
procedures is grounds for disciplinary action including termination.
Management must inform workers that information security is a serious matter
deserving their continued attention.
Disciplinary Measures for Various Information Security Violations
Policy: Assuming the action is inadvertent or accidental, first violations of
information security policies or procedures must result in a warning. Second
violations involving the same matter must result in a letter being placed in the
involved worker's personnel file. Third violations involving the same matter
must result in a five-day suspension without pay. Fourth violations involving
the same matter must result in dismissal. Willful or intentional violations, regardless
of the number of violations, may result in disciplinary action up to and
including dismissal.
Reliance on a Single Person for Important Systems Expertise
Policy: Expertise in important computer- or communications-related areas
must be possessed by at least two available persons. Having such back-up
expertise prevents undue interruptions in systems service, and also increases
the likelihood that unauthorized and abusive acts will be noticed.
Honesty and Emotional Stability Tests for Computer-Related Workers
Policy: All workers to be placed in computer-related positions of trust must
first pass honesty and emotional stability tests which the Human Resources
Department of the Unit Company or the Corporate Office will approve.
CHAPTER 6
TELECOMMUNICATIONS POLICY
6.1 NETWORKS FOR THE GROUP
6.1.1 TYPES
Policy: The Honeywell Group will adopt the following types of networks:
- Local Area Networks (LAN) for office buildings
- Wide Area Networks (WAN) for connections between branches and unit
  companies located outside a state
- Metropolitan Area Networks (MAN) for connections between branches
  and unit companies within a city like Lagos
- Internet, for worldwide connections
6.1.2 LOCAL AREA NETWORK
LAN Policy
Policy: Each unit company’s computers must be connected on a Local
Area Network.
Physical components of Unit Company’s LANs
Transmission Media
Policy: Each unit Company’s LAN shall be cabled with
bounded media such as twisted pair wires and fibre optics.
Policy: Twisted pair wires to be used must be a minimum of
category 5 cables.
Policy: Fibre optic cables must be used for backbone
connections in the LAN.
LAN Topology
Communication topology specifies the location of nodes within a
Network, the ways in which the nodes will be linked, and the data
transmission capabilities of the links between the nodes.
Honeywell Group LAN Topology
Each unit Company’s LAN must adopt the star topology (i.e.
where nodes in the network are connected in a point-to-point
configuration using a central hub).
Hubs Structure
Hubs and concentrators for LAN installations must be the
intelligent ones.
LAN Security
LAN Security Planning
The Network Security plan should be prepared by the Group IT
Division, reflecting all unit companies and approved by the IT
Steering Committee. Such a plan should encompass all
interconnected unit companies.
No unit Company’s LAN security interest should be harmful to
that of another.
The LAN Security plan should take into account all LAN resources,
including:
- Workstations
- Host computers and Servers
- Interconnected devices (routers, gateways,
  bridges, repeaters, hubs, etc.)
- Terminal Servers
- Networking application software
- Network cables
- Information in files and databases
6.1.3 INTRANET POLICY
The Honeywell Group shall implement and maintain a Group-wide
intranet.
Definition:
An Intranet is an internal information system based on Internet
technology, web services, communication protocols etc. The
Intranet is a technology that allows an organization to define itself
as a whole entity, a group, where everyone knows their roles, and
everyone is working on the improvement and health of the
organization.
Objective of the Group wide Intranet
The objective of having a Group wide intranet will be to empower
personnel through more timely and less costly information flow.
Intranet Service Tools
Policy : Each unit Company must have a Mail/Communication
Server for the intranet arrangement.
Intranet Security
Policy : The security of the Group intranet shall be as stated in the
Computer Security policy section of this manual.
6.1.4 E-MAIL POLICY
Privacy Expectations and Electronic Mail
Policy : The e-mail system is the property of The Honeywell Group, and
ALL copies of messages created, sent, received or stored on the system are
and remain the property of the Group. These messages are not the private
property of employees and there should not be any expectation of personal
privacy by any employee irrespective of any such designation either by the
sender or the recipient, including those designated as ‘private’.
Review of e-mail information
Policy : The Group maintains the right to review, audit, intercept, access,
monitor, delete and disclose all messages created, received, sent or stored
on the e-mail system for any purpose. By using the Group’s e-mail system,
an employee recognizes the foregoing rights of the Group and consents to
them.
Personal Use of Electronic Mail Systems
Policy : Electronic mail systems are intended to be used primarily for
business purposes. Any personal use must not interfere with normal
business activities, must not involve solicitation, must not be associated
with any profit-oriented outside business activity, and must not potentially
embarrass the Honeywell Group or any of its unit Companies.
Unauthorised use of the e-mail system includes transmitting or storing
offensive material; compromising the security of information contained on
the Group’s computers; conducting or soliciting for political, personal,
religious or charitable causes or other commercial ventures outside the
scope of the user’s employment and the user’s responsibilities to the
Group.
Sending of Offensive Messages
Policy : The e-mail system is not to be used to create,
send, receive, or store any offensive or disruptive
messages, or materials that infringe the copyright or other
intellectual property rights of any third parties. Messages
considered offensive include those that contain sexual
implications, racial slurs, gender specific comments,
defamatory statements, etc.
Confidentiality of e-mail messages
Policy : Notwithstanding the Group’s right to retrieve and
read e-mail messages, such messages should be treated as
confidential by other employees and accessed only by the
intended recipients. Employees should only disclose
information or messages obtained from the e-mail system
to recipients authorized to have such information.
Employees are not authorized to retrieve or read any
e-mail messages that are not addressed to them.
Punishment for Violation
Policy : Any employee, who violates this policy or uses the
e-mail system for any purpose deemed improper or
unreasonable by his/her unit Company or the Group, will
be subject to disciplinary action up to and including
termination.
6.1.5 WIDE AREA NETWORK (WAN) POLICIES
Wide area connection of unit companies
Policy : All unit companies must be connected together with the
Corporate Office in a Wide Area Network.
Transmission media for WAN
Policy : All WAN connections must be made using unbounded
transmission media such as VSAT (Very Small Aperture
Terminals), Satellite microwave, radio frequency and infrared.
6.1.6 INTERNET POLICY
Internet Gateway
Policy : The Internet gateway of the group will be at the Corporate
Office, maintained by the Group IT Division.
Internet security
Policy : All unit companies and the Group as a whole shall adopt
the policy on Internet security as specified in the Computer
Security section.
Protection of the Intranet from the unprotected Network
Policy : Firewalls shall be used to protect the Group’s WAN from
the Internet. Firewalls to be used must have at least the following
properties:
- All traffic from inside to outside, and vice versa, must pass
  through the firewall. This should not be limited to logical
  controls, but must also be physically enforced.
- Only authorized traffic, as defined in the Computer Security
  policy section, will be allowed to pass.
- The firewall must be such that it is immune to penetration.
- Traffic is exchanged through the firewall at the application
  layer only.
- The firewall architecture should be configured according to the
  ‘minimal art philosophy’.
- The firewall architecture should deploy strong authentication
  for management of its components.
- The firewall architecture should hide the structure of the
  internal WAN.
- The firewall architecture provides an audit trail of all
  communications to or through the firewall system and will
  generate alarms when suspicious activity is detected.
- The Group’s host systems, which provide support for
  incoming service requests from the public network, sit
  outside the firewall.
- The firewall defends itself from direct attack.
Other Communications Policy
Use of Voice Recognition systems
Policy : Use of voice recognition systems can be made at the Group
level with the recommendation of the IT Steering Committee and
the approval of the Chairman.
Use of speech-based applications shall be strictly for business
purposes.
6.2 WORKPLACE POLICY
6.2.1 TELEPHONE
Policy : Unit companies shall provide the following:
- PABX with features compatible with telephony and computing
  systems and approved by the Group IT Strategic Committee
- At least two (2) functional telephone lines
- Functional phone sets on all personnel’s desks
- Functional direct telephone lines on the desks of all Executive
  Management staff and marketing related offices
- Functional telephone land lines in the homes of
  all Executive Management staff
Expenses on the use of the telephones provided by Companies shall be
borne by the unit Companies in accordance with applicable limits.
6.2.2 RADIOS
Policy: Where conventional, reliable telephone service is not available,
unit companies shall provide telephony equipment capable of voice, text
and video interactions. The Group IT Strategic Committee shall approve
specifications for this facility.
6.3 MOBILE COMPUTING/ALTERNATIVE WORKPLACE POLICY
6.3.1 NOTEBOOKS AND LAPTOPS
Ownership of Mobile computing tools
Policy : All Executive Management and mobile staff shall be provided
with notebooks, web-enabled cell phones etc.
Policy : Any mobile computing tool such as notebooks, web-enabled cell
phones etc made available to staff of the Honeywell Group remain the
property of the Group and must be returned if the staff is leaving the
Group.
6.3.2 CELL PHONE/PAGER USAGE
Policy : All Executive Management staff shall be provided with cell
phones. Senior Managers who are mobile or perform marketing related
functions shall be provided a cell phone. Other mobile/marketing related
staff shall be provided with a pager.
Expenses on the use of cell phones and pagers provided by Companies
shall be borne by the unit Companies in accordance with applicable limits.
6.4 ELECTRONIC COMMERCE POLICY
Our definition of electronic commerce is the use of technology to enhance the process of
commercial transactions between the Honeywell Group, its customers and business
partners.
6.4.1 E-COMMERCE TECHNOLOGY POLICIES
The enabling technology to be used for e-commerce (depending on the
situation) within the group includes all or any of the following:
- Multimedia technology
- Proprietary networks
- Web browsers
- The Internet
- Automatic teller machines/Home banking
- Electronic Data Interchange (EDI)
E-commerce Architecture
Policy : The architecture for our e-commerce businesses using the
Internet Technology shall be 3-tier architecture.
3-tier architecture arrangement
Policy : For any e-commerce arrangement within the group via the
web, two servers and a provision for a client must be used as
follows:
- A client computer using a web browser, responsible for display
  and validation
- A Web Server that handles application processing
- A database Server responsible for information storage.
  This means that the web Server must not house our
  data.
6.4.2 E-COMMERCE SECURITY POLICIES
Encryption of data
Policy: All data sent to or received from our Server must be
encrypted using the public key infrastructure.
Digital Signatures
Policy: All officers responsible for transacting business electronically on
behalf of their unit companies must have digital signatures equally
encrypted.
Use of Certificate Authorities
Policy : To enhance the reliance of e-commerce trading partners, we shall
make use of Certificate Authorities to certify our sites for e-commerce
trading.
CHAPTER 7
COMPUTER SECURITY & INTERNAL CONTROL POLICY
7.1 PHYSICAL SECURITY POLICIES
Physical security policies in this context have to do with the measures to protect the
Honeywell Group from loss of computer processing capabilities caused by theft, fire,
flood, malicious destruction and mechanical power failures.
Location of Computer Processing Rooms
Policy : Computer Server rooms must not be located near an airport or in a
building directly under a flight path.
Policy : Computer Server rooms for each unit company must not be in an
area harboring businesses that produce or use explosives or chemicals
susceptible to explosion.
Policy : The Server rooms should not be located on the roof of the office
buildings, nor in the basements.
Policy : Server room floors should be regularly treated with antistatic
compounds.
Policy : The Computer Server rooms must not be unduly advertised.
Therefore such notices as ‘Computer room, out of bounds’ should not be
placed.
Access to the computer room
Policy : Only Computer room staff should have access to the computer
rooms within each unit company. Access to the Server rooms by other
staff should be with the approval of the Chief Executive Officer of the unit
company.
Badges Must Be Worn in Visible Places when in any unit Company’s premises
Policy: Whenever in any of the Honeywell Group’s unit Company’s
buildings or facilities, all persons must wear an identification badge on
their outer garments so that the information on the badge is clearly visible.
No 'Piggybacking' Through Controlled Doors Permitted
Policy: Physical access controls for each unit Company’s buildings are
intended to restrict the entry of unauthorized persons. Workers must not
permit unknown or unauthorized persons to pass through doors, gates, and
other entrances to restricted areas at the same time when authorized
persons go through these entrances. While this may at first seem rude, it is
essential if the security of the Company premises and workers is to be
maintained.
Identification and Sign-In Process Required for All Visitors
Policy : All visitors must show picture identification and sign-in prior to
gaining access to restricted areas.
Physical Security Measures for Computers & Communications Systems
Policy : Buildings which house any of the Honeywell Group’s computers
or communications systems must be protected with physical security
measures that prevent unauthorized persons from gaining access.
Adequate Construction for Computer or Communications Centers
Policy : New and remodeled computer or communications centers must be
constructed so that they are protected against fire, water damage,
vandalism, and other threats known to occur, or that are likely to occur at
the involved locations.
No Signs Indicating Location of Computer or Communications Center
Policy: There must be no signs indicating the location of computer or
communications centers.
Computer Center Fire Resistance and Self-Closing Openings
Policy: Firewalls surrounding computer facilities must be non-combustible
and resistant to fire for at least one (1) hour. All openings to these walls
should be self-closing and likewise rated at one hour.
Computer-Assisted Equipment Tracking
Policy: All of the Company’s computer and communications equipment must
have a unique computer-readable identifier attached to it such that
physical inventories can be efficiently and regularly conducted.
Positioning Workstations to Reduce Risk of Overlooking
Policy: All workstation screens handling sensitive information must be
positioned such that unauthorized persons cannot readily look over the
shoulder of the person using the workstation.
Changing Physical Access Control Codes on Worker Termination
Policy : In the event that a worker is terminating his or her relationship
with the Honeywell Group, all physical security access codes known by
the worker must be deactivated or changed. For example, the serial
number recorded on a magnetic stripe attached to an identification badge
must be changed before the badge is reissued to another worker.
7.2 LOGICAL SECURITY POLICIES
Operating System Security
Independent Security Systems for Each Computer System
Policy : The security of a computer system must never be entirely dependent on
the security of another computer system.
Periodic Review & Reauthorisation of Access Privileges
Policy : The system privileges granted to all users must be re-evaluated by
management every six (6) months.
Tools To Determine Security Status Of System
Policy: The Network Operating system must include sufficient automated tools
to assist the security administrator in verifying the security status of the computer.
These tools must include mechanisms for the correction of security problems.
This should be used as one of the criteria for evaluation of a networked operating
system.
Reporting Changes in User Duties to Systems Security Administration
Policy : Management must promptly report all significant changes in end-user
duties or employment status to the computer system security administrators or any
other responsible officer in the IT Department within the unit Company, handling
the user-IDs of the affected persons.
Transfer of Information Custodian Duties After Employee Terminations
Policy : When a staff member leaves a position, both computer resident files and paper
files must be promptly reviewed by his or her immediate manager to determine
who should become the custodian of such files, and/or the appropriate methods to
be used for file disposal. The computer user's manager must then promptly
reassign the computer user's duties as well as specifically delegate responsibility
for information formerly in the computer user's possession.
Computer System Logs Must Support Audits
Policy : Logs of computer security relevant events must provide sufficient data to
support comprehensive audits of the effectiveness of, and compliance with
security measures.
Required Retention Period of Logs
Policy: Logs of major computer security relevant events must be retained for at
least three (3) months. During this period, logs must be secured such that they
cannot be modified, and such that only authorized persons can read them. These
logs are important for error correction, forensic auditing, security breach
recovery, and related efforts.
Retention of Access Control Privilege Logs
Policy : Computerized records reflecting the access privileges of each user on the
network must be securely maintained for a reasonable period of time.
Resistance of Logs Against Deactivation, Modification, or Deletion
Policy : Mechanisms to detect and record significant computer security events
must be resistant to attacks. These attacks include attempts to deactivate, modify,
or delete the logging software and/or the logs themselves.
Persons Authorized to View Logs
Policy: All system and application logs must be maintained in a form that cannot
readily be viewed by unauthorized persons. A person is unauthorized if he or she
is not a member of the internal audit staff, IT Department, systems management
staff, or if he or she does not need to have such access to perform regular duties.
Unauthorized users must obtain written permission from the IT Manager within
the Unit Company or Internal Auditor prior to being granted access.
Regular and Prompt Review of System Logs
Policy : To allow proper remedial action, computer operations or any other
responsible officer in the IT Department must review records reflecting security
relevant events in a periodic and timely manner.
7.3 DATA BALANCING AND VALIDATION SECURITY POLICIES
Right of Management to Examine Data Stored on the Honeywell Group’s
computer Systems
Policy : All messages sent over The Honeywell Group’s computer and
communications systems are the property of Honeywell Group. To properly
maintain and manage this property, management reserves the right to examine
all data stored in or transmitted by these systems. Since the Company's
computer and communication systems must be used for business purposes
only, workers should have no expectation of privacy associated with the
information they store in or send through these systems.
Confidentiality Agreements Required for All Honeywell Group’s Staff
Policy : All employees, consultants, contractors, and temporaries must sign a
confidentiality agreement at the time they join the Honeywell Group.
Notification of Suspected Loss or Disclosure of Sensitive Information
Policy: If secret, confidential, or private data is lost, is disclosed to
unauthorized parties, or is suspected of being lost or disclosed to unauthorized
parties, its owner and the Head of IT Department must be notified
immediately.
Disclosure of Information System Control Specifics to Third Parties
Policy: Workers must not disclose to any persons outside the Honeywell
Group either the information system controls that are in use or the way in
which they are implemented. Exceptions will be made only if the permission
of the Information Technology Manager under the authority of the Managing
Director is first obtained.
Disclosure of Information About Information System Vulnerabilities
Policy : Specific information about information system vulnerabilities, such as
the specifics of a recent system break-in, must NOT be distributed to persons
who do not have a demonstrable need-to-know.
Information Access Control Systems and the Mosaic Theory
Policy: If the Company’s sensitive information is resident on a computer
system, and if users are permitted to request all or part of this information
through on-line facilities, special access controls must be in force. These
access controls must protect the information so that a series of permissible
requests for information will not collectively reveal information that is
otherwise restricted. Like a mosaic made of glass fragments, separate pieces
of information must not be readily assembled to create a larger
picture. In many instances, this means that aggregate sets of information may
not be segmented into separate access-controlled sets of information without
running an undue risk of unauthorized disclosure.
Four Category Data Classification Scheme
Policy: Data must be broken into four sensitivity classifications with separate
handling requirements: SECRET, CONFIDENTIAL, PRIVATE, and
UNCLASSIFIED. This standard data sensitivity classification system must be
used throughout The Honeywell Group. These classifications are defined as
follows:
A) SECRET: This classification applies to the most sensitive business
information, which is intended strictly for use within each unit
Company in the Honeywell Group.
49
Its unauthorized disclosure could seriously and adversely impact
the Company’s, Equity holders, business partners, and/or its
customers.
B) CONFIDENTIAL: This classification applies to less sensitive
business information, which is intended for use within the
Company. Its unauthorized disclosure could adversely impact the
Company, its Equity holders, business partners, and/or its
customers.
C) PRIVATE: This classification applies to personal
information, which is intended for use within the Company.
Its unauthorized disclosure could seriously and adversely
impact the Company and/or its employees.
D) UNCLASSIFIED: This classification applies to all other
information which does not clearly fit into any of the above
three classifications. While its unauthorized disclosure is
against policy, it is not expected to seriously or adversely
impact any unit Company within the Honeywell Group, its
employees, its Equity holders, business partners, and/or its
customers.
Comprehensive Data Classification System Labelling Requirements
Policy: All tape reels, floppy disks, and other computer storage media containing
secret, confidential, or private information must be externally labeled (marked)
with the appropriate sensitivity classification.
Labeling and Presentation of Sensitive Information to Computer Users
Policy: If information is either secret, confidential, or private, all instances in
which it is displayed on a screen or otherwise presented to a computer user must
involve an indication of the information's sensitivity.
Destruction of Intermediate Products Containing Sensitive Information
Policy: If a copy machine jams or malfunctions when workers are making copies
of secret information, they must not leave the machine until all copies of the
information are removed from the machine or destroyed beyond recognition.
Destruction of Waste Copies of Sensitive Information
Policy: All waste copies of secret information that are generated in the course of
copying, printing, or otherwise handling such information must be destroyed
according to approved procedures. (A paper shredding machine is recommended)
Delivery of Sensitive Computer Output to Intended Recipients
Policy: Private, confidential, or secret computer output must be personally
delivered to the person(s) designated to receive it. Such output should never be
delivered to an unattended desk, or left out in the open in an unoccupied office.
Alternatively, it may be made available to only the designated recipients via
lockers or other secured methods.
Log Book Reflecting Movement of Secret Documents
Policy: When secret information is involved, a log must be kept reflecting the
number of copies made, the location of the copies, the names of the recipients, the
addresses of the recipients, and any persons viewing the copies. This log must be
maintained as long as such information retains a secret sensitivity classification.
This log must also be classified as secret.
Encryption Required for Sending Secret Information by Fax
Policy: Secret information must NOT be sent by facsimile (fax) unless the
transmission is encrypted using methods approved by the management of the unit
Company and/or the IT Steering committee.
Password Required for Sending Secret Information by Fax
Policy: Secret information must not be sent by facsimile (fax) unless a password
is successfully provided by the receiving machine prior to the initiation of a
transmission.
Removal of Sensitive Information From Company Premises
Policy: Secret, confidential, and private information may not be removed from
the Company’s premises unless there has been approval from the information's
owner. This policy includes portable computers with hard disks, floppy disks,
hard-copy output, paper memos, and the like. An exception is made for
authorized off-site back-ups.
Retention Period Required for All Sensitive Information
Policy: A retention period must be assigned to all secret information, regardless
of the form that the information takes (paper documents, computer files, etc.).
Service Vendors and Destruction/Concealment of Sensitive Information
Policy: Before computer magnetic storage media is returned to a vendor for trade-
in, servicing, or disposal, all the Company’s secret, confidential, or private
information must be destroyed or concealed according to methods approved by
the Group Information Technology Division.
Destruction of Sensitive Information on Computer Storage Media
Policy: All secret, confidential, and private information stored on magnetic
storage media (such as tape reels or floppy disks) must be destroyed using
zeroization programs (which overwrite the information repeatedly with zeros and
ones). It is not sufficient simply to "erase" files from computer magnetic storage
media. Alternatively, degaussers, shredders, or other equipment approved by the
Information Technology Division may be used.
Zeroization Required for Erasure of Sensitive Information
Policy: When sensitive information is erased from disk, tape, or other magnetic
storage media, it must be followed by a repeated overwrite operation, which
prevents the data from being scavenged.
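The repeated overwrite that the two zeroization policies above call for can be sketched as follows. This is an added example, not part of the policy document; the function name, pass count and chunk size are assumptions. It presumes magnetic media on a file system that rewrites blocks in place; on flash media or copy-on-write file systems an in-place overwrite does not reliably reach the old blocks, and the degaussers or shredders the policy names remain the fallback.

```python
import os
import secrets

CHUNK = 64 * 1024
# "Zeros and ones" taken here as an all-0-bits pass, then an all-1-bits pass.
PATTERNS = (b"\x00", b"\xff")


def _overwrite_pass(fd, size, fill):
    """Write `size` bytes of `fill` from offset 0 and flush them to the device."""
    os.lseek(fd, 0, os.SEEK_SET)
    block = fill * CHUNK
    remaining = size
    while remaining > 0:
        remaining -= os.write(fd, block[:min(CHUNK, remaining)])
    os.fsync(fd)


def _verify_pass(fd, size, fill):
    """Read the file back and confirm every byte equals `fill`.

    This checks the file as the OS presents it (usually from cache); it is a
    guard against short writes, not proof of what is on the platter.
    """
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        data = os.read(fd, min(CHUNK, remaining))
        if not data or data != fill * len(data):
            return False
        remaining -= len(data)
    return True


def zeroize_file(path, passes=4, unlink=True):
    """Overwrite a regular file in place `passes` times, then delete it.

    Returns a list of (pass_number, pattern_hex, verified) tuples that can be
    kept as the destruction record.
    """
    if passes < 2:
        raise ValueError("a repeated overwrite needs at least 2 passes")
    if os.path.islink(path) or not os.path.isfile(path):
        raise ValueError("refusing to zeroize anything but a regular file")

    size = os.path.getsize(path)
    report = []
    fd = os.open(path, os.O_RDWR)  # no O_TRUNC: the old blocks must be reused
    try:
        for i in range(passes):
            fill = PATTERNS[i % len(PATTERNS)]
            _overwrite_pass(fd, size, fill)
            ok = _verify_pass(fd, size, fill)
            report.append((i + 1, fill.hex(), ok))
            if not ok:
                raise OSError(f"read-back mismatch on pass {i + 1}")
    finally:
        os.close(fd)

    if unlink:
        # Rename first so the original file name does not linger in the
        # directory entry, then remove the file.
        directory = os.path.dirname(os.path.abspath(path))
        anonymous = os.path.join(directory, secrets.token_hex(8))
        os.rename(path, anonymous)
        os.remove(anonymous)
    return report
```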
Approved Methods for Hardcopy Sensitive Information Disposal
Policy: When it is disposed of, all secret, confidential, or private information in
hardcopy form (paper, microfilm, microfiche, etc.) must be either shredded or
incinerated.
Destruction of Records or Information Requires Management Approval
Policy : Workers must not destroy or dispose of potentially important Company’s
records or information without specific advance management approval.
Unauthorized destruction or disposal of the Company’s records or information
will subject the perpetrator to disciplinary action including termination and
prosecution. Records and information must be retained if: (1) they are likely to be
needed in the future, (2) regulation or statute requires their retention, or (3) they
are likely to be needed for the investigation or prosecution of unauthorized,
illegal, or abusive acts.
Nature and Location of Confidential Information
Policy: Information about the nature and location of each Unit Company’s
information, such as that found in a data dictionary, is confidential and must only
be disclosed to those who have a demonstrable need-to-know.
Location of Data Processing Centers Considered Confidential
Policy : The computer center's physical address is confidential and must not be
disclosed to those without a demonstrable need-to-know.
Isolate Systems Containing Secret Information from Network
Policy : The Company’s computer systems containing secret information must not
be connected to any network or any other computer.
Establishment and Use of Control Override Facilities
Policy : Management must establish control override facilities to be used in those
exceptional circumstances where controls must be compromised to maintain on-
going business operations. The ability to use these override facilities must be
severely restricted, and the facilities must be used only when absolutely
necessary.
Management Definition of Circumstances for Use of Control Overrides
Policy : Management must clearly communicate to workers the specific
circumstances when it is permissible to override controls. Override procedures
and mechanisms must only be used to remedy extraordinary conditions that are
not otherwise resolvable in the ordinary course of business activities.
Avoidance of Communication Network Central Point of Failure
Policy : The Group IT Division must design the communications networks so that
no single point of failure, such as a central switching center, could disrupt
network service.
Management Notification of Information Integrity Controls Failure
Policy : If controls which assure the integrity of information fail, if such controls
are suspected of failing, or if such controls are not available, management must be
notified of these facts each time they are presented with the involved information.
Authorization Required for All Production System Input Transactions
Policy : Methods must be in place to ensure that all input to production computer
systems, which have been submitted for processing, has been properly authorized.
Input Data Validation and Rejected Item Handling
Policy : All transactions to be input to a multi-user computer system must first be
subjected to reasonableness checks, edit checks, and/or validation checks.
Transactions which fail such checks must either be: (a) rejected with a notification
of the rejection sent to the submitter, (b) corrected and resubmitted, or (c)
suspended pending further investigation.
Clean Desks and Working Areas
Policy : Outside of regular working hours, all workers must clean their desks and
working areas such that all sensitive or valuable data is properly secured.
Input Devices
Voice Recognition Systems
Policy : Voice enabled systems can be used as input device based on the
recommendation of the IT Committee for the Group.
7.4 DISASTER RECOVERY AND CONTINGENCY PLANNING POLICIES
DISASTER
Each unit company’s management will, in conjunction with the Group IT Division, define
the following unwanted events:
a) Non-disaster
b) Disaster
c) Catastrophe
Fire Alarm
Policy: Fire alarm systems must be made available in the computer rooms.
Framework for Segmenting Information Resources by Recovery Priority
Policy : The Group’s Information Technology Division must establish and use
a logical framework for segmenting information resources by recovery
priority. This will in turn allow the most critical information resources to be
recovered first. All unit Companies and departments must use this same
framework when preparing information systems contingency plans.
Five Category Application Criticality Classification Scheme
Policy : All production computer applications must be placed into one of five
criticality classifications, each with separate handling requirements: highly
critical, critical, priority, required, and deferrable. This criticality
classification system must be used throughout the Group, and must form an
integral part of the system contingency planning process.
Organization and Maintenance of Computer Emergency Response Team
Policy : Management of each unit company in conjunction with the Group IT
Division must organize and maintain an in-house computer emergency
response team (CERT) that will provide accelerated problem notification,
damage control, and problem correction services in the event of computer
related emergencies such as virus infestations, hacker break-ins, and the like.
Cross Training for Staff in Critical Technical Jobs
Policy: At all times, at least two staff members should be able to provide
essential technical services for information systems critical to their
Company’s business. If fewer than two staff members can provide these
essential technical services, management must initiate cross training,
additional hiring, outsourcing, or other remedial actions.
Preparation and Maintenance of Computer Disaster Recovery Plans
Policy : The Group IT Division, in conjunction with each unit Company’s
Management must prepare, periodically update, and regularly test a disaster
recovery plan that will allow all critical computer and communication systems
to be available in the event of a major loss such as a flood, earthquake, or
tornado.
Business Continuity Planning Process
Policy : A standard organization-wide process for developing and maintaining
business and computer contingency plans must exist and be observed.
Computer and Communications System Contingency Plan Testing
Policy: To the extent practical and feasible, computer and communication
system contingency plans must be tested at regular intervals to assure that they
are still relevant and effective. Each such test must be followed by a brief
report to each unit Company’s top management detailing the results of the test
and any remedial actions that will be taken.
Preventive Maintenance on Computer and Communication Systems
Policy: Preventive maintenance must be regularly performed on all computer
and communications systems such that risk of failure is kept to a reasonably
low probability.
What Data to Back-Up and Minimum Back-Up Frequency
Policy : All sensitive, valuable, or critical information resident on the Group’s
computer systems must be periodically backed-up. Such back-up processes
must be performed at least monthly.
Two Copies of Sensitive, Critical, or Valuable Information
Policy : All microcomputer (PC) and workstation users must make at least one
(1) back-up copy on separate data storage media of every sensitive, critical, or
valuable file, which has been changed. These back-up copies must be made at
the time when changes are made.
Off-Site Storage of Back-Up Media
Policy : Back-ups of sensitive, critical, and valuable information must be
stored in an environmentally protected and access-controlled site/unit
company separate from the site/unit company where the original copies reside.
Regular Testing of Archival Storage Data Media
Policy : Sensitive, critical, or valuable information stored on computer media
for a prolonged period of time must be tested at least annually to ensure that
the information is recoverable.
Preservation of Data Held in Archival Storage
Policy: Computer media storage procedures must assure that sensitive,
critical, or valuable information stored for prolonged periods of time is not
lost due to deterioration. For instance, management must copy data to
different storage media if the original back-up media is showing signs of
undue deterioration.
Storage of Hardware and Software Specification
Policy: The Group IT Division should maintain a store of the
specifications of all important hardware and software packages in use
throughout the Group.
7.5 INTERNET SECURITY
Firewalls
Policy: Firewalls must be made available at the unit company level and at
the Corporate Office.
Unit Company Firewalls
Policy: Unit company firewalls will be used to protect the LAN
from other LANs within the Group.
Corporate Office Firewalls
Policy: The Corporate Office firewalls, which sit on the Group’s
Internet gateway at the Corporate Office, shall be used to protect
the Group’s WAN from outside networks.
Qualities of the Firewall
Policy: Any firewall in use within the Group must have the
following qualities:
It should be able to deny all services except those specifically permitted.
The firewall should be able to support our security policies.
It should contain hooks or slots for installing advanced authentication measures.
It should employ filtering techniques to permit or deny services to specified host systems.
It should use proxy services so that advanced authentication measures can be employed and centralized at the firewall.
Content-Inspection Software
Policy: Content-Inspection software must be made available between the
Group’s Internal Network and the Internet. Such software must have the
following capabilities:
A content inspection environment separate from the Network environment.
The ability to delete files suspected of containing a virus.
All files from the Internet must pass through the software.
Anti-Virus Software
Policy: As stated in the Network Environment Security Section,
there must be anti-virus software within the Internet gateways.
Intranet Security
Policy: The Intranet security mechanisms to be adopted must reflect the
following elements:
Integrity: Whatever data is received must be exactly what was sent.
Reliability: No matter what was sent or received, it must be such
that users can rely on the integrity of the data.
Availability: Users should be able to access the data reliably when
they need it.
Intranet Security Mechanisms
Policy: The following mechanisms, amongst others, must be adopted to
secure the intranet:
Encryption
Authentication
Annual Information Security Planning Process Required
Policy: Working in conjunction with the responsible management, the Group
Information Technology Division must annually prepare plans for the
improvement of information security on all our major Company information
systems.
7.6 NETWORK ENVIRONMENTAL SECURITY
Access Control Packages Required for Computers on the Network
Policy: If workers leave the power for their computers turned on during non-business hours,
and if such computers are connected to a network, the computers must be protected
by an access control system approved and implemented by the Group Information
Technology Division.
Trading Partner Agreement Required Prior to Use of EDI
Policy: Prior to the use of Electronic Data Interchange (EDI) with any third
party, a trading partner agreement, fixing the terms and conditions of EDI use,
must be negotiated. This agreement must be approved by the Group’s legal
counsel prior to using any EDI systems for business transactions.
Large Networks Must Be Divided into Separate Domains
Policy: All large networks crossing national or Unit Company’s boundaries
must have separately-defined logical domains, each protected with a defined
security perimeter and access control mechanisms.
Dial-Up Connections Must Always Utilize Firewalls
Policy: All dial-up lines connected to the Honeywell Group’s internal
networks and/or multi-user computer systems must pass through an additional
access control point (firewall) before users can reach a log-in banner.
Secret Data Sent Over Networks Must Be Encrypted
Policy: If secret data is to be transmitted over any communication network, it
must be sent in encrypted form.
Secret Information Must Be Encrypted When Not In Active Use
Policy: All computerized secret information must be encrypted when not in
active use (for example, when not manipulated by software or viewed by an
authorized user).
Encryption Key Management Systems and Separation of Duties
Policy: The Honeywell Group’s encryption systems must be designed such
that no single person has full knowledge of any single encryption key. This
must be achieved by separation of duties and dual control. Separation of
duties refers to use of more than one individual to handle a certain important
activity, while dual control means that two people must be simultaneously
present for an important activity to be accomplished.
Protection for Encryption Key Generation Materials
Policy: Whenever encryption is used, materials to develop encryption keys as
well as hardcopy versions of keys must be kept locked when not in use.
Protective measures to prevent these keying materials from falling into the wrong
hands must be observed throughout the lifecycle of the information protected by
the keys.
Deletion of Readable Data After Encrypted Version Has Been Made
Policy: Whenever encryption is used, workers must not delete the sole readable
version of data unless they have first demonstrated that the encryption process is
able to re-establish a readable version of the data.
Explicit Assignment of Encryption Key Management Functions
Policy: The owner(s) of data protected via encryption must explicitly assign
responsibility for the encryption key management to be used to protect this data.
7.7 VIRUS SECURITY
Users Must Not Attempt to Eradicate Computer Viruses
Policy : A computer virus is an unauthorized program that replicates itself and
spreads onto various data storage media (floppy disks, magnetic tapes, etc.) and/or
across a network. The symptoms of virus infection include much slower
computer response time, unexplainable loss of files, changed modification dates
for files, increased file sizes, and total failure of computers. Because viruses have
become very complex, users must not attempt to eradicate them from their
systems. If users suspect infection by a computer virus, they must stop using the
involved computer and immediately call the Information Technology Department.
Testing for Viruses Prior to Use on The Honeywell Group’s Systems
Policy : To prevent infection by computer viruses, workers must not use any
software, which has been provided by a person or organization other than a
known and trusted supplier. The only exception to this is when such software has
first been tested and approved by the unit Company’s Information Technology
Department or the Group’s Information Technology Division.
Initial Back-Up Copies of Microcomputer Software
Policy: All microcomputer software must be copied prior to its initial usage, and
such copies must be stored in a safe place. These master copies must not be used
for ordinary business activities, but must be reserved for recovery from computer
virus infections, hard disk crashes, and other computer problems. These master
copies must also be stored in a secure location.
Testing for Virus Prior to Distribution to Third Parties
Policy : Prior to distributing any software to third parties, Honeywell Group’s
staff must first have subjected the software in question to extensive testing,
including tests to identify the presence of computer viruses.
Provision Of Anti-Virus Software
Policy: Anti-virus software must be licensed at the Group level
and made available for every unit Company’s Network. Such a
license must be a Network license.
This anti-virus software must be regularly updated to take care of
new variants.
Provision Of Firewall
Policy: The firewall as described in the Internet security section of
this manual should be implemented to avoid virus infestation as
much as possible.
Provision of Content Inspection Software
Policy: To guard against new virus variants, a Network based
Content-Inspection Software must be licensed at the Group Office
and made available to all Computers in the Group.
Virus Administrative Security
Floppy Drives
Policy: Because floppy disks are a frequent source of viruses, the floppy
drives of users’ PCs should be disabled, except those of unit heads.
Disablement of Unit Head’s floppy drives
Policy: Where a unit head’s PC is infected by a virus and
investigation shows that the virus came from a floppy disk, that
PC’s floppy drive should be permanently disabled by the IT
Department within the unit Company of the Group IT Division.
Immediate Reporting of Suspected Computer Virus Infestation
Policy: Computer viruses can spread quickly and need to be
eradicated as soon as possible to limit serious damage to computers
and data. Accordingly, if workers report a computer virus
infestation to the Information Technology Department immediately
after it is noticed, even if their negligence was a contributing
factor, no disciplinary action will be taken. The only exception to
this early reporting amnesty will be those circumstances where a
worker knowingly caused a computer virus to be introduced into
the Company’s systems. However, if a report of a known
infestation is not promptly made, and if an investigation reveals
that certain workers were aware of the infestation, these workers
will be subject to disciplinary action including termination.
Assignment of Responsibility for Information Asset Controls
Policy: Management must specifically assign responsibility for the
control measures protecting every major information asset.
Overview of Tasks Performed by Information Security Unit of the IT
Department
Policy: The Information Security Unit is responsible for
establishing and maintaining organization-wide information
security policies, standards, guidelines, and procedures.
Adequate Information Security Insurance Coverage Must Be Maintained
Policy: Adequate insurance coverage must be obtained and kept in
force for every major threat facing the confidentiality, integrity,
and availability of information handled by Honeywell Group’s
computer and communication systems.
Internal Audit Review of Information System Controls
Policy: The Internal Audit Department must periodically review
the adequacy of information system controls as well as compliance
with such controls.
Periodic Independent Review of Information System Controls
Policy: Independent third-party review of the adequacy of and compliance
with information system controls must be periodically obtained.
Criteria for Assigning Information Ownership
Policy: If there are several potential information owners, higher-level
management must assign ownership responsibility to the single individual
who makes the greatest use of the information.
Security Responsibilities of Information Custodians
Policy: Information custodians are responsible for defining specific control
procedures, administering information access controls, implementing and
maintaining cost-effective information control measures, and providing
recovery capabilities consistent with the instructions of information owners.
Security Responsibilities of Information Users
Policy: All users of information belonging to Honeywell Group must comply
with the control requirements specified by the information's owner and/or
custodian. Users may be employees, temporaries, contractors, consultants, or
third parties with whom special arrangements have been made.
CHAPTER 8
INTELLECTUAL PROPERTY RIGHTS POLICY
8.1 INFORMATION ASSET
Information as an important asset to the Honeywell Group
Policy: Information is an important Company asset. Accurate, timely,
relevant and properly protected information is absolutely essential to the
Honeywell Group’s business. To ensure that information is properly
handled, all accesses to, uses of, and processing of each unit company’s
information must be consistent with the related information systems
policies and standards.
Intellectual property
Policy: All applications developed in-house by the employees of the
Honeywell Group remain the property of the Honeywell Group and not
that of the individual developers.
Copyright Notices on Computer Programs and Documentation
Policy: All computer programs and program documentation owned by the
Honeywell Group must include appropriate copyright notices.
Software Licensing
Policy: All software resident in any computer in use for the business
transactions of the Honeywell Group must have an appropriate license.
Corporate Office Management must make adequate arrangements with the
vendors for additional licensed copies, if and when additional copies are
needed for business activities.
Periodic review of software licensing agreements
Policy: The agreements for all computer programs licensed from third
parties must be periodically reviewed for compliance by the Group
internal auditing staff.
Ordering Authorized Copies of Software Needed for Business Activities
Policy: The Honeywell Group will provide a sufficient number of licensed
copies of software such that workers can get their work done in an
expedient and effective manner. Management must make appropriate
arrangements with the involved vendors for additional licensed copies, if
and when additional copies are needed for business activities.
Internal Reporting of Information Security Violations & Problems
Policy: All staff of the Honeywell Group have a duty to report all
information security violations and problems to the Information
Technology Department of their unit companies and/or the Information
Technology Division of the Group on a timely basis so that prompt
remedial action may be taken.
External Reporting of Information Security Violations
Policy: If required by law or regulation, Unit Company’s management
must always promptly report information security violations to external
authorities through the Group IT Division. If not required to do so, in
conjunction with the Corporate Office Legal department, Unit Company
management must weigh the pros and cons of such reporting before
actually reporting any violations.
Annual Analysis of Information Security Violations & Problems
Policy: An annual analysis of reported information security problems and
violations must be prepared by the Group Information Technology
Division and forwarded to the Unit Company’s Chief Executives and to
the IT Steering Committee.
Compliance With Industry Specific Information Security Standards
Policy: Each Unit Company’s IT staff must employ industry-specific
information security standards. No exceptions are permitted unless it can
be demonstrated that the costs of using a standard exceed the benefits, or
that use of a standard will clearly impede the Company's business
activities.
Software and/or Data Exchanges with Third Parties Require Agreements
Policy : Exchanges of software and/or data between the Company and any
third party may not proceed unless a written agreement has first been
signed. Such an agreement must specify the terms of the exchange, as
well as the ways in which the software and/or data is to be handled and
protected.
SUMMARY
Any telecommunication equipment, software, hardware or IT process already in place in any
unit company that does not meet the standards and specifications of this policy shall not
be discarded outright. Rather, the Group IT Division is mandated, with the approval of this
policy, to upgrade it (if possible) to meet the requirements of this policy document.
Where it is not feasible to upgrade it and it is not possible to keep it in its present state, it should be
discarded.