IT SECURITY POLICY
To ensure data security and a working backup system, only the authorized person may handle his/her computer. The IT manager is responsible for all computer troubleshooting and data management systems. For ease of access, all computers are connected through the LAN system or an individual modem. To strengthen the IT system, the IT procedure below is established.
TOP 12 IT SECURITY POLICY POINTS
- Authorized User: Only an authorized person is allowed to use the computer, and after completing the day's work this person is responsible for properly shutting it down. Designated system users must provide an individually assigned password for all systems.
- Password: Individual accounts and passwords shall be created for users to access the system. The IT manager is responsible for changing the password every three months. All passwords shall be preserved by IT for further modification or in case a password is forgotten. The system IT administrator must ensure that a password is suspended after 3 (three) failed access attempts.
- Change of Password: All users' passwords must be changed after 4 weeks.
- Monitoring: Access to computer systems shall be monitored and reviewed periodically, i.e., each month, by the IT department.
- Anti-Virus: Firewalls, anti-virus and tampering-prevention software shall be used to allow the system to both log and detect viruses, security violations, and tampering. The IT department runs the anti-virus software automatically every day on each computer.
- Hardware Security: Hardware security shall be controlled and monitored by the IT department (e.g. controlling workstations, security server, password-protected screen savers).
- Data Recovery: The IT department shall keep weekly/daily backups in a secured place to protect its IT systems, which includes a full IT disaster recovery plan to prepare for any unforeseen incidents.
- Removable Disk: To ensure computer security, the IT department shall alert all users to scan any removable disk before use.
- Security of Information: Every account holder shall act honorably toward the company’s internal data system. Nobody is allowed to share internal data with other companies/competitors without authorization from top management. If IT or anyone else detects such a user, management shall take serious action against the account holder.
- Personal Work: Nobody is allowed to carry out personal activities, web browsing, or web e-mail checking during working hours using company property. The company will take serious action against anyone who does so.
- Violation of IT Security: It is a violation if any unauthorized person uses a computer without proper authorization from the IT Manager. The IT Manager is responsible for regularly auditing the IT system for unauthorized access or attempted access and will take necessary action accordingly.
- Management meeting: The Company shall regularly hold meetings, attended by senior management, to address information technology issues, including system security. The system administrator must conduct meetings with senior management on IT issues.
Invalid Password attempts: The system administrator will set up the system to handle invalid password attempts and file access.
DISCIPLINARY PROCEDURE FOR IT SYSTEM VIOLATION
If a complaint or claim is raised from any source against any employee or outsider involving a violation of the IT policy, the IT Manager is responsible for investigating the case with the Disciplinary Action Committee of the facility, which consists of 03 (three) members. After investigation, if the complaint/claim is found to be true, the Admin/HR Department issues a warning letter or verbal warning, or terminates the defaulter, whoever it may be, and hands them over to the local law enforcement authority, depending on the nature of the claim/violation of the IT security system. Every employee/defaulter has the right to defend himself/herself or raise grievances in writing for a low-category claim/violation.
All access shall be prohibited for an employee who is terminated for violating the IT security system, and all company security property shall be retrieved (e.g. photo ID card, keys, alarm code, access cards, computer access, etc.). A final cheque shall not be issued to the employee until all company security property is returned.