Monday, November 5, 2018



MZM (CEPZ) LIMITED
PLOT # 08 – 09, SECTOR # 2/A, CEPZ,
Chittagong, Bangladesh.
Tel: 880–031–740353-4, Fax: 880-031-250369.
Information & Network Security Policy

 







 

| Number of Revision | Revision Date |
|---|---|
| 1 | 12-06-2013 |
| 2 | 07-05-2014 |
| 3 | 15-04-2015 |
| 4 | 25-06-2016 |
| 5 | 24-09-2017 |
| 6 | 08-10-2018 |
 

  






Issue Number- 5

| | Name | Signature | Date |
|---|---|---|---|
| Prepared By: | Anwar Hossain, IT In-Charge | | |
| Responsible for Implementation: | Kazi Masud Ahmad, AGM (HR, Admin & Compliance) | | |
| Approved By: | Mr. Omar Faroque, Executive Director | | |






Table of Contents

1. Overview
2. Purpose
3. Scope
4. Types of Policies
   A. Network System Policy
   B. IT Assets Policy
      I. Mail Server
      II. DTS Server
      III. CCTV Server
      IV. Tally Server
      V. File Server
   C. Accounts Setup Policy
      I. Create Computer/Laptop Login ID
      II. Create E-Mail Account
      III. Internet Access User
   D. Computer Maintenance Policy
   E. Backup System Policy
      I. Mail Backup
      II. File/Data Backup
      III. DTS Database Backup
      IV. Tally Data Backup
      V. CCTV Data Backup
   F. Other Security Policy
      I. Login Fail after 3 attempts
      II. Antivirus Software
   G. Recovery Policy
   H. Violation Policy




1. Overview
Consistent standards for network access and authentication are critical to the company's information security and are often required by regulations or third-party agreements.  Any user accessing the company's computer systems has the ability to affect the security of all users of the network.  An appropriate Network Access and Authentication Policy reduces risk of a security incident by requiring consistent application of authentication and access standards across the network.

2. Purpose
The purpose of this policy is to describe what steps must be taken to ensure that users connecting to the corporate network are authenticated in an appropriate manner, in compliance with company standards, and are given the least amount of access required to perform their job function.  This policy specifies what constitutes appropriate use of network accounts and authentication standards.

3. Scope
The scope of this policy includes all users who have access to company-owned or company-provided computers or require access to the corporate network and/or systems.  This policy applies not only to employees, but also to guests, contractors, and anyone requiring access to the corporate network.  Public access to the company's externally-reachable systems, such as its corporate website or public web applications, is specifically excluded from this policy.








4. Types of Policies

The types of policies cover the following key areas of the organization, which are described below.
A) Network System Policy
B) IT Assets Policy
C) Account Setup Policy
D) Computer Maintenance Policy
E) Backup System Policy
F) Other Security Policy
G) Recovery Policy




A. Network System Policy

The network system is designed to share data among the networked computers using network devices that are controlled from the IT room and distributed according to network topology rules, so that data can be transferred from one node to another through the network without interrupting other resources or compromising security.


B. IT Assets Policy
IT Assets and Accessories Purchasing Policy
IT assets will be purchased based on management approval; IT accessories will be purchased based on department head approval. The IT section's role is to ensure the quality of the product.






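Department-wise IT Assets Summary

| Dept. Name | Computer/Server | Printer | Scanner & Photocopy Machine (PCM) | Laptop | CCTV | Card Punch Machine |
|---|---|---|---|---|---|---|
| Management | | 1 | | 3 | 1 | 1 |
| IT | 1 (5 Server) | 1 | | | 1 | |
| Accounts | 5 | 2 | | 2 | 2 | |
| PPIC | | | | 1 | | |
| HR | 8 | 3 | 1 PCM | | | |
| Commercial | 6 | 2 | 1 - 1 PCM | 2 | | |
| Warehouse | 4 | 1 | 1 | | | |
| Production | 6 | 1 | | 2 | | 9 |
| Sample | 1 | | | | | |
| Purchase | | | | 1 | | |
| MNT | 1 | | | | | |
| Security | 1 | | | | | |
| Other | | | 1 | | 27 | |
| Total | 33 + 5 | 11 | 3S - 2PCM | 11 | 31 | 10 |
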
Table 1: Detailed list of computers and other computer devices
Below is the summary of IT assets:

| Name | Quantity | Name | Quantity |
|---|---|---|---|
| Server | 6 | Printer | 11 |
| Desktop Computer | 35 | Photo Copy Machine | 2 |
| Laptop | 10 | Scanner | 3 |
| CCTV Camera | 31 | Card Punch Machine | 10 |
| Network Switch | 10 | Wi-Fi Router | 6 |

Table 2: IT Assets Chart

Servers:
Servers are maintained according to company requirements and data security needs, to process daily transactions and support the company's productivity and goals.

Below is the summary of servers:

| Name | Quantity | Name | Quantity |
|---|---|---|---|
| Mail Server | 1 | CCTV Server | 2 |
| File Server | 1 | Tally Server | 1 |
| DTS Server | 1 | | |

Table 3: Detailed list of server computers














I. Mail Server:
The mail server is configured with Debian Linux 7 and controls all of the company's mail, both incoming and outgoing. This is the most secure operating system for a mail server. Server configuration: RAM 16 GB, CPU Xeon E3-1220 v5 @ 3.00 GHz (4 cores), HDD 2 TB, OS Debian Linux 7.

       
Figure 1: Main Server Configuration

II. DTS (Data Tracking System) Server
The Data Tracking Software is developed and maintained by the company's own developer. The DTS server collects data from the different DTS modules (see Figure 1). Only permitted users are allowed to access data on the DTS server. User creation, permissions and modification are controlled by the Database Administrator. Only an admin user can create the different types of DTS user, depending on user requirements and which modules they want to use.

Module
Attendance System
Admin Panel
Payroll System
House Keeping
Master
Table 4: DTS modules

Server configuration: RAM 8 GB, CPU i5 3.30 GHz, HDD 500 GB, OS Windows 7 Ultimate.


Figure 2: User permission Entry Form


III. CCTV Server
The CCTV server is designed and configured for surveillance of our company. It records all CCTV data from the different locations of the company, and all CCTV locations can be monitored from the CCTV server both locally and remotely. MZM has a total of 21 CCTV cameras.

The CCTV server is configured with a DVR system and an 8 TB HDD.




IV. Tally Server
We also maintain a Tally server to handle daily transactions from the accounts and store processes and to hold that data centrally. Tally software is used mostly by the accounts and store departments. The respective department head maintains Tally users according to their working area, such as which department they log in to, so user creation and any permissions are given by the department head.

Tally server configuration: RAM 8 GB, CPU Core i7 3.40 GHz, HDD 500 GB, OS Windows 7 Professional.

V. File Server

All important user files are stored centrally on the File Server. Each user has a separate login account with which they can access the File Server to update their daily files and folders. One user cannot access another user's folders. Only the system admin can access all users' directories, and the system admin sets the directory access permissions for users. Every department has a separate directory for sharing its internal data. One department's local share directory is restricted from other departments' users.
File Server configuration: RAM 16 GB, CPU Xeon 3.00 GHz, HDD 2 TB, OS Windows Server 2012 R2.

Figure 3: Directory allocations in the File Server.















C. Accounts Setup Policy

I. Create Computer / Laptop Login ID
After a computer / laptop is allocated, the IT section sets a login account and password for it. Two login accounts are set up on every computer / laptop: one for the system admin and another for the user. The user login account is set to limited privilege. The following key points are controlled:
1. External USB storage devices are restricted, so that there is less possibility of virus infection on the user's workstation and of data theft.
2. After three unauthorized login attempts in a row, the system is locked for 30 minutes; the system administrator is able to unlock the system.

II. Create E-mail Account
A new e-mail account is created based on management approval. Each user has a separate login ID and password, and the IT section changes e-mail passwords every 3 months for security purposes.
For security reasons, the web mail facility is restricted for users. The IT section ensures that web mail and web admin facilities are restricted. The IT section keeps a backup of all user mail on our central data backup server. To control spam and internet viruses, we have configured a spam filtering option to keep harmful or spam mail out of the mail server.
Configuring a company e-mail account on a mobile device requires management approval.

III. Internet Access User
The company uses Aamra Networks as its Internet service provider. The IT section configures LAN and internet traffic control on a MikroTik firewall. Total bandwidth is managed centrally according to user permissions, and a controlled bandwidth is set for specific users based on their daily work. A user cannot exceed the maximum bandwidth limit assigned to them. Thus we are able to utilize our total bandwidth properly.

To control misuse, social network websites are blocked. The following sites are blocked:

D. Computer Maintenance Policy
The IT section maintains a complete list of all IT assets and user details. It contains the details of all user workstations, services and other information.
The following computer devices are checked on a monthly basis:
1. Computers are cleaned with a blower according to the timetable.
2. Whether power is properly connected through the UPS.
3. UPS battery and duration of UPS backup.
4. Computer power supply, RAM, mouse, keyboard and other peripheral devices.
5. Network cable connections, and whether all internal switches are working.

E. Backup System Policy
I. Mail Backup
There are two types of mail backup, internal and external.
Internal (auto) backup: taken by the user. When the e-mail system is closed, it asks whether to run an auto backup; once the user clicks yes, the backup data is stored on the user's computer.
External backup: taken by the IT section; the backup data is stored on the external hard disk.


II. Files / Data Backup
There are two types of backup, internal and external.
Backup by user: every user is allocated a data backup location on the data server, and every day the user has to copy and paste their files / data into their respective folder on the data server. The IT section ensures that each user has access only to their own folder; one user cannot access another user's folder.

Backup by IT section: every week the IT section copies the data / files to an external hard disk. This hard disk is kept with the IT section after the backup is completed.

III. DTS Database Backup
Every day the IT section takes a DTS data backup from the DTS server; the backup is stored both on the server PC and on an external USB storage device. The data backup includes all DTS modules. A maximum of 90 days of backups is retained on the hard disk.

IV. Tally Data Backup
Every day the IT section takes a Tally data backup from the Tally server; the backup is stored both on the Tally server PC and on an external USB storage device.

V. CCTV Data Backup
We have 21 CCTV cameras installed at various important factory locations. Authorized persons can monitor CCTV through LAN and WAN. The IT section keeps 45 days of CCTV backup.


F. Other Security Policy
I. Login Fail after 3 attempts
After 3 repeated login failures, the computer login ID is locked and the user has to contact the IT section within 30 minutes. An IT person will check and unlock the computer login.

II. Antivirus Software
All computer and laptop users use a commercial / industrial version license of "Kaspersky Security Center", which provides managed computers, Administration Server tasks, application management, remote installation, etc. The Kaspersky application is used to protect against viruses, typically through real-time defences and periodic scanning. Kaspersky software has evolved to cover other threats, including Trojans, spyware, and other malware.

G. Recovery Policy
The recovery system covers the following incidents:

1. Deleting files accidentally
2. Viruses and malware
3. Damage to hard drives
4. Power failures
5. Theft of a computer
6. Spilled coffee and other water damage
7. Fire accidents and explosions

In all of the above cases, IT plans for recovery through regular backups.
1. Detail the data stored on the systems, its criticality, and its confidentiality. This detailed data is kept on the external hard disk.
2. For the equipment replacement plan, we determine what equipment is required to begin providing services and the order in which it is needed, and note where to purchase the equipment. Finally, the equipment is replaced.







H. Violation Policy
Violation detection and notification:
1. When an employee detects or suspects a violation of the organization's IT policy, the employee should report the issue to the IT department.
2. If the suspected or detected issue is found to be a genuine violation of the IT system, it should be investigated as soon as possible.
3. If it is confirmed that the issue violated the IT policy, immediate action is taken with the help of the Admin & HR department.
4. If the violation is related to a user ID, the affected ID's connection will be disconnected with the permission of the HR/Admin department.
5. If a violation was committed intentionally, its facts and findings will be determined as per the Managing Director's order.
6. If anything is critical/major, it should be notified to the M.D. by the IT Head.
7. The IT Head will take corrective action as per the company IT policy.
8. The IT Head reserves all rights regarding the conditions of information access control and IT security.
N.B.: If you face any problem with the above-mentioned rules, please feel free to inform the IT department. We are always with you to provide our valuable support.




Violations, complaints, or questions about these policies should be directed to <it@mzmbd.com>

