IT Security Policies

International Tractors Limited has implemented an Information Security Policy effective from November 17, 2021, to protect its information assets. The policy outlines acceptable usage, asset management, and various IT security protocols that all employees and associates must adhere to, with consequences for violations. The document includes specific policies on password management, email usage, internet access, and data handling to ensure the security and integrity of the company's information systems.

Uploaded by

p.dhana6

INTERNATIONAL TRACTORS LIMITED

Jalandhar Road, Hoshiarpur, Punjab


Reference: ITL/IT/Pol./2021
Effective From: 17 November 2021

Information Security Policy Document

Version 1.0

Sep 2021

IT Policies –V1 P a g e 1 | 100



Message from Management


My Dear Colleagues

Digital technologies are changing the world and at ITL also we have embarked on a journey to digitally
transform us.

One of the key competitive and valuable assets for any organization as we all know is information and
it needs to be suitably protected at all times. Information can exist in many forms. It can be printed or
written on paper, stored electronically, or any other means. Whatever form information takes, or
means by which it is shared or stored, it should always be protected.

I am pleased to share ITL’s security policies with you all. The objective of ITL’s information security
policies is to lay down guidelines that need to be followed by all of us to ensure security of our
information.

These policies are applicable to all persons working in or for all Sonalika group companies, including
third party resources or anyone who has been granted access to Sonalika’s IT systems and/or key
data and information. Head of IT is designated as the owner of this document and these policies would
be reviewed at least once every year. In addition, compliance with the policies would be monitored /
audited on a regular basis.

Any employee or associate found to have violated this policy might be subjected to disciplinary action,
up to and including termination of employment. Employees are also expected to report any violations
to their line Manager and/or the policy owner.

I urge each of you to ensure that you and your teams and partners comply with these policies at all
times.

Best Wishes

Raman Mittal
Executive Director


Contents

Sr. No | Policy Description
1 | Acceptable Usage Policy
2 | Asset Management Policy
3 | Password Policy
4 | Email Policy
5 | Internet Policy
6 | IT Asset Management at the time of Exit of Employee
7 | Print Guidelines
8 | Clear Desk Clear Screen Policy
9 | Mobile Device Management Policy
10 | Electronic Data Transfer Policy/Procedure
11 | Access Control Policy
12 | Security Awareness and Training Policy
13 | Application Access Management
14 | Policy for Data Centre Management
15 | Patch Management Policy
16 | Change Control Policy
17 | Incident Management Policy
18 | Outsource & External Facility Policy
19 | Encryption Policy
20 | VA (Vulnerability Assessment) / PT (Penetration Testing) and Code Review Policy
21 | Cloud Services Access Policy
22 | Baseline Hardening Guidelines
23 | Exception Management
24 | Electronic Data Archival Policy
25 | Audit and Logging Policy
26 | Asset Scrap Policy
27 | Remote Access Management
28 | Backup Policy
29 | Physical and Environment Control Policy
30 | Data Classification and Handling Policy
31 | Social Media Policy
32 | IT Risk Management Framework
33 | Application Security Policy/Guidelines
33 | Application Development Guidelines – C# Coding


Acceptable Usage Policy


Objective

The objective of this policy is to outline the acceptable use of the company’s IT assets. These rules are in
place to protect the employee and the company. Inappropriate use exposes the company to risks including
virus attacks, compromise of network systems and services, and legal issues.

Scope

This policy applies to the use of information, electronic and computing devices, and network resources
to conduct company business or interact with internal networks and business systems, whether
owned or leased by the company, the employee, or a third party. All employees, contractors, consultants,
temporary and other workers at the company are responsible for exercising good judgment regarding
appropriate use of information, electronic devices, and the network.

Policy

• Company provides various IT assets to various business users and IT team to conduct business of ITL.
• While company desires to provide a reasonable level of privacy, users should be aware that the data/information they create/store on any system/hard copy remains the property of company.
• Though IT team will take all measures to protect the company network and systems, management cannot guarantee the confidentiality of individual / personal information stored by the employees on any digital device belonging to the Company.
• For security and network maintenance purposes, only authorized individuals within IT team are allowed to monitor equipment, systems and network traffic at all times.
• The employee shall take due care and obtain the necessary approvals while disposing of / destroying Confidential Information.
• The employee shall not use company’s IT facilities for any profit making or commercial activity other than that of company.
• The employee shall promptly advise their immediate supervisor and IT team if they discover that there is any security risk.
• Unauthorized copying of copyrighted material including, but not limited to, installation of any licensed software without formal approval from IT is strictly prohibited.
• Introduction of malicious programs into the network or server (e.g., viruses, worms, etc.) is strictly prohibited.
• Revealing one’s account password to others or allowing use of your account by others is prohibited. This includes family and other household members when work is being done at home.
• Using a company provided computing asset to engage in procuring or transmitting material that is in violation of sexual harassment or any other laws is strictly prohibited.
• Making fraudulent offers of products, items, or services using any IT system of the company is prohibited.
• Disruptions to network communication and security breaches are strictly prohibited. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access, unless these duties are within the scope of regular duties. For purposes of this section, “disruption” includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes. Port scanning or security scanning is expressly prohibited unless done by the network Security Team or by external parties with written approvals.
• Executing any form of network monitoring which will intercept data not intended for the employee’s host is prohibited, unless this activity is a part of the employee’s normal job/duty.
• Providing information about, or lists of, ITL employees to parties outside company is prohibited unless approved by the HOD or management.
• Users are permitted to use only those network addresses which are issued to them by IT team.
• Users must not download, install or run security programs or utilities that reveal weaknesses in the security of a system. For example, users must not run password or license cracking programs, packet sniffers, network mapping tools, or port scanners while connected in any manner to the company’s network infrastructure.
• Users must not install network hardware or software that provides network services without head IT’s approval.
• Management reserves the right to disclose all communications, including and not limited to text and voice, to law enforcement agencies or other third parties in compliance with legal, statutory and regulatory requirements.
• Users shall collect their printouts immediately from the printer.
• Discussion of Confidential and Secret Information over phone is prohibited.
• Registering using company’s email id on public sites like Zomato, Swiggy, Amazon, Flipkart, Facebook, Twitter etc. is prohibited.
• A number of policies have been formulated, as listed below, and a summary of these policies follows. All users and IT team members are to go through this document and the detailed policies and ensure adherence at all times.

  • General Use and Ownership Policy
  • Password Policy
  • Email Policy
  • Internet Policy
  • Social Media Policy
  • Clear Desk Policy
  • Electronic Data Transfer Policy
  • Backup Policy
  • Encryption Policy
  • Security Training and Awareness Policy
  • Print Guidelines

A summary of these policies is given below. For the detailed policies, please refer to this document in detail.

General Use and Ownership:

• Company proprietary information stored on electronic and computing devices, whether owned or leased by company, the employee or a third party, remains the sole property of company. You must ensure through legal or technical means that proprietary information is protected.
• You have a responsibility to promptly report the theft, loss or unauthorized disclosure of company proprietary information.
• Company reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.

Password Policy:

• This policy is to ensure secure use of Company’s IT assets (Hardware/Software) by setting up rules for IT Team and Users for deployment of strong passwords and for changing them periodically to make sure that only authorized people can access those assets and data.
• All Employees must change their password on 1st login.
• All Employees need to change their passwords every 6 weeks (42 days).

Email Policy:

• The Policy is applicable to all the email users of Organization.
• This Email Policy is applicable to Employee from Grade N1 to L10.
• Email id will be created as [email protected]; in case the same name exists, the id will be created as [email protected]. The numeric value will increase if the same first name and last name occur, and ids will be issued on a first-come, first-served basis.

Internet Policy:

• This policy applies to all our employees, contractors, and partners who access our network or computers.
• Username and Password is unique to the user and is given to the User to log in to the Internet Portal in the office.
• To monitor Internet usage, IT will monitor the logs of browsing history.
• Sharing the Username and Password with another employee, visitor, or guest is prohibited.

Social Media Policy:

• This policy applies to all Employees, contractors & Stakeholders and all types of social media.
• For social media, all content must be relevant, meet specified goals or purposes and add value to Company’s brand.
• Content must be polite and respectful.

Clear Desk Policy:

• This policy applies to all company Employees, Contractors and Third Party Employees who have access to IT assets or any information in Company.
• Employees are required to secure all sensitive/confidential information in their work space at the end of the work day or when they are expected to be away from their work space for an extended period of time. This includes both electronic and physical hard copy information.

Electronic Data Transfer Policy:

• This policy applies to all our employees, contractors, and partners.
• IT department will create the access control (Read, Read/Write, and Full Access) for the user based on approval of User HOD for Data Transfer within Company.
• Portable media (USB Storage etc.) is not allowed on company assets. If anyone requires the same, he / she will have to get HOD approval / Management giving detailed business reasons and send the approval to IT. IT will then provide the access.

Backup Policy for End computing / User Files:

• The backup standard data format would be Excel, docs, PPT, PDF.
• Maximum data backup size would be 5 GB per user.
• Concerned department HOD would have to provide to IT Department the list of users who have important data that is required to be backed up for business continuity.

Encryption Policy:

• This policy applies to all company Employees, Contractors and Third Party Employees who have access to IT assets or any information in Company.
• This policy is to protect confidentiality, authenticity and integrity of company’s information that is transferred through internal or external devices and network.

Security Training and Awareness Policy:

• This policy applies to all company Employees, Contractors and Third Party Employees who have access to IT assets or any information in Company.
• This policy is to ensure that users are aware of Information Security threats and concerns and are adequately trained to support organizational Security policy in the course of their normal work.

Print Guidelines:

• Printers are to be used for printing official documents that are relevant to the day-to-day conduct of business at International Tractors Ltd. Printers should not be used to print personal documents.

Asset Policy
Objective

The objective of this policy is to ensure the timely delivery of the asset to the newly joined employee
and replacement of the asset of the existing employee.

Scope

The Asset Management policy covers the procurement and allocation of the Hardware and Software
asset for the business users. All IT hardware / software will be purchased in accordance with
International Tractors Limited procurement protocols by Commercial Dept. HSP/NCR with technical
inputs from IT.

Policy

• Laptop, Desktop and Workstation configuration details for procurement of the new asset with respect to designation of the employee would be as follows. In case any higher configuration or change in configuration is required in Laptop/Desktop/Workstation, special approval will be required from Management.

Asset | Asset Description | Grade
Laptop | i3 11th Gen; 8 GB RAM; 14”; 1 TB; Win 10 Pro Preloaded | Below L4 – L6
Laptop | i3 10th Gen; 8 GB RAM; 14”; 512 SSD; Win 10 Pro Preloaded | L7-L8
Laptop | i5 10th Gen; 8 GB RAM; 14”; 512 SSD; Win 10 Pro Preloaded | L9-L10
Desktop | Intel Core i3, 10th Gen. (10100), 4GB DDR4 RAM, 1TB HDD, 19.5 inch display, Win. 10 Pro Pre-loaded | All Grades (as per requirement)
Workstation | Intel® Xeon® W-1250P (6 Core, 12M cache, base 4.1GHz, up to 4.8GHz), 64GB 2X32GB DDR4 2666MHz or 2933MHz, 1TB 7200rpm SATA 3.5” HDD, Nvidia Quadro P2200, 5GB, 4 DP (Precision 3640), Windows 10 Pro Preloaded, Dell 21.5” Monitor | All Grades (as per requirement)

• Any configuration revision needs to be approved by management. IT will propose revisions at a regular frequency, at least annually, based on performance and upgrades.
• HR department will raise the requirement to IT department for the new asset of the newly joined employees via email.
• As per their request, IT department will make the approval note for Management approval.
• After Management approval, IT department will submit the approval to commercial department with purchase request.
• Commercial department will finalize the product / asset after negotiation and release the purchase order to vendor.
• The Vendor will deliver the assets to ITL as per the purchase order.
• IT will arrange to collect these assets from OTT store and will install the operating system, default S/W (like Acrobat Reader, McAfee for all users) and any specific S/W (like Team center & NX for design users) on the asset received.
• In case MS Office or any specific software is required, HR or user will need to send approval as follows:

Client End Software | Description | Approval
MS Excel | Profile which needs extensive MS formulas and features (Accounts, Purchase, Sales and specific users if any); need evaluation from IT | Based on Management approval taken by Concerned department/HR/IT
MS Office | Profile which needs extensive MS formulas and features (GM and Above); need evaluation from IT | Based on Management approval taken by Concerned department/HR/IT
SAP Front End | Based on IT evaluation of profile need | HOD / as per business requirement
Any Specific Software | Based on IT evaluation of profile need | Based on Management approval taken by Concerned department/HR/IT

• Once the approval for software is received as above, IT will arrange to install the S/W on user asset.
• IT team will keep record of the software installation done (along with approvals) for procurements of S/W through Commercial department every quarter as per management approval.
• IT needs to maintain a record of the hardware and software assets which have been given to the business users, with the following details:
- Standard Computer Name (assigned at the time of installation)
- Employee Code, Name, Department
- FAR (Fixed Asset Register) Number (Bill no and Date information fetched from FAR No)
- IP Address
- Location for the asset
- Make, Model, Serial Number, Description
- IT Asset Tag Number
- Installation Date
- Operating System information
- Detail of the Hardware Assets will be shared with HR department for updating the asset information in the system issued to the employee.
- IT department will ensure to deliver the ready-to-use asset to user within 2 working days after receiving the asset.
• Software inventory records must include the following details:
- Product Name, Part No (for example MS Office, 112-09811)
- Version detail (for example Standard version 2019)
- Date of Purchase
- License Details (for example Perpetual, Subscription)

The process for the procurement and allocation of the asset would be as below:

SLA for procurement is 40 days* as per process; HR needs to forecast joining for the next 60 days.

• Delivery time is considered as per current practice; any delay observed in delivery may vary the SLA.

Replacement of the asset for the existing employee

• Replacement of the asset for the existing employee can be in the following cases:
o Asset has become old and has been evaluated by IT for replacement due to technical reasons.
o Asset is physically damaged and not usable; if BER (Beyond Economic Repair: cost of repair is more than 60%-65%), the same would be recovered from the employee.
o User has lost the asset. The cost of the new asset would be recovered from the employee.
o Any waiver of recovery in a physical damage or lost case needs management approval with justification.
• In case of replacement of the existing asset with a new one, the concerned user has to submit the request to IT.
• IT will evaluate the asset with respect to ageing / working condition of the asset as per the guidelines below:

Sr. No. | Asset Type | Aging | Remarks
1 | Laptop | 4 Yrs. | Replaced with New asset with Management approval
2 | Desktop | 6 Yrs. | Replaced with New asset with Management approval

• In case the asset age has crossed the guidelines, IT will evaluate and process replacement of the existing asset with a new one after management approval.
• Special approval will be taken from Management in case of replacement of an existing asset before aging of the asset, and the existing asset will be handed over to IT to be reissued to other employees (if the asset is in working order).
• In case of theft, damage or loss, the Asset Procurement process will be followed for procurement of assets.

Password Policy
Objective

The objective of this policy is to ensure secure use of Company’s IT assets (Hardware/Software) by setting
up rules for IT Team and Users for deployment of strong passwords and for changing them periodically
to make sure that only authorized people can access those assets and data.

Scope

This Policy is applicable to all hardware and software assets in the organization and is categorized in
four categories as below:

1. End user equipment and applications – Desktops, Laptops, Workstations, Email, Web Applications
2. Network and Security Devices – Firewall, UTM, Wi-Fi, Switches, Network Printers
3. Software Applications
4. Data Centre Equipment – Servers, Storages, Chassis

Policy:

Password Policy for Desktops, Laptops, Workstations, Email, Web Applications:

Guidelines for IT Admin

• Every Desktop, Laptop, Workstation must be configured with only the following two Windows login accounts:
a) Local administrator b) User’s Active directory account
• Minimum password length has to be 8 characters and the password must include at least 1 alphabet in upper case, 1 alphabet in lower case, 1 number and 1 special character.
• All Operating system Guest accounts must be disabled.
• Local Administrator password must be different for all departments (i.e., separate administrator password for Purchase, HRD, R&D, Assembly & DDC departments etc.).
• The Local administrator password must be changed once in a year. ITSM Manager will ensure the change of password.
• All Local administrator account passwords must be managed by ITSM Manager.
• Local administrator password cannot be shared with anyone.

Guidelines for Users

• All Employees must change their password on 1st login.
• All Employees need to change their passwords every 6 weeks (42 days). This includes passwords for system login (Active directory), email login and various applications (TMS, DMS, SIPS, Employee portal, Darwin Box, Fiori, Supplier portal etc.).
• At the end of 37 days the system will generate a reminder notification for 5 days to remind users to change their password, until the password is changed by the user. The password will expire after 42 days if no action is taken by the user. (Only applicable for AD/Domain Users)
• The minimum password age is 1 day (i.e. if a user has changed his / her password, the user will be able to change it again after 24 hrs).
• Users need to log in to the web link of the application to change the respective application password.
• Minimum password length has to be 8 characters and the password must include at least 1 alphabet in upper case, 1 alphabet in lower case, 1 number and 1 special character. Examples for password are: Ayht@451, 1#Now45@, Rdks@#628!
• Last 5 passwords cannot be used. The system will remember the history of 5 user passwords, so if any user sets his password to Juyh@451, the system will allow the user to keep the same password Juyh@451 only after 5 successful changes of password.
• If you believe your password may have been compromised, please change the password immediately and report the incident to IT Support Team by email to [email protected] or
call at 01882522-464, 800.
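The user-facing rules above (length and character classes, 5-password history, 1-day minimum age, reminder from day 37, expiry at day 42) written as a checker; this is an added example, not part of the ITL policy document. The `Account` record, the PBKDF2 hashing of the history, and the reading that a password counts as expired once it is 42 days old are assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Values taken from the "Guidelines for Users" bullets of the policy.
MIN_LENGTH = 8
HISTORY_DEPTH = 5
MIN_AGE = timedelta(days=1)
REMINDER_AFTER = timedelta(days=37)
MAX_AGE = timedelta(days=42)

_CLASSES = {
    "upper-case letter": re.compile(r"[A-Z]"),
    "lower-case letter": re.compile(r"[a-z]"),
    "number": re.compile(r"[0-9]"),
    "special character": re.compile(r"[^A-Za-z0-9]"),
}


def complexity_errors(password: str) -> list[str]:
    """Return every length/character-class rule the password breaks."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in _CLASSES.items():
        if not pattern.search(password):
            errors.append(f"missing {name}")
    return errors


def _digest(password: str, salt: bytes) -> bytes:
    # Assumption: salted PBKDF2-HMAC-SHA256, so the history never holds
    # plaintext. A real directory service uses its own storage format.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    """Hypothetical per-user record: salted history, newest entry last."""
    history: list[tuple[bytes, bytes]] = field(default_factory=list)
    changed_at: datetime | None = None
    must_change: bool = True  # policy: change the password on first login

    def _in_history(self, password: str) -> bool:
        return any(
            hmac.compare_digest(_digest(password, salt), digest)
            for salt, digest in self.history
        )

    def change_password(self, new: str, now: datetime) -> list[str]:
        """Apply the change if allowed; return the list of violations."""
        errors = complexity_errors(new)
        # The minimum age does not block the forced first-login change.
        if (not self.must_change and self.changed_at is not None
                and now - self.changed_at < MIN_AGE):
            errors.append("minimum password age of 1 day not reached")
        if self._in_history(new):
            errors.append(f"matches one of the last {HISTORY_DEPTH} passwords")
        if errors:
            return errors
        salt = os.urandom(16)
        self.history.append((salt, _digest(new, salt)))
        del self.history[:-HISTORY_DEPTH]  # remember only the last 5
        self.changed_at = now
        self.must_change = False
        return []

    def status(self, now: datetime) -> str:
        """'change-required', 'ok', 'reminder' (days 37-41) or 'expired'."""
        if self.must_change or self.changed_at is None:
            return "change-required"
        age = now - self.changed_at
        if age >= MAX_AGE:
            return "expired"
        if age >= REMINDER_AFTER:
            return "reminder"
        return "ok"
```

Because the history holds the current password plus the four before it, a password becomes reusable only after five further successful changes, which matches the Juyh@451 illustration in the policy.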

Password Policy for Firewall, UTM, Wi-Fi, Switches, Network Printers

Guidelines for IT Admin:

• All Firewall, UTM, Wi-Fi and Network Switch admin passwords will be managed by Network Manager, and network printer and plotter passwords by ITSM Manager.
• All Firewall, UTM, Wi-Fi, Network Switch, network printer (MFP) and plotter default login passwords must be changed at the time of installation & configuration.
• All admin passwords (Firewall/UTM, Wi-Fi, Network Switch and MFP) must be changed every 90 days.
• All Wi-Fi access point passwords must be changed every 180 days.
• Minimum password length has to be 10 characters and the password should contain at least 1 alphabet in upper case, 1 alphabet in lower case, 1 number and 1 special character.
• Last 5 passwords cannot be repeated.
• Password cannot be shared with anyone.

Password Policy for Application S/W:

Guidelines for IT Admin:

• All Application passwords will be managed by the Application Manager and Email admin passwords by the Datacentre Administrator.
• All Email admin control and application admin control default passwords must be changed at the time of go-live or installation.
• All default Database credentials must be changed after installation and configuration.
• All admin passwords must be changed every 45 days.
• Minimum password length has to be 10 characters and the password should contain at least 1 alphabet in upper case, 1 alphabet in lower case, 1 number and 1 special character.
• Last 5 passwords cannot be repeated.
• All Web based applications should have MFA (Multifactor authentication) like two-factor authentication using CAPTCHA or OTP etc.
• Password cannot be shared with anyone.

Password Policy for Servers / Storages / Chassis:

Guidelines for IT Admin:

• All Server Operating System administrator, Sidadm (i.e., shpadm, s4padm, shdadm, shqadm, daaadm) & root passwords must be changed every 45 days.
• All concerned Application Managers have to update the new password in their application configuration (if applicable).
• All Guest login accounts in Microsoft Windows Server and the Sapadm, Shdxsa, sapsdt+ user login accounts in Linux / AIX must be set disabled/False.
• All Storage, chassis and Server ILO / IDRAC (admin/root) login passwords must be changed in 90 days.
• Some server administrator and Database User account passwords are exempted from the password policy due to application dependency on them. Application functionality is likely to be disturbed/stopped if there is any change in the administrator/admin password. Details of these exempted servers and applications are as follows:

Design Server: SA (SQL login account), Infodba (used in pool manager, webserver & active workspace configuration)
SAP Server: Operating System login account (Daaadm, prdadm, sapadm, sapsdt, SAPServiceDAA, SAPServicePRD, c11adm, sapservicec11, administrator)
Vector Server: Operating System Login account (Administrator)
Retail Server:
  Database Server: Operating System Login Account (Administrator), SQL Login accounts
  Application Servers: Operating System Login Account (Administrator)
Backup Server: Operating System administrator Account / Active directory Service account (dpmadm, bkpadm)

Note: These passwords are exempted in the first revision of the policy; all concerned application admins will work to mitigate the challenges in changing the password. Any changes done in this exempted list will be recorded and the update will be done in the next revision of the policy.

• All Server and Storage passwords must be managed by the Datacentre Manager, and SAP S4H users Sidadm must be changed by Application Manager.
• In case any Application Manager requires the administrator password and / or Remote desktop protocol (RDP) access to the server, they must provide approval from IT HOD mentioning the purpose and time period. RDP access will be given only through VPN.
• All RDP/VPN login accounts provided to External resources (Vendors) must be deactivated after final handover & sign-off of the project.
• Password cannot be shared with anyone.
• Minimum password length has to be 8 characters and the password should contain at least 1 alphabet in upper case, 1 alphabet in lower case, 1 number and 1 special character.
• Last 5 passwords cannot be repeated.

Passwords Withdrawal:

• If any Employee resigns from his job, all the relevant user passwords (Email, AD, TMS, DMS, Employee portal or any other application or system) must be changed by the respective application owner on or before the last working day of the employee. HR department must ensure to share the list of such employees with IT department well in time.
• In case of resignation of IT Manager, Application owner or Datacenter Administrator, all administrator passwords should be changed and shared with the person who is taking handover.

Master Custodian of Admin Passwords (Admin of admin / Super Admin)

• HOD IT will be the Master Custodian of all admin passwords.
• It is the responsibility of the respective ITSM Manager, Network Manager, Application Manager and Datacenter Manager, as the case may be, to share all the admin password details with HOD IT whenever a new Server, Storage, Application, Wi-Fi, Switch, or Firewall Device etc. is set on production or in case any password is changed.
• All the password details must be available in the form of hard copies, kept in a sealed envelope signed by the concerned IT Admin & HOD IT. The envelope must be stored in a fire proof cabinet.

Enforcement

• It is the responsibility of the IT Team & end user to ensure enforcement of the policies as above. Any employee found to be in violation of, or to have violated, this policy may be subject to disciplinary action as per HR Policy.

E-mail Policy
Objective

The objective of this policy is to detail the usages guidelines for accessing company’s email system.
This policy aims to reduce the risk of email related security incidents and enable faster good business
communications.

Scope

The Policy is applicable to all the email users of the Organization (Plant, Noida, Delhi, Sales & Customer
Care, Rotavator, ICML, IAFL, and Solis) and all the domain names (Sonalika.com,
Sonalikaindustries.com, Solstractor.in, Atfl.co.in, Solisworld.com, Worldtracs.com, Yanmar-solis.com,
Agrinewgen.vc) or any other domain that is provisioned in future.

Policy:

This policy is categorized into the following three sections:

1. Email ID Activation Process
2. Email ID Deactivation Process
3. Email Usages Guidelines

Email ID Activation Process:

 This Email Policy is applicable to employees from Grade N1 to L10.
 The HR Department will take management approval for the activation of an email ID for a newly joined
employee along with the asset approval. If any existing employee requires an email ID,
he will arrange to provide management approval authorized by the concerned H.O.D.
 The HR department will submit the email creation request along with management approval to
the IT department through the Help me portal. Existing users can directly contact the IT Service Desk for
email ID creation after taking management approval. Requests without management
approval will not be processed.
The following details must be submitted by the requester to create an email ID:
employee first name, middle name, last name or surname, employee code, department and
section, location, contact no.
 The IT department will create the email ID the same day and share the details (login ID/email ID,
password, webmail address) with the requestor through email and through phone call.
 The email ID will be created as [email protected]; in case the same name exists, the
ID will be created as [email protected]. The numeric value will increase if
the same first name and last name occur, and IDs will be issued on a first come, first served basis.
 The email ID will be generated in the respective domain in which the employee joined (i.e., for Sonalika
employees @Sonalika.com and for ATFL @atfl.co.in). In case of employee transfer to another domain,
the employee’s email ID will be changed to the respective domain. The HR Department will share the details of
such employees. In such cases the existing ID will be deleted; if the user needs the old email data, it will be
transferred to his computer.
 In case an employee needs more than two email IDs with different domains, he must provide
management approval mentioning the details of the requirement.
 IT will keep a record of newly created email IDs along with the management approvals submitted by
HRD and other departments, and will process the procurement and addition of email IDs monthly.
 Generic email IDs will be given only based on management approval.

Email ID Deactivation Process:

 IT will disable email IDs on which no activity (login, send/receive) has been performed by the user for 45
days; they will be deleted permanently after 60 days.
 The HR Department will share the details of resigned / on-notice employees with the IT
department through the Help me Portal. In case of urgency, the HR department can email the IT
department for deactivation of the email ID.
 IT will deactivate the email ID on the mentioned date and will update the requestor via
email.
 In case email of an employee who has left is to be forwarded to another employee, the request has to be submitted to the IT
H.O.D by the concerned department. If email data transfer is required by the concerned department, they
have to mention it in the email forwarding request.
 This forwarding of email will be valid for 30 days from the employee’s last working day. After that the email
account will be deleted from the server along with its data.

Email Usages Guidelines:

Email Handling:
 Every user needs to log in to the webmail link to access their email. The webmail is the easiest way
to operate the email ID and is equipped with all the features (like calendar, meetings, chat, office suite, out
of office notification, tasks etc.).
 To use Microsoft Outlook, the user must take commercial approval from management.
 To enable fast response, email access can be configured on the user’s mobile.
 Send email only to the concerned persons and avoid adding email addresses of people who are not related to
the subject of the email.
 If you are on leave or out of office for a specific time, set the autoresponder on; this will generate a
notification to the sender that you are unavailable for the date and time you mentioned in the autoresponder.
Users may take IT help to use this functionality.
 Email users have to periodically manage the mailbox by deleting old circulars, cc/bcc emails and old
emails. No email older than 1 year is to be retained in the inbox or sent folder. If there is an important
email that is older than 1 year, create a folder (like important emails) and move such important emails
to this folder.
 In case an email user forgets the password, the user needs to send an email to the IT department from his
colleague’s or H.O.D’s official email ID. The user must change his password after receiving the new password.

Do’s and Don’ts for Users

 Always check and verify the identity of the sender (like [email protected]) before replying or taking
action on an email.
 Do not write your email password anywhere at your work place.
 In case you are accessing your email ID on another device (desktop, laptop, workstation), do not
click on the “save password” pop-up window.
 Do not use your official email on e-commerce websites like Amazon, Flipkart, and Myntra, social
websites like Facebook, or for subscribing to newsletters.
 Do not click on any suspicious link received in emails (like click here to win prize or money, click
here to change password). These links contain threats like malware, spam, or Trojans that may affect the user’s
data and computer.
 Design and DDC users can send email to the internal domain only, with a maximum email attachment size of 2 MB.
If any user needs external access and / or a larger limit on email attachments,
management approval would be required after authorisation by HOD.
 Email users are not allowed to send email attachments with the following file extensions
(‘com’ or ‘zip’ or ‘rar’ or ‘dwg’ or ‘inp’ or ‘ppf’ or ‘dxf’ or ‘stp’ or ‘prt’ or ‘dwl’ or ‘cae’ or ‘fem’ or
‘hm’ or ‘cmd’ or ‘mf2’ or ‘mf1’ or ‘igs’ or ‘dwf’ or ‘sim’).
 Users are prohibited from knowingly or intentionally broadcasting emails containing false,
inaccurate, abusive, offensive or illegal material.
 Users are prohibited from knowingly or willfully using official email for personal use.

Internet Policy
Objective

The objective of this policy is to provide guidelines for acceptable use of the organization’s Internet
network, so that Internet usage enhances work productivity and efficiency while ensuring the safety and
security of the Internet network and organizational data.

Scope

This internet policy applies to all our employees, contractors, and partners who access our network or
computers (ITL, ICML, Rotavator, Agro, AFL, NCR Location / Offices). It covers the activation /
deactivation process, department wise access matrix and Internet Usage Guidelines.

Internet ID Creation Process: -

 Internet access is not allowed in R&D and will be provided only based on the Management
approval after authorisation by HOD.
 For other departments, HR department will raise an online request to the IT department for
Internet Access for newly joined employees.
 In case an existing employee needs internet access, he / she will have to send a formal request
giving Employee Name, Employee Code, AD Login, Email ID, Access Required, Location, Contact
Number. The request has to be approved by HOD.
 Based on the request, the IT department will create the Internet ID.
 The Internet login ID will be the same as the user’s AD login (for example as16237) and the password will be set as per
the Password Policy.
 An automatic notification email will be triggered to HR / the user with their credentials.
 The sites permitted for access will be as per Table 1.

Internet ID Creation process is depicted as follows

Table 1

Sites permitted for access (Department Wise Internet Access Matrix)

| Department | Web Category | Approval |
|---|---|---|
| HRD | General Business, Social Media, Job Sites | HOD Approval |
| Finance | General Business, Finance sites (Legal, Online Payments, Bank, Official Custom Sites) | HOD Approval |
| Design | Limited Access (Search Engines, Design Application Domains, Hotel and train booking) | HOD Approval |
| Directors Office | General Business, Social Media, Email Domains, e commerce, Religious | HOD Approval |
| CSR | General Business, Social Media, e commerce, religious | HOD Approval |
| Marketing & Branding | General Business, Social Media, Auctions & Classified Ads, Advertisement | HOD Approval |
| Others | General Business | HOD Approval |

General Business: Search engines, Travels and Hotel Booking, Health &
Medicines, Image Search, Information Technology, Technological Domains,
Educational, Government, vehicles, Video Conference.

In case access to any special site / domain other than those in the above matrix is required,
separate management approval is required.

Internet ID Deactivation Process: -

 The HR department would raise a request to the IT department in the Full & Final Portal or via email for
deactivation of the Internet ID of users who have submitted their resignation.
 As per HR’s request, the IT department will deactivate the Internet ID on the same day and send a
confirmation e-mail to HR.

Internet Usages Policy / Guidelines

 The username and password are unique to the user and are given to the user to log in to the Internet
Portal in the office.
 To monitor Internet usage, IT will monitor the logs of browsing history.
 Sharing the username and password with another employee, visitor, or guest is prohibited.
 A visitor or guest user who wants to use the office Internet will be given a Guest login based on
the request.
 The username and password allotted to an employee will be deleted upon
resignation/termination/retirement from the organization as per the HR process.
 Internet users are not allowed to use their Internet ID on any other system.
 Users are not allowed to access any prohibited content.
 IT reserves the right to maintain and monitor the logs of the browsing history of every user who is
using the Internet.
 If a user has unintentionally connected to a site / domain that contains harmful content
(i.e., hacking, gambling, illegal activities, malware, virus) or to any other non-business-relevant
domain which is not secure, the user needs to immediately disconnect the PC from the network and
inform the IT Service Desk.

Following activities are prohibited on the ITL Internet network:

 Viewing online movies, playing games.
 Accessing, displaying, uploading, downloading, storing, recording, or distributing any kind of
pornographic or sexually explicit material.
 Accessing potentially dangerous websites that can compromise the safety of our network and
computers.
 Downloading images, videos, and documents which are not relevant to business.
 Engaging in any criminal or illegal activity or violating the law.
 Accessing the Dark Net.
 Disclosing confidential information about ITL in a personal online posting, upload, or transmission,
including financial information and information related to customers, business plans, policies,
staff, and/or internal discussion.
 Knowingly or wilfully creating or propagating any virus, worm, Trojan horse, or
other destructive program code.
 Downloading, copying or pirating software and electronic files that are copyrighted or without
authorization.
 Sending or posting information that is defamatory to the company, its products/services, colleagues
and/or customers.

IT Asset Management at the time of Exit of Employee


Objective of the Policy

The objective of the policy is to lay out guidelines for the process of taking back IT assets in case of
exit (resignation or retirement) of employees.

Scope of the Policy

This policy applies to all employees of Sonalika Group.

Policy and Procedure

 Whenever an employee leaves the organization (either by resignation or retirement), HR will
inform IT at least one week in advance of the last day of the employee.
 HR would enter the details in the Employee support system for informing and getting clearance
from IT for all IT assets issued to the employee.
 The IT SPOC for the location (as per the list circulated by Head IT) will process the request and provide the
list of IT assets to the user so that he / she can return the same. This will include desktop, laptop,
printer etc. as the case may be.
 All field employees will be required to submit their IT assets at the Noida office.
 The IT SPOC will receive the assets from the user and update the hardware inventory list.
 All licenses allocated to the user will be deallocated and the IT SPOC will update the software inventory
list.
 The IT SPOC will also ensure that e-mail and internet access is deactivated for the user as per the date
mentioned by HR (or the HOD of the employee).
 Once all IT assets are received and e-mail and internet access is deactivated, the IT SPOC will inform
Head IT. Head IT will verify the work done by the IT team and approve the request after work
completion verification. In case of non-completion of the work by the IT SPOC, Head IT will ensure
that the IT SPOC completes the work.
 Once Head IT approves the action taken by the IT SPOC, a notification will go to HR regarding the full
and final clearance as regards the IT assets of the employee.
 Asset allocation within the department needs the approval of HOD and HR.
 Self-purchase of assets by users needs management approval.
 IT assets need to be handed over to the IT Department before F/F is cleared. In case a user leaves without
information, HR will provide his/her assets to IT.

Print Guidelines
Overview

Printers are to be used for printing official documents that are relevant to the day-to-day
conduct of business at International Tractors Ltd. Printers should not be used to print
personal documents.

Guidelines

 Do not print multiple copies of the same document – the printer is not a copier and
typically costs more per page to use. If you need multiple copies, print one copy on the
printer and use the photocopier to make additional copies.
 If you print something, please pick it up from the printer immediately. If you no longer want
a print, please dispose of it appropriately using the shredder.
 If you come across an unclaimed print job, please dispose of it through the shredder.
 Make efforts to limit paper usage by taking advantage of duplex printing (i.e. double-sided
printing) features offered by some printers and other optimization features (e.g. printing
two PowerPoint slides per page versus only one per page).
 Make efforts to limit toner use by selecting light toner and lower dpi default print settings.
 Avoid printing large files, as this puts a drain on network resources and interferes with the
ability of others to use the printer.
 Please report any planned large print jobs to the IT department so that the most
appropriate printer can be selected and other users can be notified.
 If printing a job in excess of 25 pages, please be at the printer to collect it when it comes
out to ensure adequate paper supply for the job and that the output tray is not overfull
(i.e. you may need to remove some of the output before the print job is finished).
 Avoid printing e-mail messages. This is wasteful. Instead, use the folders and archiving
functionality in your e-mail application to organize and view your messages.
 Avoid printing a document just to see what it looks like. This is wasteful.
 Avoid re-using paper in laser printers, as this can lead to paper jams and other problems
with the machine.
 Many printers do not support certain paper types, including vellum, transparencies,
adhesive labels, tracing paper, card stock, or thicker paper. If you need to use any of these
paper types, consult with IT to find out which machines can handle these specialty print
jobs.
 Color printing is typically not required by general business users. Given this selective need,
as well as the high cost per page to print color copies, the number of color-capable printers
available has been minimized. You are strongly encouraged to avoid printing in color when
monochrome (black) will do.
 Printer paper and toner cartridges are available with the Stores of the respective locations.

 If you encounter a physical problem with the printer (paper jam, out of toner, etc.) and
are not “trained” in how to fix the problem, please do not try. Instead, report the problem
to IT helpdesk or ask a trained co-worker for help.
 Report any malfunction of any printing device to IT helpdesk as soon as possible.

Clear Desk Clear Screen Policy


Objective

The objective of this policy is to document protocols that establish requirements on how employees
should handle company information and materials within the office. This policy aims to ensure that
confidential information and sensitive materials are locked when they are not in use.

Scope

This policy applies to all company Employees, Contractors and Third Party Employees, who have access
to IT assets or any information in Company.

IT Clear Desk Policy

 Employees are required to secure all sensitive/confidential information in their work space at the
end of the work day or when they are expected to be away from their work space for an extended
period of time. This includes both electronic and physical hard copy information.
 Laptops, workstations and PCs must be locked (logged out or shut down) when unattended and at the
end of the work day.
 Portable devices like laptops and tablets that may remain in the office overnight must be shut
down and stored away.
 Users must shut down their Desktop / Workstation / Printers / Plotters when they leave for the
day.
 Mass storage devices such as CD, DVD, USB drives, or external hard drives must be treated as
sensitive material and locked away when not in use.
 Printing physical copies should be reserved for moments of absolute necessity. Documents should
be viewed, shared and managed electronically whenever possible. Printed materials must be
immediately removed from printers or Plotter machines.
 All sensitive documents that need to be destroyed must be placed in the designated shredder bins
for destruction, or placed in the locked confidential disposal bins.
 File cabinets and drawers containing sensitive information must be kept closed and locked when
unattended and not in use.
 Passwords must not be written down or stored anywhere in the office.
 Keys and physical access cards must not be left unattended anywhere in the office.
 Unattended work areas should be clear of any information whether it is in electronic or paper
form.
 Photocopiers shall be appropriately protected from misuse during and after working hours.
 Whiteboards in meeting rooms or conference halls shall be erased as soon as the discussions/
presentations are over.
 Information in presentation computers or departmental laptops for training or electronic media
in meeting rooms or conference halls must be deleted as soon as the presentation is over.

Enforcement
 It is the responsibility of each Department Manager or equivalent to ensure enforcement of the
policies above.
 If you notice that any of your devices or documents have gone missing, or if you believe your work
space has been tampered with in any way, please notify ITL Security @ 01882522250 immediately
and also inform the IT helpdesk.

Mobile Device Management Policy


Objective

The objective of the Mobile Device Management (MDM) policy is to help mitigate mobile device security
threats and data breaches. Whether devices are personally or company-owned, this policy also aims
at making employees aware of the mobile security risks and the possible actions that they need to take to
mitigate the risks.

Scope

Mobile device as per this policy would include:

 Laptop and notebook computers
 Smartphones
 Tablet

This policy will apply to all employees, including contractors, part-time and full-time staff who access
company data or any system (for example e-mail, Company Portal, any Software application) on a
mobile device.

There are two main categories of mobile devices being used by employees: company-owned devices and
personal devices as part of Bring Your Own Device (BYOD).

General Guidelines for mobile devices usages:

 Users are not allowed to install, uninstall or format any software (including the operating
system) on company-owned devices. This will be done only by the IT department.
 In case users use BYOD for company work, they are responsible for all software
compliance, which includes operating system, antivirus and office suite. Users are advised not
to load pirated software or illegal content on their BYOD.
 Mobile users should take adequate caution when mobile computing facilities are used in
public places, meeting rooms and other unprotected areas.
 Users shall ensure that the documents they are studying/drafting on their mobile devices
cannot be viewed by anyone else.
 All personal devices (BYOD - Bring your own device) must have an antivirus installed before
browsing / accessing company data.
 All personal devices (BYOD - Bring your own device) must be kept up to date with
manufacturer or network provided patches. As a good practice, patch levels should be
updated at least once a month.
 Users will only load corporate data that is essential to their role onto their mobile device(s).
 The company’s software applications must only be installed from official platform-owner
approved sources; for details and verification, users can contact the IT helpdesk.

 Users must be cautious about the merging of personal and work email accounts on their
mobile phone. They must take particular care to ensure that company data is only sent
through the corporate email system.
 Mobile devices should not be left unattended. In case a mobile device is lost, it should be
immediately reported to HOD IT and the IT helpdesk. The IT admin will change the
application password of the user profile. IT will wipe out company data on the mobile phone to
protect the data from unauthorised access.
 In case of damage to or theft of a mobile device, the concerned user will be responsible and liable
to bear the loss from the damage or theft.
 Company laptops must not be checked in airline luggage systems. To avoid damage and theft,
these computers must remain in the possession of the traveller as hand luggage.
 Company laptops / mobile devices should not be left unattended in cars or in train / bus or
any public transport.
 Do not keep mobile devices in the trunk of a car, as jerks may lead to damage to the device.

Electronic Data Transfer Policy/Procedure


Objective

The objective of this policy is to detail the guidelines for accessing and sharing the company’s data. This
policy aims to reduce the risk of data security incidents.

Scope

This Data Transfer policy applies to all our employees, contractors, and partners (ITL, ICML, Rotavator,
Agro, AFL, NCR Location / Offices).

Types of Data Sharing

 Data transfer from one machine to another within the company using the Central File Server (all types of
data)
 Data transfer through Email within or outside the company (Documents, MIS, reports, Project
plans etc.)
 Data transfer through Web and Cloud Portal with external agencies (using Vaultize, or FTP)
 Data transfer from Portable Media with external agencies (using Pen Drive, Memory Cards, Mobiles,
External Hard disk etc.)

Type / Nature of Data that can be shared and Departments who can use Data Sharing

| Data Sharing Type | Type / Nature of Data that can be shared | Departments who can use this |
|---|---|---|
| Central File Server | Share any data within the company (Hoshiarpur, NCR) | All Departments |
| Email | Share any data with Internal and External people | All Departments |
| Web and Cloud Portal | For Design Related or any sensitive data sharing with external agencies | R&D Design |
| Web and Cloud Portal | Account data sharing external auditor | Account department |
| Portable Media | For Field users to share the data with external agencies | Authorized Users only |

Procedure to be followed

 The user has to initiate a request for sharing of data in the format given in Annexure 1.
 The Design department head needs to verify and approve the data sharing request.
 Once the R&D head authorizes the request, the same will be forwarded to the IT Department.
 The IT SPOC will get the same authorized by Head IT after verifying the data to be shared against
the request.
 The IT Head may reject the request if any discrepancies are found.

 After verification by the IT Head, final approval will be obtained from management.
 Once final approval is granted, the IT SPOC will encrypt the described data, upload it to the FTP
and share the URL with the recipient.
 The shared data will be available for the next 24 hours only; the IT department will remove the data from FTP
on the next day.
 Logs of the transfer need to be retained as per the logs retention procedure.

Guidelines

 The IT department will create the access control (Read, Read/Write, and Full Access) for a user based on
the approval of the user’s HOD for data transfer within the company.
 Portable media (USB storage etc.) is not allowed on company assets. If anyone requires the same,
he / she will have to get HOD approval with a detailed business reason and send it to IT. IT will then
provide the access.
 Users should ensure that they transfer / upload only company-related data to the File Servers.
 Data transfer / sharing through email should be done according to the Email Policy only.
 Data transfer / sharing from any laptop or PC to the internet should be done according to the Internet Policy
only.
 In case portable media, such as USBs and portable drives, is used for data sharing, the same
should be password protected.
 Data transfer with external parties like vendors, distributors, suppliers and auditors should always
be through the Vaultize Portal, according to the process in the Vaultize user manual available on the Sonalika
Portal.

Access Control Policy


Objective

The purpose of this policy is to set a standard and require procedures for managing, reviewing and
validating user access to information systems.

Scope

This policy is applicable to all employees, contractors, suppliers and dealers of company.

Level of Access Control


 Application: covers all applications such as Email, SAP, Teamcenter, Employee Portal, data
sharing portal, file servers and others.
 Server: covers the server operating system and server admin console.
 Network: covers internet, Wi-Fi, network switches, UTM, DLP.
 Physical: covers all biometrics such as attendance machines.

Types of Access granted

 User Level Access: all types of access are granted after User HOD and IT HOD approval according
to business need.
Individual User Accounts, Temporary User Account.
For generic ID creation and contractor accounts, management approval is also required.
 Admin Level Access: all access is granted according to role and responsibility after IT HOD
approval.

Guidelines

The IT team will develop procedures that will ensure that, prior to granting access to sensitive systems and
data, all new joiners have received induction and training that includes their responsibilities for
protecting confidential information.

1) The IT team will keep written records of IT system access requests, changes, terminations and
transfers for six months after full and final settlement.
2) The user account creation and deletion process should be followed as per the applicable Account
Management procedures for application, database, operating system, network etc.
3) System privileges on each computer platform will be restricted and controlled. The ‘Guest user’
account of each system will be disabled.
4) Redundant and unused user accounts will be removed periodically.
5) For third-party employees, a user ID with an expiration date that coincides with the relevant project /
tenure conclusion will be created.
6) HR will notify IT about the resignation, transfer or termination of any employee of the organization
without any delay, so that all facility and system access rights can be terminated immediately.
7) All Datacentre and network room entry points will be secured with biometric control and a list of
authorized persons will be pasted near the gate. A register will be maintained for recording access of all
other persons (after getting e-mail based approval for access from IT HOD).

8) All the information a user has access to on any of the ITL servers must be considered proprietary
to ITL and must be fully protected at all times.
9) Tampering with any data on any of the ITL servers is strictly forbidden and will result in disciplinary
action.
10) A user must not read or copy any information that is stored on the server.
11) A user must not grant/revoke access to any other user.
12) A user must not change any privileged account credentials.
13) A user must not install any software or patch on the server. Any installation must be fully endorsed
and must follow the Change Control procedure.
14) A user must not run any command or application that may inadvertently affect the server
performance.
15) A server must not be shut down or rebooted by a user unless deemed absolutely necessary.
16) Unless deemed necessary, the server configuration must not be tampered with by a member. Any
changes to the server must be documented.
17) The user must understand the importance and criticality of each of the servers under their domain
and must ensure that the system executes the operational capability under acceptable standards.

Security Training and Awareness Policy


Objective

The objective of this policy is to ensure that users are aware of Information Security threats and concerns
and are adequately trained to support the organizational Security policy in the course of their normal work.

Scope

This policy applies to all company Employees, Contractors and Third Party Employees, who have access
to IT assets or any information in Company.

Policy

 Management would communicate to all users the need for information security and importance
of Information Security Policy and security awareness sessions
 IT along with HR will conduct security awareness / training for users in the organization, including
third party users such as onsite vendors, security staff etc. IT department will plan and circulate
Security awareness calendar to all users.
 Information security awareness would be part of the orientation program for new joiners. New
Joiner would be imparted training in IT security basics and awareness program on company’s IT
Security Policies and procedures by conducting awareness sessions.
 IT security team would be imparted training on detailed IT security technology, standards and best
practices.
 Respective departmental managers would need to ensure that their team members are trained
on information security and attend security awareness sessions.
 IT security team will do a periodic review of training material to ensure that training is current and
relevant.

Application Access Management Policy


Objective

The objective of this policy is to ensure that ITL has adequate controls to restrict access to applications,
systems and data.

Scope

 All suppliers, employees, consultants, contractors, dealers, distributors and authorized users
accessing ITL IT systems and applications.
 All IT systems or applications managed by ITL that store, process or transmit information, including
network and computer hardware, software and applications, mobile devices, and
telecommunication systems.
 All company offices and third-party access from home and remote location.

Guiding Principles – General Requirements

The company will provide access privileges to applications based on the following principles:

 Need to know – users or resources will be granted access to the applications that are necessary to fulfill
their roles and responsibilities.
 Least privilege – users or resources will be provided with the minimum privileges necessary to
fulfill their roles and responsibilities.
 Requests for users’ accounts and access privileges must be approved by Business/HOD and
verified by IT admin and approved by H.O.D IT.
 Requests for special accounts and privileges (such as vendor accounts, application and service
accounts, system administration accounts, shared / generic accounts, test accounts and remote
access) must be approved by Business/HOD and verified by IT admin and approved by H.O.D IT.

Where possible, the company will set user accounts to automatically expire at a pre-set date. More
specifically,

 When temporary access is required, such access will be removed immediately after the user has
completed the task for which the access was granted.
 User accounts assigned to contractors will be set to expire according to the contract’s expiry date.
 User accounts will be disabled after 45 days of inactivity.
 User accounts and access control will be disabled in case of a role change or transfer.
 Access rights will be immediately disabled or removed when the user is terminated or resigns.
 A verification of the user’s identity must be performed by the IT Help Desk before granting a new
password.

Existing user accounts and access rights will be reviewed at least annually to detect inactive accounts
and accounts with excessive privileges. Examples of accounts with excessive privileges include:

 An active account assigned to external contractors, vendors or employees that no longer work for
the organization.
 An active account with access rights for which the user’s role and responsibilities do not require
access. For example, users that do not have authority or responsibility to approve expenses should
not have access with approval permissions within a financial system.
 System administrative rights or permissions (including permissions to change the security settings
or performance settings of a system) granted to a user who is not an administrator.

Guiding Principles – Privileged Accounts

 A nominative and individual privileged user account must be created for administrator accounts
(such as “first name. last name.”), instead of generic administrator account names.
 Privileged user accounts must be verified by the concerned application IT admin and approved by H.O.D
IT.

IT Contractors and Vendors

 For the protection of company data, contractor / vendor representatives will be required to sign
a Non-disclosure Agreement (“NDA”) prior to obtaining approval to access company systems and
applications. Prior to granting access rights to a contractor / vendor, the concerned IT admin will
verify this requirement.
 The name of the contractor / vendor representative must be communicated to the IT Help Desk
at least 1 business day before the person needs access or the access needs to be terminated.
 The concerned IT admin will maintain a current list of external contractors or vendors having access
to company systems.

Access Control Requirements

 All users must use a unique ID to access company systems and applications. Passwords must be
set in accordance with the Password Policy.
 System and application sessions must automatically time out after 20 minutes of inactivity, or as
per business needs and scope.
 Access control request and approval workflow is managed in the HELPME portal. (Delete)

Policy for Data Centre Management


Objective:

The security of the equipment and data in the Data Centre is of critical importance to the proper
functioning of Sonalika Group. The systems and data must be protected and remain reliable at all
times. Objective of this policy is to lay down guidelines for people and material movement in
Datacentre.

Policy Guidelines:

Access to the Data Centre

 All IT employees who require regular access to the Data Centre must obtain an approval from
Head IT.
 Such persons’ names will then have to be added to the authorization list by the Data Centre Admin.
 All such persons will have to be given biometric access to the Data Centre by the Data Centre Admin.
 A Data Centre authorization list containing the details of each person who is authorized to enter
will be maintained at the Data Centre by the Data Centre Admin.
 Access rights should be revoked immediately for staff who leave the employment of ITL.
 Anyone who does not have authorization will be considered a visitor. This will include employees,
vendors, contractors and others. All visitors to the Data Centre must adhere to the following
guidelines:
o Visitors’ details, with in and out times, must be logged in the Visitor Access Register maintained
by the Data Centre Admin when entering and exiting the Data Centre. The purpose of the
visit must be documented.
o Visitors must be accompanied at all times by an authorized employee while in the Data Centre.

Guidelines while in the Data Centre

 No food or drink is allowed within the Data Centre.
 No hazardous materials are allowed within the Data Centre.
 All packing material must be removed from computer equipment/components outside before
being moved into the Data Centre. This includes cardboard, paper wrap, plastic, wood and other
such material
 No cutting of any material (pipes, floor tiles etc.) shall be performed inside the Data Centre unless
special arrangements are made and approved by IT Lead.

Shutdown Activity

 All shutdowns in the Data Centre should have been approved by the IT Head.
 Before the shutdown activity is carried out, employees across the organization must be informed
by a circular about the non-availability of the applications which will be impacted by the
shutdown.

Equipment in the Data Centre

 Data centre Admin will keep an updated list of all equipment in the Datacentre.
 Any change in any equipment must be approved by the IT Head.
 Whenever equipment has to be moved in or out of the Data Centre, proper approval must be
taken for the same.
 In cases of movement of equipment, proper records should be maintained in the inward-outward
register.

Clock Synchronization

 Clock synchronization would be applicable to systems like SAP production systems: HANA, ECC,
BI, & others
 Clock synchronization of systems at Data Centre will be done manually and SAP production server
would be taken as the reference for the same.
 The variance that can be tolerated should be within +/- 2 minutes in comparison to the SAP
production server.
 A checklist regarding this would be filled daily by the Data Centre team.
 A weekly review would be conducted to ensure that the systems are synchronized and the
variance is within the tolerance limits defined.
 The Data Centre team would be responsible to carry out this procedure appropriately.

These Data Centre Guidelines need to be displayed outside the Data Centre in Hoshiarpur and all server
rooms.

Patch Management Policy


Objective

Patch Management Policy is a set of steps and procedures aimed towards managing and mitigating
vulnerabilities in company’s assets through a regular and well-documented patching process. A patch
management policy lists the guidelines and requirements for the proper management of
vulnerabilities and involves various phases such as testing, deploying, and documenting the security
patches applied to organization’s endpoints.

Scope

This policy applies to all company Information technology Assets. (Desktop, laptops, workstations,
Servers, storages, network devices, Applications)

Process

 Endpoints (Desktop / Laptop / Workstation)
 Servers and Network Devices
 Application (Quality, Development, Production)
 Emergency Security Patching (Zero day)

Endpoints (Desktop / Laptop / Workstation)

 At the time of Operating system installation (new or re-installation) of a desktop, laptop or
workstation, it is mandatory for the IT Engineer to update the OS with all the latest available updates
and patches (as per the OS compliance), for Windows 8 and 10.
 All the patches (Hotfix, Security update, Service pack, Cumulative update) will be updated and
applied first on a test system of the same environment (OS type, version, service pack) with the help of
patch management software and, after testing, will be deployed on the production system. (Applicable
only for Patch Management System)
 Before applying any patch to user PCs, the IT admin will take prior approval from the IT Manager and
H.O.D IT with the report of successful patching on the test system. (Applicable only for Patch
Management System)
 All the update patch history (test system and production system) will be documented by the Patch
management admin. (Only applicable for the ManageEngine application) A test lab would be created.
(Only applicable for patch management system)

Servers and Network Devices:

 At the time of Server Operating system installation (new or re-installation) it is mandatory for the
Datacentre admin to update the OS with all the latest available updates and patches (Windows,
Linux) by OEM.

 Some crucial patches like firmware updates will only be done if recommended by the OEM and after
verifying the end-to-end impact (e.g., a firmware update on a device may not be supported by the
dependent devices); in such cases the firmware will be updated after a complete case study of the impact.

 All the Network devices (Firewall, UTM, and Managed Switch) will be updated with the
recommendation of OEM and complete case study of impact.

 All the patches will be first applied on Test, Development and Quality system before applying on
production systems / application (Servers / Applications / DB)

Application (Quality, Development, Production)

 All the patches will be tested on development and quality systems before applying on the production
system.
 Application backup is mandatory before applying patches.
 Before applying patch to system IT admin will take IT H.O.D approval.

Emergency Security Patching (Zero day) (OS, DB, Application, Network, Servers, Storages)

 Any emergency security patching recommended and verified by OEM will be done with high
priority.
 Before applying emergency security patching same will be tested on test, dev and quality system.

Policy / Procedure

 All company digital assets, systems and applications should be patched and updated against any
security vulnerability.
 Available patches will be applied manually for offline users.
 IT SPOC will verify the installed patches and maintain the record for the same, and IT Manager will
review the same monthly.
 IT will not manage field users’ assets that are their own devices.
 Before applying the patches, IT will take the backup (Application / OS / network / DB) and take the
approval from HOD IT.
 For application patch management, IT will check the compatibility of the new version of the application
in case an upgrade is available.
 The patching scope includes: operating system, applications, database systems, network active
devices.
 Patches must be successfully tested on non-production systems (test system) prior to being
loaded on production systems.
 All patches must obtain the appropriate change control approval prior to deployment on
production systems (For all IT Assets)
 Patching shall be performed during an authorized maintenance time window unless there is an
urgent situation.

 Critical system (production system, network device (UTM, firewall)) data shall be backed up prior
to installation of new patches or firmware.
 Patching process is a joint responsibility of both system’s administrator and application’s
administrator. They will work closely to ensure the successful completion of patching task. (Only
in application case)

Users’ Managed Assets

 Users managed assets like PCs and laptops will be patched adequately by IT team. User is not
responsible for the patching process; however, users should adhere to IT and Information Security
communications with regards to any associated responsibilities like bringing the device to IT (in
case device required), restarting the machine.
 Some users’ managed assets may have some extra administrative privileges that are granted to
their users, like the ability to install or uninstall programs/updates. These users are responsible
for adhering to IT and Information Security constraints and communications with regards to patching
and for executing them as needed. Violators will have their administrative privileges revoked and
disciplinary action will be taken against them as per the HR Policy.

Note:-

 Policy is applicable for owned IT assets only.
 A detailed audit of patch management will be done once a year with prior approval from IT HOD.

Change Control Policy


Objective

Change Control refers to a formal process for ensuring changes to IT systems are authorized
and documented. The objective of the change control policy is to ensure that all changes that are
made in IT systems across the organization are done in a thoughtful way that minimizes negative
impact to services and customers.

Scope

Change control policy would apply to all changes, upgrades, or modifications to the
production environment of any software, hardware or network device. This would include any
modifications, additions or changes to the environmental touch points.

Modifications made to non-production systems (such as testing environments with no impact on
production IT Services) are outside the scope of this policy.

This policy would apply to all the employees of the Sonalika Group

Need of Change Control

Changes to the production environment arise from many circumstances, such as:

 User requests for changes in any software application
 Changes in any hardware or network devices like Server, UTM, Router etc.
 Upgradation or enhancement or replacement of software, hardware or network device
 Maintenance of equipment
 Environmental changes related to data center, UPS room, Network Room with respect to electrical,
access control, air conditioning, fire extinguishers etc.

Change Control Process

Members of the IT Team (SAP/Custom Tech/Infrastructure/Retail) are responsible for proactive
planning in managing their areas in the production environment.

Submission of Change Request in case of Software Applications

 Business user will raise a request with IT department for any new requirements or
modifications in the existing application.
 IT will raise a ticket for the user requirement in Employee Support System.
 After ticket creation, a notification via email and Employee portal will go to the HOD of the
requester for the approval of the requirement.
 After requester HOD approves, a notification via email and Employee portal will go to
concerned Application group lead (SAP, Retail, Plant application etc.) to process the
business requirement. Notification will include (Requester Name, Code, Department,
description of the call).
 As per the nature of the call Application section head will assign call to the respective
consultant / team member / 3rd party. Notification via email and Employee portal will go
to the consultant regarding the requirement.
 Timelines for the completion of the requirement will be fixed after evaluation by the IT
consultant / team member and given to user via email.
 After completion of the work by the consultant / team member a notification via email/
Employee portal goes to business user regarding the testing.
 Business user after performing UAT (User Acceptance Testing) will update status in
employee portal with their approval or remarks if any. The notification of testing ok
remarks will go to IT consultant via email.
 After receiving testing confirmation remarks from user, IT consultant / team member will
get the approval of concerned Application lead to move the requirement to production
environment.
 In case of SAP, IT consultant / team member will create the transport request and submit
to SAP section head for approval via Employee portal. SAP section head after receiving TR
Request notification will forward to Basis consultant / team member to move the TR into
the production environment. Basis Consultant / team member will receive the TR
notification via email/employee portal and transport the request into the production
environment. After posting changes into the production environment, Basis consultant /
team member will inform SAP section head and the consultant / team member who
worked upon the requirement via email. The format for the Notification to move TR will
be as below:

| Sr No | TR Name | TR Description | Business Justification/Requirement |
| --- | --- | --- | --- |

 After the requirement is moved to production environment, business user will be
informed via email and employee portal for the completion of the requirement and ticket
shall be closed by IT.

Submission of Change Request in case of Network devices, servers and other hardware and
any environmental changes

 Changes will be classified into three categories: High, Medium, and Low.

| Classification | Description | Approval Required |
| --- | --- | --- |
| High | An emergency change is one that involves services which are already impaired and requires utmost urgency to resolve. Root-cause analysis must be performed to determine if the issue can be prevented in the future. | Approval Required with reason to set for the High priority call |
| Medium | A Major change is one that has medium to high risk for critical services, involves unknown risks, and involves downtime. | Approval Required with reason to set the medium priority call |
| Low | A routine change follows pre-determined processes and can be performed with zero impact on users. | Approval Required with reason to set for the low priority call. |

 A Change request form will be filled by the data center admin / concerned lead.
 The scope and purpose of the activity needs to be mentioned on the change request form.
 IT HOD approval will be required to approve the same before the defined activity is initiated.
 In case of any environmental changes at data center, UPS room, Network Room with respect to
(electrical, air conditioning, fire extinguisher, CCTV), IT lead will raise a request to the concerned
department via email.
 Concerned department will evaluate and fix the issue within the stipulated time given and inform IT
via email.
 IT will verify and revert on the same and give their closure remarks after successful completion.
 In case of non-repairable things, management approval will be taken for the procurement.
 IT lead will keep a record of all the changes in Employee Support portal.

Format for any change request in all cases will be as given in Annexure 2.

All the filled change request forms will be kept by SPOC of their respective areas (SAP/Custom
Tech/Infrastructure/Retail)

Audit of change management request

IT HOD will nominate a SPOC for the audit of the change requests submitted at various sections of IT,
and the SPOC will ensure on a monthly basis that all changes were properly authorized and tested prior
to implementation. SPOC will give a formal report of the same to IT HOD.

Incident Management Policy


Objective

Objective of this policy is to lay down guidelines and actions that need to be taken to respond to and
resolve critical incidents. This also includes how incidents should be detected and communicated, who
would be responsible and what steps should be taken to resolve the incident.

Scope

This Policy is applicable to all IT hardware and software assets in the organization. Assets include:

 Applications – Email, SAP, Retail Apps, Design Suite, Database Servers and all other software
applications
 Network and Security Devices - Firewall, UTM, Wi-Fi, Switches, Network Printers
 Data Centre Equipment - Servers, Storages, Chassis
 End User Asset- Desktop, Laptop, Workstation & printers

Policy Description:

Incident identification/ Categorisation

Based on severity and impact of incident, all incidents should be categorised as High (P1); Medium
(P2) and Low (P3)

• High (P1): These include incidents like Fire incident, Critical Systems Down, Business critical
applications not accessible, where there is direct impact on production or sales; major IT security
incident etc.
• Medium (P2): These include incidents that have significant impact and may not be a
production or sales outage but affect users’ experience significantly (e.g., slow performance),
virus attack on some individual machine etc.
• Low (P3): These include incidents that do not interrupt group of users or the business but
individual computer, printer etc.

Annexure 3 at the end of this policy gives the Incident Management Response and Resolution Time
based on Severity Ratings

Annexure 4 at the end of this policy gives details of Escalation Matrix and Contact Details

Incident logging, assignment and resolution

Incident source can be categorised into two categories viz. (a) Informed by End User and (b)
informed by IT Administrator

Incidents Informed by End user:

• User will register the call at IT helpdesk through phone call or email.
• IT Helpdesk Engineer will register the call in Call Management System and will assign the call to
an Engineer (depending upon the nature/type of call logged and its severity).
• The User will get information about the ticket that has been logged (i.e., Engineer details,
contact number to whom call will be assigned) through email or call.
• The Engineer will also get information about the assigned call (i.e., Name and contact number of
User and type of issue reported).
• After receiving call from IT Helpdesk, IT engineer will start working on call based on the priority
of the call/User.
• The Engineer will arrange to fix the issue by taking remote access of the user device or by visiting
user desk.
• If there is requirement of any part to fix the reported issue, IT Engineer will inform the user to
create the indent
• IT Engineer will update the user about the closure date (day/time) to fix the incident reported.
• Based on the priority of call IT Engineer will arrange standby option for reported issue.

Incidents informed by IT Administration:

• The incident source will be review of daily checklists, Manual system performance monitoring
and issues reported by Users.
• IT Admin will categorise the incident severity level (i.e., High, Medium and Low).
• IT admin will report the incident details to IT Manager & HOD IT via Email or call.
• IT Admin will discuss and make plan with IT Manager to fix the issue.
• After reporting the incident to IT Manager and IT HOD, IT admin will start working for incident
resolution.
• IT Manager will arrange the resources when an incident requires the contribution of multiple IT
Admins to fix the incident.
• In case an incident requires support from third party, IT Manager will report to HOD IT with the
details for required support. IT HOD will arrange the support based on the priority of incident.
• In case of warranty and AMC (Annual maintenance contract), IT admin will arrange to log the call
with concerned OEM/Vendor to fix the issue reported with defined SLA (service level agreement).
• In case of replacement of any part, IT admin will follow up with the OEM/Vendor until the part is
replaced.
• In case of fire, the call matrix as per Annexure 5 will be followed.

Incident Closure

• An incident will be closed once the issue is resolved and the user has acknowledged the resolution.
• All the High and medium priority incidents will be documented in RCA (Root cause analysis) format
as given in Annexure 6.

Outsourcing and External Facility Policy


Objective

This policy is to ensure suitable control over security exposures and risk on services provided by
external or third parties. The Outsourcing and external facility policy sets out the conditions that are
required to maintain the security of the organization’s information and systems when third parties are
involved in our operations.

Scope

This policy is applicable to all contractors, third party agencies and associates of company, who may
require access to all applications & any system.

Policy

 Company IT systems / IT assets / Applications, remote access / in-house access will only be
accessible via the Local area network (LAN) or VPN (Virtual private network) except where outside
access is provided (E-mail, Web Applications).
 A formal NDA between ITL and the Outsourcer will be signed before giving any access to any ITL
System & Application. NDA will be routed through the secretarial department.
 Any access to critical business information and systems required by an Outsourcer shall be signed
off by IT HOD.
 IT admin will verify the request and provide login credentials to authorized Outsourcer after
approval from IT HOD.
 Authorized Outsourcer must protect their login credentials and must not share them with anyone
for any reason.
 In case of remote access / TeamViewer / AnyDesk of Company asset through non company asset
(rented, employee personal laptop), Remote access policy will be applicable.
 ITL IT will provide a single point of contact for outsourcer (remote access / in-house access); this
single point of contact will ensure the applicability of all IT policies.
 Each outsourcer must provide the list of all resources working for ITL. This list must be updated &
provided to ITL within 24 hrs (in case there is any change of resources).
 Outsourcer must follow all the IT policies of ITL.

Encryption Policy


Objective

The objective of this policy is to protect confidentiality, authenticity and integrity of company’s
information that is transferred through internal or external devices and network.

Scope

This policy applies to all company Employees, Contractors and Third-Party Employees, who have access
to IT assets or any information in Company.

Policy

 IT department shall ensure that all laptops and other devices containing sensitive information
must consistently employ drive encryption, for all files, and boot protection.
 Encryption software is necessary to transfer ‘confidential’ information over the internal or
external (Public) networks.
 IT shall ensure that passwords are always encrypted when held in storage for any significant period
of time or when transmitted over networks. This will prevent them from being disclosed to
unauthorized parties.
 Cryptographic algorithms, key lengths and key strength used to protect specific information
should be appropriately chosen depending upon the time frame for which that information is
valid.
 Effectiveness of cryptography control shall be reviewed periodically.

VA (Vulnerability Assessment) / PT (Penetration Testing) and Code Review Policy


Objective

Vulnerability assessment (VA) is a systematic technical approach to find the security loopholes in a
network or software system. The aim is to find all possible loopholes with the objective that none of the
loopholes are missed. Penetration test (PT) is an approach to actually explore and exploit those
vulnerabilities. This process confirms whether the vulnerability really exists and further proves that
exploiting it can result in damage to the application or network. Code Review is about analysing the
source code of applications developed in-house to ensure that there are no vulnerabilities in the source
code.

The purpose of the VA PT & Code Review Policy is to establish rules for the review, evaluation,
application, and verification of system updates to mitigate vulnerabilities in the IT environment and
the risks associated with them.

Scope

VA/PT should be done for all Information Technology assets such as Firewall, Router, Core Switch, Wireless
Controller, Wi-Fi Routers, UTM, Servers, Storage, and applications including mobile apps. Code review
should be done for all applications developed in-house or developed for the company through a third party.

Policy

 Vulnerability assessment scanning and Penetration testing of the internal network, external
network, and all hosted / external / internal applications should be conducted at least once in a
year or after any significant changes to the environment.
 In addition, before launching any new critical application, VA/PT and code review (if applicable)
should be carried out.
 IT admin or application owner will be responsible for ensuring that any exploitable vulnerabilities
found during a penetration test or during code review are corrected and re-tested to
verify that the vulnerability was corrected.
 A formal report of VA PT and code review and actions taken thereof has to be submitted by Head
of IT to management annually.

Cloud Services Access Policy


Objective

The objective of this policy is to make sure that the provisioning of cloud services is in accordance with
the business and security requirements

Scope

This policy is applicable to all Cloud Services provided by IT at ITL.

Policy

 Use of cloud services like websites, Storage, Applications etc. for work purposes must be formally
authorized / evaluated by IT.
 Personal cloud service accounts like Dropbox, Google Drive, iCloud etc. may not be used for
the storage, manipulation or exchange of company-related communications or company-owned
data.
 Any employee needing cloud service will have to send a formal request to IT after getting the same
approved by his / her HOD.
 IT admin will verify the request and provide login credentials for approved Cloud services after
approval from IT HOD.
 Password policy for cloud services will be the same as per ITL password Policy.
 Authorized Employees must protect their login credentials and must not share them with anyone
for any reason.
 A formal NDA and Service Contract between ITL and the Cloud Services Providers will have to be
signed before using any Services on Cloud Platform.
 NDA will be routed through secretarial department and Service Contract will be routed through IT
department.
 Business Continuity Plan will be defined in the Service Contract along with SLA.
 IT department will carry out annual partner evaluation on the basis of SLA, Performance and
availability.

Baseline Hardening Policy / Guidelines


Objective

Systems hardening is a collection of tools, techniques, and best practices to reduce vulnerability in
technology applications, systems, infrastructure, firmware, and other areas. The goal of systems
hardening is to reduce security risk by eliminating potential attack vectors and reducing the system’s
attack surface by removing unnecessary programs, accounts, applications, ports, permissions, access,
etc.

Scope

This Policy is applicable to all hardware, network and software assets in the organization.

Types of System Hardening

 Application hardening
 Operating system hardening
 Server hardening
 Database hardening
 Network hardening

Application Hardening:

Application Administrator should:

 Restrict access to applications based on user roles wherever possible (as per the application control
policy)
 Remove all default passwords
 Set Application passwords including password rotation, length, etc. as per the password policy.
 Regularly inspect integration with other applications and systems, and remove, or reduce
unnecessary integration components and privileges

Operating System Hardening (Client):

IT Administrator should:

 Regularly apply OS updates, service packs, and patches automatically / manually
 Remove unnecessary drivers, file sharing, libraries, software, services, and functionality
 Tighten registry and other systems permissions
 Log all activity, errors, and warnings; implement privileged user controls.

Operating System Hardening (Servers):

Server Administrator should:

 Put all servers in a secure datacentre
 Regularly apply OS updates, service packs, and patches Manually
 Remove unnecessary drivers, file sharing, libraries, software, services, and functionality
 Tighten registry and other systems permissions
 Log all activity, errors, and warnings; implement privileged user controls.
 Always harden servers before connecting them to the internet or external networks
 Avoid installing unnecessary software on a server
 Ensure super user and administrative shares are properly set up, and that rights and access are
limited in line with the principle of least privilege
 Never test hardening on production servers

Database Hardening

DB Administrator should:

 Create admin restrictions, such as by controlling privileged access including what dev / admin
users can do in a database
 Regularly apply DB updates, service packs, and patches Manually
 Turn on node checking to verify applications and users
 Encrypt database information—both in transit and at rest
 Enforce secure passwords
 Introduce role-based access control (RBAC) privileges
 Remove unused accounts

Network Hardening

Security Administrator should:

 Ensure firewall, core switch, router, edge switch, WLC and access points are properly configured
and that all rules are regularly audited
 Regularly apply any updates and patches Manually
 Secure remote access points and users
 Block any unused or unneeded open network ports
 Disable and remove unnecessary protocols and services
 Implement access lists
 Encrypt network traffic
 Give remote access on VPN only

Exception Management Policy


Objective

The aim of this policy is to lay out guidelines for any exceptions to IT policy.

Scope

This policy is applicable to all users and vendors / contractors who access ITL IT Systems.

Policy Guidelines

 All users are expected to follow IT policies at all times.
 In case any user wishes to have an exception to any IT policy, be it IT asset configuration or access,
application or software access, Internet access, Email access, DLP or Data Transfer or any other
policy as the case may be, the user will have to send a formal request to the HOD giving reasons for the
same.
 All such requests will have to be approved by Management.
 IT team will provide access after approval from management is obtained.
 IT Lead will prepare a monthly summary of all exceptions for the month and send to management
for information.
 All exceptions will be formally reviewed in the month of March every year, and re-approval will
have to be sought from management annually.

Electronic Data Archival Policy


Objective

The objective of this policy is to lay out guidelines for handling and maintaining records of various
documents, including project data and commercial and legal documents, in IT in secure form.

Scope

The policy will be applicable to all IT employees of organization.

Data/Record Categories

 Agreements: It covers all agreements regarding any IT procurement, IT Support & Maintenance
contracts etc.
 Documents: It covers all documents related to IT Projects, IT services, Audits etc.
 Application Data: It covers all application data including e-mail.
 Source Code for all developed applications.
 Employee backup data

Mode of Archival

 Soft copy: To be kept in secured folders.
 Physical: Record to be archived in physical form.

Guidelines

 IT Admin shall be responsible for ensuring the safe upkeep of all documents, both in hard and soft
copy.
 Signed original copies of all agreements regarding IT procurement, IT Support & Maintenance
contracts, IT services agreements, etc. should be kept in file cabinets with proper labelling so as
to enable quick identification of the records. Soft copy of the same should be kept in a secure
folder.
 All original license documents should be kept in file cabinets with proper labelling so as to enable
quick identification of the records. Soft copy of the same should be kept in a secure folder.
 All agreements should be maintained as per revision version.
 Only authorized person should be allowed to access Archived data. Head of IT will approve
and review the list on an annual basis or at the time of resignation or retirement of an
employee.
 IT admin will ensure old application data is kept archived on the server until the data migration
process from the old to the new application is 100% complete.
 Application data backup should be done according to the data backup policy.
 IT Applications admin should ensure that version is maintained for source code of all
applications at centralized server location.
 In case of data related to employees, IT admin will ensure the same is kept in secure folders
and regular back up is taken. For employees who resign or retire, data should be kept as per
guidelines of HOD of the respective department.

Audit and Logging Policy


Overview

The aim is to provide accurate and comprehensive audit logs in order to detect and react to inappropriate
access to, or use of, information systems or data. Without appropriate audit logging, an attacker's
activities or unauthorised access can go unnoticed, and evidence of whether or not the
attack led to a breach can be inconclusive.

Purpose

The purpose of this SOP is to record the set of instructions to be adhered to by the IT Team for handling
logs and to enable the control of any incident.

Policy

Types of Audit & Logging: -

 Event logging
 Protection of log information
 Administrator and operator logs
 Clock synchronization

Event logging: Record information about errors and events in Excel format and save this information at
a central location for servers and network devices.

Protection of log information: The logs must be protected so that they cannot be removed or
modified by any person; they are protected with a password.

Administrator and operator logs: Privileges of administrators and operators of systems are
different from normal user privileges; system logs will not be accessible to any user account other
than the administrator.

Clock synchronization: All systems should be configured with the same time and date; otherwise, if
an incident occurs and we want to carry out a traceability test of what has happened in the different
systems involved, it can be difficult if each one has a different configuration. Therefore, the ideal
scenario would be that systems have a synchronized time, and this can be achieved in an automated
manner with domain controller time.

Logs Handling Procedure

Logs

Logs here refer to the events generated by a system that provide the necessary inputs for
analysis and audit of an incident. The logs covered are FTP logs, UTM logs, server logs and network
device logs.

FTP Logs – Logs from File transfer protocol being used by organization to transfer data to external
agencies after the complete approval process

UTM Logs - Unified threat management system logs come from the UTM boxes installed across locations
and capture information related to spam mails, viruses, intrusion prevention and detection, internal
usage, blocking and denial of access etc.

Server Logs - These logs capture information related to system events, security events, application
events which are recorded by windows server operating system by default.

Guidelines

 Log retention period will be a minimum of 1 month.
 Administrator or any member of IT is not allowed to delete, edit or alter these logs by any means.
 IT team will monitor logs on daily basis.
 In case any error is observed or any incident is observed, the IT team member responsible for
monitoring logs will immediately alert the concerned IT team members and IT HOD.
 IT HOD will ensure that necessary action is taken on all incidents.

Asset Scrap Policy


Objective

The objective of this policy is to ensure secure disposal of old and / or unusable IT equipment owned
by the organization.

Scope

The Asset Scrap policy covers the disposal of the Hardware equipment of the business users. All IT
hardware will be scrapped in accordance with International Tractors Limited disposal protocols by
Commercial Department with the inputs from IT and it is applicable to Sonalika Group
(HSP/NCR/Rotavator and all India corporate offices). The equipment must be disposed of safely in an
environmentally sustainable way.

IT Asset Types

Following are the main types of IT assets and their minimum useful life before these assets can be
considered for scrapping. After the minimum useful life, if an asset's performance severely degrades
or repair becomes uneconomical, it can be scrapped.

| Sr. No. | Asset Type | Minimum Useful Life |
|---|---|---|
| 1 | Laptop | 4 Yrs. |
| 2 | Desktop | 6 Yrs. |
| 3 | Workstation | 6 Yrs. |
| 4 | Printer, Plotter | 5 Yrs. |
| 5 | Scanner | 5 Yrs. |
| 6 | Server | 6 Yrs. |
| 7 | Firewall/UTMs | 8 Yrs. |
| 8 | Routers | 5 Yrs. |
| 9 | Switches | 6 Yrs. |
| 10 | Storage tapes | 3 Yrs. |
| 11 | Back up device | 6 Yrs. |

Asset Scrap process

 IT assets can be scrapped in following conditions

a) The minimum useful life of the IT asset is over and the asset's performance is severely
degraded
b) The asset is out of warranty and the cost of repair is more than 50% of the cost of a new asset

 In case of Laptop/Desktop/Workstation, the user of the asset should determine the level of
sensitivity of the data stored on the device and confirm with IT that all his/her data has been
backed up on another device.
 Before disposal of the asset, IT will check whether any part of the scrapped asset can be
used further; any such part will be segregated and used for the
repair/upgradation/replacement of other assets.
 IT will make the approval note and get Management approval to scrap the assets.
 After Management approval, IT department will submit the approval to commercial department.
 Commercial department will finalize the Vendor to pick scrap material from concerned location.
 Scrap assets, recorded by quantity and weight, will be handed over to the vendor in the presence of
IT, P&M and Security.
 The bills of material will be processed by P&M for the Gate out of the items.

E-Waste Disposal

 IT assets are defined as hazardous waste due to the metals and chemicals used in their
manufacturing, and arrangements for their disposal must be made with a vendor/company that
follows the E-waste Management Rules and policies.
 IT equipment must never be disposed of through general waste routes.
 We must ensure that e-waste disposal is done in a responsible and scientific manner through
authorized channels only.

Responsibilities

 P&M must ensure that the shortlisted vendor follows the E-Waste Management Rules.
 IT is responsible for physically damaging the HDD or any other storage media before disposal
of the asset, to avoid any data leakage.
 Vendor would be responsible for the appropriate destruction or disposal of equipment in
compliance with e-waste regulations.
 Vendor must confirm to IT that their e-waste disposal is done in a responsible and scientific
manner through authorized channels.

Remote Access Management Policy


Objective

This policy aims to establish guidelines for providing remote access (from home or any other non-
office location) to company IT systems / IT assets. Preventing unauthorized access to company data
from insecure networks is of utmost importance to company. This policy is designed to ensure
remotely working employees have the ability to securely connect to the corporate network without
fear of any data leakage threat and to provide the Company with an additional means of monitoring
and controlling access to the internal network.

Scope

This policy is applicable to all employees, contractors, and associates of the company who may require
remote access to any desktop, workstation, server, storage or network device. This policy covers
access to IT systems / data that are not accessible through e-mail and the portal.

Policy

 Company IT systems / IT assets remote desktop access will only be accessible via the Local area
network (LAN) or VPN (Virtual private network) except where outside access is provided (e-mail,
employee portal, web application and websites)
 For users who are working from home (WFH), user PC (workstation, desktop) access will be granted
through VPN only. This includes access to any server, switch, router, desktop, workstation or
specific application.
 After approval from the HOD, the user must submit to IT a remote access request with requirement
details and the time period for which remote access is required, in the format given in Annexure 7 at the
end of this policy.
 IT admin will verify the request and provide login credentials to authorized user after approval
from IT HOD.
 Authorized users must protect their login credentials and must not share them with anyone.
 Any computer that needs to be connected to company internal network remotely must be
equipped with the latest anti-virus software.
 In case of remote access of any Company asset through non company asset (for example Rented
or employee’s personal laptop), the system that is accessing has to have McAfee End point security
(DLP, MCP) to ensure data security.
 In case there is a requirement to connect via TeamViewer, AnyDesk or any such software (for
example, when OEMs/vendors decline to use ITL’s VPN and McAfee End point security), such
requirements will be categorized as special cases and will be verified by IT admin and approved by
HOD IT for a specific time and reason.
 Remote Access accounts (VPN Login ID) used by vendors must only be enabled for specific time
period and must be disabled immediately thereafter.
 IT admin will be responsible for deactivation of the access after task for which access was granted
is completed.

Backup Policy


Objective

The objective of this policy is to maintain data integrity and availability of the Organization's IT
Resources to prevent loss of data and to facilitate the restoration of the IT Resources and business
processes.

This backup policy aims to put in place a pre-defined schedule whereby information from business
applications such as Microsoft SQL database, S4H database, Email server databases, Application Source
code, Network Component (Firewall/UTM/Switches Configuration) and user files is copied to disk
and/or tape to ensure data recoverability in the event of accidental data deletion, corrupted
information or a system outage, and to support the restoration process.

Scope

This Policy is applicable to users at Hoshiarpur (HSP), and NCR (Delhi and Noida) offices.

The Policy is categorized in three sections as:

1. Backup Policy for End computing /User Files
2. Backup Policy for Application Server Configuration, Network Switches, Firewall, UTM configuration
3. Backup Policy for Database Server (SQL, HANA, Email), File Server

Policy:

1. Backup Policy for End computing /User Files

Guidelines for Users

 Concerned department HOD would have to provide to IT Department the list of users who have
important data that is required to be backed up for business continuity.
 IT will share the details of backup folder with user by email (folder name, location)
 Users would be required to put their important data in the folders configured by IT department &
would need to update the folder periodically.
 The backup standard data format would be Excel, docs, PPT, PDF
 Maximum data backup size would be 5 GB per user.
 User cannot change the folder name or location of the backup folder.
 This backup policy is not applicable for R&D, DDC, Vendor Development, Manufacturing
Engineering and Cost Engineering department as dedicated Centralized file server for these
department users is already in place with backup.

Guidelines for Restoration of User data:

 User would be required to submit a data restore form (approved by concerned HOD) to IT
department mentioning the purpose and detail of data restoration.
 IT will validate the restore request and, if it is approved (by IT HOD), restore the data within three
days after submission of the request by the user. If the restore request is not approved, IT will inform
the user by email mentioning the reason for non-approval.
 IT will restore the latest available data kept in the folder of user computer configured by IT
department. There will be no restoration of data kept at any other location of computer.

Guidelines for IT Admin

 ITSM team member will have to ensure that at the time of new system installation
(Laptop/desktop/workstation) or reinstallation of operating system, following disk partition size
and drive letters be used:
- 500 GB Disk: C: 200 GB, D: 150 GB, E: 150 GB
- 1000 GB Disk: C: 200 GB, D: 400 GB, E: 400 GB

 Backup Manager will ensure that the user files are backed up once in a week. The retention period
of backup would be 1 month from the date of backup.
 Backup media (Last night backup) would be required to be kept at secondary site.

2. Backup Policy for Application Server Configuration, Network Switch, Firewall, UTM
configuration

 Respective Backup Manager appointed at that location will ensure the successful completion of
scheduled backup.
 All the Application Server Managers have to share details of application directory and source code
files/folder along with specific location with Backup Manager.
 Backup Manager must ensure the backup of application and source code on a daily basis.
 Network Manager must ensure the backup of Network Switches, Firewall and UTM configuration
once in a month. Network Manager will provide this backup data to Backup Manager.
 Backup manager will ensure data backup is kept in a Fire proof Cabinet at a secure location

3. Backup Policy for Database Server (SQL, S4H, Email), File Servers

Backup Policy for Database Server (SQL, S4H, and Email) and file servers is categorized into the following
three sections:

a) Hoshiarpur Datacenter
b) Noida Datacenter
c) Delhi Datacenter

a) Hoshiarpur Datacenter:

In HSP Datacenter following database server backup and file server backup will be done:

 SAP S4H (Production, Development, Quality)
 SAP ECC6 -ITL (Production)
 SAP ECC6-ITL (HR)
 SAP ECC6 -RTV (Production)
 SAP ECC6- ICML (Production)
 Retail System -(Production)
 OFM (Oracle Fusion Middleware) – (Production)
 Vectors Server
 AFL – Production
 MS Exchange
 File Server- RTV & ITL
 Digital Publication
 McAfee EPO
 Tally
 Active Directory

The backup type, frequency, retention period and restoration test schedule will be as follows:

| Server Description | Backup Type | Backup Frequency: Incremental | Backup Frequency: Full | Retention Period (Days): Daily | Retention Period (Days): Monthly | Restore Test |
|---|---|---|---|---|---|---|
| SAP S4H (PRD, DEV, Quality) | S4H Database | Every 15 Min | Daily | 7 | 90 (PRD) | Quarterly |
| SAP ECC6-ITL (HR) | SQL Database | - | Daily | 7 | 90 | Quarterly |
| SAP ECC6 -RTV (Production) | SQL Database | - | Daily | 7 | 30 | Quarterly |
| SAP ECC6- ICML (Production) | SQL Database | - | Daily | 7 | 90 | Quarterly |
| SAP ECC6 -ITL (Production) | SQL Database | - | Weekly | - | 90 | Quarterly |
| Retail System (Production) | SQL Database | - | Daily | 7 | 90 | Quarterly |
| Vectors Server | SQL Database | - | Daily | 7 | 90 | Quarterly |
| AFL – Production | SQL Database | - | Daily | 7 | 90 | Quarterly |
| MS Exchange | EDB Database | Every 4 hrs. | Weekly | - | 90 | Quarterly |
| File Server- RTV | File Backup | - | Daily | 7 | 60 | Quarterly |
| File Server- ITL | File Backup | - | Mon-Wed-Sat | | 90 | Quarterly |
| Digital Publication | SQL Database | - | Daily | 7 | 90 | Quarterly |
| McAfee EPO | SQL Database | - | Monthly | - | 60 | Quarterly |
| Tally | Database | | Daily | 7 | | Quarterly |
| Active Directory | System State | | Daily | 7 | | Quarterly |

b) Noida Datacenter

In Noida Datacenter following database server backup and file server backup will be done:

 Siemens Team Center (Production)
 File Server

The backup type, frequency, retention period and restoration test schedule will be as follows:

| Server Description | Backup Type | Backup Frequency: Full | Backup Frequency: Incremental | Retention Period: Daily | Retention Period: Monthly | Restore Test |
|---|---|---|---|---|---|---|
| Siemens Team Center | Volume data, config data | Daily | - | 14 | | Quarterly |
| Siemens Team Center- Production, Dev, Test | SQL Database | Daily | - | 14 | | Quarterly |
| File Server | File Backup | Weekly | Daily | 4 | - | Quarterly |

c) Delhi Datacenter

In Delhi Datacenter following file server & Cache Server backup will be done:

 File Server
 Cache Server for Team Center

The backup type, frequency, retention period and restoration test schedule will be as follows:

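| Server Description | Backup Type | Backup Frequency: Incremental | Backup Frequency: Full | Retention Period: Daily | Retention Period: Monthly | Restore Test |
|---|---|---|---|---|---|---|
| File Server | File Backup | - | Daily | 7 | | |
| Cache Server for Team Center | VM | - | Daily | 7 | | |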

Guidelines for Backup Managers

 Backup Manager will ensure successful completion of scheduled job of each server
 The backup restore activity will have to be recorded on the Backup Restore form verified by
Application Manager/Network Manager and approved by HOD IT.

 Backup Manager will check the logs and share the status of the backup checklist on a daily basis by
sending an email to HOD IT.
 To ensure successful backup, if there is requirement to add or replace backup device (Tape drive
and data Cartridges), Backup manager will share the requirement details to HOD IT for approval.
 Application Manager and Network Manager with the help of Backup Manager will be required to
perform a restore test as per frequency mentioned in this policy.
 Backup Restoration details will have to be recorded in Backup restore test form verified by
application manager and approved by HOD IT

Physical and Environment Control Policy


Objective

Physical and environment control policy refers to the measures taken to protect the physical
environment and infrastructure that is housing the information system resources, including hardware,
software, and other networking devices against threats such as theft, fire, flood, intentional
destruction, unintentional damage, mechanical equipment failure, and power failures. The objective
of this policy is to prevent unauthorized access or damage to IT services.

Scope

This policy applies to all the areas where we have IT assets of the Sonalika Group

Guidelines

 All computer equipment that provides access to ITL information should be kept secure. The user
who has been allocated the equipment will be responsible for safe keep of the equipment. In case
of data Centre equipment, Datacenter admin will be responsible while in case of network
equipment, network admin will be responsible. In case any equipment (say printer or laptop) is
issued to a department, HOD will be responsible for security of equipment.
 Servers and equipment that store or process key information should be located in physically
secured areas.
 Entry to secured areas should be restricted to authorized users:
 All access to datacenter should be as per Data Centre management policy.
 Employees should not lend their digital card to anyone, or allow anyone to follow them through
card-controlled doors (tail gating)

Cabling in IT Department

 Cables in IT should be underground wherever possible.
 Wherever possible, cabling within buildings should be installed in ceiling and secure ducts.
 Ducts and entry points should be secure and should be inspected annually for signs of damage or
interference by IT Admin.
 A log of these inspections should be retained by Head of Networks and Infrastructure.

Wireless Access Points

 Wherever possible, wireless access points should be installed at a high level to make them less
exposed and more secure from theft or tampering.

Communications Racks and Wiring Cabinets

 All communications equipment should be kept secure, either in locked rooms or in racks and
cabinets with locks.

 Keys to communications rooms, racks and cabinets should be held securely by IT SPOC so that
they are not available to individuals who are unauthorized to access network devices.

Environmental Controls

 Data centers should be protected by appropriate air conditioning and very early smoke detection
(VESDA) systems.
 Temperature in data centers should be monitored by Operations staff, and undue variances
reported immediately to the IT Admin.
 Equipment should be protected from power failures or electrical anomalies. Data centers should
be protected by suitable local stand-by power supplies (uninterrupted power supply).
 Data Center should be inspected annually to assess security risks and hazards arising from
environmental conditions. A log of these inspections should be retained by Data center admin.

Equipment Maintenance

 Equipment should be maintained in accordance with manufacturers' recommendations.
 All faults (or suspected faults) should be recorded and all changes should be logged in the Change
Management System. All regular maintenance checks should also be recorded by IT Admin.
 Disposal of equipment should be done as per the IT disposal policy

Data Classification and Handling Policy


Objective

Objective of this policy is to define classification of data in the organization and to ensure an
appropriate level of protection as per the classification.

Scope

This Policy is applicable to all data in the organization

Policy Description:

 All information / data should be identified and classified based on its criticality and sensitivity.
 The information that should be labelled must include non-electronic media (e.g. physical
documents) and electronic media (e.g. e-mails, Word documents, PowerPoint slides etc.). The
physical labelling format should be easily distinguishable and readable.
 While deciding the classification level for information, the associated legal and statutory
requirements should also be considered.
 The information owner is responsible for adherence to all the policies and controls to ensure the
security of the information asset. The information owner is the person who is the creator of the
information or who is using the information to fulfil his job responsibilities, and should do the
classification.
 The following data classification labels should be used:

Data Classification Label / Description

Secret: Highly sensitive information whose unauthorized disclosure / use could
substantially or critically impact business. Generally, access of such information is
restricted to management and few other senior members of organizations. For
example – R&D information, discussions between management members,
mergers and acquisitions etc. Information cannot be shared with anybody beyond
the management and senior leaders without written approval of management.

Confidential: Sensitive information whose unauthorized disclosure / use could cause serious
competitive damage to the organization, e.g. sales plan, budgets, reviews,
customer and vendor lists, price lists, BOM, quality parameters etc. Information
cannot be shared with anybody beyond the authorized persons without written
approval of HOD.

No Classification: Information that can be shared with all employees or general public or anybody.

 From a practical perspective, since most documents would fall in the category No
Classification, there is no need to mention that on documents or data, on the assumption that
documents not classified have an implicit classification of No Classification.
 Confidential and Secret documents that are no longer required should be shredded.
 Devices containing sensitive information should be physically destroyed when no longer required.
 Photocopying of CONFIDENTIAL or SECRET documents must only be done by the
Information Owner or Custodian, and a record should be maintained for the same. The Owner or
Custodian of the information should be responsible for maintaining the record of photocopying.
 Information which is labelled No Classification can be stored in a cabinet, which may not be locked.
 All ITL specific printed, handwritten, or other paper manifestations of sensitive information must
have an easily noticeable sensitivity label on each page. We can use stamps indicating Secret or
Confidential.
 High Sensitivity Areas such as the Data Center and back-up storage centers will have to be given a high
classification as a whole, because some of the data that is handled or stored is SECRET or
CONFIDENTIAL. These areas will need to be provided a higher degree of physical security.
 If any support service task or maintenance task needs to be performed on equipment holding
“SECRET” information, then it should be done under observation of the information owner.
 If a support service or maintenance task on equipment holding “SECRET or CONFIDENTIAL”
information is performed by a third party, the IT manager will ensure that no spyware such as a key logger has
been installed by the third party. Appropriate tools need to be run immediately after the service
by the third party to detect such spyware.
 Printed documents with information labelled as “SECRET or CONFIDENTIAL” should be stored in a
locked cabinet.
 All documents and records must be retained for the prescribed period, as required by
organization, laws of land, statutory and legal bodies.
 All employees should be guided to ensure that when they leave their desks they clear the desk of
all documents they are not working on.
 Information should be erased from any equipment (typically an Information Asset) prior to
disposal or re-use.

Social Media Policy


Objective

The objective of this policy is to provide guidelines on the use of social media by company employees,
contractors and stakeholders. Social media is a place where people exchange information, opinions and
experiences to learn, develop and have fun. Whether you’re handling a corporate social media
account or using one of your own accounts, you should remain productive and avoid damaging the
organization in any way. This policy provides practical advice to avoid issues that might arise from
careless use of social media in the workplace.

Scope

This policy applies to all Employees, contractors & Stakeholders and all types of social media.

Policy & Guidelines

Definition of social media

 Social media or social networking includes all forms of online publishing and discussions, including
but not limited to: blogs, wikis, file-sharing, user-generated video and audio, social networks and
other social networking applications like Facebook, Twitter, YouTube, WhatsApp and LinkedIn etc.

Authorized users

 Employees must be authorized by company’s approved authorities, based on employee job
responsibilities, to engage in work-time social media sites.
 All employees must identify themselves as employees of company when posting to company
social media.

Content guidelines

 For social media all content must be relevant, meet specified goals or purposes and add value to
Company’s brand.
 All content must conform to all appropriate laws and regulations of the country, as well as
guidelines adopted by and governing the Company including privacy laws.
 Content must be polite and respectful.
 All messaging should maintain the same tone as if interacting with someone in person on behalf
of the Company.

Editorial control

 Company is authorized to remove any content that does not meet the rules and guidelines of this
policy or may be illegal or offensive. Removal of such information will be done without permission
of the author or without any advance warning.

 Company expects all public users (non-employees, non-contractor, and non-stakeholders) to
accept any guidelines issued by company for social media postings and Company reserves the
right to take the same action as mentioned above in removing offensive or illegal content.
 Social media comments from public users that require response will be addressed in a timely but
thoughtful, and respectful manner.

Personal Rules & Guidelines

 Social networking sites have blurred the line between private and public activity. In many ways,
today’s social media pages have replaced the written letters of the past but are more visible. Your
social media posts—even if you intend them to be solely personal messages to your friends or
family—can be easily circulated beyond your intended audience. This content, therefore,
represents you and the Company to the outside world.
 Employees are expected to follow these guidelines and policies to provide a clear line between
‘you’ as the individual and ‘you’ as an employee of Company.
 Company respects the right of employees to use social media forums for self-publishing and self-
expression on personal time but unless specifically authorized by department head, employees
are not permitted to use forms of social media during working hours or at any time on company
computers or any other company-supplied devices unless the employee is authorized to speak on
the Company's behalf.
 Employees will be held personally liable for any commentary that is considered defamatory,
obscene, and proprietary by any offended party using company computers or company’s provided
devices.
 Employees are prohibited from harassing, discriminating against or disparaging any employee or
anyone affiliated with or doing business with Company.
 Employees are prohibited from posting Company name, trademark or logo or any Company-
privileged information, including but not limited to: copyrighted information or company-issued
documents unless authorized by Company.
 Employees shall use a respectful and polite tone.
 Employees shall avoid speaking on matters outside their field of expertise. Everyone should be
careful not to answer questions or make statements that fall under somebody else’s responsibility.

IT Risk Management Framework


Objective

The objective of this policy is to lay out the framework, approach and process for risk
management at ITL.

IT Risk management will enable ITL to accomplish its business objectives by better securing
the IT systems that store, process, or transmit organizational information and enable
management to make well-informed decisions.

Approach and Process

ITL shall continuously monitor for any change in the threat environment and make any adjustment
necessary to maintain an acceptable level of risk. The ITL risk management process includes:

• Step 1 : Key Information Asset Identification
• Step 2 : Threat, Vulnerability and Risk Identification
• Step 3 : List down Controls in Place
• Step 4 : Carry out Business Impact Assessment
• Step 5 : Prepare Risk Treatment Plan
• Step 6 : Carry out Ongoing Risk Management

Details of each of these steps are given below.

Key Information Asset Identification

Information Assets will be identified during meetings with key business managers and process owners
within ITL. Head of IT and his team will create an asset list. Where possible / appropriate, information
assets will be grouped together to simplify the management of the risk. The asset list shall contain:

• Type of asset – Hardware, Software, Application, Network, Others
• Name and description of the asset
• Asset number
• Location of the asset
• Owner of the asset

Additional information related to the operational environment of the IT systems will also be
documented, including:

• Functional requirements of the IT systems (Applications)
• List of Users of the system (e.g., system/admin/IT users who provide technical support to
the IT system; application users who use the IT system to perform business functions)
• Security policies governing the IT system

• Flow of information pertaining to the IT systems (e.g., system interfaces, system input and
output flowchart)
• Technical controls used for the IT system (e.g., built-in or add-on security features that
support identification and authentication, access control, encryption etc.)
• Management controls used for the IT system (e.g., security policies)
• Operational controls used for the IT system (e.g., backup, off-site storage; user account
establishment and deletion procedures etc.)
• Physical security environment of the IT system (e.g., office / plant security, data center
security)
• Environmental security implemented for the IT system processing environment (e.g.
controls for humidity, temperature, corrosion etc.).

Threat, Vulnerability and Risk Identification

• A threat is something that we are trying to protect our assets against. Common threat
sources include:
   • Natural Threats—Floods, earthquakes, landslides, lightning, and other such events.
   • Human Threats—Events that are either enabled by or caused by human beings, such as
   unintentional acts (inadvertent data deletion) or deliberate actions (network based attacks,
   malicious software upload, unauthorized access to confidential information).
   • Environmental Threats—Long-term power failure, pollution, chemicals, liquid leakage.

• Vulnerability is a flaw or weakness or gap in the system security procedures, design,
implementation, or internal controls that can be exploited by threats to gain unauthorized
access to an asset. For potential list of vulnerabilities, sources that will be considered
include Security advisories from OEMs or Government and other agencies, PT / VA reports,
social media / news etc.

• Risk is the potential for loss, damage or destruction of an asset as a result of a threat
exploiting a vulnerability. List of all threats and vulnerabilities will be prepared by Head of
IT. Based on threats and vulnerabilities, all the risks will be identified. Head of IT will
document the risks in a risk register giving list of identified risks, likelihood and
consequences of the risks occurring, the actions we will take or are taking to reduce those
risks and who is responsible for managing them.

List down Controls in Place

In this step, the aim will be to document the controls that have been implemented, or are
planned for implementation, by ITL to minimize or eliminate the likelihood of a threat
exercising a system vulnerability.

Controls that will be considered will be both technical and nontechnical controls.

• Technical controls are the safeguards that are incorporated into computer hardware,
software, or firmware (e.g., access control mechanisms, identification and authentication
mechanisms, encryption methods, and intrusion detection / prevention system, UTM, High
Availability etc.).
• Non-Technical controls are management and operational controls, such as security policies,
procedures, physical and manual controls, surveillance systems, backups, DR etc.

Controls will be categorized as preventive or detective.

• Preventive controls inhibit attempts to violate security policy and include such controls as
access control enforcement, encryption, authentication, UTM policies, Anti-Virus, SOD,
physical controls.
• Detective controls warn of violations or attempted violations of security policy and include
such controls as internal audits, audit trails, SIEM tools, intrusion detection methods, NMS,
physical inventory.

List of current or planned controls will be documented as part of this step.

Carry out Business Impact Assessment

Business Impact Analysis (BIA) will be performed to analyze how the risks may impact ITL. In
BIA, the current state of ITL will be assessed against each risk and a Risk score will be
computed for each Asset.

The risk score will be based on the magnitude of impact of the risk and the likelihood of the
risk.

The Magnitude of Risk Impact for each risk will be computed as follows:

Risk Impact Rating / Rating Description

1-Very Low, 2-Low: Impact of this risk on the business is almost nil or quite low either
in terms of the loss of tangible assets or resources or in terms of
affecting ITL’s mission, reputation or interest.

3-Medium: Impact of this risk on the business is likely to be quite less and may
result in some loss of tangible assets, resources or could slightly
affect ITL’s mission, reputation, or interest or may result in human
injury.

4-High, 5-Very High: Impact of this risk on the business is likely to be high or severe and
may result in significant loss of tangible assets or resources, or
significantly affect ITL’s mission, reputation, or interest or may
result in human death or severe injury.

For each risk, likelihood rating will be as per the following table:

Risk Likelihood Rating / Rating Description

1-Very Low: It is improbable that the vulnerabilities will be exploited as
the controls in place are considered to offer excellent
protection.

2-Low: It is unlikely that the vulnerabilities will be exploited as the
protection in place is considered to be reasonably good.

3-Medium: It is possible that the vulnerabilities will be exploited though
some protection is in place.

4-High: It is highly possible that the vulnerabilities will be exploited
as there is little or no protection in place.

5-Very High: It is almost certain that the vulnerabilities will be exploited
as there are no controls in place or it has happened in the
past.

The risk score will then be calculated as follows:

Risk score = Risk Impact Rating x Risk Likelihood Rating

The risk score will then be used to determine the Risk Value Rating as follows:

Risk Score / Risk Value Rating / Rating Description

1-8 / Low: The low level of risk does not justify additional
controls being put in place. No further action
necessary.

9-15 / Medium: Management will apply their judgement to decide
whether or not the risks are acceptable. Actions will
be taken as approved by management.

16-25 / High: Management will approve appropriate actions as a
priority.

Preparation of Risk Treatment Plan

All risks that result in LOW risk value rating shall automatically be accepted and no further
action shall be required.

All risks that result in a MEDIUM or HIGH risk value rating shall be reviewed for further
management action. The Head of IT shall review all such risks with the Asset Owners to decide an
appropriate risk treatment action.

Risks measured as HIGH will result in a business case being made to the IT security
committee with options to avoid, mitigate, accept or transfer the risk. Thus the decision on
which risks are acceptable, or not, will ultimately be recommended by the IT security
committee to management.
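
The scoring and routing rules above, worked through on a small register. This is an added example, not part of the ITL policy; the class and function names and the four register entries are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

# Bands from the Risk Score table: (lowest score, highest score, Risk Value Rating).
RISK_BANDS = ((1, 8, "Low"), (9, 15, "Medium"), (16, 25, "High"))

# Follow-up per rating, as described in the risk treatment section.
NEXT_STEP = {
    "Low": "accepted automatically, no further action",
    "Medium": "Head of IT reviews with the Asset Owner",
    "High": "Head of IT reviews with the Asset Owner; "
            "business case to the IT security committee",
}


@dataclass(frozen=True)
class RiskEntry:
    """One line of the risk register (hypothetical structure)."""
    asset: str
    risk: str
    impact: int       # 1 (Very Low) .. 5 (Very High)
    likelihood: int   # 1 (Very Low) .. 5 (Very High)


def risk_score(impact, likelihood):
    """Risk score = Risk Impact Rating x Risk Likelihood Rating."""
    for name, value in (("impact", impact), ("likelihood", likelihood)):
        if type(value) is not int or not 1 <= value <= 5:
            raise ValueError(f"{name} rating must be an integer from 1 to 5, got {value!r}")
    return impact * likelihood


def risk_value_rating(score):
    """Map a score to Low / Medium / High using the bands in the table."""
    for low, high, rating in RISK_BANDS:
        if low <= score <= high:
            return rating
    raise ValueError(f"score {score!r} is outside the 1-25 range")


def assess(register):
    """Score every entry and return rows sorted with the highest score first."""
    rows = []
    for entry in register:
        score = risk_score(entry.impact, entry.likelihood)
        rating = risk_value_rating(score)
        rows.append((score, rating, NEXT_STEP[rating], entry))
    return sorted(rows, key=lambda row: row[0], reverse=True)


# Constructed sample register; assets, risks and ratings are invented for the example.
SAMPLE_REGISTER = [
    RiskEntry("ERP server", "Unpatched critical vulnerability", 4, 4),
    RiskEntry("File server", "Inadvertent data deletion", 3, 3),
    RiskEntry("Data center", "Flood", 5, 1),
    RiskEntry("Plant network", "Long-term power failure", 2, 4),
]

if __name__ == "__main__":
    for score, rating, step, entry in assess(SAMPLE_REGISTER):
        print(f"{score:>2}  {rating:<6}  {entry.asset}: {entry.risk} -> {step}")
```

In the constructed register, the flood risk carries the highest impact rating (5) but scores 5 and is accepted automatically, which shows how the product treats high-impact, low-likelihood risks.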

Head of IT will establish and maintain the risk treatment plan in order to achieve the
identified control objectives. The risk treatment plan shall identify priorities based upon the
perceived risk, and consider funding, responsibilities, actions and estimated date of
completion.

The Risk Treatment Plan will detail the following:

• Risk, threat and vulnerability from the risk assessment
• The Asset(s) at risk if applicable
• Owner of the Risk
• Proposed management action (Avoid, Mitigate, Accept, Transfer)
• Priority for mitigation
• Proposed controls and actions to be carried out to Avoid, Mitigate risks
• Budget / resource requirement.
• Proposed time frame for completion of the proposed actions.
• Person responsible for carrying out actions.

Head of IT is responsible for tracking and chasing the progress of risk treatments, and
updating the Risk Treatment Plan with progress and updated actions. The IT Security Committee
will review the Risk Treatment Plan regularly (at least 2 times per year) and ensure that
actions are being implemented and closed in a timely manner. If required, the IT Security
Committee will discuss pending points, or points where action is slow, with the
appropriate functions to ensure actions are dealt with.

Carry out Ongoing Risk Management

ITL will carry out risk management as per risk framework on an annual basis. All new critical
information assets will be subjected to risk assessment as part of the process.

Application Security Policy


Objective:

The objective of the Application Security Policy is to avoid inadvertent release of confidential or
sensitive information, minimize risks to users and the Sonalika Group, and ensure the availability of
critical applications. To ensure application availability and reliability, all applications should be secured
regardless of the type of information they utilize.

Scope:

The Application Security Policy will apply to applications developed by Sonalika Group team or by third
party developers on behalf of SONALIKA GROUP as well as to those acquired from outside providers.
All applications will be subject to this policy regardless of whether the application is hosted on
SONALIKA GROUP data centre or elsewhere.

General Guidelines:

 To keep risk to an acceptable level, SONALIKA GROUP shall ensure that the proper security
controls will be implemented for each application. All security controls should be proportional to
the confidentiality, integrity, and availability requirements of the data processed by the
application.
 Application Lead and application developers are expected to use their professional judgment in
managing risks to the information, systems and applications they or their teams develop or get
developed.
 SONALIKA GROUP IT application Team Lead shall ensure that all developers and contractors shall
implement application security standards to have effective controls over systems they directly
manage.
 Logs for the server, application and web services should be collected and maintained in a viewable
format for a period of 3 months.
 IT Team lead shall lay out clear rules and processes for reviewing, removing, and granting
authorizations.
 Each individual user (whether a developer, administrator, or user) should have a unique set of
credentials (user name / password) for accessing a computer application.

Application Development

 Applications being developed or being modified should follow the standardized application
lifecycle established by the SONALIKA GROUP IT team Application Lead.
 Security must be included in the design, development or deployment of an application.
 Risk assessment should be conducted to ensure that the proposed application will not introduce
risk to the IT environment and Information assets.
 Secure coding practices shall be followed for all application development.
 When developing applications, input, output and processing validation assessment must be
undertaken to ensure information is not corrupted during processing.

 Developers should not develop or test an application in production systems.
 During development and testing, applications shall not have access to live production data.
 Applications will be subject to testing prior to being introduced to live environment, to ensure
that data is being processed correctly, ensuring the integrity of the data being input, processed
and output.
 Change control procedures are to be followed when implementing the application into Live
environment.
 IT Team lead shall ensure that authorizations for access to applications for individuals who have
left SONALIKA GROUP or transferred to another department, or have assumed new job duties
shall be removed / changed immediately.

Changes to Application Software

 From time to time, software patches and upgrades are issued to application software, to fix
performance and security issues, and to enhance functionality. Critical updates shall be applied
to all applicable machines in a timely manner.
 All changes to the existing standard software builds and application software shall be made in
compliance with applicable Change Control Procedures.
 All patches and upgrades to the existing standard software builds and application software will
be tested before they are applied to production environment and machines.
 The Information Security Manager will ensure that all critical patches are applied in a timely,
managed and controlled manner.

Application Maintenance

 Only authorised software maintenance personnel will be permitted to carry out maintenance
tasks.
 In case an application is maintained by 3rd party or support is required from 3rd party for a
specific period or issue, a contract and a confidentiality agreement must exist with the software
maintenance company prior to any work being carried out.
 Normal operating controls such as supervision, restriction of access to operational data, and
controls over the ability to take soft or hard copies of the data, will apply
 In case any remote access is given to 3rd party for development or maintenance of an application,
3rd party will have to follow all the IT security guidelines of SONALIKA GROUP.

Application-level Authentication

 Some applications require their own authentication within the application. Where possible, they
should not use an embedded authentication database, in order to limit the number of places
authentication information is stored. However, it is accepted that most of the chosen database
applications behave in this way.
 Where possible, applications that require authentication should be configured to use Windows
Active Directory authentication or equivalent directory service.
 The developer must ensure that default passwords on databases with embedded authentication
are changed after installation.
 Default passwords on applications must be changed on first login.
 Passwords within Applications must have the appropriate complexity as defined in the password
policy.
 Access to application system files should be controlled.
 All passwords stored in application should be encrypted.
 All web based applications should have 2 level authentication (with SMS or e-mail based OTP
being 2nd factor)
 To ensure that bots do not access the application, all web based applications should have
Captcha.
 Authenticated users should only be allowed to access the information they require
(principle of least privilege and Segregation of Duties).
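
One way to meet the stored-password and second-factor items in the list above, as an added example that is not ITL's or Sonalika Group's own code. It assumes a salted one-way PBKDF2 hash as the protected form of the stored password (so the stored value cannot be decrypted back); the iteration count, 6-digit code, 5-minute lifetime and 3-attempt limit are illustrative values that the policy does not set.

```python
import hashlib
import hmac
import secrets
import time

PBKDF2_ITERATIONS = 600_000   # assumption: work factor is not specified by the policy
OTP_DIGITS = 6                # assumption
OTP_TTL_SECONDS = 300         # assumption: code is valid for 5 minutes
OTP_MAX_ATTEMPTS = 3          # assumption: guesses allowed per code


def hash_password(password):
    """Return a self-describing record: scheme$iterations$salt$digest."""
    salt = secrets.token_bytes(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash from the stored parameters and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        rounds = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record never authenticates
    if scheme != "pbkdf2_sha256" or rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


class OtpChallenge:
    """One-time code to be delivered by SMS or e-mail as the second factor."""

    def __init__(self, now=None):
        issued = time.time() if now is None else now
        # secrets (not random) so the code is unpredictable
        self.code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.expires_at = issued + OTP_TTL_SECONDS
        self.attempts_left = OTP_MAX_ATTEMPTS
        self.used = False

    def verify(self, submitted, now=None):
        """Accept the code once, before expiry, within the attempt limit."""
        current = time.time() if now is None else now
        if self.used or current > self.expires_at or self.attempts_left <= 0:
            return False
        self.attempts_left -= 1  # every guess counts, right or wrong
        if hmac.compare_digest(submitted.encode("utf-8"), self.code.encode("utf-8")):
            self.used = True
            return True
        return False


def login(stored_hash, password, challenge, submitted_otp, now=None):
    """Both factors must pass; the OTP is only checked after the password."""
    if not verify_password(password, stored_hash):
        return False
    return challenge.verify(submitted_otp, now)
```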

Application Service Accounts

 Some applications will require a Microsoft Windows service account, application logon account
or Windows logon account. These accounts must be subject to the same security rules as the
operating system accounts.
 Accounts used by applications shall have passwords of at least 8 characters in length and require
a combination of alpha numeric text in line with policy of SONALIKA GROUP.
 IT application lead shall ensure that accounts used by applications must not use the default
password provided for that application after the installation process.
 Accounts used by applications should not use the default username provided for that application.
 Critical applications using Windows Account passwords shall be configured with the ‘Password
Never Expires’ flag set.
 Accounts used by applications shall be given the least possible privileges and rights necessary to
allow the required functionality of the applications.
 Where privileges and rights are granted to accounts used by applications, these privileges and
rights are to be reviewed on regular basis to ensure that privileges and rights that are no longer
required are removed.

Application Documentation

 IT application lead shall maintain a full inventory of all applications including authentication and
authorization systems, the data classification and level of criticality for each application.
 IT application lead will be responsible to ensure that all the documentation – technical and user
documentation – is prepared and reviewed before an application goes live.
 IT application lead will be responsible to ensure that all the documentation– technical and user
documentation – of all existing applications is kept up to date at all times and is available in a
shared folder.

Application Development Guidelines: C# Coding


Objective:

The objective of this policy is to lay down guidelines for developing software applications and class
libraries in .NET using C# as the language, so that ITL has consistent coding styles and formatting.

Scope:

These guidelines will be applicable for all software being developed, whether by the ITL IT team or by
3rd party developers.

Coding standards
Coding standards are a set of guidelines for a programming language that recommend a
programming style and the best practices to achieve it. Coding standards generally cover indentation,
comments, naming conventions, programming practices, file structure within a project, architectural
best practices etc.

ITL Software developers should follow these guidelines at all times as this will:
 Reduce the overall cost and time for software development.

 Lead to increase in productivity of developers.

 Increase the readability of source code written.

 Reduce the number of bugs

 Reduce maintenance efforts.

 Make it easier for old and new developers to maintain and modify the code.

Naming Conventions
There are three types of naming conventions generally used in C# programming:
 Pascal Convention – The first character of every word is in upper case and the other characters
are in lower case.
Example: HelloWorld

 Camel Case Convention – The first character of every word, except the first word, is upper case
and the other characters are lower case. Example: helloWorld

 Hungarian Case Convention – The data type is used as a prefix to the variable name, as developers
did long ago. This convention is not used anywhere nowadays except local variable
declaration. Example: string m_sName; string strName; int iAge;

ITL developers will be required to use Pascal Convention. Some examples are given below:
Naming Conventions

1. Class
   Description: Use Pascal conventions for defining class name
   Correct / Recommended Naming Convention:
       public class HelloWorld
       {
       }
   Wrong Naming Convention:
       public class helloWorld
       {
       }

2. Method
   Description: Use Pascal conventions for defining class name
   Correct / Recommended Naming Convention:
       public void AddNumbers(int first, int second)
       {
       }
   Wrong Naming Convention:
       public void addNumbers(int first, int second)
       {
       }

3. Interface
   Description: Use Prefix “I” with Camel Casing to define Interface
   Correct / Recommended Naming Convention:
       public interface IEmployee
       {
       }
   Wrong Naming Convention:
       public interface Iemployee
       {
       }

4. Local Variables
   Description: Use Hungarian. Meaningful, descriptive words to name variables. Do not use abbreviations
   Correct / Recommended Naming Convention:
       string firstName;
       int salary;
   Wrong Naming Convention:
       string fName;
       string name;
       string _firstName;
       int sal;

5. Member Variables
   Description: Member variables must be prefixed with underscore (_) so that they can be
   identified by other local variables and Constants
   Correct / Recommended Naming Convention:
       private IEmployee _employeeService = null;
       private UserRole userRole;
       private UserGroup userGroup;
   Wrong Naming Convention:
       private IEmployee empService = null;
       private UserRole usrRole;
       private UserGroup usrGrp;

6. Boolean variables
   Description: Prefix Boolean variables with “is” or some
   Correct / Recommended Naming Convention:
       private bool _isAccepted;
       private bool _isFinished;
   Wrong Naming Convention:
       private bool accepted;
       private bool finished;
       private bool isFinished;

7. Namespace
   Description: The namespace should be logical grouping of classes with specific pattern
   Correct / Recommended Naming Convention:
       <CompanyName>.<ProductName>.<ModuleName>
       Example:
       ABC.SchoolManagement.BusinessLayer
       ABC.SchoolManagement.DataAccessLayer
       ABC.SchoolManagement.WebUI
   Wrong Naming Convention:
       Example:
       BusinessLayer
       DataAccessLayer
       WebUI

8. File Name
   Description: Filename should match with class name i.e. Pascal name
   Correct / Recommended Naming Convention:
       public class HelloWorld
       {
       }
       The Filename must be: HelloWorld.cs
   Wrong Naming Convention:
       public class HelloWorld
       {
       }
       Filename: helloworld.cs

Control Prefix Naming Conventions

ITL developers, while developing web and Windows applications, should use prefixes for UI elements as
below:

Sr.No Control Prefix


1 Label Lbl
2 TextBox Txt
3 DataGrid Grd
4 Button btn
5 ImageButton imb
6 Hyperlink hyp
7 DropDownList ddl
8 ListBox lst
9 DataList dtl
10 Repeater rep
11 Checkbox chk
12 CheckBoxList cbl
13 RadioButton rdo
14 RadioButtonList rbl
15 Image img
16 Panel pnl
17 PlaceHolder phd
18 Table tbl
19 Validators val

Code Indentation and Comments

To ensure that code is easier to read, ITL developers are required to follow the guidelines below:

• Use the default code editor settings provided by Microsoft Visual Studio.

• Write only one statement and one declaration per line.

• Add one blank line between methods.

• Use parentheses to make the code easier to understand.

• Use XML comments to describe functions, classes and constructors.

• Use Tab for indentation.

• Use one blank line to separate logical groups of code.

• Use #region and #endregion to group related pieces of code as below:

    o Private Member
    o Private Properties
    o Public Properties
    o Constructors
    o Event Handlers/Action Methods
    o Private Methods
    o Public Methods

• Do not write comments for every line of code and every variable declared.

• Use // or /// for comments; avoid using /* … */

• If you have to use some complex logic for any reason, document it very well with sufficient comments.

• If all variable and method names are meaningful, the code will be very readable and will not need many comments.

Good Programming Practices

Following are some of the good programming practices that ITL developers should follow at all times:

• Avoid writing long functions. A typical function should have at most 40-50 lines of code. If a method has more than 50 lines of code, you must consider refactoring it into separate private methods.

• Avoid writing long class files. A typical class file should contain 600-700 lines of code. If the class file has more than 700 lines of code, you must create a partial class. The partial classes are combined into a single unit after compilation.

• Don’t put a number of classes in a single file. Create a separate file for each class.

• Avoid the use of var in place of dynamic.

• Add whitespace around operators, like +, -, ==, etc.

• Always follow the keywords if, else, do, while, for and foreach with opening and closing parentheses, even though the language does not require it.

• A method should have a meaningful name so that the name cannot mislead. A meaningful method name doesn’t need code comments.

    Good:
        private void SaveAddress(Address address) {}

    Bad:
        // This method used to save address
        private void Save(Address address) {}

• A method or function should have only a single responsibility (one job). Don’t try to combine multiple functionalities into a single function.

    Good:
        public void UpdateAddress(Address address) {}
        public void InsertAddress(Address address) {}

    Bad:
        public void SaveAddress(Address address) {
            if (address.AddressId == 0) {} else {}
        }

• Controller actions in MVC should have meaningful names, and each action should have a single responsibility only.

    Good:
        public class EmployeeController : Controller {
            public ActionResult Index() {}

            public ActionResult Create() {}

            [HttpPost]
            public ActionResult Create(EmployeeModel employee) {}

            public ActionResult Edit(int id) {}

            [HttpPut]
            public ActionResult Update(EmployeeModel employee) {}

            [HttpDelete]
            public JsonResult Delete(int id) {}
        }

    Bad:
        public class EmployeeController : Controller {
            public ActionResult GetAll() {}

            public ActionResult CreateEmployee() {}

            [HttpPost]
            public ActionResult CreateEmployee(EmployeeModel employee) {}

            public ActionResult EditEmployee(int id) {}

            [HttpPut]
            public ActionResult UpdateEmployee(EmployeeModel employee) {}

            [HttpDelete]
            public JsonResult EmployeeDelete(int id) {}
        }

In the above example the controller is already about employees, so there should be no action method name with
Employee as a prefix or extension.

• Avoid using Common Type System type names. Use the language-specific aliases.

    Good:
        int age;
        string firstName;
        object addressInfo;

    Bad:
        System.Int32 age;
        String firstName;
        Object addressInfo;

• Do not hardcode strings or numbers; instead, create a separate file for constants and put all constants into it, or declare constants at the top of the file and refer to these constants in your code.

• You can also put some constants like the database connection, logger file name, SMTP information variables etc. in the form of key and value pairs in the config file.

• Don’t hardcode strings. Use resource files.

• While comparing strings, convert string variables into upper or lower case.

    Good:
        if (firstName.ToLower() == "yogesh") {}
        if (firstName.ToUpper() == "YOGESH") {}

    Bad:
        if (firstName == "rohit") {}

• Use String.Empty instead of “”

    Good:
        if (firstName == String.Empty) {}

    Bad:
        if (firstName == "") {}

• Use enums wherever required. Don’t use numbers or strings to indicate discrete values.

    Good:
        public enum LoggerType {
            Event,
            File,
            Database
        }

        public void LogException(string message, LoggerType loggerType) {
            switch (loggerType) {
                case LoggerType.Event:
                    // Do something
                    break;
                case LoggerType.File:
                    // Do something
                    break;
                case LoggerType.Database:
                    // Do something
                    break;
                default:
                    // Do something
                    break;
            }
        }

    Bad:
        // The logger type is passed as a free-form string
        public void LogException(string message, string loggerType) {
            switch (loggerType) {
                case "Event":
                    // Do something
                    break;
                case "File":
                    // Do something
                    break;
                case "Database":
                    // Do something
                    break;
                default:
                    // Do something
                    break;
            }
        }

• The event handler should not contain the code that performs the required action. Instead, call another private or public method from the event handler. Keep the event handler or action method as clean as possible.

• Never hardcode a path or drive name in code. Get the application path programmatically and use relative paths. Use the input/output classes (System.IO) to achieve this.

• Always do a null check on objects and complex objects before accessing them.

    Good:
        public Contact GetContactDetails(Address address) {
            if (address != null && address.Contact != null) {
                return address.Contact;
            }
            // No contact available for a missing address or contact
            return null;
        }

    Bad:
        public Contact GetContactDetails(Address address) {
            return address.Contact;
        }

• Error messages shown to the end user should be user friendly and self-explanatory, but log the actual exception details using a logger. Create constants for these messages and use them in the application.

    Good:
        “Error occurred while connecting to database. Please contact administrator.”
        “Your session has been expired. Please login again.”

    Bad:
        “Error in Application.”
        “There is an error in application.”

• Avoid exposing public methods and properties unless they really need to be accessed from outside the class. Use internal if they are accessed only within the same assembly, and use private if they are used only in the same class.

• Avoid passing many parameters to a function. If you have more than 4-5 parameters, use a class or structure to pass them.

    Good:
        public void UpdateAddress(Address address) {}

    Bad:
        public void UpdateAddress(int addressId, string country, string state, string phoneNumber, string pinCode, string address1, string address2) {}

• While working with collections, be aware of the points below:

    o When returning a collection, return an empty collection instead of null when you have no data to return.
    o Always check with the Any() operator instead of checking the count (i.e. collection.Count > 0) and checking for null.
    o Use foreach instead of a for loop while traversing.
    o Use IList<T>, IEnumerable<T>, ICollection<T> instead of concrete classes, e.g. List<>.

• Use object initializers to simplify object creation.

    Good:
        var employee = new Employee {
            FirstName = "ABC", LastName = "PQR", Manager = "XYZ", Salary = 12346.25
        };

    Bad:
        var employee = new Employee();
        employee.FirstName = "ABC";
        employee.LastName = "PQR";
        employee.Manager = "XYZ";
        employee.Salary = 12346.25;

• The using statements should be sorted with framework namespaces first and then application namespaces, in ascending order.

        using System;
        using System.Collections.Generic;
        using System.IO;
        using System.Text;
        using Company.Product.BusinessLayer;

• If you are opening database connections, sockets, file streams etc., always close them in the finally block. This will ensure that even if an exception occurs after opening the connection, it will be safely closed in the finally block.

• Simplify your code by using the C# using statement. If you have a try-finally statement in which the only code in the finally block is a call to the Dispose method, use a using statement instead.

    Good:
        // FileStream implements IDisposable, so using disposes it automatically
        using (var fileToOpen = new FileStream(fileName, FileMode.Open)) {
            // File operation
        }

    Bad:
        var fileToOpen = new FileStream(fileName, FileMode.Open);
        try {
            // File operation
        } finally {
            if (fileToOpen != null) {
                fileToOpen.Dispose();
            }
        }

• Always catch only the specific exception instead of catching a generic exception.

    Good:
        void ReadFile(string fileName) {
            try {
                // read from file.
            } catch (System.IO.IOException fileException) {
                // log the error, then re-throw with the original stack trace
                throw;
            } finally {}
        }

    Bad:
        void ReadFile(string fileName) {
            try {
                // read from file.
            } catch (Exception ex) {
                // catching general exception
            } finally {}
        }

• Use the StringBuilder class instead of String when you have to manipulate string objects in a loop. The String object works in a weird way in .NET. Each time you append a string, it actually discards the old string object and creates a new object, which is a relatively expensive operation.
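An added example, not part of the ITL policy document, that applies several of the practices above together: the path is built from the application directory, only specific exception types are handled, the exception detail goes to the log, and the user sees a constant message. The names ReportReader and Reports, the message text and the use of System.Diagnostics.Trace as the logger are assumptions; the check that the resolved path stays inside the folder goes one step beyond what the list states.

```csharp
using System;
using System.Diagnostics;
using System.IO;

public static class ReportReader
{
    private const string ReportsFolder = "Reports"; // hypothetical folder under the application path
    private const string ReadFailedMessage =
        "Error occurred while reading the report. Please contact administrator.";

    // Returns the file content, or null with userMessage set when the read fails.
    public static string ReadReport(string relativeName, out string userMessage)
    {
        userMessage = null;
        try
        {
            string fullPath = ResolveInsideReports(relativeName);
            using (var reader = new StreamReader(fullPath))
            {
                return reader.ReadToEnd();
            }
        }
        // The filter limits the handler to the failures file access is expected to raise.
        catch (Exception readException) when (
            readException is IOException ||
            readException is ArgumentException ||
            readException is NotSupportedException ||
            readException is UnauthorizedAccessException)
        {
            // Full detail for the log, constant text for the user.
            Trace.TraceError("Report '{0}' could not be read: {1}", relativeName, readException);
            userMessage = ReadFailedMessage;
            return null;
        }
    }

    private static string ResolveInsideReports(string relativeName)
    {
        if (string.IsNullOrWhiteSpace(relativeName))
        {
            throw new ArgumentException("No report name given.", "relativeName");
        }

        // Application path obtained programmatically; no drive letter in code.
        string root = Path.GetFullPath(
            Path.Combine(AppDomain.CurrentDomain.BaseDirectory, ReportsFolder));
        string fullPath = Path.GetFullPath(Path.Combine(root, relativeName));

        // A name such as "..\web.config" or an absolute path must not leave the folder.
        // Case-insensitive comparison assumes a Windows file system.
        string rootPrefix = root.TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        if (!fullPath.StartsWith(rootPrefix, StringComparison.OrdinalIgnoreCase))
        {
            throw new UnauthorizedAccessException("Path leaves the reports folder.");
        }
        return fullPath;
    }
}
```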

Architecture Design Level Guidelines

Following are some of the architecture design level guidelines that ITL developers should follow at all times:

• Always use multi-tier (N-Tier) architecture.

• Implement loosely coupled architecture using interfaces and abstract classes.

• Use of generics would help you to make reusable classes and functions.

        public class MyClass<T> where T : SomeOtherClass {
            public void SomeMethod(T t) {
                SomeOtherClass obj = t;
            }
        }

• Separate your application into multiple assemblies. Create separate assemblies for UI, Business Layer, Data Access Layer, Framework, Exception handling and Logging components.

• Do not access the database from UI pages. Use the data access layer to perform all tasks which are related to the database.

• Always use stored procedures instead of writing inline queries in C# code.

• Always use a transaction in database operations like Create, Update, and Delete. This helps to roll back to the old data if an exception occurs during execution of the SQL statement.

• Don’t put complex logic inside stored procedures; put it into the business layer instead.

• Don’t use “sp” or “sp_” as a prefix for user-defined stored procedures, and similarly don’t use “fn” or “fn_” as a prefix, as all system-level procedures start with “sp” and functions start with “fn”, which adds overhead to the search for procedures.

• For installing the database on a client machine, use installer SQL scripts.

• Try to use design patterns, practices and SOLID principles.

• For repeated code, create a separate utility file or move it to a base class.

• Use try-catch-finally in your data layer to catch all database exceptions. This exception handler should record all exceptions from the database. The details recorded should include the name of the command being executed, stored proc name, parameters, connection string used etc. After recording the exception, it could be rethrown to the caller layer so that the application can catch it and show the user a specific message on the UI.

• Don’t store large objects in Session. Storing large or complex objects in session may consume server memory. Destroy or dispose of such session variables after use.

• Don’t store large objects in view state; this will increase the page load time.

• Always reference third-party DLLs, JavaScript and CSS frameworks through NuGet packages so that you can update to the latest version whenever required.

• Always reference the minified version of JavaScript or CSS files; this will reduce unnecessary overhead to the server.
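An added example, not part of the ITL policy document, of a data access layer method that follows the database guidelines above: a stored procedure with typed parameters, a transaction, and an exception handler that records the failure and rethrows. EmployeeRepository, Employee_UpdateSalary, the parameter names, System.Data.SqlClient as the provider and System.Diagnostics.Trace as the logger are assumptions; the handler records the server and database name instead of the full connection string so that credentials stay out of the log.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Diagnostics;
using System.Linq;

namespace ABC.SchoolManagement.DataAccessLayer
{
    public class EmployeeRepository
    {
        // Hypothetical procedure name, without an "sp" or "sp_" prefix.
        private const string UpdateSalaryProcedure = "Employee_UpdateSalary";

        private readonly string _connectionString;

        public EmployeeRepository(string connectionString)
        {
            _connectionString = connectionString;
        }

        public void UpdateSalary(int employeeId, decimal salary)
        {
            using (var connection = new SqlConnection(_connectionString))
            using (var command = new SqlCommand(UpdateSalaryProcedure, connection))
            {
                command.CommandType = CommandType.StoredProcedure;
                // Values travel as typed parameters, never as concatenated SQL text.
                command.Parameters.Add("@EmployeeId", SqlDbType.Int).Value = employeeId;
                command.Parameters.Add("@Salary", SqlDbType.Decimal).Value = salary;
                try
                {
                    connection.Open();
                    // Disposing a transaction that was not committed rolls it back.
                    using (var transaction = connection.BeginTransaction())
                    {
                        command.Transaction = transaction;
                        command.ExecuteNonQuery();
                        transaction.Commit();
                    }
                }
                catch (SqlException databaseException)
                {
                    LogFailure(command, databaseException);
                    throw; // the caller layer decides what the user sees
                }
            }
        }

        private void LogFailure(SqlCommand command, SqlException databaseException)
        {
            // Server and database name only: the full connection string can hold a password.
            var builder = new SqlConnectionStringBuilder(_connectionString);
            string parameterNames = string.Join(", ",
                command.Parameters.Cast<SqlParameter>().Select(p => p.ParameterName));
            Trace.TraceError("Procedure {0} failed on {1}/{2}; parameters: {3}; error {4}: {5}",
                command.CommandText, builder.DataSource, builder.InitialCatalog,
                parameterNames, databaseException.Number, databaseException.Message);
        }
    }
}
```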


LIST OF ANNEXURES

• Data Sharing Format
• Change Request
• Incident Management Response and Resolution Time based on Severity Ratings
• Incident Management Reporting – Escalation Matrix and Contact Details
• Call Matrix In Case of fire
• Format for Root Cause Analysis
• Format for Remote Access


Annexure 1

Format for Request of sharing of data

DESIGN DATA SHARING FORMAT
Doc No.:        Rev No.:        Page : 1 of 1

SUBJECT:-        DATE:-
PROJECT :-
NAME OF VENDOR / DEPT :-
DATA SENT TO :-
CONCERN PERSON NAME:-
CONCERN PERSON DETAIL:-
TYPE & SIZE OF DATA:-
DETAIL DESCRIPTION OF DATA:-
NOTE / REMARK:-

SIGN – OFF
SIGN:-
REQUESTER        SECTION HEAD        HOD - DEPT        HEAD - R&D        Management Approval


Annexure 2

Format for Change Request

Change Control Form        New Request / Amendment

To be filled by the Requester - Incomplete form will not be processed        Form No

Requester Name        Date
Department
Contact Number
Description of Requirement
Purpose of the Requirement
Priority of the Requirement        □ High □ Medium □ Low
Reason for priority

                Name        Signature        Date
Requester
HOD IT


Annexure 3

Incident Management Response and Resolution Time based on Severity Ratings

Severity / Response and Resolution time / Details

P1
   Response Time: 15 minutes
   Resolution Time: 2 hours
   Details: A problem which has mass impact to users. Critical location like Production Lines, design, Dispatch, Material Gate, Sales, etc. Management users (VC Sir, MD Sir, ED Sir, Director Sir, Director Ma’am.)

P2
   Response Time: 30 minutes
   Resolution Time: 4 hours
   Details: A problem in which system (Server /application) is running but slow performance is observed or it impacts a particular system or user.

P3
   Response Time: 30 minutes
   Resolution Time: 1 Day / Best Effort basis
   Details: A problem related to the installation, movement, upgrade/ changes in hardware, software, network etc.


Annexure 4

Incident Management Reporting – Escalation Matrix and Contact Details

Level 1 Level 2 Level 3 Final


Location Field
Escalation Escalation Escalation Escalation

Vikrant Rana
IT Helpdesk Rajneesh Sharma
Varun Sharma
Dharamveer
Data Center Navdeep Sharma
Parmar
Network Ankit Bhavra Aman Sood
Ankit Bhavra
Hoshiarpur Security Bhavna Kapoor Aman Sood Vishal Jasuja Sunil Kumar
Shikha Sehgal
Design
Jagdeep Kalia Sunil Sharma
Application
SAP Gaurav Sharma Ranjit Seera
Manjit Kumar
Application Ranjit Seera

Sourabh Singh
IT Helpdesk Varun Sharma
Pradeep Singh
Sourabh Singh
Dharamveer
Data Center Navdeep Sharma
Noida Parmar Vishal Jasuja Sunil Kumar
Sunil Sharma
Design
Sourabh Singh Sunil Sharma
Application
Retail Apps Arbind Kumar Vivek Garg

IT Helpdesk Manoj Dubey Varun Sharma


Manoj Dubey Dharamveer
IB / Vasant Data Center
Navdeep Sharma Parmar Vishal Jasuja Sunil Kumar
Kunj
Design
Manoj Dubey Sunil Sharma
Application


DMS Application Girish Nagraj Ranjit Singh


Name Contact Email


Aman Sood 9914011105 [email protected]
Ankit Bhavra 8557801010 [email protected]
Arbind Kumar 8882863756 [email protected]
Dharamveer Parmar 9115527801 [email protected]
Gaurav Sharma 9115527800 [email protected]
Girish Nagraj 8130697705 [email protected]
Jagdeep Kalia 9115527804 [email protected]
Manjit Kumar 9115527799 [email protected]
Manoj Dubey 9873278304 [email protected]
Navdeep Sharma 9855006002 [email protected]
Pradeep Singh 9990084821 [email protected]
Rajneesh Sharma 9115527808 [email protected]
Ranjit Seera 9855429601 [email protected]
Bhavna Kapoor 9115504932 [email protected]
Shikha Sehgal 9115504927 [email protected]
Sourabh Singh 9870553238 [email protected]
Sunil Sharma 8196900951 [email protected]
Varun Sharma 9855613580 [email protected]
Vikrant Rana 7009090379 [email protected]
Vivek Garg 9717476985 [email protected]
Vishal Jasuja 9914118055 [email protected]
Sunil Kumar 9310312056 [email protected]


Annexure 5

Call Matrix In Case of fire


Annexure 6

Format for Root Cause Analysis

Report Prepared By: Date of Report:


Department
Section:

Description of Incident:

Root Cause of Incidence:

Impact of Incidence:

Date of Incidence Occurrence:


Time of incidence Occurrence:
Place of incidence Occurrence:
Incidence Reported By:

Corrective Action Taken:

Equipment / Personal Casualties:

Incident Resolution:

Preventive Action from Learnings:

Name Sign Date


IT Admin
IT H.O.D


Annexure 7

Format for Remote Access

Remote Access Form        New Request / Amendment

To be filled by the Requester - Incomplete form will not be processed        Form No

Requester Name        Date
Department
Contact Number
System for which Remote Access Required
Reason for Access:
Date from which Access is Required
Date till which Access is Required

                Name        Signature        Date
Requester
HOD IT
