
Information Technology Department

POLICIES AND PROCEDURES MANUAL

By: Eng. Osama I. Malla


SUMOU Holding Company
IT Policy and Procedures Manual

Table of Contents

• Introduction
• Acquisition Policy
• IT Security Policy
• Change Control Policy
• Password Policy
• Anti-virus Policy
• Computer Policy
• Technical support policy
• Computer Usage Policy
• Name Convention Policy

Page 2 of 32

Introduction
• Purpose

1. The purpose of this manual is to define and communicate the policies and procedures applicable
to the Information Technology function of SUMOU Holding. The policies and procedures contained
in this manual are aligned with management’s long-term business objectives and strategies and
serve as a guide for decisions relating to the management of the Information Technology
function.
2. It is intended to be an operational guideline for all employees in the Information Technology
Department. Employees who receive this manual are expected to fully apply the policies and
procedures contained in this manual in their day-to-day activities.

• Scope

The contents of this manual are applicable to all the personnel of the company in its entirety. Any
exception to the policies contained herein shall be approved by the CEO.

• Responsibility

It shall be the responsibility of the IT Manager to ensure that the policies and procedures outlined in
this manual are implemented.

• Distribution

Management considers the information contained in this manual to be confidential.
The distribution of the manual should be controlled and it should be made available only to persons
authorized by the CEO. No contents of this manual shall be copied or otherwise reproduced except with
the prior written approval of the CEO, VP Support Services & IT Manager.


• Review and Update

1. The enclosed Manual should be reviewed on a yearly basis by the Information Technology
Manager, and any changes made should be finally approved by the CEO and VP. The Manual may
be revised appropriately, taking into consideration changes in regulations and in the internal &
external environment.
2. When amendments and revisions are made, they will specify the policy which they supersede.
These amendments will be distributed among the list of employees authorized to view such
policies.

• Organization of the Policies and Procedures Manual

1. This manual is organized by chapters. In other words, policies have been grouped together
according to the chapters. Policies have been further divided into sections, when necessary, to
organize the related activities.
2. Forms and appendices are attached at the end of the manual with individual numbers allocated
to each form and appendix.
3. The purpose of each unit, and the responsibilities of various individuals are documented at the
beginning of the policy.

• Definitions and Abbreviations

1. CEO – Chief Executive Officer.
2. VP – Vice President.
3. IT Manager – Information Technology Manager.
4. Portable devices: Floppy, PDA, USB, personal laptops, Infrared, Bluetooth and wireless devices.


CHAPTER-1

1. Acquisition Policy
1.1 Purpose:

1.1.1 IT assets refer to tangible assets that are held for use in serving the business process
through use of applications and other programs that reside on them and are expected to
be used for more than three years.
1.1.2 The purpose of this statement is to ensure the availability of necessary IT assets to meet
various operational needs and to control the process of acquisition of IT assets and related
expenditure.

1.2 Responsibility:

The IT Manager shall be responsible for estimating the company's IT asset requirements in
coordination with other divisions and for overseeing the process of acquisition,
maintenance and safeguarding of fixed assets. He shall also be responsible for coordinating
the purchase of IT assets.

1.3 Policy Statements:

1.3.1 All IT asset requirements will be estimated and budgeted. The acquisition of IT assets
shall be planned in advance in accordance with approved capital expenditure budget. A
provision for unexpected purchases shall be included.
1.3.2 All purchases of IT assets must be approved by IT Manager or appropriate authority in
accordance with the company's authority matrix.
1.3.3 Record of IT assets owned by the company shall be maintained by the IT department
with details of the location and custody of the assets. It must also be ensured that the IT
assets are easily identifiable and traceable to the records maintained for the assets. The
records shall be integrated with the fixed asset records of the company that are
maintained by the finance department.


1.3.4 All the IT assets of the company shall be tagged by the IT department in coordination with
the Finance department. Tagging of the assets should be done in a manner which facilitates
identification and verification.
1.3.5 The IT assets owned by the company must be physically verified at least once in two
years and reconciled with the records of fixed assets.

1.4 Receipt of Fixed Assets:

1.4.1 IT staff receive the invoice, check it against the fixed assets, tag the assets,
and forward the invoice to the IT Manager.
1.4.2 The IT Manager verifies the delivery note and approved P.O., and approves the invoice if
all the documents are satisfactory. The IT Manager forwards the documents to
Administration along with a copy of the P.O. and retains a copy.
1.4.3 IT Manager shall designate the place for location of the asset.

1.5 Physical Verification of Fixed Assets:

The physical verification of fixed assets shall be conducted by the Finance department. The HR
and Administration Department shall provide all necessary assistance in the conduct of the physical
verification.

1.6 PC Request for new Employees:


The type of PC (laptop, desktop and Apple) will be defined according to work productivity and
type of work.


CHAPTER-2

2. IT Security Policy
2.1 Purpose:

The purpose of this policy document is to describe rules for providing user access to Information
System resources that reside within SUMOU Holding networking environment. This policy covers
user access, remote access and physical access controls to all Information systems within the
company. This policy applies to all computer and data communication systems owned by and/or
administered by SUMOU Holding.

2.2 Responsibility:

2.2.1 The IT Manager shall be responsible for supervising the company's IT security requirements in
coordination with the IT staff and for overseeing the process.
2.2.2 Department/Division managers shall be responsible for deciding on the user access
requirements based on the job role and approving the rights to be granted to their respective
staff.
2.2.3 IT Staff will be responsible for physically implementing the access rights.

2.3 Policy Statement:

2.3.1 Access to all information systems within the company would be restricted to valid and
authorized users.
2.3.2 All access should be allocated on a “usage” based approach where users only have access to
resources that they require for the purpose of performing their work.
2.3.3 Granting, revoking, gaining and restricting user access to the Company’s systems should be
governed by the procedures mentioned below.

2.4 Procedural steps for gaining user access to Information System Resources:

2.4.1 All users must be positively identified prior to being able to use any multi-user computer or
communications system resources. Positive identification for internal SUMOU Holding
networks involves both a user-ID and a fixed password, both of which are unique to an
individual user.


2.4.2 The log-in process for network-connected SUMOU Holding computer systems must simply
ask the user to log in, providing prompts as needed. Information about the organization
must not be provided until a user has successfully provided both a valid user-ID and a valid
password. The IT Manager is responsible for restricting access to that information. This
information should be kept to a minimum.
2.4.3 If there has been no activity on a computer terminal, workstation, or computer for a certain
period of time, the system must automatically blank the screen and suspend the session.
Re-establishment of the session must take place only after the user has provided a valid
password. The period of time is fifteen (15) minutes. Users should have the ability to activate
a screen saver if they need to leave the room for a period of time. The screen saver should be
unlocked by password.
2.4.4 Users should be prohibited from logging into any SUMOU Holding system or network
anonymously (for example, by using "guest" user-IDs). If users employ systems facilities
which allow them to change the active user-ID to gain certain privileges, they must have
initially logged in employing a user-ID that clearly indicates their identity.

Procedural steps for granting system privileges:

2.4.5 Access requests for new user-IDs and modification of privileges must be in writing and
approved by the user's department manager and/or Audit before the IT Manager fulfills these
requests. To help establish accountability for events on the related systems, documents
(perhaps in electronic form) reflecting these requests must be retained for a period of at least
five years.
2.4.6 Individuals who are not SUMOU Holding employees must not be granted a user-ID or
otherwise be given privileges to use SUMOU Holding computers or communications
systems unless the advance written approval of a department head has been obtained.
2.4.7 Privileges granted to users who are not SUMOU Holding employees must be granted for
periods of 30 days or less and can be renewed.
2.4.8 Special system privileges must be restricted to those directly responsible for systems
administration and/or systems security. Similarly, configuration changes, operating system
changes, and related activities that require "root" privileges must be performed by IT
Manager, NOT end-users.

2.4.9 All users wishing to use SUMOU Holding internal networks, or multi-user systems that are
connected to SUMOU Holding internal networks, must sign a compliance statement prior to
being issued a user-ID. The latter process must be performed for all the existing users and
new users. A signature on this compliance statement indicates the involved user understands
and agrees to abide by SUMOU Holding policies and procedures related to computers and
networks (including the instructions contained in this document and the User Guidelines
Policy).
2.4.10 High level privileges on system resources (for example “root” access on Unix systems and
“ADMINISTRATOR” access on Windows NT Systems) should remain only with IT Staff
and IT Manager.
2.4.11 All Administrator passwords must be kept confidential in a sealed envelope with the IT
Manager and changed every 90 days. Administrator passwords are not to be shared with
anyone besides the IT staff, and such passwords must be a minimum of 8 characters with a
combination of uppercase, lowercase, numbers and/or symbols.
2.4.12 Only licensed copies of applications can be installed on end user computers.

2.5 Procedural steps for revoking system access:

2.5.1 All user-IDs must automatically have the associated privileges revoked, where the individual
system allows it, after a period of inactivity of one week.
2.5.2 IT Staff should restrict the system so as not to allow users to test, or attempt to compromise
computer or communication system security measures unless specifically approved in
advance and in writing by the IT Manager.
2.5.3 The system privileges granted to users must be reevaluated by management every year. In
response to feedback from management, IT Staff must promptly revoke all privileges no
longer needed by users.
2.5.4 Human Resources and Administration Department must promptly report all significant
changes in staff duties or employment status to the IT department responsible for user-IDs
associated with the involved persons.
2.5.5 Third parties having access to the company’s systems should inform the company
about terminations a week prior to such terminations.

2.6 Procedure for Restricting System Access:

2.6.1 The computer and communications system privileges of all users, systems, and
independently operating programs (such as "agents") must be restricted based on a
need-to-know basis. This means that privileges must not be extended unless a legitimate
business-oriented need for such privileges exists.
2.6.2 Default user file permissions must not automatically allow anyone on the system (for
example, on Windows systems, the "world") to read, write, or execute a file. Although users
may reset permissions on a file-by-file basis, such permissive default file permissions are
prohibited.
2.6.3 IT Staff must ensure that users with computers are responsible for administering a screen
saver program securing access to their machine's hard disk drive, and setting passwords for
all applications and systems software that provide the capability.

2.7 Procedural steps for governing physical access:

2.7.1 All SUMOU Holding network equipment must be physically secured with anti-theft devices
if located in an open office environment. Additional physical access control should also be
used for these devices. Local area network servers must be placed in locked cabinets, locked
closets, or locked computer rooms. IT department staff should be the only staff to use the
computer room and vendors can access the room only with prior approval from the IT
Manager.
2.7.2 All networking equipment should be stored in appropriately defined storage rooms that have
air-conditioning, fire protection, static protection, surge protection etc.
2.7.3 Access cards are required before gaining access to rooms which store networking and
systems equipment. Access to these rooms should be enforced in such a way that each user
has their own unique access cards. Logging mechanisms need to be in place to track
individual user activity into and out of these rooms.
2.7.4 Lockable cabinets should be used to store all networking and systems equipment that provide
services for the Company and do not require user interaction.


CHAPTER-3

3. Change Control Policy


3.1 Purpose:

The purpose of this policy document is to establish management direction, procedures, requirements
and guidelines to ensure that any changes to information systems will be well documented and made
in an appropriate manner according to strict rules defined in detailed procedures. This policy covers
all Information systems (Workstations, Servers, Networks within the company as well as all
Applications and data used by employees to perform daily duties).

3.2 Responsibility:

3.2.1 IT Manager shall be responsible for appropriately controlling changes and approving all
changes to be implemented in the information systems that include operating system(s),
network and applications.
3.2.2 Administration: Department/Division managers shall be responsible for approving changes
to the application requested by the staff from their departments.
3.2.3 IT Staff will be responsible for physically implementing the requested changes in the
operating system, network and applications.

3.3 Policy Statement:

Changes that are made to the configuration or functionality of all Information Technology Systems
within the Company should follow the change control process and procedures that have been
outlined below.

3.4 Procedural steps for guidelines to Management:

3.4.1 A formal change procedure must be developed for every change or significant modification of
any component of the existing information system to ensure that only authorized changes are
made. This procedure must be followed for all significant changes to software, hardware,
communications links, and procedures. This procedure must also be followed in the case of
any change to data.
3.4.2 All new applications or updates should have approval from management before
implementing into the information system.


3.4.3 All support manuals and materials provided to the end users during implementation or
upgrading software must have approval from management.

3.5 Procedural steps for guidelines to Administrators:


3.5.1 All changes made to systems must be reflected in documentation prior to the changes being
implemented.
3.5.2 Periodic checks of end users' computers for unauthorized applications must be performed.
3.5.3 Periodic reviews of operating systems must be conducted to ensure that only authorized
changes have been made.
3.5.4 Operating systems must be updated regularly when a new patch or service pack is available
(especially for network systems).
3.5.5 Trap doors and unauthorized ways of access to applications and databases must be removed
to ensure that every action in the system is registered and easy to identify later on.
3.5.6 If any software is developed internally by the Company there must be procedures for such
activities which will include all stages of developing an application (designing, writing
source code, testing and implementing).
3.5.7 Updates of software developed externally should follow the same procedures for applications
developed internally.
3.5.8 Prior to being placed into production use, each new or significantly modified/enhanced
business application system must include a brief security impact statement which has been
prepared according to standard procedures.
3.5.9 Changes to SUMOU Holding internal networks include loading new software, changing
network addresses, reconfiguring routers, adding new IP addresses, etc. With the exception
of emergency situations, all changes to SUMOU Holding computer networks must be
documented in a work order request, and approved in advance by the IT Manager.


CHAPTER-4

4. Password Policy
4.1 Purpose:

The purpose of this policy document is to describe guidelines for the use of user passwords which
provide logical access to Information Technology resources throughout the company. This policy
covers user password controls for all Information systems within the Company. This policy applies
to all computer and data communication systems owned by and/or administered by SUMOU.

4.2 Responsibility:

IT Staff will be responsible for physically implementing the password policy pertaining to the
procedures explained below in the operating system, network and applications.

4.3 Policy Statement:


4.3.1 All users within the company should choose their account passwords with the guidelines
described below in mind.
4.3.2 The following procedures should be followed by users and IT Staff when choosing or
changing passwords:
• User Password Procedures and Standards.
• System Password Procedures and Standards.

4.4 User Password Procedures and Standards

4.4.1 Users must choose passwords which are difficult-to-guess. This means that passwords must
NOT be related to one's job or personal life. For example, car license plate number, spouse's
name, must not be used. This also means passwords must not be a word found in the
dictionary or some other part of speech. For example, proper names, places, technical terms,
and slang must not be used. Where such systems software facilities are available, users must
be prevented from selecting easily-guessed passwords.
4.4.2 Users can choose easily-remembered passwords that are at the same time difficult for
unauthorized parties to guess if they:
• string several words together (the resulting passwords are also known as
"passphrases"),
• shift a word up, down, left or right one row on the keyboard,


4.4.3 Users must not construct passwords that are identical or substantially similar to passwords
they have previously employed. Where systems software facilities are available, users must
be prevented from reusing previous passwords.
4.4.4 Users must not construct passwords using a basic sequence of characters that is then partially
changed based on the date or some other predictable factor.
4.4.5 Passwords must not be written down and left in a place where unauthorized persons might
discover them. Aside from initial password assignment and password reset situations, if there
is reason to believe that a password has been disclosed to someone other than the authorized
user, the password must be immediately changed.
4.4.6 All passwords must be immediately changed if they are suspected of being disclosed, or
known to have been disclosed to anyone besides the authorized user.

4.5 System Password Procedures and Standards:

4.5.1 All computers permanently or intermittently connected to SUMOU Holding networks must
have password access controls.
4.5.2 Computer and communication system access control must be achieved via passwords which
are unique to each individual user. Access control to files, applications, databases,
computers, networks, and other system resources via shared passwords (also called "group
passwords") is prohibited.
4.5.3 Wherever systems software permits, the initial passwords issued to a new user by IT Staff
must be valid only for the new user's first on-line session. At that time, the user must be
forced to choose another password. This same process applies to the resetting of passwords
in the event that a user forgets a password.
4.5.4 All vendor-supplied default passwords must be changed before any computer or
communications system is used for SUMOU Holding business.
4.5.5 Passwords must not be stored in readable form in batch files, automatic log-in scripts,
software macros, terminal function keys, in computers without access control, or in other
locations where unauthorized persons might discover them.
4.5.6 Whenever system security has been compromised, or even if there is a convincing reason to
believe that it has been compromised, the involved IT Staff must immediately:
• reassign all relevant passwords, and
• force every password on the involved system to be changed at the time of the next log-in.
4.5.7 If systems software does not provide the latter capability, a broadcast message must be sent
to all users telling them to change their passwords.


4.5.8 Default passwords given to user accounts must comply with the password guidelines in this
document.
4.5.9 Blank passwords for user accounts on any system are strictly prohibited.
4.5.10 Password access on all systems should have a minimum password length (8 – 10 characters)
defined, should enforce password changes every 90 days and should maintain a password
history (wherever possible).
4.5.11 New users should be forced to change their passwords the first time that they log into the
network.
4.5.12 The system should be set to store password history to a minimum of six previous passwords.


CHAPTER-5

5. Anti-virus Policy
5.1 Purpose:

The purpose of this policy document is to establish management direction, procedures, and
requirements to ensure the appropriate protection of internal systems of the Company against viruses.
This policy covers all Information systems within the Company that are used to receive Electronic
Mail, upload software from physical and portable devices or use software downloaded from the
Internet. This policy applies to all computer and data communication systems owned by and/or
administered by SUMOU. Protecting information resources against infection with computer viruses
is important to minimize disruptions in daily operations and to prevent embarrassment from virus
contamination with SUMOU Information resources or services.

5.2 Responsibility:

IT Staff will be responsible for ensuring compliance pertaining to the procedures explained below
in the operating system, network and applications.

5.3 Policy Statement:

IT Staff will comply with the rules and guidelines described below regarding:
• Computer Configurations.
• Software distributed by the Company.
• Monitoring Virus activity.
• Anti-virus Maintenance.

5.4 Computer Configurations:

5.4.1 Virus checking programs installed by the IT department must be continuously enabled on all
computers.
5.4.2 To promptly detect and prevent the spread of computer viruses, all SUMOU computers must
run anti-virus software. Anti-virus software must be continuously enabled and run daily on
all personal computers. It should be configured to execute online virus scanning. Where this
is not possible, virus scanning software should be executed at least weekly. Network Servers
are to be scanned at least each night.


5.4.3 All software running on computers should be write-protected, such that an error will be
generated if a computer virus tries to modify the software. An exception to this policy will
be made in those cases where the software must modify itself in order to execute.
5.4.4 All new computers which have pre-installed software should go through a virus scanning
exercise before being used.
5.4.5 Disks and portable devices should not be left in the disk drive of disk based computers at
boot-up time.

5.5 Anti-virus Software Maintenance:

5.5.1 SUMOU maintains a site license for virus protection software that allows the company to
install this software on all computers.
5.5.2 Updates to virus scanning software and virus images will be provided at least weekly or as
needed to address specific viruses.

5.6 Monitoring of Virus Activity:

Details regarding virus incidents should be logged. Such a log should record details of the user
who received the virus, how the virus came into the company and possible ways in which the
virus may have spread before being found.

5.7 Anti-virus Procedural Guidelines for Administrators:

5.7.1 PCs [stand-alone or laptops] should be protected with an on-access scanner, to provide the
first layer of protection 'in-depth' [rather than at the perimeter]. The on-access scanner will
scan disks and files before they are used. The on-access scanner runs in the background
[requiring no action on the part of the user]. The user will be given a pop-up warning, to
identify the virus; and the user will not be able to use the infected disk or file. Software may
be configured to auto-disinfect, so that disks and files may be cleaned automatically, on
detection. This makes anti-virus management easier (virus removal is carried out
automatically, rather than by a member of the IT Department). Where possible, software may
be configured to log all virus incidents, allowing the IT Department to monitor all virus
incidents.
5.7.2 Media drives should be disabled from personal computers and servers that do not require
them.


CHAPTER-6

6. Computer Policy
6.1 Purpose:
The purpose of this policy document is to describe rules for configuring all computers that belong to
SUMOU. This policy statement provides specific instructions on the ways to secure both
computers (PCs and servers) and SUMOU data (information) resident on computers. This policy
covers administration guidelines for configuring all computers within SUMOU. This policy
applies to all computer and data communication systems owned by and/or administered by SUMOU.

6.2 Responsibility:

6.2.1 IT Manager shall be responsible for ensuring compliance to this policy by effectively
monitoring if the procedures have been implemented.
6.2.2 IT Staff will be responsible for physically implementing the requested changes in the
operating system, network and applications.

6.3 Policy Statement:

6.3.1 SUMOU computers must only be used in a secure environment. An environment is
considered to be secure when appropriate controls have been established to protect the
software, hardware, and data. These controls must provide a measure of protection
commensurate with the sensitivity of the data and the nature of anticipated risks.
6.3.2 All users of computers must comply with the rules defined regarding the following security
aspects:
• Configuration Rules.
• Hardware Security.
• Software Security.
• Data Security.

6.4 Hardware Security:

6.4.1 Computers must be protected against environmental hazards (for example, electromagnetic
radiation, dust, fire, and water leaks).
6.4.2 Computer equipment should be physically protected to lessen the risks of theft, destruction,
and/or misuse. Suggested techniques to lessen these risks include housing the equipment in
a locked room, physically locking the equipment to its workstation, or providing guard
service or other physical security to protect the premises containing computers.
6.4.3 The use of portable devices on employee PCs will be disabled to keep important data inside the company.


6.5 Data Security:

6.5.1 Data security safeguards must be commensurate with the level of sensitivity of the data stored
on a computer system.
6.5.2 All copies of sensitive data stored on diskettes must be labeled "sensitive" and stored in a
physically-secured location (whether off-site or in the office).
6.5.3 Sensitive data displayed on a computer screen must be protected from unauthorized viewing
via screen saver programs, access control programs, and the arrangement of office furniture.
6.5.4 Data downloaded must be protected in the manner warranted by its sensitivity.

6.6 Configuration Rules for Servers and Network devices (routers, switches, …):

6.6.1 Network devices and servers must be configured according to best security practices that are
defined in Security standards and configuration guidelines. These practices include limiting
access; running network services strictly on a need-for-usage basis; limiting trust
relationships; regularly updating versions of operating system software; limiting system
access on a need-to-know basis; using password and authentication controls that follow
the Password and Access Policy for all users; and creating logging and audit facilities
wherever possible.
6.6.2 Although IT Staff are not required to promptly load the most recent version of operating
systems, they are required to promptly apply all security patches to the operating system that
have been released by either:
• knowledgeable and trusted user groups,
• well-known systems security authorities, and
• the operating system vendor.
Only those systems security tools supplied by these sources or by commercial software firms may
be used on SUMOU computers and networks.

CHAPTER-7

7. IT Technical Support policy


7.1 Purpose:

To provide a single point of contact for computer users through IT Helpdesk portal, telephone or email
requests for assistance relating to computer hardware and software installations and problems.

7.2 Responsibilities:
7.2.1 The IT Manager is responsible for reviewing and monitoring closed helpdesk tickets.
7.2.2 IT Staff are responsible for working with users until their problems are resolved.

7.3 SUMOU procedure with regard to IT Technical Support is as follows:

7.3.1 A ticket is opened through the IT Portal using “Email – Website – Phone”.
7.3.2 The ticket will be categorized as “General Request – Software Issue – Hardware Issue –
System and Network Issue – IP Phone Issue – Web Hosting Issue”.
• General Request “Toner Request – New Joiner – Arrange Meeting - …..”
• Software Issue “Install – Clean – Configure Email - …..”
• Hardware Issue “Arrange Laptop – Fix – Arrange Printer - …….”
• System and Network Issue “Server issue – Network Issue – VOIP - …”
• IP Phone Issue “Telephone Issue – Manage Ext. - …”
• Web hosting Issue “Site Down – add – Remove - ….”

CHAPTER-8

8. Computer Usage Policy


8.1 Purpose:
8.1.1 To remain competitive, better serve our customers and provide our employees with the
best tools to do their jobs, SUMOU makes available to our workforce access to one or
more forms of electronic media and services, including computers, e-mail, telephones,
voicemail, fax machines, external electronic bulletin boards, wire services, online
services, intranet, Internet and the World Wide Web.
8.1.2 SUMOU encourages the use of these media and associated services because they can
make communication more efficient and effective and because they are valuable sources
of information about vendors, customers, technology, and new products and services.
However, all employees and everyone connected with the organization should remember
that electronic media and services provided by the company are company property and
their purpose is to facilitate and support company business. All computer users have the
responsibility to use these resources in a professional, ethical, and lawful manner.
8.1.3 To ensure that all employees are responsible, the following guidelines have been
established for using e-mail and the Internet. No policy can lay down rules to cover every
possible situation. Instead, it is designed to express SUMOU philosophy and set forth
general principles when using electronic media and services.

8.2 Prohibited communications:

Electronic media cannot be used for knowingly transmitting, retrieving, or storing any
communication that is:
1. Discriminatory or harassing;
2. Derogatory to any individual or group;
3. Obscene, sexually explicit or pornographic;
4. Defamatory or threatening;
5. In violation of any license governing the use of software; or
6. Engaged in for any purpose that is illegal or contrary to SUMOU, country and
government regulations.
8.3 Personal use:

The computers, electronic media and services provided by SUMOU are primarily for business
use to assist employees in the performance of their jobs. Limited, occasional, or incidental use
of electronic media (sending or receiving) for personal, non-business purposes is understandable
and acceptable, and all such use should be done in a manner that does not negatively affect the
systems' use for their business purposes. However, employees are expected to demonstrate a
sense of responsibility and not abuse this privilege.

8.4 Individual SUMOU user responsibilities for Computers:

8.4.1 Smoking, eating, or drinking while using a computer system is strongly discouraged.
8.4.2 Computer equipment must not be moved or relocated without the prior approval of local
department management.
8.4.3 The loss or theft of any computer hardware and/or software must be reported
immediately to IT and HR.
8.4.4 To prevent unauthorized access, users must configure their screen savers to blank the
screen and require a password to resume whenever their workstations are unattended for
more than 15 minutes.
8.4.5 Unless they receive information to the contrary, users should assume that all software on
SUMOU computers is protected by copyright.
8.4.6 Commercial computer software purchased by SUMOU is authorized for SUMOU use
only. Making copies of SUMOU-purchased software for personal use is illegal and
prohibited.
8.4.7 Regardless of the type of software license that SUMOU has purchased, users must not
copy, modify, or transfer software to a diskette or any portable device without the prior
approval of the VP and the IT department Manager.
8.4.8 Computer games must not be resident on, or played on, SUMOU computers.
8.4.9 Users are required to delete sensitive data when the data is no longer needed or useful.
8.4.10 Computer equipment must not be formatted outside the company; formatting may be
done only by IT Staff.
8.4.11 A backup of the data of an employee who has left the company will be kept for one
month only, after which it will be deleted.

8.5 Access to employee communications:

8.5.1 Generally, electronic information created and/or communicated by an employee using
e-mail, word processing, utility programs, spreadsheets, voicemail, telephones, Internet
and bulletin board system access, and similar electronic media is not reviewed by the
company. However,
8.5.2 SUMOU does routinely gather logs for most electronic activities or monitor employee
communications directly, e.g., telephone numbers dialed, sites accessed, call length, and
time at which calls are made, for the following purposes:
1. Cost analysis;
2. Resource allocation;
3. Optimum technical management of information resources; and
4. Detecting patterns of use that indicate employees are violating company policies or
engaging in illegal activity.
8.5.3 SUMOU reserves the right, at its discretion, to review any employee's electronic files and
messages to the extent necessary to ensure electronic media and services are being used
in compliance with the law, this policy and other company policies.
8.5.4 Employees should not assume electronic communications are completely private.
Accordingly, if they have sensitive information to transmit, they should use other means.

8.6 Software:
To prevent computer viruses from being transmitted through the company's computer system,
downloading of any unauthorized software is strictly prohibited. Only software
registered through SUMOU may be downloaded. Employees should contact the IT Staff if they
have any questions.

8.7 Security/appropriate use:


8.7.1 Employees must respect the confidentiality of other individuals' electronic
communications. Except in cases in which explicit authorization has been granted by
company management, employees are prohibited from engaging in, or attempting to
engage in:
• Monitoring or intercepting the files or electronic communications of other
employees or third parties;
• Hacking or obtaining access to systems or accounts they are not authorized
to use;
• Using other people's log-ins or passwords; and
• Breaching, testing, or monitoring computer or network security measures.
8.7.2 No e-mail or other electronic communications can be sent that attempt to hide the identity
of the sender or represent the sender as someone else.
8.7.3 Electronic media and services should not be used in a manner that is likely to cause
network congestion or significantly hamper the ability of other people to access and use
the system.

8.7.4 Anyone obtaining electronic access to other companies' or individuals' materials must
respect all copyrights and cannot copy, retrieve, modify or forward copyrighted materials
except as permitted by the copyright owner.

8.8 Encryption:

Employees can use encryption software supplied to them by the systems administrator for
purposes of safeguarding sensitive or confidential business information. Employees who use
encryption on files stored on a company computer must provide their supervisor with a sealed
hard copy record (to be retained in a secure location) of all of the passwords and/or encryption
keys necessary to access the files.

8.9 Participation in online forums:

8.9.1 Employees should remember that any messages or information sent on company-
provided facilities to one or more individuals via an electronic network—for example,
Internet mailing lists, bulletin boards, and online services—are statements identifiable
and attributable to SUMOU.
8.9.2 SUMOU recognizes that participation in some forums might be important to the
performance of an employee's job. For instance, an employee might find the answer to a
technical problem by consulting members of a news group devoted to the technical area.
8.10 Internet User Responsibilities:

8.10.1 Internet users must read and apply rules defined in this policy for all Internet
communications.
8.10.2 SUMOU visitors or outsourced employees who need Internet access may use only the
dedicated Internet network to access the Internet.

Expected User Behavior:

1. Unauthorized duplication or distribution of copyrighted software (including software
developed by SUMOU) is prohibited.
2. Accessing, viewing or distributing objectionable material (such as video streaming,
instant messengers, radio stations and pornographic sites) through the company network
is prohibited.
3. Accessing systems or files to which you are not authorized is prohibited. Observe all
posted restrictions on systems you are visiting. If the company is notified of unauthorized
activity, it will investigate any incidents and act accordingly.
4. Using company time and resources for personal gain is prohibited.
5. Using excessive system resources during peak working hours is strongly discouraged.

8.11 Resource Usage:


SUMOU management encourages staff to explore the Internet, but if this exploration is for
personal purposes, it should be done on personal, not company time. Use of SUMOU computing
resources for these personal purposes is permissible so long as the incremental cost of the usage
is negligible, and so long as no business activity is preempted by the personal use.

8.12 Public Representations:


8.12.1 Employees may indicate their affiliation with SUMOU in bulletin board discussions, chat
sessions, and other offerings on the Internet. This may be done by explicitly adding
certain words, or it may be implied, for instance via an e-mail address. In either case,
whenever staff provide an affiliation, they must also clearly indicate the opinions
expressed are their own, or not necessarily those of SUMOU. All external representations
on behalf of the company must first be cleared with the CEO. Additionally, to avoid libel
problems, whenever any affiliation with SUMOU is included with an Internet message
or posting, "flaming" or similar written attacks are strictly prohibited.
8.12.2 Employees must not publicly disclose internal sensitive SUMOU information via the
Internet that may adversely affect SUMOU stock price, customer relations, or public
image unless the approval of the VP has first been obtained.

8.13 Access Control:

8.13.1 Users must authenticate with an Internet device such as a Firewall or Proxy server before
using Internet.
8.13.2 Unless the prior approval of the IT manager has been obtained, staff may not establish
Internet or other external network connections that could allow non-SUMOU users to
gain access to SUMOU systems and information. These connections include the
establishment of multi-computer file systems (like Sun's NIS), Internet home pages, FTP
servers, and the like.
8.14 Expectation of Privacy:

8.14.1 Staff using SUMOU information systems and/or the Internet should realize that their
communications are not automatically protected from viewing by third parties. Unless
encryption is used, staff should not send information over the Internet if they consider it
to be private.

8.14.2 The Company will establish mechanisms to record certain types of activities, events or alerts
to allow for overall management and monitoring of the Internet connection. Reports of
Internet activity will be provided to management periodically or on request for their use
in gauging the level of Internet activity. Users of Company information resources must
understand that Company maintains the ability to monitor the usage of its information
resources.
8.14.3 The Company reserves the right to examine archived electronic mail, personal file
directories, hard drive files, all portable devices and other information stored on the
Company’s Information systems. Such examination may be performed to assure
compliance with internal policies, support the performance of internal investigations, and
assist with the management of SUMOU information systems.
8.14.4 The Internet connection is a SUMOU resource which is subject to monitoring, recording,
and periodic audits for ensuring appropriate functionality and protection against
unauthorized use. In addition, SUMOU may access any user’s computer accounts or
communication. SUMOU will disclose information obtained through such auditing to
appropriate third parties, including law enforcement agencies. Internet users expressly
consent to such monitoring, recording and auditing. SUMOU discloses information only
to appropriate parties.

8.15 Authorized Usage of the Electronic Mail System:


SUMOU electronic communications systems generally must be used only for business activities.
Incidental personal use is permissible so long as:
• It does not consume more than a trivial amount of resources,
• Does not interfere with worker productivity, and
• Does not preempt any business activity.
Users are forbidden from using SUMOU electronic communication systems for
charitable endeavors, private business activities, or amusement/entertainment purposes.
Employees are reminded that the use of corporate resources, including electronic
communications, should never create either the appearance or the reality of inappropriate
use.

8.16 Default Privileges for using the Electronic Mail System:

Employee privileges on electronic communication systems must be assigned such that only those
capabilities necessary to perform a job are granted. This approach is widely known as the concept
of "need-to-know." For example, end-users must not be able to reprogram electronic mail system
software. With the exception of emergencies and regular system maintenance notices, broadcast
facilities must be used only after the permission of a department manager has been obtained.

8.17 User Separation:


Where electronic communications systems provide the ability to separate the activities of
different users, these facilities must be implemented. For example, electronic mail systems must
employ user-IDs and associated passwords to isolate the communications of different users. But
fax machines that do not have separate mailboxes for different recipients need not support such
user separation.
8.18 User Accountability:
8.18.1 Regardless of the circumstances, individual passwords must never be shared or revealed
to anyone else besides the authorized user. Doing so exposes the authorized user to
responsibility for actions the other party takes with the password. If users need to share
computer resident data, they should utilize message forwarding facilities, public
directories on local area network servers, and other authorized information-sharing
mechanisms. To prevent unauthorized parties from obtaining access to electronic
communications, users must choose passwords which are difficult to guess (not a
dictionary word, not a personal detail, and not a reflection of work activities).
8.18.2 Users must follow the guidelines provided in the Password Policy when accessing the
Electronic Mail System.

8.19 Redirection of mail:


Redirecting or forwarding of electronic mail to a mail server outside SUMOU is prohibited.
This is to prevent sensitive information belonging to SUMOU from being distributed outside
of SUMOU.

8.20 Respecting Privacy Rights and Data Security:


8.20.1 It is the policy of SUMOU NOT to regularly monitor the content of electronic
communications. However, the content of electronic communications may be monitored
and the usage of electronic communications systems will be monitored to support
operational, maintenance, auditing, security, and investigative activities. Users should
structure their electronic communications in recognition of the fact that SUMOU will
from time to time examine the content of electronic communications.

8.20.2 Technical support personnel may not review the content of an individual employee's
communications out of personal curiosity or at the behest of individuals who have not
gone through proper approval channels.
8.20.3 It may be necessary for technical support personnel to review the content of an individual
employee's communications during the course of problem resolution. Such permission
will be provided by the Information Technology Department.
8.20.4 Except as otherwise specifically provided, employees may not intercept or disclose, or
assist in intercepting or disclosing, electronic communications. SUMOU is committed to
respecting the rights of its employees, including their reasonable expectation of privacy.
SUMOU also is responsible for servicing and protecting its electronic communications
networks. To accomplish this, it is occasionally necessary to intercept or disclose, or
assist in intercepting or disclosing, electronic communications.

8.21 Abuse of Electronic Mail:

8.21.1 All employees who have access to electronic mail from SUMOU are representing the
company in some respects. Employees should not intentionally represent or speak on
behalf of Company without management approval. Thus, users posting to Usenet
newsgroups, Internet mailing lists, etc., must include a company disclaimer as part of
each message.
8.21.2 Unauthorized duplication or distribution of copyrighted software (including software
developed by SUMOU) through the use of electronic mail is prohibited.
8.21.3 Flaming others in e-mail (YELLING AT SOMEONE BY SENDING A MESSAGE IN
ALL CAPITAL LETTERS) is discouraged as it is not polite and may incite retaliation.
8.21.4 Posting messages or sending e-mail that discriminates on the basis of race, sex or other
biases is prohibited.
8.21.5 Accessing, viewing or distributing objectionable material (such as mass mailings,
greetings, fun mails and pornographic sites) through the SUMOU network is
prohibited.
8.21.6 Using company time and resources for personal gain is prohibited.
8.21.7 Sending chain letters through e-mail is prohibited.
8.21.8 The use of electronic mail is a SUMOU resource which is subject to monitoring,
recording, and periodic audits for ensuring appropriate functionality and protection
against unauthorized use. In addition, SUMOU may access any user’s computer accounts
or communication. SUMOU will disclose information obtained through such auditing to
appropriate third parties, including law enforcement agencies. Electronic mail users
expressly consent to such monitoring, recording and auditing.
8.21.9 Recognizing that some information is intended for specific individuals and may not be
appropriate for general distribution, electronic communications users should exercise
caution when forwarding messages. SUMOU sensitive information must not be
forwarded to any party outside SUMOU without the prior approval of a local department
director. Blanket forwarding of messages to parties outside SUMOU is prohibited unless
the prior permission of the Information Technology Department has been obtained.

8.22 Purging Electronic Messages:

Messages no longer needed for business purposes must be periodically purged by users from
their personal electronic message storage areas. Not only will this increase scarce storage
space, it will also simplify records management and related activities.

8.23 Anti-virus User Responsibilities:


8.23.1 Users should ensure that e-mail attachments and other files received from the Internet
are subjected to virus scanning.
8.23.2 Downloading software from dedicated Internet PCs or installing improperly licensed
software on SUMOU computer systems is prohibited by policies as outlined in the SUMOU
User Guidelines Policy.
8.23.3 Users must not intentionally write, generate, compile, copy, propagate, execute, or
attempt to introduce any computer code designed to self-replicate, damage, or otherwise
hinder the performance of any computer's memory, file system, or software.
8.23.4 Computer users must not write or run any computer program/process that would unduly
consume more computer resources than necessary for performing SUMOU work.
8.23.5 Users are prohibited from installing any additional 3rd party software that is not required
for internal use on the Company’s computer systems. All software requirements and
installations should be provided by appropriate IT Staff.
8.23.6 Users must notify the Anti-virus task team of instances of virus infection to allow for
tracking and enhancement of existing virus detection procedures. (* Reporting
procedures should be tight so that viruses are reported and dealt with promptly. This will
often result in IT staff being able to find out if a particular user is a regular source of
infection.
8.23.7 Externally-supplied portable devices as well as pre-installed software on new systems
may not be used on any SUMOU computer unless these disks have first been checked
for viruses and received a message indicating that no viruses were found. Dealing with
a virus quickly is easier when it has just arrived. *)
8.23.8 To prevent infection by computer viruses, staff must not use any externally-provided
software from a person or organization other than a known and trusted supplier. The only
exception to this is when such software has first been tested and approved by the
Information Technology Department.

8.24 Reporting Security Problems:

8.24.1 If sensitive SUMOU information is lost, disclosed to unauthorized parties, or suspected
of being lost or disclosed to unauthorized parties, the IT manager must be notified
immediately. If any unauthorized use of SUMOU’s information systems has taken place,
or is suspected of taking place, the IT Manager must be notified immediately. Similarly,
whenever passwords or other system access control mechanisms are lost, stolen, or
disclosed, or are suspected of being lost, stolen, or disclosed, IT Staff of the system must
be notified immediately. Because it may indicate a computer virus infection or similar
security problem, all unusual systems behavior, such as missing files, frequent system
crashes, misrouted messages, and the like must also be immediately reported. The
specifics of security problems should not be discussed widely but should instead be
shared on a need-to-know basis.
8.24.2 Internet users must notify the IT manager in the event security related problems are
noted; examples of such include: unauthorized use of your account, unfamiliar computer
files on external servers, etc.
8.24.3 SUMOU has established guidelines for responding to incidents that occur through its
network connections. Users must notify the IT Manager in the event they suspect
problems with their network connection. Incidents or problems may include, but are not
limited to:
• Unauthorized use of your personal account (i.e., unexplained use of your login).
• Solicitations via phone, e-mail, etc. for passwords.
• Loss of service; degraded service.
• Receipt of strange, offensive or chain e-mail.
• The appearance of unfamiliar computer files on external servers (e.g. many hackers like
to use ftp sites as free storage sites for their materials).
• Detection or infection by computer viruses.

CHAPTER-9
9. Naming Convention Policy
9.1 Overview:
DNS names, or computer names, are used to identify various devices on the network. In
order to ensure names are compatible with DNS requirements, certain standards must be
maintained.
9.2 Purpose:
To develop a standard DNS naming convention that provides uniqueness and an easy
way to identify devices on the network.
9.3 Scope:
All network computer devices assigned a static or dynamic address on the SUMOU computer
network; this includes devices running Windows or Macintosh operating systems.
9.4 Policy:
9.4.1 A computer name can be up to 15 alphanumeric characters and must be
unique on the network and cannot contain the following special characters: !
@ # $ % ^ & ( ) _ ' { } . ~ \ * + = | : ; " ? < > , SPACE
9.4.2 All letters must be in CAPITAL case.
9.4.3 The name consists of three parts:
9.4.3.1 Location code in 2 letters “KH – RY – JD”.
9.4.3.2 Company Name in 3 Letters “SHC – SRE – ADR – AWJ – TAM – …”.
9.4.3.3 Dash ( - ).
9.4.3.4 The user first name followed by the first letter of the second name.

Example: KHSHC-OSAMAM
9.5 Email Account:
9.5.1 The email account should be the same as the Active Directory account.
9.5.2 The email account consists of three parts:
9.5.2.1 The first character of the employee's name, followed by a dot “.”.
9.5.2.2 Second part: the full last name of the employee.
9.5.2.3 Third part: the domain name of the company.
Example: o.mallah@sumou.com.sa
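
The rules in 9.4 and 9.5 can be checked mechanically against a device inventory, so that names outside the convention or duplicated on the network stand out. The following is an added example, not part of the manual: the function names are hypothetical, the company code set is only what 9.4.3.2 lists before its ellipsis, the user part is assumed to be letters only, email addresses are assumed to be lowercase as in the manual's example, and the sample inventory is constructed.

```python
import re
from collections import Counter

# Codes quoted in 9.4.3.1 and 9.4.3.2. The manual's company list ends in an
# ellipsis, so COMPANY_CODES is incomplete; extend it from the real list.
LOCATION_CODES = {"KH", "RY", "JD"}
COMPANY_CODES = {"SHC", "SRE", "ADR", "AWJ", "TAM"}
FORBIDDEN = set("!@#$%^&()_'{}.~\\*+=|:;\"?<>, ")  # special characters in 9.4.1
MAX_LEN = 15                                        # length limit in 9.4.1
# <location><company>-<user>; a letters-only user part is an assumption.
NAME_RE = re.compile(r"([A-Z]{2})([A-Z]{3})-([A-Z]+)")


def check_computer_name(name):
    """Return the 9.4 rules that `name` breaks (empty list means compliant)."""
    problems = []
    if len(name) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    bad = sorted(set(name) & FORBIDDEN)
    if bad:
        problems.append("forbidden characters: " + " ".join(repr(c) for c in bad))
    if name != name.upper():
        problems.append("letters must be in capital case")
    match = NAME_RE.fullmatch(name.upper())
    if match is None:
        problems.append("does not match <location><company>-<user>")
    else:
        location, company, _user = match.groups()
        if location not in LOCATION_CODES:
            problems.append(f"unknown location code {location}")
        if company not in COMPANY_CODES:
            problems.append(f"company code {company} not in the listed codes")
    return problems


def build_computer_name(location, company, first_name, second_name):
    """Compose a name per 9.4.3. The manual gives no truncation rule, so a
    result that breaks 9.4 is rejected rather than silently shortened."""
    name = f"{location}{company}-{first_name}{second_name[:1]}".upper()
    problems = check_computer_name(name)
    if problems:
        raise ValueError(f"{name}: " + "; ".join(problems))
    return name


def build_email(first_name, last_name, domain):
    """Compose an address per 9.5.2: first initial, dot, full last name, domain."""
    return f"{first_name[:1]}.{last_name}@{domain}".lower()


def audit(names):
    """Map each problem name to its violations, including the uniqueness rule
    of 9.4.1 (names are compared case-insensitively)."""
    counts = Counter(n.upper() for n in names)
    report = {}
    for n in names:
        problems = check_computer_name(n)
        if counts[n.upper()] > 1:
            problems.append("not unique on the network")
        if problems:
            report[n] = problems
    return report


# Constructed inventory; only KHSHC-OSAMAM is taken from the manual.
SAMPLE = ["KHSHC-OSAMAM", "RYSRE-ABDULRAHMANK", "JD_TAM-SARAA",
          "DESKTOP-7F3K2Q1", "jdtam-saraa", "JDTAM-SARAA"]

if __name__ == "__main__":
    for name, problems in audit(SAMPLE).items():
        print(f"{name}: {'; '.join(problems)}")
```
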
