Table of Contents
• Introduction
• Acquisition Policy
• IT Security Policy
• Password Policy
• Anti-virus Policy
• Computer Policy
SUMOU Holding Company
IT Policy and Procedures Manual
Introduction
• Purpose
1. The purpose of this manual is to define and communicate the policies and procedures applicable
to the Information Technology function of SUMOU Holding. The policies and procedures contained
in this manual are aligned with management’s long-term business objectives and strategies and
serve as a guide for decisions relating to the management of the Information Technology
functions.
2. It is intended to be an operational guideline for all employees in the Information Technology
Department. Employees who receive this manual are expected to fully apply the policies and
procedures contained in this manual in their day-to-day activities.
• Scope
The contents of this manual are applicable to all the personnel of the company in its entirety. Any
exception to the policies contained herein shall be approved by the CEO.
• Responsibility
It shall be the responsibility of the IT Manager to ensure that the policies and procedures outlined in this
manual are implemented.
• Distribution
The management considers the information contained in this manual to be of confidential nature.
The distribution of the manual should be controlled and be made available only to persons authorized
by the CEO. No contents of this manual shall be copied or otherwise reproduced except with the
prior written approval of CEO, VP Support Services & IT Manager.
1. The enclosed Manual should be reviewed on a yearly basis by the Information Technology
Manager and any changes made should be finally approved by CEO and VP. The Manual may
be revised appropriately, taking into consideration the changes as per regulations, internal &
external environment.
2. When amendments and revisions are made, they will specify the policy which supersedes it.
These amendments will be distributed among the list of employees authorized to view such
policies.
1. This manual is organized by chapters. In other words, policies have been grouped together
according to the chapters. Policies have been further divided into sections, when necessary, to
organize the related activities.
2. Forms and appendices are attached at the end of the manual with individual numbers allocated
to each form and appendix.
3. The purpose of each unit, and the responsibilities of various individuals are documented at the
beginning of the policy.
CHAPTER-1
1. Acquisition Policy
1.1 Purpose:
1.1.1 IT assets refer to tangible assets that are held for use in serving the business process
through use of applications and other programs that reside on them and are expected to
be used for more than three years.
1.1.2 The purpose of this statement is to ensure the availability of necessary IT assets to meet
various operational needs and to control the process of acquisition of IT assets and related
expenditure.
1.2 Responsibility:
1.3.1 All IT asset requirements will be estimated and budgeted. The acquisition of IT assets
shall be planned in advance in accordance with approved capital expenditure budget. A
provision for unexpected purchases shall be included.
1.3.2 All purchases of IT assets must be approved by IT Manager or appropriate authority in
accordance with the company's authority matrix.
1.3.3 Record of IT assets owned by the company shall be maintained by the IT department
with details of the location and custody of the assets. It must also be ensured that the IT
assets are easily identifiable and traceable to the records maintained for the assets. The
records shall be integrated with the fixed asset records of the company that are
maintained by the finance department.
1.3.4 All the IT assets of the company shall be tagged by the IT department in coordination with
the Finance department. Tagging of the assets should be done in a manner which facilitates
identification and verification.
1.3.5 The IT assets owned by the company must be physically verified at least once in two
years and reconciled with the records of fixed assets.
1.4.1 IT staff receives the invoice, checks it against the fixed assets and the tagging of these
assets, and forwards the same to the IT Manager.
1.4.2 The IT Manager verifies the delivery note, approved P.O., and approves the invoice if
all the documents are satisfactory. The IT Manager forwards the documents to
Administration along with copy of P.O. and retains a copy.
1.4.3 IT Manager shall designate the place for location of the asset.
The physical verification of fixed assets shall be conducted by the Finance department and HR
and Administration Department shall provide all necessary assistance in the conduct of physical
verification.
CHAPTER-2
2. IT Security Policy
2.1 Purpose:
The purpose of this policy document is to describe rules for providing user access to Information
System resources that reside within SUMOU Holding networking environment. This policy covers
user access, remote access and physical access controls to all Information systems within the
company. This policy applies to all computer and data communication systems owned by and/or
administered by SUMOU Holding.
2.2 Responsibility:
2.2.1 IT manager shall be responsible for supervising the company's IT security requirement in
coordination with the IT staff and to oversee the process.
2.2.2 Department/Division managers shall be responsible for deciding on the user access
requirements based on the job role and approving the rights to be granted to their respective
staffs.
2.2.3 IT Staff: Will be responsible for physically implementing the access rights.
2.3.1 Access to all information systems within the company would be restricted to valid and
authorized users.
2.3.2 All access should be allocated on a “usage” based approach where users only have access to
resources that they require for the purpose of performing their work.
2.3.3 Granting, revoking, gaining and restricting user access to the Company’s systems should be
governed by the procedures mentioned below.
2.4 Procedural steps for gaining user access to Information System Resources:
2.4.1 All users must be positively identified prior to being able to use any multi-user computer or
communications system resources. Positive identification for internal SUMOU Holding
networks involves both a user-ID and a fixed password, both of which are unique to an
individual user.
2.4.2 The log-in process for network-connected SUMOU Holding computer systems must simply
ask the user to log-in, providing prompts as needed. Information about the organization
must not be provided until a user has successfully provided both a valid user-ID and a valid
password. The IT Manager is responsible for restricting access to that information. This
information should be kept to a minimum.
2.4.3 If there has been no activity on a computer terminal, workstation, or computer for a certain
period of time, the system must automatically blank the screen and suspend the session. Re-
establishment of the session must take place only after the user has provided a valid
password. The period of time is fifteen (15) minutes. Users should have the ability to activate
a screen saver if they need to leave the room for a period of time. The screen saver should be
unlocked by password.
2.4.4 Users should be prohibited from logging into any SUMOU Holding system or network
anonymously (for example, by using "guest" user-IDs). If users employ systems facilities
which allow them to change the active user-ID to gain certain privileges, they must have
initially logged-in employing a user-ID that clearly indicates their identity.
Procedural steps for granting system privileges:
2.4.5 Access requests for new user-IDs and modification of privileges must be in writing and
approved by the user's department manager and/or Audit before the IT Manager fulfills these
requests. To help establish accountability for events on the related systems, documents
(perhaps in electronic form) reflecting these requests must be retained for a period of at least
five years.
2.4.6 Individuals who are not SUMOU Holding employees must not be granted a user-ID or
otherwise be given privileges to use SUMOU Holding computers or communications
systems unless the advance written approval of a department head has been obtained.
2.4.7 Privileges granted to users who are not SUMOU Holding employees must be granted for
periods of 30-days or less and can be renewed.
2.4.8 Special system privileges must be restricted to those directly responsible for systems
administration and/or systems security. Similarly, configuration changes, operating system
changes, and related activities that require "root" privileges must be performed by IT
Manager, NOT end-users.
2.4.9 All users wishing to use SUMOU Holding internal networks, or multi-user systems that are
connected to SUMOU Holding internal networks, must sign a compliance statement prior to
being issued a user-ID. The latter process must be performed for all the existing users and
new users. A signature on this compliance statement indicates the involved user understands
and agrees to abide by SUMOU Holding policies and procedures related to computers and
networks (including the instructions contained in this document and the User Guidelines
Policy).
2.4.10 High level privileges on system resources (for example “root” access on Unix systems and
“ADMINISTRATOR” access on Windows NT Systems) should remain only with IT Staff
and IT Manager.
2.4.11 All Administrator passwords must be kept confidential in a sealed envelope with the IT
manager and changed every 90 days. Administrator passwords are not to be shared with
anyone besides the IT staff, and a complexity of minimum 8 characters with a combination
of uppercase, lowercase, numbers and/or symbols must be used for such passwords.
2.4.12 Only licensed copies of applications can be installed on end user computers.
2.5.1 All user-IDs must automatically have the associated privileges revoked, where the individual
system allows it, after a period of inactivity of one week.
2.5.2 IT Staff should restrict the system so as not to allow users to test, or attempt to compromise
computer or communication system security measures unless specifically approved in
advance and in writing by the IT Manager.
2.5.3 The system privileges granted to users must be reevaluated by management every year. In
response to feedback from management, IT Staff must promptly revoke all privileges no
longer needed by users.
2.5.4 Human Resources and Administration Department must promptly report all significant
changes in staff duties or employment status to the IT department responsible for user-IDs
associated with the involved persons.
2.5.5 Third parties having access to the company’s systems should inform the company
about terminations a week prior to such terminations.
2.6.1 The computer and communications system privileges of all users, systems, and
independently operating programs (such as "agents") must be restricted based on a need-to-
know basis. This means that privileges must not be extended unless a legitimate business-
oriented need for such privileges exists.
2.6.2 Default user file permissions must not automatically allow anyone on the system (For
example, on Windows systems, the "world") to read, write, or execute a file. Although users
may reset permissions on a file-by-file basis, such permissive default file permissions are
prohibited.
2.6.3 IT Staff must ensure that users with computers are responsible for administering a screen
saver program securing access to their machine's hard disk drive, and setting passwords for
all applications and systems software that provide the capability.
2.7.1 All SUMOU Holding network equipment must be physically secured with anti-theft devices
if located in an open office environment. Additional physical access control should also be
used for these devices. Local area network servers must be placed in locked cabinets, locked
closets, or locked computer rooms. IT department staff should be the only staff to use the
computer room and vendors can access the room only with prior approval from the IT
Manager.
2.7.2 All networking equipment should be stored in appropriately defined storage rooms that have
air-conditioning, fire protection, static protection, surge protection etc.
2.7.3 Access cards are required before gaining access to rooms which store networking and
systems equipment. Access to these rooms should be enforced in such a way that each user
has their own unique access cards. Logging mechanisms need to be in place to track
individual user activity into and out of these rooms.
2.7.4 Lockable cabinets should be used to store all networking and systems equipment that provide
services for the Company and do not require user interaction.
CHAPTER-3
The purpose of this policy document is to establish management direction, procedures, requirements
and guidelines to ensure that any changes to information systems will be well documented and made
in an appropriate manner according to strict rules defined in detailed procedures. This policy covers all
Information systems (Workstations, Servers, Networks within the company as well as all
Applications and data used by employees to perform daily duties).
3.2 Responsibility:
3.2.1 IT Manager shall be responsible for appropriately controlling changes and approving all
changes to be implemented in the information systems that include operating system(s),
network and applications.
3.2.2 Administration: Department/Division managers shall be responsible for approving changes
to the application requested by the staffs from their departments.
3.2.3 IT Staff: Will be responsible for physically implementing the requested changes in the
operating system, network and applications.
Changes that are made to the configuration or functionality of all Information Technology Systems
within the Company should follow the change control process and procedures that have been
outlined below.
3.4.1 Formal change procedure must be developed for every change or significant modification of
any component of existing information system to ensure that only authorized changes are
made. This procedure must be followed for all significant changes to software, hardware,
communications links, and procedures. This procedure must also be followed in the case of
any change to data.
3.4.2 All new applications or updates should have approval from management before
implementing into the information system.
3.4.3 All support manuals and materials provided to the end users during implementation or
upgrading software must have approval from management.
CHAPTER-4
4. Password Policy
4.1 Purpose:
The purpose of this policy document is to describe guidelines for the use of user passwords which
provide logical access to Information Technology resources throughout the company. This policy
covers user password controls for all Information systems within the Company. This policy applies
to all computer and data communication systems owned by and/or administered by SUMOU.
4.2 Responsibility:
IT Staff: Will be responsible for physically implementing the password policy pertaining to the
procedures explained below in the operating system, network and applications.
4.4.1 Users must choose passwords which are difficult-to-guess. This means that passwords must
NOT be related to one's job or personal life. For example, car license plate number, spouse's
name, must not be used. This also means passwords must not be a word found in the
dictionary or some other part of speech. For example, proper names, places, technical terms,
and slang must not be used. Where such systems software facilities are available, users must
be prevented from selecting easily-guessed passwords.
4.4.2 Users can choose easily-remembered passwords that are at the same time difficult for
unauthorized parties to guess if they:
• string several words together (the resulting passwords are also known as
"passphrases"),
• shift a word up, down, left or right one row on the keyboard,
4.4.3 Users must not construct passwords that are identical or substantially similar to passwords
they have previously employed. Where systems software facilities are available, users must
be prevented from reusing previous passwords.
4.4.4 Users must not construct passwords using a basic sequence of characters that is then partially
changed based on the date or some other predictable factor.
4.4.5 Passwords must not be written down and left in a place where unauthorized persons might
discover them. Aside from initial password assignment and password reset situations, if there
is reason to believe that a password has been disclosed to someone other than the authorized
user, the password must be immediately changed.
4.4.6 All passwords must be immediately changed if they are suspected of being disclosed, or
known to have been disclosed to anyone besides the authorized user.
4.5.1 All computers permanently or intermittently connected to SUMOU Holding networks must
have password access controls.
4.5.2 Computer and communication system access control must be achieved via passwords which
are unique to each individual user. Access control to files, applications, databases,
computers, networks, and other system resources via shared passwords (also called "group
passwords") is prohibited.
4.5.3 Wherever systems software permits, the initial passwords issued to a new user by IT Staff
must be valid only for the new user's first on-line session. At that time, the user must be
forced to choose another password. This same process applies to the resetting of passwords
in the event that a user forgets a password.
4.5.4 All vendor-supplied default passwords must be changed before any computer or
communications system is used for SUMOU Holding business.
4.5.5 Passwords must not be stored in readable form in batch files, automatic log-in scripts,
software macros, terminal function keys, in computers without access control, or in other
locations where unauthorized persons might discover them.
4.5.6 Whenever system security has been compromised, or even if there is a convincing reason to
believe that it has been compromised, the involved IT Staff must immediately:
• Reassign all relevant passwords, and
• Force every password on the involved system to be changed at the time of the next log-in.
4.5.7 If systems software does not provide the latter capability, a broadcast message must be sent
to all users telling them to change their passwords.
4.5.8 Default passwords given to user accounts must comply with the password guidelines in this
document.
4.5.9 Blank passwords for user accounts on any system are strictly prohibited.
4.5.10 Password access on all systems should have a minimum password length (8 – 10 characters)
defined, should enforce password changes every 90 days and should maintain a password
history (wherever possible).
4.5.11 New users should be forced to change their passwords the first time that they log into the
network.
4.5.12 The system should be set to store password history to a minimum of six previous passwords.
CHAPTER-5
5. Anti-virus Policy
5.1 Purpose:
The purpose of this policy document is to establish management direction, procedures, and
requirements to ensure the appropriate protection of internal systems of the Company against viruses.
This policy covers all Information systems within the Company that are used to receive Electronic
Mail, upload software from physical and portable devices or use software downloaded from the
Internet. This policy applies to all computer and data communication systems owned by and/or
administered by SUMOU. Protecting information resources against infection with computer viruses
is important to minimize disruptions in daily operations and to prevent embarrassment from virus
contamination with SUMOU Information resources or services.
5.2 Responsibility:
IT Staff: Will be responsible for ensuring compliance pertaining to the procedures explained below
in the operating system, network and applications.
IT Staff will comply with the rules and guidelines described below regarding:
• Computer Configurations.
• Software distributed by the Company.
• Monitoring Virus activity.
• Anti-virus Maintenance.
5.4.1 Virus checking programs installed by the IT department must be continuously enabled on all
computers.
5.4.2 To promptly detect and prevent the spread of computer viruses, all SUMOU computers must
run anti-virus software. Anti-virus software must be continuously enabled and run daily on
all personal computers. It should be configured to execute online virus scanning. Where this
is not possible, virus scanning software should be executed at least weekly. Network Servers
are to be scanned at least each night.
5.4.3 All software running on computers should be write-protected, such that an error will be
generated if a computer virus tries to modify the software. An exception to this policy will
be made in those cases where the software must modify itself in order to execute.
5.4.4 All new computers which have pre-installed software should go through a virus scanning
exercise before being used.
5.4.5 Disks and portable devices should not be left in the disk drive of disk-based computers at
boot-up time.
5.5.1 SUMOU maintains a site license for virus protection software that allows the company to
install this software on all computers.
5.5.2 Updates to virus scanning software and virus images will be provided at least weekly or as
needed to address specific viruses.
Details regarding virus incidents should be logged. Such a log should record details of the user
who received the virus, how the virus came into the company and possible ways in which the
virus may have spread before being found.
5.7 Anti-virus Procedural Guidelines for Administrators:
5.7.1 PCs [stand-alone or laptops] should be protected with an on-access scanner, to provide the
first layer of protection 'in-depth' [rather than at the perimeter]. The on-access scanner will
scan disks and files before they are used. The on-access scanner runs in the background
[requiring no action on the part of the user]. The user will be given a pop-up warning, to
identify the virus; and the user will not be able to use the infected disk or file. Software may
be configured to auto-disinfect, so that disks and files may be cleaned automatically, on
detection. This makes anti-virus management easier (virus removal is carried out
automatically, rather than by a member of the IT Department). Where possible, software may
be configured to log all virus incidents, allowing the IT Department to monitor all virus
incidents.
5.7.2 Media drives should be disabled from personal computers and servers that do not require
them.
CHAPTER-6
6. Computer Policy
6.1 Purpose:
The purpose of this policy document is to describe rules for configuring all computers that belong to
SUMOU. This policy statement provides specific instructions on the ways to secure both
computers (PCs and servers) and SUMOU data (information) resident on computers. This policy
covers administration guidelines for configuring all computers within SUMOU. This policy
applies to all computer and data communication systems owned by and/or administered by SUMOU.
6.2 Responsibility:
6.2.1 IT Manager shall be responsible for ensuring compliance to this policy by effectively
monitoring if the procedures have been implemented.
6.2.2 IT Staff will be responsible for physically implementing the requested changes in the
operating system, network and applications.
6.5.1 Data security safeguards must be commensurate with the level of sensitivity of the data stored
on a computer system.
6.5.2 All copies of sensitive data stored on diskettes must be labeled "sensitive" and stored in a
physically-secured location (whether off-site or in the office).
6.5.3 Sensitive data displayed on a computer screen must be protected from unauthorized viewing
via screen saver programs, access control programs, and the arrangement of office furniture.
6.5.4 Data downloaded must be protected in the manner warranted by its sensitivity.
6.6 Configuration Rules for Servers and Network devices (routers, switches, …):
6.6.1 Network devices and servers must be configured according to best security practices that are
defined in Security standards and configuration guidelines. These practices include limiting
access; running network services on a strictly need-for-usage basis; limiting trust
relationships; regularly updating versions of operating system software; limiting system
access on a need-to-know basis; using password and authentication controls that should
follow the Password and Access Policy for all users; creating logging and audit facilities
wherever possible.
6.6.2 Although IT Staff are not required to promptly load the most recent version of operating
systems, they are required to promptly apply all security patches to the operating system that
have been released by either:
• Knowledgeable and trusted user groups,
• Well-known systems security authorities, and
• The operating system vendor.
Only those systems security tools supplied by these sources or by commercial software firms may
be used on SUMOU computers and networks.
CHAPTER-7
To provide a single point of contact for computer users, through the IT Helpdesk portal, telephone and
e-mail, for requests for assistance relating to computer hardware and software installations and problems.
7.2 Responsibilities:
7.2.1 IT Manager is responsible for reviewing and monitoring closed helpdesk tickets.
7.2.2 IT Staff is responsible for working with users until their problems are resolved.
CHAPTER-8
Electronic media cannot be used for knowingly transmitting, retrieving, or storing any
communication that is:
1. Discriminatory or harassing;
2. Derogatory to any individual or group;
3. Obscene, sexually explicit or pornographic;
4. Defamatory or threatening;
5. In violation of any license governing the use of software; or
6. Engaged in for any purpose that is illegal or contrary to SUMOU, country and
government regulations.
8.3 Personal use:
The computers, electronic media and services provided by SUMOU are primarily for business
use to assist employees in the performance of their jobs. Limited, occasional, or incidental use
8.4.1 Smoking, eating, or drinking while using a computer system is strongly discouraged.
8.4.2 Computer equipment must not be moved or relocated without the prior approval of local
department management.
8.4.3 The loss or theft of any computer hardware and/or software must be reported
immediately to the IT and HR.
8.4.4 To prevent unauthorized access, users must configure their screen savers to blank the
screen and require a password to resume whenever their workstations are unattended for
more than 15 minutes.
8.4.5 Unless they receive information to the contrary, users should assume that all software on
SUMOU computers is protected by copyright.
8.4.6 Commercial computer software purchased by SUMOU is authorized for SUMOU use
only. Making copies of SUMOU-purchased software for personal use is illegal and
prohibited.
8.4.7 Regardless of the type of software license that SUMOU has purchased, users must not
copy, modify, or transfer software to a diskette or any portable device without the prior
approval of the VP and the IT department Manager.
8.4.8 Computer games must not be resident on, or played on, SUMOU computers.
8.4.9 Users are required to delete sensitive data when the data is no longer needed or useful.
8.4.10 Computer equipment must not be formatted outside the company; formatting may be done only by IT Staff.
8.4.11 Backups of the data of an employee who has left the company will be kept for one month only,
after which they will be deleted.
8.5.2 SUMOU does routinely gather logs for most electronic activities or monitor employee
communications directly, e.g., telephone numbers dialed, sites accessed, call length, and
time at which calls are made, for the following purposes:
1. Cost analysis;
2. Resource allocation;
3. Optimum technical management of information resources; and
4. Detecting patterns of use that indicate employees are violating company policies or
engaging in illegal activity.
8.5.3 SUMOU reserves the right, at its discretion, to review any employee's electronic files and
messages to the extent necessary to ensure electronic media and services are being used
in compliance with the law, this policy and other company policies.
8.5.4 Employees should not assume electronic communications are completely private.
Accordingly, if they have sensitive information to transmit, they should use other means.
8.6 Software:
To prevent computer viruses from being transmitted through the company's computer system,
downloading of any unauthorized software is strictly prohibited. Only software
registered through SUMOU may be downloaded. Employees should contact the IT Staff if they
have any questions.
8.7.4 Anyone obtaining electronic access to other companies' or individuals' materials must
respect all copyrights and cannot copy, retrieve, modify or forward copyrighted materials
except as permitted by the copyright owner.
8.8 Encryption:
Employees can use encryption software supplied to them by the systems administrator for
purposes of safeguarding sensitive or confidential business information. Employees who use
encryption on files stored on a company computer must provide their supervisor with a sealed
hard copy record (to be retained in a secure location) of all of the passwords and/or encryption
keys necessary to access the files.
8.9.1 Employees should remember that any messages or information sent on company-
provided facilities to one or more individuals via an electronic network—for example,
Internet mailing lists, bulletin boards, and online services—are statements identifiable
and attributable to SUMOU.
8.9.2 SUMOU recognizes that participation in some forums might be important to the
performance of an employee's job. For instance, an employee might find the answer to a
technical problem by consulting members of a news group devoted to the technical area.
8.10 Internet User Responsibilities:
8.10.1 Internet users must read and apply rules defined in this policy for all Internet
communications.
8.10.2 SUMOU visitors or outsourced employees who need Internet access may use only the
dedicated Internet network for accessing the Internet.
5. Using excessive system resources during peak working hours is strongly discouraged.
8.13.1 Users must authenticate with an Internet device such as a Firewall or Proxy server before
using Internet.
8.13.2 Unless the prior approval of the IT manager has been obtained, staff may not establish
Internet or other external network connections that could allow non-SUMOU users to
gain access to SUMOU systems and information. These connections include the
establishment of multi-computer file systems (like Sun's NIS), Internet home pages, FTP
servers, and the like.
8.14 Expectation of Privacy:
8.14.1 Staff using SUMOU information systems and/or the Internet should realize that their
communications are not automatically protected from viewing by third parties. Unless
encryption is used, staff should not send information over the Internet if they consider it
to be private.
8.14.2 Company will establish mechanisms to record certain types of activities, events or alerts
to allow for overall management and monitoring of the Internet connection. Reports of
Internet activity will be provided to management periodically or on request for their use
in gauging the level of Internet activity. Users of Company information resources must
understand that Company maintains the ability to monitor the usage of its information
resources.
8.14.3 The Company reserves the right to examine archived electronic mail, personal file
directories, hard drive files, all portable devices and other information stored on the
Company’s Information systems. Such examination may be performed to assure
compliance with internal policies, support the performance of internal investigations, and
assist with the management of SUMOU information systems.
8.14.4 The Internet connection is a SUMOU resource which is subject to monitoring, recording,
and periodic audits for ensuring appropriate functionality and protection against
unauthorized use. In addition, SUMOU may access any user’s computer accounts or
communication. SUMOU will disclose information obtained through such auditing to
appropriate third parties, including law enforcement agencies. Internet users expressly
consent to such monitoring, recording and auditing. SUMOU discloses information only
to appropriate parties.
Employee privileges on electronic communication systems must be assigned such that only those
capabilities necessary to perform a job are granted. This approach is widely known as the concept
of "need-to-know." For example, end-users must not be able to reprogram electronic mail system
software. With the exception of emergencies and regular system maintenance notices, broadcast
facilities must be used only after the permission of a department manager has been obtained.
8.20.2 Technical support personnel may not review the content of an individual employee's
communications out of personal curiosity or at the behest of individuals who have not
gone through proper approval channels.
8.20.3 It may be necessary for technical support personnel to review the content of an individual
employee's communications during the course of problem resolution. Such permission
will be provided by the Information Technology Department.
8.20.4 Except as otherwise specifically provided, employees may not intercept or disclose, or
assist in intercepting or disclosing, electronic communications. SUMOU is committed to
respecting the rights of its employees, including their reasonable expectation of privacy.
SUMOU also is responsible for servicing and protecting its electronic communications
networks. To accomplish this, it is occasionally necessary to intercept or disclose, or
assist in intercepting or disclosing, electronic communications.
8.21.1 All employees who have access to electronic mail from SUMOU are representing the
company in some respects. Employees should not intentionally represent or speak on
behalf of Company without management approval. Thus, users posting to Usenet
newsgroups, Internet mailing lists, etc., must include a company disclaimer as part of
each message.
8.21.2 Unauthorized duplication or distribution of copyrighted software (including software
developed by SUMOU) through the use of electronic mail is prohibited.
8.21.3 Flaming others in e-mail (YELLING AT SOMEONE BY SENDING A MESSAGE IN
ALL CAPITAL LETTERS) is discouraged as it is not polite and may incite retaliation.
8.21.4 Posting messages or sending e-mail that discriminates on the basis of race, sex or other
biases is prohibited.
8.21.5 Accessing, viewing or distributing objectionable material (such as mass mailings,
greetings, fun mails and pornographic sites) through the SUMOU network is
prohibited.
8.21.6 Using company time and resources for personal gain is prohibited.
8.21.7 Sending chain letters through e-mail is prohibited.
8.21.8 The use of electronic mail is a SUMOU resource which is subject to monitoring,
recording, and periodic audits for ensuring appropriate functionality and protection
against unauthorized use. In addition, SUMOU may access any user’s computer accounts
or communication. SUMOU will disclose information obtained through such auditing to
appropriate third parties, including law enforcement agencies. Electronic mail users
expressly consent to such monitoring, recording and auditing.
8.21.9 Recognizing that some information is intended for specific individuals and may not be
appropriate for general distribution, electronic communications users should exercise
caution when forwarding messages. SUMOU sensitive information must not be
forwarded to any party outside SUMOU without the prior approval of a local department
director. Blanket forwarding of messages to parties outside SUMOU is prohibited unless
the prior permission of the Information Technology Department has been obtained.
Messages no longer needed for business purposes must be periodically purged by users from
their personal electronic message storage areas. Not only will this increase scarce storage
space, it will also simplify records management and related activities.
immediately. If any unauthorized use of SUMOU’s information systems has taken place,
or is suspected of taking place, the IT Manager must be notified immediately. Similarly,
whenever passwords or other system access control mechanisms are lost, stolen, or
disclosed, or are suspected of being lost, stolen, or disclosed, IT Staff of the system must
be notified immediately. Because it may indicate a computer virus infection or similar
security problem, all unusual systems behavior, such as missing files, frequent system
crashes, misrouted messages, and the like must also be immediately reported. The
specifics of security problems should not be discussed widely but should instead be
shared on a need-to-know basis.
8.24.2 Internet users must notify the IT manager in the event security-related problems are
noted; examples of such include: unauthorized use of your account, unfamiliar computer
files on external servers, etc.
8.24.3 SUMOU has established guidelines for responding to incidents that occur through its
network connections. Users must notify the IT Manager in the event they suspect
problems with their network connection. Incidents or problems may include, but are not
limited to:
• Unauthorized use of your personal account (i.e., unexplained use of your login).
• Solicitations via phone, e-mail, etc. for passwords.
• Loss of service; degraded service.
• Receipt of strange, offensive or chain e-mail.
• The appearance of unfamiliar computer files on external servers (e.g. many hackers like
to use ftp sites as free storage sites for their materials).
• Detection or infection by computer viruses.
CHAPTER-9
9. Naming Convention Policy
9.1 Overview:
DNS names, or computer names, are used to identify various devices on the network. In
order to ensure names are compatible with DNS requirements, certain standards must be
maintained.
9.2 Purpose:
To develop a standard DNS naming convention that provides uniqueness and an easy
way to identify devices on the network.
9.3 Scope:
All network computer devices assigned a static or dynamic address on the SUMOU computer
network; this includes devices running Windows or Macintosh operating systems.
9.4 Policy:
9.4.1 A computer name can be up to 15 alphanumeric characters and must be
unique on the network and cannot contain the following special characters: !
@ # $ % ^ & ( ) _ ' { } . ~ \ * + = | : ; " ? < > , SPACE
9.4.2 All letters must be in CAPITAL case.
9.4.3 The name consists of three parts:
9.4.3.1 Location code in 2 letters “KH – RY – JD“.
9.4.3.2 Company Name in 3 Letters “SHC – SRE – ADR – AWJ – TAM- … “.
9.4.3.3 Dash ( - ).
9.4.3.4 The user first name followed by the first letter of the second name.
Example KHSHC-OSAMAM
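The rules in 9.4 can be checked mechanically against a device inventory. The following Python code is an added example, not part of the SUMOU manual: it uses only the location and company codes shown above (the manual's company list is truncated), reads "alphanumeric" strictly as A-Z and 0-9, and its function names are hypothetical.

```python
import re

# Codes shown in 9.4.3; the manual's company list ends in "…", so COMPANIES
# is knowingly incomplete and must be extended from the real register.
LOCATIONS = {"KH", "RY", "JD"}
COMPANIES = {"SHC", "SRE", "ADR", "AWJ", "TAM"}
MAX_LEN = 15  # 9.4.1
# Assumption: "alphanumeric" is read strictly, so only A-Z, 0-9 and the one
# separator dash pass; every character banned in 9.4.1 fails this pattern.
LAYOUT = re.compile(r"([A-Z]{2})([A-Z]{3})-([A-Z0-9]+)")


def build_computer_name(location, company, first_name, second_name):
    """Compose a name per 9.4.3: location + company + dash + first name + initial."""
    return f"{location}{company}-{first_name}{second_name[:1]}".upper()


def check_computer_name(name):
    """Return the list of 9.4 violations for one name (empty means compliant)."""
    problems = []
    if len(name) > MAX_LEN:
        problems.append("longer than 15 characters (9.4.1)")
    if name != name.upper():
        problems.append("not in capital letters (9.4.2)")
    match = LAYOUT.fullmatch(name.upper())
    if not match:
        problems.append("banned character or wrong layout (9.4.1, 9.4.3)")
        return problems
    location, company, _user = match.groups()
    if location not in LOCATIONS:
        problems.append(f"unknown location code {location}")
    if company not in COMPANIES:
        problems.append(f"unknown company code {company}")
    return problems


def find_duplicates(names):
    """9.4.1 requires unique names; compare case-insensitively."""
    seen, dupes = set(), set()
    for name in names:
        key = name.upper()
        (dupes if key in seen else seen).add(key)
    return sorted(dupes)
```

The six-character prefix leaves nine characters for the user part, so a long first name produces a name that fails the 15-character check; the manual does not define how such names are shortened.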
9.5 Email Account:
9.5.1 The email account should be the same as the Active Directory account.
9.5.2 Email Account consists of three parts:
9.5.2.1 The first character of the employee's name, followed by a dot (".").
9.5.2.2 The second part is the full last name of the employee.
9.5.2.3 The third part is the domain name of the company.
Example o.mallah@sumou.com.sa