INFORMATION SERVICES POLICIES AND PROCEDURES MANUAL
1. Introduction
This manual has been developed as a guide, model, and frequent decision-making reference for the Tapal Tea Private Limited Information Technology Department. No two information systems operations could pass for twins, but they have elements in common: hardware, software, and personnel. This manual defines these common threads that link all information technology operations, covering a variety of situations. IT operations that have formal policies and procedures manuals in place are noticeably easier to manage and operate.
1.1. Purpose
The prime focus of this manual is to lay down Policies and Procedures to govern day-to-day IT operations, which are to be followed by every staff member of Tapal Tea and its sister companies involved with technology operations, whether permanent or contractual.
1.2. Waiver and Exception criteria
This manual is intended to address day-to-day IT Operations. Requested waivers and exceptions must be formally submitted to the document owner, including the justification and benefits attributed to the waiver, and must be approved by the Steering Committee. A waiver should only be used in exceptional situations when communicating non-compliance with a policy / procedure for a specific period of time (subject to a maximum period of 1 year). At the completion of the period the need for the waiver should be reassessed and re-approved, if necessary. No policy/procedure should be granted a waiver for more than three consecutive terms.
1.3. Maintenance
Tapal Tea’s IT Department is responsible for administering these policies & procedures. This task includes updating the Policy & Procedures document from time to time to reflect updates, amendments and circumstances requiring change, and training the personnel.
Besides the above-mentioned changes, the document will undergo a formal review once every three years, and whenever there is an apparent need to revise it, to confirm incorporation of all changes to the business/IT environment since the last review.
1.4. Revision Procedure and Control Techniques
When there is an apparent need for new or revised policies & procedures, the IT Department will submit it through appropriate channels to the Steering Committee.
After the Steering Committee has approved the new or revised policy/procedure, it may direct that the policy/procedure be issued and administered immediately.
Approved policies & procedures will be distributed to authorized management and supervisory officials by the IT Department.
The following manual revision control technique will be used:
• Policy & procedure holders are responsible for pointing out the need for revision whenever current instructions prove impracticable.
1.5. Version Number
The version of the manual is mentioned on the title page along with the date of publication, e.g., “Version 2.0, March 2025”. An updated version of the manual will be released after significant changes to the individual chapters of this manual.
2. IT Organization Structure and Governance
2.1. Information Technology Organization Chart
For the Information Technology Organization Chart, please refer to Annexure A.
2.2. Establishment of Information Technology Steering Committee
2.2.1. Objective
The Steering Committee has the specific responsibility for overseeing major IT projects, managing IT priorities, and setting the overall alignment of technology strategies with business objectives.
The primary function of the IS Steering Committee is to take responsibility for the feasibility, business case and achievement of outcomes of all Information Technology and Systems projects and investments. The IS Steering Committee will monitor and review any kind of IT investment and in-process project status, as well as provide guidance in the rollout of project deliverables.
2.2.2. Members
Committee membership shall include representatives from senior management, user management and the IS function to ensure active participation of IS functions. Other representatives may be invited upon request. Committee members shall comprise the following:
• CEO Tapal Tea Private Limited
• GM IT
• CFO Tapal Tea Private Limited
• Business Heads
• Information Technology Management
2.2.3. Responsibilities of IS Steering Committee Members
The following are the responsibilities of the Steering Committee:
• Overseeing the development and implementation of policies, principles, standards, and guidelines on information security, consistent with the guidance of Information Security Standards and proposed IS governance framework.
• Ensuring that information security management processes are integrated with organization strategic and operational planning processes.
• Review progress on existing IS and InfoSec projects and initiatives.
• Approve new projects (along with budgets) by going through the requirements.
• Discuss the cost-benefit analysis and need assessment for each IS and InfoSec initiative/project.
• Decide whether to go for internal development of the systems or use external off-the-shelf products or services.
• Ensure that the General Manager Information Technology reports periodically to the CFO of Tapal Tea on the effectiveness of the information security program, including the progress of remedial actions.
• Formulate Project teams (A mix of Business Users and IS, where required) for each of the projects so that proper coordination is done between departments.
• Formulate the IS and InfoSec strategy and ensure its alignment with the business objectives of Tapal Tea.
• Ensure that the IS and InfoSec strategy is followed for each of the approved projects.
• Review significant IS related risks.
• Ensure that adequate resources are allocated to support the overall enterprise information security strategy.
• Ensure roles and responsibilities include risk management in all activities.
• Ensure that risk analysis is conducted on all critical systems within their area to assure that controls are deployed commensurate with the risk.
• Review and monitor progress of Internal/External IS Auditor’s report.
• Ensure that an External IS Audit is carried out as per State Company requirements.
• Monitor and review Company-wide compliance with IS and InfoSec policies, and discuss and resolve conflicting issues pertaining to non-compliance.
2.2.4. Role of CEO and/or CFO in IS Steering Committee
The CEO and/or CFO have overall strategic responsibility for all IS investments and IS projects, and are responsible for ensuring that the business brings the necessary commitment to all IS projects and investments. Time requirements for this role are normally at least once a quarter, or as and when required.
The responsibilities of the CEO / Chairman in the IT Steering Committee are to:
• Communicate the importance of the project and investment to the business.
• Maintain regular and visible contact with all IS projects and investments.
• Approve and monitor the IS budget and expenditures.
• Make business decisions on issues escalated by the Steering Committee members.
• Accept IS deliverables on behalf of the business.
• Assist in clearing any bottlenecks or obstructions to the projects and IS investments.
2.2.5. Role of the IS Steering Committee Facilitator and Coordinator
The responsibilities of the IS Steering Committee Facilitator are to:
• Propose an agenda for each meeting using input from the committee members.
• Be genuinely interested in taking the initiative in pursuing IT projects.
• Ensure that the meeting agenda and any relevant materials are distributed to all members of the committee at least two working days prior to the meeting.
• Have a broad understanding of SAP, IT and project management issues and the approach being adopted.
• Deliver presentations on the complete IT requirements to all members of the Steering Committee.
• Understand the strategic implications and outcomes of initiatives being pursued through project outputs.
• Serve as the liaison to the IS Steering Committee Chairman and check adherence to project activity timelines.
• Report on project progress to IS Steering Committee members in Steering Committee meetings.
• Coordinate with business process owners on a daily basis to resolve issues and complete projects.
• Foster positive communication outside of the team regarding the project's progress and outcomes.
2.2.6. Role of Business Power User (Business Head)
Business Power Users, who are also the designated Business Heads, should:
• Serve as the liaison between business users and the IT department.
• Own the business process including all the information processing assets and underlying data falling under the line of function, from a strategic point of view and have end-to-end responsibility for the process.
• Define process goals based on Tapal Tea's strategy and business objectives.
• Drive the continuous improvement of the process.
• Be able to answer system functionality and business process questions, and ensure that end users have been trained on business processes and system use.
• Have final decision-making power for changes to the process.
2.2.7. Meeting Schedule and Process
The Steering Committee will meet quarterly, or as and when required, to keep track of issues and the progress of all IT project implementations, IT procurement and ongoing support to its stakeholders.
The IS Steering Committee Facilitator will facilitate the Steering Committee meeting in the presence of the CEO and/or CFO and all Steering Committee members.
2.2.8. Meeting Agenda
At each meeting, the status of all running IT projects will be reported to the committee by the IS Steering Committee Facilitator, using an agenda such as the following:
A. Introductory Items such as:
• Introduction
• Review Agenda
• Minutes from the last meeting
• Review of actions arising from previous IS Steering Committee meetings
B. Review All In-Progress IS Project Statuses
• Overall Status
• Scope status
• Schedule status
• Budget status
• Reason for deviation from green status
• Current issues arising since the last meeting
C. Review all IS procurements, company-wise / business-wise
D. Review critical IS procurements that are not budgeted
E. Plans, date, and location for the next meeting
2.2.9. Reporting
The Steering Committee Facilitator will regularly report to the CEO and/or CFO on activities, issues and related recommendations, and will publish meeting agendas, minutes and supporting documents so that all members are aware of the work and recommendations of the committee.
2.3. IT Strategic Plan
2.3.1. Objective
An IT Strategic Plan provides a roadmap for IT to support the business objectives of the company. Without a Strategic Plan, the implementation of IT may be misguided, delayed and/or expensive, and achieving IT goals according to organizational needs becomes difficult.
2.3.2. Responsibility
• IS Steering Committee
• GM IT
• Business Analyst Manager (SAP)
• System Manager/ IT Business Partner Systems
• Information Security Manager
2.3.3. IT Strategic Plan Development
1. The IT Department is responsible for developing and implementing an IT strategy which is in line with the business objectives of Tapal Tea.
2. Once developed, the IT strategy will be revised yearly to cover Tapal Tea’s technology investments for the next 3 to 5 years. The IT strategy will include a roadmap of efforts/projects to be undertaken on a yearly basis.
3. The IT Strategic Plan shall include the following:
• Vision Statement
• Mission, goals, and objectives of Tapal Tea
• Business models for strategic use of IT
• Future IT Model that supports the business vision
• Analysis and strategies to close the gaps between providers and users of IT
• New technology-based products.
• Definition of Key Milestones (Major Projects)
4. The IT Strategic Plan shall be presented to and approved by the Steering Committee.
2.3.4. IT Strategic Plan Review
The Steering Committee shall review the IT Strategic Plan at least once a year to ensure that appropriate IT and related business resources are available to fulfil the committed IT plans. Relevant changes shall be made by the GM Information Technology.
2.4. IT Department Budget Policy
2.4.1. Objective
The objective of this policy is to prepare the annual budget for requirements pertaining to the IT Department in line with Tapal Tea’s annual budgeting and allocation, and to provide guidelines for monitoring performance, periodic review for relevancy, and revision of the annual budget.
2.4.2. Responsibility
• GM IT
• Steering Committee
• IS Management Staff
• Finance Department
2.4.3. Policy
1. IS Management staff shall be responsible for preparing the annual budget.
2. The budget should be prepared on a forecasting basis to predict expected future expenditures, and should be in line with the company’s long- and short-range IS Plan.
3. The budgeting procedure of the Finance Department, if one exists, may be followed for the IS budget.
4. The annual IS budget should be reviewed by the GM IS before it is sent to the Finance Department.
5. The IT budget should first be presented to the IS Steering Committee and then to the Board of Directors for approval along with Tapal Tea’s Annual Budget.
6. For non-budgeted projects and contingency requirements, a detailed business case with cost-benefit analysis shall be prepared and presented to the CEO and/or CFO for approval.
2.5. Personnel Qualification and Competence
2.5.1. Objective
Human resources are the most valuable asset of Tapal Tea. This policy lays down guidelines by which IT management can regularly verify that personnel performing specific tasks are qualified on the basis of appropriate education, training, and/or experience.
2.5.2. Prerequisite
This policy should be read in conjunction with:
• Information Security Policies, including:
o Human Resource Security
2.5.3. Responsibility
• Steering Committee
• GM Information Technology
2.5.4. Policy
1. Experienced staff shall be given the responsibility of imparting technical training to junior staff.
2. Employees shall be encouraged to attend training/workshops/short courses relevant to their role at Tapal Tea.
3. The IT Department shall ensure that personnel performing their tasks attain an adequate competence level.
4. Personnel hired for specific roles should match the required qualification level of that role as closely as possible.
2.5.5. Job Descriptions
1. HR shall clearly define roles and responsibilities for personnel with the help of the relevant Department, including the requirement to adhere to policies and procedures, the code of ethics and professional practices.
2. Efforts should be made to achieve segregation of duties. In case of resource constraints, monitoring shall be increased to compensate.
2.6. IT Asset Management & Information Classification
2.6.1. Objective
The hardware and software components that constitute Tapal Tea Private Limited’s Information Technology assets represent a sizable monetary investment that must be efficiently monitored, maintained, and protected. The management of IS assets should be in line with guidelines of the Information Security Policies of the Company.
The classification of information is a key element in the protection of information assets against unauthorized disclosure. The objective of the information classification procedure is to identify guidelines for keeping information assets protected against unauthorized disclosure. It provides a basis for establishing proportionality between the level of Information Security control and the asset value, in order to avoid the cost of overprotecting or the risk of under-protecting information assets.
2.6.2. Prerequisite
This procedure should be read in conjunction with:
• Information Security Policies, including:
o Asset Management and Information Classification
o Access Control Policy
o Physical and Environmental Security
2.6.3. Responsibility
• Steering Committee
• GM Information Technology
• Heads of Departments (Business Heads)
• Supply Chain Management (CPD) Department
2.6.4. IT Asset Management
Step Description Responsibility
IT Assets Inventory
1. Information recorded for IT assets shall consist of, but is not limited to, the criteria established in Annexure A of the Asset Management and Information Classification Policy. IT Department
2. Changes / upgrades to IT assets shall be updated in the IT Asset Inventory in a timely manner. IT Department
3. All information assets shall be labelled physically or electronically in accordance with the asset classification scheme described in Annexure A. IT Department
Depreciation of IT Assets
4. The IT Department provides the relevant information to the Finance Department for depreciation to be recorded against IT assets. The depreciation policy of the Finance Department is to be followed (4 years for normal laptops / desktops, 5 years for servers, and network equipment until the end of support). IT Department / Finance Department
Sale / Write-off of Equipment
5. The IT Department, with the help of the Finance and CPD Departments, will initiate the sale / write-off of old / obsolete / faulty IT equipment. IS / Finance / CPD Departments
6. The Asset Inventory list is to be updated in a timely manner, maintained and periodically reviewed. IT Department / Finance Department
7. The asset inventory shall include:
a) Asset name / tag
b) Description
c) Asset owner
d) Classification
e) CIA values
f) Asset value IT Department / Finance Department / Information Security
Loss of Equipment
8. If the hardware was under insurance coverage, the Finance Department section dealing with insurance matters is to be informed of the loss. The relevant insurance policy is to be followed for the loss of equipment and the insurance claim. IT Department / Finance Department
9. The Asset Inventory list is to be updated in a timely manner. IT Department / Finance Department
2.6.5. Information Classification
Step Description Responsibility
1. Business Owners to be identified (application-wise) by Management. IS Steering Committee
2. Data Custodians to be nominated for the protection of data/information assets. Business Head
3. Data Custodians and their nominating Business Heads to be given awareness training on the protection of information assets. IT Department / GM IT
GM IT
4. Access to information assets in applications shall be granted in accordance with the Access Control policy and procedure. GM IT / IT Department
5. Identify the criticality of each asset based on the CIA value of the data residing in it and its potential impact on the business.
6. Classify each asset using the following criteria:
a) High
b) Medium
c) Low
2.7. Vendor Selection & Contracting
2.7.1. Objective
Selecting vendors for outside services and hardware requires the application of stringent evaluation procedures. This policy provides guidelines for the most appropriate way of acquiring hardware and software and outlines the minimum steps to be followed in order to meet required purchasing needs.
2.7.2. Prerequisite
This procedure should be read in conjunction with:
• Information Security Policies, including:
o Supplier Relationships
2.7.3. Responsibility
• Steering Committee
• GM Information Technology / IT Department
• Central Procurement Department (CPD)
2.7.4. Policy
1. The vendor shall have sufficient experience in the area of computer system sales and support of the relevant equipment.
2. The vendor shall be selected keeping in view the following points:
• Expertise and experience in the domain
• Affiliation with their parent/principal companies, not only to sell the product locally but also to provide after-sales service
• Previous and existing clientele
• Financial stability and good reputation
3. Conflict of interest between vendor and any company personnel should be avoided wherever possible.
4. Vendor representatives signing contracts must have the authority to represent their companies.
5. Contracts shall include a cancellation and performance clause.
6. In case the vendor is implementing customized software, the source code should either be received from the vendor initially, or there should be provisions for acquiring the source code in the event that the vendor goes out of business. Clauses pertaining to a Software Escrow Agreement should be included, under which a third party (escrow agent) holds the software in escrow should such an event occur. It should be ensured that product updates and program fixes are included in the escrow agreement.
7. The vendor should be willing and able to provide a complete set of system documentation for review prior to acquisition. The level of detail and precision found in the documentation may be an indicator of the detail and precision utilized within the design and development of the system itself.
8. The vendor should have available a complete line of support products for the software packages and Hardware solutions. This may include onsite training during implementation, product upgrades, automatic updated version notification and onsite maintenance, if requested.
9. Efforts should be made to identify and send “request for proposals” (RFPs) to at least 3 vendors.
10. All vendors shall be required to send their company profile along with client list and reference numbers.
11. The following items should be addressed in detail when contracting the vendor:
• Fees
• Roles and responsibilities
• Deliverables
• Workflows
• Maintenance procedures
• Access controls
• Security and performance review
• Fallback procedures
• Basis for payment and arbitration procedures.
• Penalty and reward mechanisms
• Confidentiality of information
• Ownership and licensing of Intellectual property
• Transition-out procedures
12. The Steering Committee is to be consulted on vendor selection if required.
13. Without the approval of the GM Information Technology, no IT-related purchase order shall be issued to any vendor.
14. Both the Business Procurement and IT Departments are responsible for verifying the purchased items against the appropriate purchase requisition.
15. The warranty and technical support period shall be at least one year where applicable.
16. Extended warranty options shall be specified by the vendor in the agreement.
17. All agreements between Tapal Tea Private Limited and the vendor shall be in writing.
18. The final contract shall be examined by the legal department of Tapal Tea Private Limited before it is signed.
2.7.5. Procedure
Step Description Responsibility
1. Review all requests for proposals (RFPs) to ensure that they:
• Clearly define requirements
• Include a procedure to clarify requirements
• Allow vendors sufficient time to prepare their proposals
• Clearly define award criteria and the decision process IT Department / CPD Department
2. Identify vendors providing the required service via market research, contacting businesses with similar needs, newspapers, etc. IT Department / CPD Department
3. Float RFPs and shortlist at least 3 vendors who best meet the requirements. CPD Department
4. Contact the parent companies of the vendors to verify that they are authorized business partners providing products and after-sales service. CPD Department
5. Evaluate RFP responses in accordance with the approved evaluation process/criteria and maintain documentary evidence of the evaluations. Verify the references of candidate vendors. Evaluate responses with respect to the “Vendor Selection and Contracting” policy. CPD Department
6. Contact previous and existing clients of the vendors to obtain opinions about product sales and services. IT Department / CPD Department
7. Select the vendor that best fits the RFP, document and communicate the decision, and sign the contract. IT Department
2.8. IT Equipment / Technology Procurement
2.8.1. Objective
Procurement of cost-effective hardware/software is a key aspect of success for any business. It is imperative that all viable solutions available in the market be evaluated as part of the cost-benefit analysis, while maintaining transparency in the procurement process. The following procedures establish a procurement process for any hardware/software solutions procured for the Company.
2.8.2. Prerequisite
This procedure should be read in conjunction with:
• Vendor Selection and Contracting
• Information Security Policies, including:
o Supplier Relationships
2.8.3. Responsibility
• CEO Tapal Tea Private Limited
• CFO Tapal Tea Private Limited
• GM Information Technology
• Senior Manager IT Infrastructure
• Finance Department
• Steering Committee
• Central Procurement Department (CPD)
• Tapal Tea Staff
2.8.4. Policy
1. All vendors for the procurement of IT Equipment / Technology shall be selected based on the guidelines and procedure set out in the section Vendor Selection and Contracting.
2. For IT-related hardware procurement, hardware lying at “zero” written-down value in the “fixed asset register”, i.e., fully depreciated, shall be replaced as per Tapal Tea’s Laptop Policy and/or as per technical need.
3. Branded / new systems shall be recommended after fulfilling the minimum specifications and requirements.
2.8.5. Procedure for the procurement of Minor IT Equipment
Step Description Responsibility
1. An IT equipment / software procurement request is raised via the Service Desk system / form / email. Tapal Tea Staff
2. The request is forwarded to CPD; approval is then required from the respective Business Head / Divisional Head for onward submission of the request to the IT Department. CPD / Business Head
3. The request is carefully evaluated against future need and then fulfilled, where possible, from the available inventory of IT assets. GM Information Technology / IT Department / Information Security
4. Where the equipment cannot be provided from the existing IT inventory, a Local Purchase Request is raised after careful evaluation of needs. GM Information Services / IT Department
5. After approval of the Local Purchase Request, the CPD Department contacts existing vendors to furnish the items. If a new vendor is to be selected, refer to the “Vendor Selection and Contracting” policy. CPD Department
6. Once the equipment is purchased, it is handed over to the IT Department representative and the bill is sent to the Finance Department. CPD Department
7. If the equipment falls within the insurance coverage range, the Finance Department is sent details of the hardware so that the asset can be registered with the insurance provider. GM IT / IT Department / Finance Department
8. The IT Asset Inventory is updated. GM IT / IT Department / Finance Department
9. After updating the inventory, the IT Department hands over the IT equipment to the requesting staff and closes the Service Desk request / email after obtaining formal endorsement. IT Department / Service Desk / Email
2.8.6. Procedure for the procurement of Major IT Equipment
Step Description Responsibility
1. A request is sent to all departments requiring IT-related equipment (laptops / desktops and accessories). Further, the IT Department internally evaluates the current inventory for its replacement and upgrade plan. IT Department
2. All departments send the completed requests for new IT equipment or replacement of existing IT equipment to the IT Department after approval. Requirements including all capitalized items of higher cost will be presented to the CFO / CEO along with the justification for approval. Requirements below the stated amount will be presented to the GM IT for approval. Business Head
3. The request is evaluated in terms of the IT budget and the available inventory of IT assets. GM Information Services / IT Department
4. After approval of the budget for the IT equipment, the existing vendor, if any, is contacted to furnish the items. If a new vendor is to be selected, refer to the “Vendor Selection and Contracting” policy. IT Department / CPD
5. Where the equipment falls within the insurance coverage range, the Finance Department is sent details of the hardware so that the asset can be registered with the insurance provider. GM Information Systems / IS Department / Finance Department
6. The IT Asset Inventory is updated. GM Information Services / IS Department / Finance Department
7. The IT equipment is then handed over to the requesting departments, and the IT Asset Inventory is updated. GM Information Services / IS Department
2.9. Awareness and Compliance of IS Policies and IT Procedures
2.9.1. Objective
Awareness and implementation of IS policies and IT procedures are vital to safeguarding Tapal Tea’s information assets and ensuring the smooth operation of IS activities. This policy emphasizes the responsibilities of higher management in creating awareness amongst staff towards the implementation of policies and procedures.
2.9.2. Prerequisite
This policy should be read in conjunction with:
• Information Security Policies
2.9.3. Responsibility
• Steering Committee
• GM IT
• Sr. Manager IT Infrastructure
• Manager Systems/ IT Business Partner Systems
• Business Analyst Manager (SAP)
• Business Heads (Head of Departments)
• Manager Information Security
2.9.4. Policy
1. It shall be the responsibility of Steering Committee members / Business Heads to ensure awareness of IS policies amongst employees.
2. All employees joining Tapal Tea, whether regular or on contract, shall be asked to read the IS Policies Manual so as to be fully aware of the Company’s IS policies.
3. It shall be made clear to all employees that willful negligence or a serious compromise of Information Security shall result in disciplinary action as deemed necessary by the Steering Committee.
4. Users in particular will be made aware of the importance of data security and will be urged to take measures to avoid unauthorized access to confidential information as specified in the IS Policies.
3. Developing and Delivering IT Solutions
3.1. Project Definition Policy
3.1.1. Objective
Each project must have objectives that are defined by management and achievable. This policy highlights the importance of project definition.
3.1.2. Policy
1. Each project must have achievable objectives backed by a defined benefits realization (e.g., feasibility study, business case) approved by the IS Steering Committee / Business Heads. For smaller projects, approval from the General Manager Information Technology and the relevant business unit is sufficient.
2. The relevant IS Management shall conduct the Feasibility Study of the project, which shall cover technical, operational, and monetary aspects.
3. The Feasibility Study shall clearly define alternatives for the new system, identifying whether to acquire an off-the-shelf package, develop internally, outsource, or use a combination of these.
4. Each evaluation shall describe how the alternative meets or does not meet the feasibility criteria.
5. A project schedule must be prepared, within which work must be performed in measurable milestone units so that progress can be reported.
6. The personnel assigned to the project shall also have their time and commitments defined.
7. The success of a project assignment must also be measurable by defined KPIs agreed upon between the IT Department and the business unit.
8. IT outsourcing of equipment and services within or outside Pakistan shall be approved by Senior Management.
9. The company shall execute Software Escrow Agreements with the software developer or service providers, if applicable.
10. It is the responsibility of the service provider to provide uninterrupted services to Tapal Tea in a reliable manner.
11. Outsourcing of IT Audit is allowed, subject to the arrangement being approved by Senior Management or its relevant committee.
Project Manager
12. A Project Manager will be appointed to manage the entire project. This may be a delegated staff member appointed by the GM IS. The Project Manager will be accountable to the IS Steering Committee / GM IT for any overspending, schedule delays, or the project not meeting user expectations.
Information Security
13. Information Security will ensure that system controls and supporting processes provide an effective level of security for information, in accordance with Tapal Tea’s Information Security Policies.
Project Team
14. Depending on the size and urgency of the project, different project teams will be formed to work for a defined time period under the Project Manager nominated by the IT Steering committee / GM IS.
Project documentation
15. All project-related information shall be systematically recorded, maintained, and accessible throughout the project lifecycle. This policy mandates the creation, organization, and storage of comprehensive documentation, including project charters, plans, requirements, design documents, progress reports, meeting minutes, and final deliverables. Documentation must be regularly updated to reflect the current project status and be securely stored with appropriate access controls.
3.2. Cloud Management
3.2.1. Purpose
The purpose is to manage cloud services at TAPAL with focus on cost and resource optimization, enhanced availability, reliability, data privacy and security of cloud services.
3.2.2. Policy statement
1. Cloud services should be considered based on business and IT strategies supporting efficiency, cost effectiveness, data privacy and security.
2. The decision regarding acquiring cloud services shall be substantiated by management.
3. Selection of appropriate cloud deployment and service model shall be done as per service acquisition policy considering short-, medium- and long-term impact related to cost, technology, roll-out and ease of use.
4. During the acquisition process, as a part of the service contract with the cloud service provider, the transfer of information back to TAPAL shall be specified on contract termination.
5. SLAs and contracts shall be in place for cloud services acquisition, and appropriate clauses that allow cloud platforms to be scalable, cost effective and innovative shall be included.
6. Managing access, change, data backup, disaster recovery, incidents and adequate logging mechanism related to cloud services shall be governed as per relevant approved IT policies.
7. TAPAL shall review service agreements before acquiring any cloud service and ensure that services are acquired only if they fulfill TAPAL’s compliance requirements. IT management shall ensure that access to cloud resources is limited to what IT staff and/or employees need to accomplish their duties, following the least privilege principle, with strong access control enforced.
3.3. Application Development Management
3.3.1. Objective
Application systems are developed and maintained to serve system users by providing them with various data processing and Management of Information System (MIS) capabilities. In order to standardize and streamline system development process, a structured system development methodology needs to be adopted. The objective of every Tapal Tea system development project is to develop systems that are engineered to satisfy the users' requirements, within determined cost, schedule, and quality guidelines.
3.3.2. Responsibilities
• IS Steering Committee
• General Manager Information Technology
• Head of Departments (Business Heads)
• Manager Systems/ IT Business Partner Systems
• Sr. Manager IT Infrastructure
• ABAPer
• Technical Team (Developers)
• User Line Manager
• Users (Intra Departmental Personnel)
3.3.3. Procedure
Step Description Responsibility
Application/Module request & approval
1. Requests for any new application/module development should be initiated by the user and sent to their line manager via portal / email. Responsibility: Users
2. The user line manager / Business Head should analyze the need and approve the request. Responsibility: Line Manager / Business Heads
3. The request for application/module development shall be forwarded to the IT Department for evaluation of the change. Responsibility: User Line Manager
4. The nature of the development, along with time and cost factors (wherever applicable) and the effect on the system, should be assessed. Responsibility: Business Analyst Manager / Business System Manager
5. The Business Head shall approve the time and cost factor (if any) for the development required. Responsibility: Business Head
6. Where cost and time factors are involved, upon consensus, the feasibility of the project will be presented to the IS Steering Committee. Responsibility: GM IT / Application Manager / Business System Manager
7. IT Business Partners (with user / requester representation) will decide whether to accept or reject the project. Responsibility: IT Business Partner
Project Initiation
Step Description Responsibility
1. The Project Team shall be formed consisting of the following members:
• Nominated Project Manager
• Representatives from IT (GM IS, Business Analyst Manager, Business Systems Manager, Manager Information Security, Functional / Technical Team, QA)
• User Representative / Business Analyst
The QA / Inter Department Personnel function will act as an independent reviewer throughout the project. Responsibility: IS Steering Committee / GM IT
2. A high-level Project Plan shall be developed with details of all activities, resources, and timelines. Responsibility: Nominated Project Manager
3. A naming convention will be decided for all documents/deliverables created throughout the project. Responsibility: Nominated Project Manager
4. The Project Plan shall be updated as the project proceeds. Responsibility: Nominated Project Manager
System Analysis
1. User requirements will be documented in detail. Where the existing system already fulfills certain requirements, these shall be explicitly mentioned along with the additional features required in the new system. Responsibility: Nominated Project Manager
2. A Business Requirement Document (BRD) shall be developed in close collaboration with the Business Head, covering the following:
• Project Stakeholders
• Dependency on existing systems (if any)
• Scope of requirements (in scope / out of scope)
• Functional requirements
• Non-Functional requirements (wherever applicable)
• Application workflow
• Data Migration process (wherever applicable)
• Business Rules
Responsibility: Nominated Project Manager / Business Head
3. Users and IT Representatives shall work jointly to decide functional / data requirements. Responsibility: Nominated Project Manager
4. Adequate security and control features shall be incorporated / defined within the system. Responsibility: Information Security
5. Requirements shall be verified to ensure they are complete, consistent, unambiguous, modifiable, testable, and traceable. Responsibility: Users (Inter Departmental Personnel)
6. The Business Requirement Document (BRD), once developed, shall be formally approved by the relevant stakeholders (Business Head / Departmental Head). Any conflict arising shall be resolved and user/business sign-offs will be obtained. The scope of the project activity will then be frozen. Responsibility: Business Heads / Nominated Project Manager
7. Additional hardware/software required for the project shall be arranged as per the feasibility decided. Responsibility: Nominated Project Manager
8. A Segregation of Duties matrix (Responsibility Matrix) for project personnel shall be developed. There shall be separate test, development, and production environments. Responsibility: Nominated Project Manager
9. All the risks and areas that could potentially be impacted shall be recorded with the appropriate impact, as they will need to be addressed in later stages of application development. Responsibility: Nominated Project Manager / GM IS / Business Head
System Design
1. A System Design Document (SDD) shall be prepared, which shall include, but not be limited to:
• System Input forms / screens
• System Output
• Validation Criteria
• System Security and Control
• Data Structure
• Database Design
• Description of design and database logic
• System Interfacing
• Performance Indicators (if any)
Responsibility: Business Analyst Team (Functional Team) / Technical Team (Developers)
2. Wherever applicable, detailed schematics of the portions of the communication networks that relate to the system shall be designed with the help of the Network Manager. Responsibility: Business Analyst Team (Functional Team) / Network Manager
3. Potential threats to the system under development, and the security measures incorporated to reduce or eliminate those threats, shall be outlined. Key information security controls shall be integrated in the System Design Document. Responsibility: Nominated Project Manager
4. Process flows and sequence diagrams shall be developed for all processes being built in the application. The user / technical team should approve these. Responsibility: Project Manager / Business Analyst Team (Functional Team) / Users
5. Timing requirements (response time, throughput time, etc.) for data availability, and data storage requirements including internal storage requirements, use of internal storage and auxiliary storage such as tape and disk, and the estimated quantity of storage required for each, shall be defined. Responsibility: Project Manager / Business Analyst Team (Functional Team) / Users
6. The testing plan for the application shall be devised, including testing methodologies, system success criteria, actual and expected results, etc. Responsibility: Project Manager / System Analyst Team (Functional Team) / Technical Team (Developers) / Users
7. Design Documents shall be approved. Responsibility: GM IS / Business Head
System Development
Step Description Responsibility
1. Coding of the system should be conducted using the design documents. Responsibility: Technical Team (Developers)
2. The database shall be implemented in line with the database diagram defined in the design phase. Responsibility: Technical Team (Database Administration)
3. The database design shall be reviewed to ensure that it is built as modelled in the design phase. The review shall cover the following:
• Database indexes.
• Field constraints and data structures in the database.
• Edit or validation checks.
Responsibility: Business Analyst Team (Functional Team) / Technical Team (Developers)
4. Application code shall be cross-referenced to the system design documents. Responsibility: Technical Team (Developers)
5. Wherever applicable, errors encountered during development / compilation etc. shall be documented. Responsibility: Technical Team (Developers)
6. Unit testing shall be performed in accordance with the test plan. The following should be part of unit tests:
• Name of the software module to be tested
• Description and objective of the test
• Any test stubs and drivers used in executing the test
• Test data to be used in the test
• Expected results
• Steps to be taken to execute the test
• Actual results
Responsibility: Business Analyst Team (Functional Team) / Technical Team (Developers)
7. Unit test results shall be compared with the expected test results documented in the testing plan. Testing cycles will be repeated after code changes until the expected results are achieved. Responsibility: Business Analyst Team (Functional Team) / Technical Team (Developers)
8. The Application/Module shall be integrated after successful unit testing. Integration testing shall be performed according to the test plan developed in the System Design phase. Responsibility: Business Analyst Team (Functional Team) / Technical Team (Developers)
9. After integration, a review shall be performed to compare actual and expected results. Testing cycles will be repeated after code changes until the expected results are achieved. Responsibility: Project Manager / Business Analyst Team / Intra Departmental Personnel
10. An application deployment plan shall be devised. Responsibility: Project Manager
System Testing
1. Thorough testing of the developed application shall be performed as per the testing plan. A report detailing the test methodologies and results shall be sent to the Project Manager. Responsibility: Business Analyst Team / Technical Team
2. Test systems with the application installed should be made available for User Acceptance Testing (UAT). Responsibility: Project Manager / Business Analyst Team (Functional Team)
3. A User Manual shall be developed by the designated resource. The User Manual shall contain procedures for using the application. Responsibility: Business Analyst Team (Functional Team)
4. Business users should be trained before UAT. Responsibility: Project Manager / Project Team
5. The actual output generated by UAT shall be compared against the expected output documented by the users in the test plan. If deviations from the expected results are discovered, these shall be reported to the GM IT / Steering Committee. The root cause of the variation shall be identified, and the rectified system shall be retested. Responsibility: Users / Business Analyst Team (Functional Team) / Project Manager
6. UAT results shall be documented, and sign-offs / formal comments shall be obtained from business users. Responsibility: Project Manager / Users
7. Test results and evaluation reports shall be prepared. This document shall cover the following:
• Results of all system acceptance tests.
• Deviations from the expected results.
• Responsibilities to be assigned to resolve issues during acceptance tests.
• Security considerations.
• Recommendations for improvements, if required.
Responsibility: Project Manager / Business Analyst Team (Functional Team)
System Implementation
1. System / data conversion shall be performed if required. Responsibility: Project Manager / Users / Business Analyst Team (Functional Team) / Technical Team (Developers)
2. The system shall be rolled out as per the application deployment plan. A full system test shall be conducted in the actual operations environment. This shall also involve the users as part of final user acceptance testing. Responsibility: Project Manager / Users
3. All daily activities necessary to operate the system shall be performed, including monitoring the system's performance to ensure adequate response time, system security, and problem-free operation. Responsibility: Project Manager / Users / System Analyst Team (Functional Team) / Technical Team (Developers)
Post Implementation Review
Step Description Responsibility
1. A post implementation review shall be conducted, including the following:
• System performance
• Transaction volumes
• Inefficient program statements and modules
• Memory paging and CPU utilization
• Inefficient database calls, routines, structure, and commands
• Availability of the system
• Discrepancies of the system
• Potential system modifications
• Security of the environment
Responsibility: GM IT / Project Manager / Business Analyst Team (Functional Team)
2. The post implementation report shall be made available to all internal stakeholders. Responsibility: Project Manager / GM IT
3.4. SAP Change Management Procedure
3.4.1. Objective
The objective of this document is to provide policy and procedure guidance for implementation of change management with respect to SAP Business Suite.
3.4.2. Prerequisite
This procedure should be read in conjunction with:
• IT Organization, Structure and Governance
• Information Security Policies, including:
o Operations Security
o Asset Management and Information Classification
o Access Control Policy
o Supplier Relationships
3.4.3. Responsibility
● GM Information Technology
● Head of Department (HOD) / Business Head
● Sr. Manager IT Infrastructure
● Business Analyst Manager
● Manager Systems/ IT Business Partner Systems
● SAP Technical and Functional Team (ABAP Developers)
● Manager Information Security
3.4.4. Procedure
Step Description Responsibility
Change Request Creation
1. Requests for SAP changes shall be initiated via an email / form or the Service Desk portal by the end user after discussion with the Head of Department. All change requests pertaining to SAP will be titled “SAP Change Request.” The request shall contain adequate information for the SAP support team to log and prioritize the change. This includes:
• Name of originator (Username who initiated the request)
• Contact details / Department
• Date and Time Stamp
• Significance
o Major Change – Change which might pose a risk of creating a system outage or provide the ability to modify data used for financial reporting.
o Minor Change – All other change requests.
o Emergency Change – Change which is extremely critical and, if not implemented immediately, could result in long-term application outage or data loss.
• Change Priority
o Low
o Medium
o High
o Urgent
• Change specification
• Background to change request / Justification
• Required date
Users may discuss the change with the IT Department first to decide on its significance. Responsibility: User
2. After careful analysis, the Functional Team sends the request to the relevant HOD for approval. Responsibility: Functional Team
3. Minor / Major Change Requests shall be approved by the concerned HOD. This HOD matrix / Data Owners list shall be approved by the Business Head and Steering Committee. Responsibility: Business Head
4. For an emergency change, the IT Department shall use its initiative to make the necessary emergency change. Permanent changes shall be applied later to ensure that the long-term disruption resulting from the change is minimized. Provisions should be made for the use of special logon IDs (i.e., emergency IDs) that grant the ABAPer / analyst temporary access to the production environment during emergency situations. Responsibility: GM Information Technology / Business Analyst Manager
5. The Change Request is assessed and approved or rejected by the IT Department. In case of rejection, the request will be marked as closed in the Service Desk system with appropriate comments. Responsibility: GM Information Technology / Business Analyst Manager
Change Request Logging
1. All change requests shall be sequentially numbered and maintained by the IT Department via the Service Desk System / email. All approvals / rejections shall be logged via email. Responsibility: GM Information Technology / Business Analyst Manager
2. Emergency changes done on a priority basis shall be logged retrospectively. Responsibility: GM Information Technology / Business Analyst Manager
Change Request Prioritization and Scheduling
1. Priority shall be allocated according to severity criteria. The criteria shall address the following:
● Maximum tolerable lead time
● The potential impact of the change
● The risk associated with the change. All the risks and areas that could potentially be impacted shall be recorded with the appropriate impact, as they will need to be addressed in later stages of the change control process.
● The effect / cost of the change not being made
Responsibility: Business Analyst Manager
2. The developer (ABAPer) shall be assigned specific tasks for coding. Responsibility: Business Analyst Manager / SAP Team
3. In case of a major or minor change or implementation of a new SAP module, the SAP team may be approached to analyze the nature of the change and provide insights to Tapal Tea’s IS management on the workaround and deployment. Responsibility: GM Information Systems / Business Analyst Manager
4. Where consultants are approached, the consultants (contracted via SLA) may analyze the nature of the change and inform Tapal Tea’s IS Management about deployment of their team at Tapal Tea premises to carry out the requested work on site. Responsibility: SAP Consultants contracted via third-party vendors
5. In case of in-house configuration changes in SAP, activities will be performed by the internal SAP team on a development server which is independent of the Quality Assurance Server as well as the Production (Live) Server. Responsibility: SAP Functional Team / SAP BASIS Team
6. An optimal time shall be agreed and communicated to the requester and the Business Owner (Business Head) to propagate the change so as to cause minimal disruption. Responsibility: Inter Department Personnel
Change Request Design and Implementation
1. Where the change originates from a change in business process, detailed specification requirements shall be documented. Responsibility: User / Business Head / Business Analyst Manager
2. The implementation plan shall be communicated to all relevant business users and support staff.
SAP Team Engagement: Patches are incorporated on special request and with technical assistance from the SAP team, first on DEV and then, after technical evaluation, transported to PRD. The designated QA personnel shall receive the patches from SAP Global / its partners, and the “Security Patch Management” procedure shall be followed. Responsibility: Business Analyst Manager / Delegated Technical Team
SAP Development in Dev Environment
1. All changes, after formal approval and assessment (Customized Report Development, Configurational, New functionality, etc.), shall be developed in the Development environment. Responsibility: ABAPer / SAP Team
2. After development, the changes are to be transported to the Quality Assurance Test Server to perform detailed testing before being further transported to the Production (Live) Server. Responsibility: SAP Basis Team
Testing, evaluation, and acceptance of solution
1. Detailed testing will be carried out in the development environment covering:
● Technical testing – ensure changes comply with technical requirements.
● Unit testing – ensure each unit is error free.
● Integration testing – ensure the change does not affect data/transactions in the live environment. Interfaces with other applications shall also be tested.
Final changes shall be made in the development environment. Responsibility: SAP Technical and Functional Team
2. Once the required change has been developed and transported to the QA environment, the user shall be informed to test the change in the test environment (QA). Responsibility: SAP Technical and Functional Team
3. The respective user shall ensure that the change meets the specifications outlined in the SAP Change Request as raised previously. Responsibility: Users (Inter Department Personnel)
4. A formal UAT / QA testing record shall be obtained from the user over the respective Change Request thread in the email / Service Desk System, and consent will be sought for the schedule and final deployment to the production environment. Responsibility: Users (Inter Department Personnel)
Deploying Changes in production (SAP Change and Transport Management)
1. After successful UAT and obtaining formal go-ahead for implementing changes to the live production environment, the final compiled object shall be transported to the SAP production environment from the QA environment via the SAP Transport Management System. Direct changes should not be allowed on the production client, except in exceptional circumstances where changes are not transportable. Responsibility: SAP Basis Team
2. A formal log of all transports carried out via the Change and Transport System to the Production Environment, and relevant documentation pertaining to transports, shall be maintained and updated. Responsibility: GM Information Systems / Business Analyst Manager / SAP Basis Team
3. Wherever applicable, the system documentation and configuration database shall be updated. Responsibility: Business Analyst Manager / SAP Basis Administrator / GM Information Systems
Closing Change Request
1. Once the change is live, the request shall be closed by updating the comments in the Service Desk portal by the IT Tech Team, and the same shall be intimated to the end user via email / Service Desk. Responsibility: Business Analyst Manager
Post Implementation Review
1. A formal post implementation review shall be carried out by the GM Information Technology, the SAP Technical and Functional Team, and Information Security to ensure key security controls are in place, problems are identified (if any), and action is taken to ensure that these problems are not replicated in the future. Responsibility: GM Information Systems / SAP Technical and Functional Team / Information Security Function
2. The post implementation report shall be made available to all internal stakeholders. Responsibility: GM Information Systems / Business Analyst Manager
3.4.5. Process Flow for SAP Changes / Support Requests
3.5. Software Change Management Procedure (and Other)
3.5.1. Objective
The objective of this document is to provide policy and procedure guidance for implementation of change management within software applications for Tapal Tea.
3.5.2. Prerequisite
This procedure should be read in conjunction with:
• IT Organization, Structure and Governance Procedure
• Information Security Policies, including:
o Information Systems Implementation and Development
o Operations Security
o Service Level Agreement
3.5.3. Responsibility
● GM Information Technology
● IT Divisional Heads
● Manager Systems/ IT Business Partner Systems
● Divisional Unit Head / Head of Departments (Business Heads)
● Application Administrator
● System Analyst Team (Functional Team)
● Technical Team (Developers)
● User (Intra Department Personnel)
● Manager Information Security
3.5.4. Procedure
Step Description Responsibility
Change Request Creation
1. Requests for Software Changes shall be initiated either by using the “Service Desk” or by email. All change requests pertaining to software applications will be titled “Software Change Request.” The request shall contain adequate information for the system support personnel to log and prioritize the change. This includes:
• Name of originator (Username who initiated the request)
• Contact details / Department
• Date and Time Stamp
• Significance
o Major Change – Change which might pose a risk of creating a system outage or provide the ability to modify data used for financial reporting.
o Minor Change – All other change requests.
o Emergency Change – Change which is extremely critical and, if not implemented immediately, could result in long-term application outage or data loss.
• Change Priority
o Low
o Medium
o High
o Urgent
• Change specification
• Background to change request / Justification
• Required date
Users may discuss the change with the IT Department first to decide on its significance. Responsibility: User
2. Minor / Major Change Requests shall be approved as per the approval matrix. This matrix shall be approved by the Business Head and IS Steering Committee. Responsibility: Business Head / Steering Committee
3. For an emergency change, the IT Department shall use its initiative to make the necessary temporary emergency change. Permanent changes shall be applied later to ensure that the long-term disruption resulting from the change is minimized. Responsibility: GM Information Services / Business Systems Manager
4. The Change Request is assessed and approved / rejected by the IT Department. In case of rejection, the request will be marked as closed in the Service Desk system / via email. Responsibility: GM Information Systems / Business Systems Manager
Change Request Logging
1. All change requests shall be sequentially numbered and maintained by the IT Department via the Service Desk System / email. All approvals / rejections shall be logged in the Service Desk system / via email. Responsibility: GM Information Systems / Business Systems Manager
2. Emergency changes done on a priority basis shall be logged retrospectively. Responsibility: GM Information Systems / Business Systems Manager
Change Request Prioritization and Scheduling
1. Priority shall be allocated according to severity criteria. The criteria shall address the following:
● Maximum tolerable lead time
● The potential impact of the change
● The risk associated with the change. All the risks and areas that could potentially be impacted shall be recorded with the appropriate impact, as they will need to be addressed in later stages of the change control process.
● The effect / cost of the change not being made
Responsibility: Business Systems Manager (or delegated staff) in collaboration with User
2. The developer shall be assigned specific tasks for coding via the Service Desk system / email. Responsibility: Business Systems Manager / system-enforced via Service Desk
3. An optimal time shall be agreed and communicated to the requester and the Business Owner (Business Head) to propagate the change so as to cause minimal disruption. Responsibility: Users (Intra Department Personnel)
Change Request Design and Implementation
1. Where the change originates from a change in business process, detailed specification requirements shall be documented. Responsibility: User / Business Head / GM IT
2. The implementation plan shall be devised with adequate recovery and fallback procedures in place. The original code before the change shall be retained until the changes have been fully accepted. Responsibility: Business Systems Manager / Application Administrator
3. The implementation plan shall be communicated to all relevant business users and support staff. If the change request is for applications which are not developed in-house, the designated QA personnel shall receive the patches from the vendor and the “User Acceptance Testing” procedure shall be followed. Responsibility: Business Systems Manager / Delegated Technical Team
Coding and Version Control
1. In case of a change to existing code, the code shall be checked out from the respective area of the source code repository. The check-out of the source code will be logged by the version control software. Responsibility: System Analyst Team (Functional Team) / Technical Team (Developers)
2. The required modification shall be carried out and the source code then deposited back in the repository. The Technical / Functional Team Lead shall be informed after this activity is complete. The check-in of the code is automatically logged by the version control software, and an updated version is automatically assigned by it. Responsibility: Business Systems Manager / System Analyst Team (Functional Team) / Technical Team (Developers)
Testing
1. Detailed testing is carried out in the development environment covering:
● Technical testing – ensure changes comply with technical requirements.
● Unit testing – ensure each unit is error free.
● Integration testing – ensure the change does not affect data/transactions in the live environment.
Final source code shall be compiled in the development environment. Responsibility: System Analyst Team (Functional Team) / Technical Team (Developers)
2. QA / Intra Department Personnel shall be informed to test the file, identified by filename and version, along with related scripts. Responsibility: System Analyst Team (Functional Team) / Technical Team (Developers)
User Acceptance Testing
1. Once the required change has been developed and migrated to the QA environment, the user shall be informed to test the change in the test environment (QA). Responsibility: Business Systems Manager
2. The respective user shall ensure that the change meets the specifications outlined in the Software Change Request as raised in the Service Desk system. Responsibility: User / Intra Department Personnel
3. A formal UAT record shall be obtained from the user over the respective Change Request thread in the Service Desk System, and consent will be sought for the schedule and final deployment to the production environment. Responsibility: User
Deploying Change to production
1. The final compiled object shall be transferred to the production environment. System documentation and the configuration database shall be updated. Responsibility: Designated Functional Team Lead
Closing Change Request
1. Once the change is live, the request shall be closed by updating the comments in the Helpdesk by the IT Tech Team, and the same shall be intimated to the end user via Service Desk / email. Responsibility: Business Systems Manager / Designated Functional Team Lead
Post Implementation Review
1. A formal post implementation review shall be carried out to ensure key security controls are in place, problems are identified (if any), and action is taken to ensure that these problems are not replicated in the future. Responsibility: GM Information Systems / System Analyst Team (Functional Team) / Manager Information Security
2. The post implementation report shall be made available to all internal stakeholders. Responsibility: GM Information Systems / Steering Committee
3.6. Configuration / Parameter Management
3.6.1. Objective
The purpose of this procedure is to define how configuration-level changes shall be implemented and managed to minimize information security threats and unnecessary disruption to business processes.
3.6.2. Prerequisite
This procedure should be read in conjunction with:
1. Information Security Policies, including:
o Communications Security
o Operations Security
3.6.3. Responsibility
● GM Information Technology
● Manager Systems/ IT Business Partner Systems
● Sr. Manager IT Infrastructure
● Network and Services Manager
● Manager Information Security
3.6.4. Procedure
Step Description Responsibility
Operating System / Database / Network Devices / Physical & Environmental Controllers
1. In case a configuration/parameter change is required, a request shall be raised via email or the Service Desk portal by the concerned IT staff working in the particular domain. Responsibility: Database Administrator / Network Manager / Application Administrator
2. The “System Activity” request shall be approved by the GM Information Technology. Approving authorities are to ensure that the proposed activity does not compromise IT policies or disrupt normal business activities. Responsibility: GM Information Technology
3. Where a planned system/network outage is required, the activity shall be performed outside business hours, or business users shall be informed in advance of the outage according to its impact. Responsibility: Database Administrator / Network Manager / Application Administrator
4. The configuration change shall be tested in a test environment before being implemented in production, depending on the applicability of a test environment. Responsibility: Database Administrator / Network Manager / Application Administrator
5. The respective administrators shall update the configuration database* with the new settings and take a backup of the configuration database to be sent to the DR / offsite site. System documentation shall also be updated. Responsibility: Database Administrator / Network and Services Manager / Application Administrator
*Configuration database refers to a central repository where the configurations of all components (Database, OS, infrastructure, etc.) shall be saved. In case of deployment of a new database/infrastructure/OS, these configurations shall be used.
6. System documentation and the configuration database shall be periodically reviewed to ensure they are up to date. Responsibility: GM Information Technology / Sr. System Manager / Sr. Manager IT Operations
7. An audit trail / log of implemented configuration changes shall be maintained, where applicable. Responsibility: Database Administrator / Network Manager / Application Administrator
Application Software
1. For configuration changes raised by business users e.g., Change in Parameterization etc., Change Management Procedure to be followed.
For configuration change raised by Application Administrator, for enhancement of application performance or strengthening of security, Configuration / Parameter Management Procedure to be followed. Change Management
Procedure
Configuration /
Parameter Management Procedure
3.7. Network Design Change Management
3.7.1. Objective
The objective of this document is to provide policy and procedure guidance for the implementation of change management within Tapal Tea's networks and infrastructure.
3.7.2. Prerequisite
This procedure should be read in conjunction with:
• Information Security Policies, including:
o Communication Security
3.7.3. Responsibility
● GM Information Technology
● Sr. Manager IT Infrastructure
● Network and Services Managers
3.7.4. Procedure
Step Description Responsibility
Network Change Management
1. All change requests pertaining to the network shall be raised via email or Forms. Where the request originates outside the IT Department, it shall be approved by the relevant Business Head. [Responsibility: Network Manager / User]
2. A request from outside the IT Department shall be evaluated and then forwarded to GM Information Technology; a request from within the IT Department shall be forwarded directly to GM Information Technology. [Responsibility: Network Manager]
3. The request shall be approved, rejected or deferred by GM Information Technology, as required. A major change shall additionally be approved by the CFO / IS Steering Committee. [Responsibility: GM Information Systems / CFO / IT Steering Committee]
4. The change shall be implemented in a test environment before being rolled out to the live environment, where applicable. [Responsibility: Network Manager]
5. A fall-back plan / strategy shall be prepared before the change is implemented. [Responsibility: Network Manager]
6. Where the change was requested by a user, he/she shall be informed that the change has been implemented, and confirmation shall be received from the user on the respective email thread. [Responsibility: Network Manager]
7. All "Network Change Requests" shall be retained as emails or forms. [Responsibility: Network Manager]
8. All network documentation shall be updated. [Responsibility: Network Manager]
9. Documentation shall be reviewed annually to ensure it is up to date. [Responsibility: GM Information Technology / Sr. Manager IT Operations]
3.8. Tracking Management
3.8.1. Objective
The objective of this document is to provide policy and procedure guidance for maintenance and review of formal documentation reflecting complete track of all the changes carried out for Tapal Tea’s IS Environment.
3.8.2. Prerequisite
This procedure should be read in conjunction with:
• Information Security Policies, including:
o Operations Security
o Communication Security
3.8.3. Responsibility
● GM Information Technology
● Business Analyst Managers (SAP)
● Manager Systems/ IT Business Partner Systems
● Sr. Manager IT Infrastructure
3.8.4. Procedure
Change Request Tracking
Step Description Responsibility
1. An up-to-date, formal list of all changes that have been executed and finalized shall be maintained. [Responsibility: GM IT / Sr. Systems Manager / Sr. Manager IT Operations]
2. A complete track of all changes shall be maintained on the service desk and shall be available for independent review and audit on a quarterly basis. [Responsibility: GM Information Systems / Sr. Systems Manager / Sr. Manager IT Operations]
3. The IT Department shall maintain detailed documentation of the environment reflecting all changes that affect other applications. This covers networks, system configuration, database configuration and interfaces. [Responsibility: GM Information Systems / Sr. Systems Manager / Sr. Manager IT Operations]
4. Operating the IT Environment
4.1. Access to IT workplace
4.1.1 Objective
The objective of this procedure is to establish security requirements for access to the information resources of Tapal Tea. Effective implementation of this procedure will streamline the process of access management and minimize unauthorized access to Tapal Tea’s proprietary information systems.
4.1.3 Responsibility
• GM Information technology
• Designated In Charge Data Centre
• Users
Step Description Responsibility
1. The purpose of the visit shall be provided to the receptionist. [Responsibility: Visitor]
2. The relevant person shall be informed, and approval shall be obtained. [Responsibility: Receptionist]
3. A logbook shall be maintained, and a visitor card shall be issued. [Responsibility: Receptionist]
4. The visitor shall be supervised throughout his/her stay at the IT workplace. [Responsibility: Relevant Person]
5. Exit time shall be noted when the visitor departs. [Responsibility: Receptionist]
6. The logbook shall be reviewed when needed. [Responsibility: IT / Admin]
4.2. Logical Access Management
4.2.1. Objective
The objective of this procedure is to establish security requirements for access to the information resources of Tapal Tea Private Limited. Effective implementation of this procedure will streamline the process of access management and minimize unauthorized access to Tapal Tea Private Limited’s proprietary information systems.
4.2.2. Scope
● Operating Systems
● Databases
● Applications
● Network Systems
4.2.3. Prerequisite
This procedure should be read in conjunction with:
• Information Security Policies, including
o Access Control Policy
o Physical and Environmental Policy
o Organization of Information Security
4.2.4. Responsibility
• Head of Information technology
• Head of Department (Business Head)
• SAP, System, Application, and Database Administrators
• HR
• Users
4.2.5. Procedure
Logical Access Grant (SAP)
Step Description Responsibility
1. The user shall file a request using the "user account creation form" on the Service Desk portal or via email. The request shall at a minimum include the following:
• Access rights required.
• Necessary comments to justify the requested rights.
[Responsibility: User]
2. All logical access requests for SAP shall be approved by the relevant Head of Department. [Responsibility: Business Head]
3. The approved "user account creation form" request shall be forwarded to the IT Department. [Responsibility: System enforced via Service Desk or email]
4. All access requests pertaining to SAP shall be assigned to the SAP Basis Administrator in the Service Desk or via email. The Basis Administrator shall seek approval from the Senior Manager Systems via the Service Desk system, email or form. [Responsibility: System enforced via Service Desk or email / SAP Basis Administrator]
5. The logical access request shall be assessed against the approved user authorization matrix and analyzed for potential SOD (segregation of duties) conflicts against the approved SOD matrix. [Responsibility: Basis Administrator / Business Analyst / GM IT]
6. Where the requested rights may result in a potential SOD conflict, the user access request shall be rejected or deferred by GM IT after corroboration with the Head of Department. If deemed necessary, the consent of the CFO, Tapal Tea Private Limited, shall be obtained for conflict resolution. [Responsibility: GM IS / Business Head / CFO Tapal Tea Private Limited]
7. After obtaining all necessary approvals, the User ID with the requested rights shall be created. The user shall be notified of the login credentials and his/her endorsement shall be sought in the Service Desk system or via email. The user shall be instructed to change his/her password upon first login. [Responsibility: SAP Basis Administrator / User]
8. After obtaining the formal endorsement from the user, the request shall be closed in the Service Desk system or via email with appropriate comments. Where formal endorsement remains pending for more than three days, the request shall be closed automatically or manually in the Service Desk system or via email. [Responsibility: SAP Basis Administrator / User]
9. The user authorization matrix and SOD matrix shall be updated if required. [Responsibility: Business Analyst Manager]
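Steps 5 and 6 above require each SAP access request to be checked against the user authorization matrix and the SOD matrix before it is provisioned. The following Python script is an added worked example of that check; it is not part of this manual and not Tapal Tea's SAP configuration. The role names, transaction codes and matrix contents are constructed for illustration only (the real matrices are the ones maintained under step 9), and the function names are this example's own.

```python
"""Added example: assess an SAP-style access request against a user
authorization matrix and an SOD (segregation of duties) matrix, as
described in steps 5 and 6 of the Logical Access Grant (SAP) procedure.
All matrices, role names and transaction codes below are constructed
for illustration and are not Tapal Tea's actual data."""
from itertools import combinations

# Constructed authorization matrix: role -> transaction codes it grants.
AUTH_MATRIX = {
    "AP_CLERK":      {"FB60", "MIRO"},   # enter vendor invoices
    "AP_PAYMENTS":   {"F110", "F-53"},   # release / post payments
    "VENDOR_MASTER": {"XK01", "XK02"},   # create / change vendors
    "AP_DISPLAY":    {"FBL1N", "XK03"},  # display-only
}

# Constructed SOD matrix: unordered pairs of roles that must not be held
# together, with the business reason for the conflict.
SOD_MATRIX = {
    frozenset({"AP_CLERK", "AP_PAYMENTS"}): "invoice entry vs payment release",
    frozenset({"VENDOR_MASTER", "AP_PAYMENTS"}): "vendor creation vs payment release",
}


def sod_conflicts(roles):
    """Return [(role_a, role_b, reason)] for every SOD pair present in roles."""
    found = []
    for a, b in combinations(sorted(set(roles)), 2):
        reason = SOD_MATRIX.get(frozenset({a, b}))
        if reason:
            found.append((a, b, reason))
    return found


def assess_request(existing_roles, requested_roles, auth_matrix=AUTH_MATRIX):
    """Assess an access grant or modification request.

    Checks that every requested role exists in the authorization matrix
    (an unknown role cannot be provisioned) and that the user's roles
    AFTER the change carry no SOD conflict.  Existing roles are included
    because a conflict can arise between a new role and one already held.

    Returns a dict with:
      decision  - "approve", or "defer" (route to GM IT / Business Head /
                  CFO as step 6 requires)
      unknown   - requested roles absent from the matrix
      conflicts - SOD conflicts in the resulting role set
      tcodes    - transaction codes the user would hold after the change
    """
    unknown = sorted(r for r in requested_roles if r not in auth_matrix)
    resulting = set(existing_roles) | set(requested_roles)
    conflicts = sod_conflicts(resulting)
    tcodes = set()
    for role in resulting:
        tcodes |= auth_matrix.get(role, set())
    decision = "approve" if not unknown and not conflicts else "defer"
    return {"decision": decision, "unknown": unknown,
            "conflicts": conflicts, "tcodes": sorted(tcodes)}


if __name__ == "__main__":
    # Constructed request: the user already holds AP_CLERK and asks for
    # AP_PAYMENTS, which the SOD matrix forbids in combination.
    result = assess_request({"AP_CLERK"}, {"AP_PAYMENTS"})
    print(result["decision"], result["conflicts"])
```

The point worth noting is that the check is run on the union of existing and requested roles, not on the request in isolation: a request that is clean by itself can still create a conflict with rights the user already holds, which is why step 5 refers to the whole user profile rather than the delta.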
Logical Access Grant (Secondary Sales and Other Applications)
Step Description Responsibility
1. The user shall file a request using the "User account creation form" on the Service Desk portal. The request shall at a minimum include the following:
• Access rights required.
• Necessary comments to justify the requested rights.
[Responsibility: User]
2. All logical access requests for Secondary Sales and other applications shall be approved by the relevant Head of Department. [Responsibility: Business Head]
3. The approved "User account creation form" request shall be forwarded to the IT Department. [Responsibility: Service Desk team]
4. All access requests pertaining to Secondary Sales or other applications shall be assigned to the relevant team in the IS Department. The Application Administrator shall seek approval from the Business System Manager. [Responsibility: IT Designated team]
5. After obtaining all necessary approvals, the User ID with the requested rights shall be created. The user shall be notified of the login credentials and his/her endorsement shall be sought. The user shall be instructed to change his/her password upon first login. [Responsibility: Application Administrator / User]
6. After obtaining the formal endorsement from the user, the request shall be closed in the Service Desk system with appropriate comments. Where formal endorsement remains pending for more than three days, the request shall be closed automatically in the Service Desk system. [Responsibility: Application Administrator / User]
Logical Access Grant (System / Network and Database Administrators)
Step Description Responsibility
1. IT staff shall file a request using the "User activation form" on the Service Desk portal. The request shall at a minimum include the following:
• Administrative rights required.
• Necessary comments to justify the requested rights.
[Responsibility: IT Staff]
2. All privileged access requests for administrators shall be approved by the GM IT Department. [Responsibility: GM IT]
3. The approved "User activation form" request shall be forwarded to the IT Department. [Responsibility: Service Desk team]
4. After obtaining all necessary approvals, a named User ID (other than the default Admin ID) with the requested administrative rights shall be created. The IT staff member shall be notified of the login credentials and his/her endorsement shall be sought. The user shall be instructed to change his/her password upon first login. [Responsibility: Relevant Administrator and Requester]
5. After obtaining the formal endorsement from the user, the request shall be closed in the Service Desk system with appropriate comments. [Responsibility: Relevant Administrator / Service Desk]
Logical Access modification (SAP & Other Applications)
Step Description Responsibility
1. The user shall file a request on the Service Desk portal (user form) or via email. The access rights modification request shall include at a minimum, but not be limited to, the following:
• Access rights required / to be modified (add or remove).
• Necessary comments to justify the requested rights.
[Responsibility: User]
2. All requests for access rights modification in SAP or other applications shall be approved by the relevant Head of Department / Business Head. [Responsibility: Head of Department / Business Head]
3. The approved request shall be forwarded to the IT Department. [Responsibility: System enforced via Service Desk, user form or email]
4. All access rights modification requests pertaining to SAP shall be assigned to the SAP Basis Administrator via a user form or email. All access rights modification requests pertaining to other applications shall be assigned to the relevant Application Administrator in the Service Desk request. The Basis or other application administrator shall seek approval from the relevant IS managers. [Responsibility: System enforced via Service Desk / SAP Basis and other application Administrators]
5. The access rights modification request shall be assessed against the approved user authorization matrix and analyzed for potential SOD conflicts against the approved SOD matrix. [Responsibility: Business Analyst Manager / Business System Manager / SAP Basis Administrator]
6. Where the requested rights may result in a potential SOD conflict, the Service Desk request shall be rejected or deferred after corroboration with the Business Head / Head of Department. If deemed necessary, the consent of the CFO, Tapal Tea Private Limited, shall be obtained for conflict resolution. [Responsibility: GM IT / Business Head / CFO Tapal Tea Private Limited]
7. After obtaining all necessary approvals, the User ID shall be modified with the requested rights. The user shall be notified and his/her endorsement shall be sought in the Service Desk system or via email. [Responsibility: SAP Basis Administrator / Application Administrator / User]
8. After obtaining the formal endorsement from the user, the request shall be closed in the Service Desk system or via email with appropriate comments. Where formal endorsement remains pending for more than three days, the request shall be considered closed, automatically or manually. [Responsibility: SAP Basis Administrator / Application Administrator / User]
9. The user authorization matrix and SOD matrix shall be updated if required. [Responsibility: Business Analyst Manager / Business Systems Manager / GM IS]
Logical Access Revocation
Step Description Responsibility
Terminated Employee
1. The IT Department shall be informed of terminated employees via email or phone call. [Responsibility: HR (ER)]
2. The relevant administrators shall revoke access to all Tapal Tea Private Limited applications and systems immediately. [Responsibility: Application / Network / Database Administrator]
3. The leaver's Line Manager / Head of Department shall be contacted for recovery of any IS assets assigned to the terminated employee. [Responsibility: HR Department]
4. The Employee Leaving checklist shall be completed retrospectively. [Responsibility: Application / Network / Database Administrator]
Leaver / Resigned Employees
1. The IT Department shall be informed of leavers: as soon as HR end-dates the employee in SAP HR, an automatic request for deactivation of the employee's email ID is generated to the relevant IS Manager. [Responsibility: HR / System enforced via Service Desk]
2. The employee's leaving status shall be updated in the Service Desk, and the respective administrators shall revoke access to all Tapal Tea Private Limited applications and systems. [Responsibility: Application / Network / Database Administrator]
3. The leaver's Head of Department shall be contacted for recovery of any IS assets assigned to the leaver. [Responsibility: IT Department]
4. The Employee Leaving checklist shall be completed retrospectively. [Responsibility: Application / Network / Database Administrator]
Account Reactivation
Step Description Responsibility
1. In case a user account is locked out, a Service Desk request or an email shall be raised. [Responsibility: User]
2. The respective administrator shall be assigned to the Service Desk request or the email. [Responsibility: Service Desk]
3. The respective administrator shall reset the password where required. [Responsibility: Application Administrator / Network Administrator / Database Administrator]
4. The user shall be notified of the password reset and his/her endorsement shall be sought in the Service Desk system. [Responsibility: Application Administrator / Network Administrator / Database Administrator]
5. After obtaining the formal endorsement from the user, the request shall be closed in the Service Desk system with appropriate comments. Where formal endorsement remains pending for more than three days, the request shall be closed automatically in the Service Desk system. [Responsibility: Application Administrator / Network Administrator / Database Administrator]
6. The reset password shall be changed at first logon. [Responsibility: User]
Access Rights and Logs Review (Regular and Privilege right)
Step Description Responsibility
1. The IS function shall advise the relevant administrators to provide a list of users with their access rights for review. [Responsibility: Information Security]
2. The relevant administrators shall generate the user profiles of all users from the systems and provide them. [Responsibility: IT Department]
3. The IS function shall forward the list of users with access rights to the Departmental Heads (or their substitutes) for review annually; privileged IDs shall be reviewed twice a year. [Responsibility: Information Security]
4. User profiles shall be reviewed against job descriptions and any amendments marked on the user profile. Revocations / modifications identified during the review shall be forwarded to the IT Department. [Responsibility: Information Security]
5. The relevant system administrator shall modify the access rights accordingly and keep the signed-off / emailed copies for future reference. [Responsibility: Administrator]
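The Logical Access Revocation steps above require access to be revoked as soon as HR end-dates an employee, and the Access Rights and Logs Review steps require a periodic review of all users and, more often, of privileged IDs. Both checks come down to reconciling each system's account list against the HR roster. The Python script below is an added example of that reconciliation; it is not part of this manual and does not use Tapal Tea's real SAP HR or Active Directory schema. The roster, account export, field names and the 90-day dormancy threshold are all constructed assumptions for this example.

```python
"""Added example: reconcile system account exports against the HR roster
to find accounts that should already have been revoked (leavers and
terminated employees) and to prepare the privileged-ID review pack.
All data below is constructed for illustration; the field names are
assumptions, not Tapal Tea's actual SAP HR or AD schema."""
from datetime import date

# Constructed HR roster: employee id -> (name, end_date or None).
# An end date in the past means the employee has been end-dated in SAP HR.
HR_ROSTER = {
    "E1001": ("A. Khan", None),
    "E1002": ("B. Ali", date(2024, 3, 31)),
    "E1003": ("C. Raza", None),
}

# Constructed account export (SAP, AD, database ...): system, user id,
# employee id it maps to (None = no owner on record), privileged flag,
# last logon date.
ACCOUNTS = [
    {"system": "SAP", "user": "akhan",      "emp": "E1001", "privileged": False, "last_logon": date(2024, 6, 10)},
    {"system": "SAP", "user": "bali",       "emp": "E1002", "privileged": False, "last_logon": date(2024, 4, 2)},
    {"system": "AD",  "user": "craza-adm",  "emp": "E1003", "privileged": True,  "last_logon": date(2024, 1, 5)},
    {"system": "DB",  "user": "svc_report", "emp": None,    "privileged": True,  "last_logon": date(2024, 6, 1)},
]


def orphaned_accounts(accounts, roster, as_of):
    """Accounts still present for employees whose HR end date has passed,
    or that map to no employee at all.  Both need an owner or revocation."""
    findings = []
    for acct in accounts:
        emp = acct["emp"]
        if emp is None or emp not in roster:
            findings.append((acct["system"], acct["user"], "no HR record"))
            continue
        end = roster[emp][1]
        if end is not None and end < as_of:
            findings.append((acct["system"], acct["user"],
                             f"left on {end.isoformat()}"))
    return findings


def used_after_leaving(accounts, roster):
    """Leaver accounts with a logon later than the employee's end date:
    revocation was late and the activity needs investigation."""
    return [(a["system"], a["user"]) for a in accounts
            if a["emp"] in roster and roster[a["emp"]][1] is not None
            and a["last_logon"] > roster[a["emp"]][1]]


def privileged_review_pack(accounts, roster, as_of, dormant_days=90):
    """Rows for the privileged-ID review: the owner of each privileged
    account and whether it is dormant (no logon within dormant_days),
    which makes it a candidate for removal."""
    rows = []
    for a in accounts:
        if not a["privileged"]:
            continue
        owner = roster.get(a["emp"], ("UNOWNED", None))[0]
        dormant = (as_of - a["last_logon"]).days > dormant_days
        rows.append({"system": a["system"], "user": a["user"],
                     "owner": owner, "dormant": dormant})
    return rows


if __name__ == "__main__":
    today = date(2024, 7, 1)
    for f in orphaned_accounts(ACCOUNTS, HR_ROSTER, today):
        print("REVOKE", f)
    for f in used_after_leaving(ACCOUNTS, HR_ROSTER):
        print("INVESTIGATE", f)
    for r in privileged_review_pack(ACCOUNTS, HR_ROSTER, today):
        print("REVIEW", r)
```

Service accounts with no HR owner (the `svc_report` row) deliberately surface in both the orphan list and the privileged review pack: the revocation procedure keys off HR events, so an account that maps to no employee will never be revoked by that path and must be assigned an owner in the review instead.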
4.3. Active Directory and Email Access Management
4.3.1. Objective
The purpose of this procedure is to minimize risk associated with Active Directory and E-mail services and define controls against the threats of unauthorized access and theft of information/services.
4.3.2. Prerequisite
This procedure should be read in conjunction with:
• Information Security Policies, including
o Access Control Policy
o Email Policy
4.3.3. Responsibility
• GM IT
• Sr. Manager IT Infrastructure
• Head of Department (Business Head)
• User
• HR
4.3.4. Procedure
Step Description Responsibility
Email Access
1. The HR department shall give the "User Account Creation Form" to the new joiner for Active Directory and email access. Once the user has filled it in, HR forwards the form to the IT Department, which grants the AD identity and email ID to the new joiner. [Responsibility: HR / IT Department]
2. If an AD / network and email ID is required for an existing employee, the user shall raise a request in the Service Desk system or via email, which shall be approved by the Head of Department. After the Head's approval, the request is forwarded to the IT Department for action. [Responsibility: User / Head of Department (Business Head)]
3. The Service Desk request for a new network and email ID shall be checked for the relevant approval. [Responsibility: Email Server and Active Directory Administrator]
4. The AD and email ID shall be created by the relevant administrator using the information specified in the request (first name, last name, department, title). [Responsibility: Email Server and Active Directory Administrator]
Operational & Monitoring
1. Appropriate restrictions shall be applied, e.g., email attachment size limits, software installation restrictions and access restrictions on sensitive Windows system files. [Responsibility: System Manager]
2. The email disclaimer, as stated in the Email Policy, shall be appended beneath the signature by the server. The Windows security option "Interactive logon: Message title for users attempting to log on" (together with the corresponding message text option) shall be set to display a legal notice and warning. [Responsibility: Email Server and Active Directory Administrator]
3. Content scanning may be performed to detect emails containing malicious, offensive, racist or obscene material. Any such emails shall be reported to the IS function. [Responsibility: Email Server and Active Directory Administrator]
Terminated Employees / Leavers
1. The IT Department shall be informed of the terminated employee / leaver. A request for deactivation of the employee's domain and email ID is raised via email. [Responsibility: HR (ER)]
2. A backup of all emails and important files of the terminated employee / leaver shall be taken. [Responsibility: User]
3. The email ID and domain ID shall be blocked immediately. [Responsibility: Email Server Administrator]
4.4. Internet Access Management
4.4.1. Objective
The purpose of this procedure is to minimize risk associated with the Internet and define controls against the threats of unauthorized access and theft of services.
4.4.2. Prerequisite
This procedure should be read in conjunction with:
● Information Security Policies, including
o Access Control Policy
o Internet Usage Policy
4.4.3. Responsibility
• GM IT
• Sr. Manager IT Infrastructure
• Network Manager
• Head of Department / Business Head
• User
4.4.4. Procedure
Step Description Responsibility
Access to Internet
1. Internet access is provided on the day of joining to all members of the official workforce. [Responsibility: IT Department]
Operational & Monitoring
1. All ports other than those required for web access (HTTP), email (POP and SMTP) and file transfer (FTP) shall be blocked. [Responsibility: Network Manager / GM IT]
2. Network traffic shall be monitored to check that it passes through the firewall. [Responsibility: Network Manager / GM IS]
3. Network utilization and downtime shall be monitored. [Responsibility: Network Manager]
4. Any misuse of the internet facility detected shall be reported to the IS function. [Responsibility: Network Manager]
4.5. Database Management
4.5.1. Objective
Data stored within the Company’s databases is critical and provides valuable information for management decisions. This procedure is aimed at ensuring the integrity, security, consistency, and accuracy of the organizational databases by providing database management guidelines.
4.5.2. Responsibility
• GM Information technology
• Sr. Manager IT Infrastructure
• Manager Systems/ IT Business Partner System
• Database Administrator
4.5.3. Procedure
Step Description Responsibility
Installation
1. The Database Administrator or designated personnel shall be provided with database software, which shall be approved before installation. [Responsibility: GM IT]
2. All default passwords of the system-supplied accounts present in the database system shall be changed. [Responsibility: Database Administrator / Designated Personnel]
3. A separate named ID with the required privileges shall be created for administrative use. System-supplied accounts such as "SYS" and "SYSTEM", or their equivalents, shall not be used for day-to-day operations. [Responsibility: Database Administrator / Designated Personnel]
Configuration
1. Auditing shall be enabled for all sensitive and security-related transactions. At a minimum, key events such as failed logins, successful logins and access to sensitive tables shall be logged. [Responsibility: Database Administrator / Designated Personnel]
2. Changes to the schema, i.e., create, alter or drop of sensitive / critical tables, shall follow the change management process. [Responsibility: GM IT / Database Administrator]
3. A configuration database shall be created holding all baseline security settings. This database shall be updated upon every configuration change. [Responsibility: Database Administrator / Designated Personnel]
Operation
1. A list of the roles and access rights of the authorized database accounts shall be maintained and updated whenever required. The list shall include:
• The users assigned to each role
• The access rights granted to each role
[Responsibility: Database Administrator / Designated Personnel]
Monitoring
1. Database logs shall be reviewed on a random basis for any suspicious activity. Any anomaly noted shall be reported to the Senior Manager Infrastructure. [Responsibility: Database Administrator]
2. Logs of privileged user IDs (e.g., DBA) shall be reviewed on an ad-hoc basis, or at least annually. [Responsibility: Information Security]
4.6. System Management and Administration
4.6.1. Objective
This procedure outlines the responsibilities and guidelines for all individuals who function as system administrators.
4.6.2. Prerequisite
This procedure should be read in conjunction with:
● Information Security Policies, including
o System Acquisition, Development and Maintenance
o Operations Security
4.6.3. Responsibility
• GM Information technology
• Sr. Manager IT Operations
• Network and Service Manager
• System Manager
4.6.4. Procedure
Step Description Responsibility
Clock Synchronization
1. On a quarterly basis the system clock of the central server (with the NTP service activated) shall be checked to ensure it is accurate. [Responsibility: System Manager / Sr. System Manager]
2. The system clocks of all machines shall be synchronized automatically with the clock of the central server when client machines log on to it. Users shall not have the right to modify the system time. [Responsibility: System Manager / Sr. System Manager]
Installation of Server-end OS
1. The system administrator shall provide the OS software, which shall be approved before installation. The IT Department is responsible for all aspects of the installation of the systems, including loading software on servers. Nobody shall install or modify software on a server without the approval of the authorized person. [Responsibility: Sr. Manager IT Operations / Network and Service Manager / Sr. Systems Manager]
2. All default passwords of the system-supplied accounts present in the operating system shall be changed, and all unnecessary default accounts shall be disabled. [Responsibility: Sr. Manager IT Operations / Network and Service Manager]
3. A separate named ID with the required privileges shall be created for administrative use. System-supplied accounts such as "Administrator" and "root", or their equivalents, shall not be used for day-to-day operations. [Responsibility: Senior Manager Infrastructure]
4. The server shall be joined to the Tapal Tea Private Limited domain. [Responsibility: IT Department]
Installation of User-end OS
1. User-end OS software shall be approved before installation. The Service Desk support staff / IS staff are responsible for all aspects of the installation of the OS on end users' PCs. End users shall not be granted administrative rights. [Responsibility: Service Desk / IS Staff]
2. All default passwords of the system-supplied accounts present in the operating system shall be changed, and all unnecessary default accounts shall be disabled. [Responsibility: Service Desk / IS Staff]
3. The prepared system shall be joined to the Tapal Tea Private Limited domain. [Responsibility: Service Desk / Staff]
Configuration
1. Auditing shall be enabled for all sensitive and security-related events. At a minimum, key events such as failed logins, successful logins and access to sensitive files / folders shall be logged. [Responsibility: System Manager / Sr. System Manager]
2. Changes to sensitive files / folders, i.e., file shares and file permissions, shall be restricted and shall require the permission of the Head of Information Technology. [Responsibility: System Manager / Sr. System Manager]
3. Unnecessary OS services shall be stopped. A security baseline document shall be maintained (where necessary). [Responsibility: System Manager / Sr. System Manager]
Operation
1. A list of the access rights of the authorized local OS users shall be maintained and updated whenever required. [Responsibility: System Manager / Sr. System Manager]
Monitoring
1. OS audit logs (event logs) shall be monitored and reviewed for any suspicious activity. Any anomaly noted shall be reported to the Head of Information Technology. [Responsibility: IT / IS function]
2. Logs of privileged user IDs (System Administrator / root / Administrator) shall be reviewed as stated in the IS Policy. [Responsibility: Information Security / GM IT]
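The Configuration steps of 4.5 (databases) and 4.6 (operating systems) both require failed logins, successful logins and sensitive table or file access to be logged, and their Monitoring steps both require those logs to be reviewed for suspicious activity, with particular attention to the built-in privileged accounts that the Installation steps say must not be used day to day. The Python script below is an added example of such a review over a handful of constructed, already-normalised audit records; it is not part of this manual. The record format, the thresholds (5 failures in 5 minutes), the allow-list and the account and object names are all assumptions made for the example, and parsing the native database audit trail or the Windows Security event log into this format is out of scope here.

```python
"""Added example: review constructed database and OS audit records for the
events the Configuration steps of 4.5 and 4.6 require to be logged and
flag what their Monitoring steps call suspicious activity.  Record
format, thresholds, account names and object names are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Accounts the Installation steps say must not be used for day-to-day work.
BUILTIN_PRIVILEGED = {"SYS", "SYSTEM", "root", "Administrator"}

# Constructed allow-list: sensitive object -> accounts permitted to touch it.
SENSITIVE_OBJECTS = {
    "DB:HR.PAYROLL":     {"payroll_app"},
    "OS:fs01/Finance$":  {"fin_share_svc", "akhan"},
}

# Constructed, normalised audit records (one dict per event).
RECORDS = [
    {"ts": "2024-06-10 02:00:01", "src": "DB", "event": "LOGON_FAIL", "user": "SYS", "from": "10.0.5.7"},
    {"ts": "2024-06-10 02:00:04", "src": "DB", "event": "LOGON_FAIL", "user": "SYS", "from": "10.0.5.7"},
    {"ts": "2024-06-10 02:00:07", "src": "DB", "event": "LOGON_FAIL", "user": "SYS", "from": "10.0.5.7"},
    {"ts": "2024-06-10 02:00:09", "src": "DB", "event": "LOGON_FAIL", "user": "SYS", "from": "10.0.5.7"},
    {"ts": "2024-06-10 02:00:12", "src": "DB", "event": "LOGON_FAIL", "user": "SYS", "from": "10.0.5.7"},
    {"ts": "2024-06-10 02:00:15", "src": "DB", "event": "LOGON_OK",   "user": "SYS", "from": "10.0.5.7"},
    {"ts": "2024-06-10 02:01:30", "src": "DB", "event": "OBJECT_ACCESS", "user": "SYS", "from": "10.0.5.7", "object": "DB:HR.PAYROLL"},
    {"ts": "2024-06-10 09:15:00", "src": "OS", "event": "LOGON_OK",   "user": "akhan", "from": "WS-042"},
    {"ts": "2024-06-10 09:16:10", "src": "OS", "event": "OBJECT_ACCESS", "user": "akhan", "from": "WS-042", "object": "OS:fs01/Finance$"},
    {"ts": "2024-06-10 09:20:00", "src": "OS", "event": "LOGON_FAIL", "user": "craza", "from": "WS-017"},
]


def _ts(rec):
    return datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")


def failed_logon_bursts(records, threshold=5, window=timedelta(minutes=5)):
    """(src, user, from) keys with >= threshold failures inside one window,
    and whether a successful logon for the same key followed within it
    (a burst that ends in success is the case to escalate first)."""
    fails, oks = defaultdict(list), defaultdict(list)
    for r in records:
        key = (r["src"], r["user"], r["from"])
        if r["event"] == "LOGON_FAIL":
            fails[key].append(_ts(r))
        elif r["event"] == "LOGON_OK":
            oks[key].append(_ts(r))
    findings = []
    for key, times in fails.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            start, end = times[i], times[i + threshold - 1]
            if end - start <= window:
                succeeded = any(start <= t <= start + window for t in oks[key])
                findings.append({"key": key, "count": threshold,
                                 "first": start, "succeeded_after": succeeded})
                break
    return findings


def builtin_account_logons(records):
    """Successful logons with built-in privileged accounts (SYS, root, ...):
    each one should map to an approved system activity request."""
    return [r for r in records
            if r["event"] == "LOGON_OK" and r["user"] in BUILTIN_PRIVILEGED]


def unauthorised_sensitive_access(records, allow=SENSITIVE_OBJECTS):
    """Sensitive table / share access by an account outside the allow-list."""
    return [r for r in records
            if r["event"] == "OBJECT_ACCESS"
            and r["user"] not in allow.get(r["object"], set())]


def review(records):
    """Bundle the three checks into one review result."""
    return {"bursts": failed_logon_bursts(records),
            "builtin_logons": builtin_account_logons(records),
            "sensitive": unauthorised_sensitive_access(records)}


if __name__ == "__main__":
    for name, items in review(RECORDS).items():
        print(name, len(items))
```

The three checks are deliberately independent, because each corresponds to a different control in the procedures: the burst check exercises the failed/successful login logging, the built-in account check exercises the rule that SYS / root / Administrator are not for day-to-day use, and the object check exercises the sensitive table / folder access logging. A review that reports only raw failed-login counts would miss the last two.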
4.7. Installation and Use of Licensed Software
4.7.1. Objective
A software license grants an organization the legal right to use the software and keeps it compliant with copyright law. Organizations regard a software contract as a means of investment protection: it secures vendor support and avoids the reputational damage of legal action in case of non-compliance. This procedure describes the process for requesting installation of software on desktops, laptops, etc.
The objective of this procedure is to streamline the process of having licensed software installed without facing disruptions in normal day to day business.
4.7.2. Prerequisite
This procedure should be read in conjunction with:
● Information Security Policies
4.7.3. Responsibility
• GM Information technology
• Sr. Manager IT Infrastructure
• Manager Systems/ IT Business Partner Systems
• Head of Department/ Line Manager
• IT Team
• Users
4.7.4. Policy
1. All software license purchases shall be made in the legal name of the company (registered to an official company email address) and not in the name of any other entity or individual.
2. For licensed software acquired from third parties (including authorized dealers and software developers), it shall be ensured that the third party is capable of validating, protecting, and maintaining the software license rights.
3. A list of licensed software shall be maintained according to the license agreement type, i.e., "perpetual" or "term license", and the number of users supported. This list shall be updated promptly when new software is purchased or a license is renewed.
• Perpetual license: the agreement has an unlimited validity period, since the organization owns the license.
• Term license: the agreement has a definite validity period.
4. Designated personnel managing the IT inventory shall review the licensed software list periodically and inform the Sr. Manager IT Infrastructure of software license agreements that are near expiration.
4.7.5. Procedure
Step Description Responsibility
1. For software already in use, the user department shall forward the requirement, after IT approval, via a Service Desk request or email. For a new software requirement, Business Head / Line Manager approval is required on the Service Desk request or email. [Responsibility: Users / Business Head / Line Manager]
2. The request shall be matched against the existing software license inventory; if a license is available, the request shall be queued for installation. [Responsibility: Service Desk]
3. If no license is available and the software needs to be procured, the request shall be checked for the Business Head's / Line Manager's approval. [Responsibility: GM Information Services / Service Desk / Sr. System Manager]
4. The request shall be forwarded to the Business Head / Line Manager for final approval; senior management approval is required for higher commercial values. The relevant department shall then be approached for the purchase. [Responsibility: Business Head / Line Manager / CPD]
5. Once the software is available (purchased or held in inventory), the IT Team shall install it. After installation on the user's computer, an acknowledgement shall be obtained from the user via the Service Desk or email. [Responsibility: Service Desk]
6. After receiving the acknowledgement, the Service Desk team updates the "number of current users" in the Software License Inventory. [Responsibility: Service Desk]
4.8. Security Patch Management
4.8.1. Objective
The purpose of this procedure is to lay down guidelines and best practices which are to be followed in case of deployment of security patches on production environment.
4.8.2. Responsibility
• GM of Information Technology
• Sr. Manager IT Infrastructure
• Manager IT Operations
• Sr. System Manager/ IT Business Partner System
• System / Network / Application (Administration Team)
4.8.3. Patch Management
Software vendors release security and correction patches at regular intervals on their service portals. All new patches shall be regularly checked for applicability. Security patches shall not be ignored.
For business applications, a patch shall first be applied to DEV / QA (Development Environment) and, after technical evaluation, transported to PRD (Production Environment).
4.8.4. Procedure
Step Description Responsibility
1. Public, private, vendor and industry vulnerability reports shall be monitored periodically to identify latest patches available.
Live updates to software shall be enabled for notifications regarding new security patches available, Where applicable. System / Network /
Application
(Administration team)
2. A request Pertaining to New Patch/Service Pack Deployment shall be raised via an email to Line Manager and it shall be assigned to the relevant IT support staff. System / Network /
Application
(Administration team)
Step Description Responsibility
3. Patches shall be ranked by criticality using the following convention; the rollout plan shall be devised according to criticality.
• Emergency (Very High): The threat source is critical, and immediate deployment is required to safeguard against damage to business and information assets.
• High: The threat source is highly motivated and sufficiently capable; controls to prevent the vulnerability from being exercised are ineffective.
• Medium: The threat source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.
• Low: The threat source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised. This rank also covers patches that only add features.
In case of emergency, approval from the GM of Information Technology / designated personnel shall be required to deploy the patch immediately. System / Network / Application (Administration team)
4. Where applicable, patch files shall be scanned for threats with antivirus before deployment. System / Network / Application (Administration team)
5. Patches shall first be tested in the test environment to ensure they have no adverse effect on the systems. Wherever applicable, the risks and the areas that could potentially be impacted shall be recorded along with the assessed impact. System / Network / Application (Administration team)
6. Finally, after testing the patch in the Test (QA) environment, a patch implementation plan with adequate recovery and fallback procedures shall be devised for all applications. The implementation plan shall be communicated to all relevant business users / Business Heads and support staff whose operations may be affected. Application Administrator (Administration team)
7. Where a planned system/network outage is required, the activity shall be performed outside business hours, or business users shall be informed at least 1 day in advance of the outage. System / Network / Application (Administration team)
8. After successful implementation of the patch, the respective request shall be closed with appropriate comments. System / Network / Application (Administration team)
9. Patch deployment history shall be maintained. System / Network / Application (Administration team)
10. System documentation and the configuration database shall be reviewed annually to ensure they are up to date. Sr. System Manager / System / Network / Application (Administration team)
4.9. Password Storage & Management
4.9.1. Objective
The purpose of this procedure is to establish mechanisms to keep administrative passwords safe and available for emergency use.
4.9.2. Prerequisite
This procedure should be read in conjunction with:
• Information Security Policies, including:
o Access Control Policy
4.9.3. Responsibility
● General Manager Information Technology
● Senior Manager IT Infrastructure
● System Manager / IT Business Partner Systems
● System / Network / Application (Administration Team)
● Information Security Function
4.9.4. Procedure
Step Description Responsibility
1. All passwords of default administrative accounts shall be kept in sealed envelopes in a locked cabinet/safe for use in a future disaster. GM IT
3. These passwords may only be used in an emergency, after formal approval from the GM IS. A log shall be maintained of every use of these passwords. GM IT
4. The administrators shall reset all administrative passwords every 90 days. Sr. System Manager / System / Network / Application (Administration team)
5. It shall be ensured that the passwords are changed every 90 days and that all previous envelopes are destroyed. A log shall be maintained for each password change (where applicable). Information Security function
4.10. Security Incident Management
4.10.1. Objective
The objective of this procedure is to provide guidelines for reducing the potential business impact and risk of incidents by responding to them in a manner that allows timely corrective action, identifies the perpetrators of malicious acts, and preserves sufficient evidence to prosecute them if required.
4.10.2. Prerequisite
This procedure should be read in conjunction with:
• Information Security Policies, including:
o Security Incident Management
o Organization of Information Security
4.10.3. Responsibility
• General Manager Information Technology
• IT Team
• IS Support Staff (if any other)
• Users
• Information Security Function
4.10.4. Procedure
Step Description Responsibility
1. Information Security / GM IT shall be notified whenever any kind of technology-related incident is detected. For security incidents, refer to the Security Incident Management policy. Incidents shall be logged in the IS Service Desk system. IT Team / IS Support Staff / User
2. Additional IT Department staff shall be consulted if necessary, depending on the incident reported. Information Security / IT Department Managers
3. In case of incidents such as malicious code, malicious access, denial of service attacks or virus infections, IT, in consultation with the IS team, shall isolate the affected host/system from the network. In case of fault logging and system malfunction incidents, the IT Team shall resolve the incident with the help of the Information Security function and the affected users for timely resolution. Manager Information Security / IS and IT Team
4. It shall be determined whether any additional systems within the environment may also have been impacted or compromised. These systems shall also be isolated from the network immediately. Manager Information Security / IT Team
5. A quick assessment shall be performed to determine the type, impact, and severity of the incident. Manager Information Security / IT Team
6. If the repair requires the help of a vendor, the respective IS Support Staff shall contact the vendor. The Procurement department shall be contacted when the need arises. IT Team
7. The affected system(s) will be repaired, tested, and handed over to the user. IT Team
8. The incident response shall be logged and completed in the Service Desk.
The following information must be included in the Incident Response record:
• Details of the incident reporter
• Date and time
• System or application affected
• Type of incident (e.g. DDoS, unauthorized access, malicious code)
• Description of the incident
• Impact of the incident (loss of information, system damage, monetary loss)
• Remedial actions taken
• Evidence obtained (logs etc.)
• Lessons learned and future improvements to policies. IT Team
9. For every incident, the Incident Response record shall be sequentially numbered and retained. Any evidence shall be preserved in hardcopy or softcopy in the Service Desk system. IT and IS Team
10. Through analysis of the available evidence, it shall be determined whether the incident was accidental or caused intentionally. IT and IS Team
11. For malicious incidents, it shall be assessed whether the damage was caused from a remote location or from within the internal network. IT and IS Team
12. In the event of an internal security incident, disciplinary action may be sought against the staff involved. GM IT / Legal Department / ER / Information Security
13. On a yearly basis, all incidents logged in the Service Desk shall be reviewed to identify recurring incidents and strengthen the controls in place. Information Security / Service Desk Team
4.11. Complaint Request Management
4.11.1. Objective
The objective of this procedure is to establish guidelines for the computer-related / technical support provided by the IT Team / IS Team of Tapal Tea, covering all domains such as Access Management, Change Management, and Incident Management.
4.11.2. Responsibility
• General Manager Information Technology
• Sr. Manager IT Infrastructure
• IT Team
• Asset Management Team
• IS Support Staff (if any other)
• Users
• Information Security Manager
4.11.3. Procedure
Step Description Responsibility
1. Requests shall be sent to IT via the 'Service Desk System' or via email. Requests made via phone call / email shall be logged in the support system afterwards. User
2. Requests initiated by end users shall be verified and catered for only after the necessary approvals from their respective Line Manager / IT Business Partner (where necessary). Service Desk Team / IT Team
3. Where user requests pertain only to error resolution, such as network connectivity or system malfunction, approval may be bypassed and the request assigned directly to the respective IT staff for early resolution. Service Desk Team / IT Team
4. The Information Security function shall be informed if the reported issue falls under the "security incident" category; the Incident Management Procedure shall be followed thereafter. Service Desk Team / IT Team
5. The relevant Application Support Team shall be informed if the reported issue falls under the "Application Access / Change / Configuration / Patch Management" category; the relevant procedures shall be followed thereafter. Service Desk Team / IT Team
6. The IT Network Management Team shall be informed if the reported issue falls under Network Management, i.e. Email / Internet Access and Network Change / Configuration / Patch Management; the relevant procedures shall be followed thereafter. Service Desk Team / IT Team
7. For requests that require a new installation / new hardware setup, the request shall be forwarded to the relevant System Support staff. Service Desk Team / IT Team
8. For minor problems, the user may be contacted by phone to resolve the issue; otherwise a visit, or remote support, by the System Support staff shall be required. In any case, the user shall be required to log a ticket. Service Desk Team / IT Team
9. If the problem cannot be resolved by 1st tier support, 2nd tier and 3rd tier (vendor) support shall be activated to respond to the problem. Service Desk team
10. The Service Desk Team shall also be responsible for arranging alternatives if the problem cannot be resolved at that time because the affected equipment in Tapal Tea's existing IT infrastructure is damaged or not repairable.
Any logged complaint will take time according to the nature of the complaint and the tier level required for its resolution.
A backup shall be taken by the Asset Management team. Service Desk Operator / Asset Management Team
11. If the problem cannot be resolved, it shall be forwarded to the relevant SME for further clarification, and the support staff shall produce the best possible alternatives. Service Desk Team / IT Team
12. After the complaint/request has been completed, the relevant technical support person shall be responsible for closing the ticket (Case) after obtaining endorsement from the user. If the user does not respond within 3 days, the request shall be considered closed. Service Desk team
13. The user shall record his satisfaction level in the Service Desk System and mark the issue as resolved.
The resolution date and time, and the Service Desk / IT / Administration personnel who worked on the problem, shall be logged automatically by the system. User
14. A formal analysis of the nature of the problems logged shall be carried out at the end of every quarter. This analysis shall subsequently be used to identify the major causes of problems so that efforts can be made to minimize them. The results of this analysis (major causes of problems only) shall be presented to the General Manager of Information Technology. Suggestions for improvement shall be provided to the Service Desk / IT Support staff, including procedures to diagnose and resolve problems. Service Desk / IT Support / Information Security
15. Service Desk logs shall be monitored to ensure that no "security incident" has gone unreported to authorized personnel and that all problems were successfully resolved. Further, the resolution measures taken shall be reviewed to ensure no breach of Information Security policies took place. Manager Information Security
16. Response times shall be monitored to increase the efficiency of the Service Desk in resolving problems quickly. Based on this, a performance evaluation of the system support personnel shall be carried out on a quarterly basis. Service Manager
4.12. Network Management
4.12.1. Objective
This procedure aims to ensure the smooth and controlled operation of all Tapal Tea Private Limited networks by stating network management guidelines.
4.12.2. Prerequisite
This procedure should be read in conjunction with:
• Information Security Policies, including:
o Communication Security Policy
4.12.3. Responsibility
• GM Information technology
• Sr. Manager IT Infrastructure
4.12.4. Procedure
Step Description Responsibility
Network Documentation
1. The following shall be maintained and updated in a timely manner:
• High level network diagram showing the main network domains and connections
• Diagram showing servers and their connection methods. Sr. Manager IT Infrastructure / Network Team
Audit Logging & Monitoring
1. Audit logs of VPN, firewalls, and Network Monitoring Systems, where applicable, shall be retained at a minimum for one year. Sr. Manager IT Infrastructure/ Network Team
2. Logs shall be reviewed quarterly for any suspicious activities. Network and Service Manager / Information Security Manager
3. Network devices and media/links shall be monitored to ensure connectivity at the network access layer and on upstream provider links. Network and Service Manager
4. Downtime reports shall be retained in the Service Desk Portal and reviewed quarterly to identify recurring problems and highlight solutions. Network and Service Manager / GM IT
4.13. Remote Access
4.13.1. Objective
The objective of this procedure is to establish guidelines for granting employees remote access to the Tapal Tea network while minimizing information security threats and risks.
4.13.1. Prerequisite
This procedure should be read in conjunction with:
• Information Security Policies, including:
o Organization of Information Security
o Access Control Policy
4.13.2. Responsibility
• GM Information technology
• Division Unit Head / Head of Department (Business Head)
• Sr. Manager IT Infrastructure
• System Manager / IT Business Partner
• IT Network Team
• Users
4.13.3. Procedure
Step Description Responsibility
1. Users request remote access via the Service Desk / email. User
2. The request shall be approved by the Line Manager after assessing the need and justification for remote access. Line Manager
4. The request shall be forwarded to the Line Manager for approval via the Service Desk. Network and Service Manager
6. Once the request is approved, the user's remote access / VPN account shall be created for the application/system for which access is required. All remote access to Tapal Tea information system resources shall be controlled by an approved authentication mechanism. IT Network Team
7. Remote access approval documentation and a list of all remote access users shall be maintained. IT Network Team
8. The list of users with remote access shall be updated whenever any change occurs. IT Network Team
Auditing and Monitoring
1. Remote access logs shall be continuously reviewed for unusual activity and violations. IT Network Team
2. Accounts not in use for 35 days shall be locked. IT Network Team
3. The remote access users list shall be reviewed annually. Sr. Manager IT Infrastructure
4.14. Capacity Planning
4.14.1. Objective
This procedure outlines the responsibilities, guidelines, and standards for determining the service level requirements of the IT infrastructure and planning for future capacity requirements.
4.14.2. Responsibility
• GM of Information technology
• Sr. Manager IT Infrastructure
• System Manager / IT Business Partner
• Application Administrator (SAP Basis/ Applications other than SAP ERP.)
• Designated IT staff
4.14.3. Procedure
Step Description Responsibility
1. Each application and infrastructure component shall have a nominated administrator/owner responsible for monitoring its service levels / utilization over time, including peak usage periods. The use of automated monitoring tools is encouraged.
The following components must be included:
• Network Bandwidth (Network devices)
• Routers & switches
• Disk Space (server / desktops)
• Server processors
• RAM
• Printers Sr. Manager IT Infrastructure/ Manager Systems/ Operation Manager IT/ IT Network Team Lead
2. The results of service level and infrastructure utilization monitoring shall be compared with the maximum usable capacities. This helps establish when a particular piece of infrastructure is approaching its maximum usable capacity and additional hardware/software is required for smooth functioning. Sr. Manager IT Infrastructure/ Manager Systems/ Operation Manager IT/ IT Network Team Lead
3. Performance tuning activities shall be carried out to enhance the performance of the existing infrastructure. Sr. Manager IT Infrastructure/ Manager Systems/ Operation Manager IT/ IT Network Team Lead
4. Future changes/enhancements shall be evaluated against the existing results to establish whether additional hardware/software is required. Sr. Manager IT Infrastructure/ Manager Systems/ Operation Manager IT/ IT Network Team Lead
5. Increases in business activities and staffing levels shall also be monitored to allow for the extra facilities that will be required, for example the number of workstations. Sr. Manager IT Infrastructure/ Operation Manager IT
4.15. Backup & Restoration
4.15.1. Objective
The objective of this procedure is to outline the backup/restoration schedules and practices to be followed at Tapal Tea Private Limited.
4.15.2. Responsibility
● GM of Information Technology
● Sr. Manager IT Infrastructure
● Manager IT Operations
● System Manager/ IT Business Partner Systems
● Application / Database Administrator (SAP Basis, Other Apps)
4.15.3. Procedure
SAP Database Backup
Step Description Responsibility
Backup
2. Backups are taken on a real-time basis. SAP Basis / SAP Rise
3. In case the DR site is up and operating as the primary site, daily backup sets and export dumps shall be copied to an external hard drive. DR Manager
4. Backup activity shall be recorded, and logs shall be retained for a minimum of one month. SAP Basis and Database Administrator / Sr. System Manager
5. A ten-working-day backup retention policy shall be followed. SAP Basis and Database Administrator / Sr. System Manager
6. Backup tape media shall be adequately labeled. SAP Basis and Database Administrator / Sr. System Manager
Validation of backup
1. Backup sets shall be validated at least every 3 months through adequate restoration testing on a separate server. SAP Basis and Database Administrator / Sr. System Manager
2. Evidence / results of successful backup restoration testing shall be retained. SAP Basis and Database Administrator / Sr. System Manager
Planned/ Unplanned Maintenance
1. A full cold backup of the relevant database shall be taken and moved to storage media before any major planned or unplanned maintenance activity. SAP Basis and Database Administrator / Sr. System Manager
Tapal Tea (Pvt.) Limited Other Apps Database Backup
Step Description Responsibility
Backup
1. A full backup shall be taken every day, manually on demand or via a backup schedule job configured in MySQL / MS SQL Server. IT Team/ Third Party
Backup storage and retention
1. Backup dumps shall be transferred to separate media, a file server, or cloud storage. IT Team/ Third Party
2. Backup activity shall be recorded, and logs shall be retained for a minimum of one year. IT Team/ Third Party
3. A one-week backup retention policy shall be followed. IT Team/ Third Party
4. Backup folders shall be adequately labeled. IT Team/ Third Party
Validation of backup
1. Backups shall be validated every 3 months in accordance with the backup restoration testing plan. IT Team
2. Evidence / results of successful backup restoration testing shall be retained. IT Team
Planned/ Unplanned Maintenance
1. A full backup of the relevant system/database shall be taken before any major planned or unplanned maintenance activity. IT Team
Application and other data
Step Description Responsibility
Backup
1. A backup of all application executables and folders shall be taken before any change in source code / application configuration. IT Team/ Manager Systems/ Third Party
2. Backup activities shall be recorded and evidence (logs) retained for a minimum of 3 months. IT Team/ Manager Systems/ Third Party
3. Wherever applicable, backup media/folders shall be adequately labelled and organized. IT Team/ Manager Systems/ Third Party
Network Devices Backup
Step Description Responsibility
Backup
1. A backup of all network devices shall be taken before and after any change in network configuration. Network Team/ Sr. Manager IT Infrastructure
2. Backup activities shall be recorded and evidence (logs) retained for a minimum of 1 year. Network Team/ Sr. Manager IT Infrastructure
3. Wherever applicable, backup media shall be adequately labelled and organized. Network Team/ Sr. Manager IT Infrastructure
4.16. Information Technology Business Continuity/ Disaster Recovery
4.16.1. Purpose
This policy provides guidelines for the ongoing process of planning, developing, and implementing a disaster recovery plan for IT service resilience at Tapal.
4.16.2. Policy Statements
1. The IT Team is committed to implementing robust IT solutions that provide availability of the IT services critical to achieving the organization's objectives in case of an incident.
2. The Company shall develop a comprehensive Disaster Recovery Plan (DRP) for all assets managed and hosted by the IT function; however, the recovery plan may be omitted where assurance of the availability of an information asset and its related data is the responsibility of a third party.
3. DRP shall be approved by Senior Management and communicated to relevant stakeholders.
4. Manager IT shall review the plan prior to approval of Senior Management.
5. Senior Management is responsible to ensure the effective implementation of the plan.
6. The disaster recovery plan shall address, but is not limited to, the following aspects:
• Define system recovery, business resumption priorities and establish specific recovery objectives including Recovery Time Objectives (RTO) and Recovery Point Objective (RPO) for IT systems and applications.
• Identification of key contact persons during the event of disaster and their contact information.
• Identification of Disaster Recovery Site that is geographically separated from the primary site.
7. The DRP shall be updated at least annually, and whenever required.
8. A DR drill exercise must be conducted at least annually to validate the plan's effectiveness and to ensure that staff are appropriately trained in its execution.
9. The outcome of the drill exercise shall be logged and validated against the required results to assess adequacy.
10. The respective business group heads / unit heads shall be involved in signing off the test results of DR drills.
11. A DR site shall be established as a passive facility possessing all the operational utilities and systems required for the efficient continuation of the service delivery that is critical to meeting the organization's objectives.
Business Impact Assessment
12. Manager IT, along with Senior Management, shall identify critical assets and services, both in-house and outsourced, and map them to the business processes necessary to achieve business objectives.
13. Manager IT is responsible for establishing the DR Plan based on the BIA.
14. The BIA shall be communicated to and approved by senior management and relevant stakeholders.
15. BIA assumptions shall be evaluated using various threat scenarios affecting critical assets and services.
16. The DR specifications shall be selected according to the BIA, to address the identified threats and to meet the recovery objectives.
The BIA shall be reviewed periodically, or whenever a change occurs, to ensure the security of information and related technologies.
5. Organizing and Monitoring IT Processes
5.1. Independent Audit
5.1.1. Objective
To increase confidence level in the business systems, benefit from global best practices and have an unbiased review of the information technology setup of Tapal Tea, an independent IT audit is essential. This allows management to take proactive measures for safeguarding the information assets of the company in view of the emerging threats and also to exploit the opportunities as they present themselves.
5.1.2. Responsibility
• CEO Tapal Tea
• CFO Tapal Tea
• IT Steering Committee
• General Manager Information technology
• Information Security Function
5.1.3. Policy
1. External IT audit shall be conducted at least once a year by reputable auditing firms who have required skill set, proven expertise and experience.
2. Internal audit shall be conducted by a person/department independent of the IT Division (whether in-house or outsourced) who shall be competent and qualified to perform IT audits.
3. The scope of internal audit shall be decided after a preliminary assessment and formal IT internal Audit Plan.
4. A draft audit report shall be prepared and submitted to the management. The issues highlighted in the report shall be discussed and agreed with the management. The management's comments shall be taken and incorporated in the auditors' report. A definite date for the actions to be taken by the management shall be mutually agreed and documented.
5. The final audit report shall be issued to the relevant management and stakeholders.
5.2. Monitoring
5.2.1. Objective
Tapal Tea shall monitor its information technology processes to ensure that IT Operations are managed and performed in a controlled environment so that the overall IT and business objectives are met.
5.2.2. Responsibility
• GM of Information technology
• Sr. Manager IT Infrastructure
• Manager Systems/ IT Business Partner System
5.2.3. Policy
1. GM of Information technology or his designate shall ensure that audit logs are maintained as per Access Control Policy.
2. Audit logs shall be protected against unauthorized modification and malicious tampering. This can be achieved by segregation of duties in most cases; e.g., the DBA should not have system administrator rights on the partitions where database logs are created.
3. Information Security shall review privileged ID audit logs at the frequency defined in the Access Control Policy. User level logs may be reviewed from time to time by System/Network/DB administrators, provided they are designated to do so by the Head of Information Technology.
4. System Administrator, Application Administrator, Network Administrator and DBA are responsible for generating audit logs for their respective applications.
5. In the absence of an electronic access device (RFID) securing access to the server room, manual entry logs for the server room shall be maintained by the GM of Information Technology / Sr. Manager IT Operations or designated personnel.
6. Sr. Manager IT Infrastructure will ensure all records are maintained pertaining to the review of logs so as to demonstrate compliance with Tapal Tea’s Information Security and Information Technology policies and procedures for auditing purposes.
7. A checklist shall be prepared listing the factors to be considered during the review of audit logs. Some factors that can be included are as follows:
Application Level
1. User level application logs shall include, but are not limited to, the following:
• Unsuccessful login/logoff attempts.
• Login - logout timings.
• Transactions performed or T-Codes executed with time and date stamps
2. Privileged ID application logs shall include, but are not limited to, the following:
• User administration activities, to detect whether any unauthorized roles have been granted to users or to the administrator himself.
• Ensure that privileged IDs are not involved in executing business functions.
Database Level
1. User level database log review shall include, but is not limited to, the following:
• Updates to sensitive/critical tables.
• Unauthorized access.
2. Privileged ID database log review shall include, but is not limited to, the following:
• Any modifications made to data/schema etc. (insert, update, delete)
• Any modification made to master file/data dictionary.
• Patch updates history.
Network Configuration / Firewall
1. Audit logs of firewall and proxy server shall be monitored to detect access to blocked/banned websites.
2. Network configuration changes shall be reviewed after any change to ensure they were authorized.
Operating System
1. System Administrator activity log review shall include, but is not limited to, the following:
• Patch Updates history
• User administration activities to detect if any unauthorized roles have been granted to users.
Service desk
1. All the user queries submitted to Service desk must be logged with date, time, username, query details, attendant's name, action taken, and query forwarded to the appropriate person.
2. Manager Operations shall monitor performance of query resolution.
5.3. Quality management
5.3.1. Objective
To ensure quality by capturing management's vision of quality objectives, the acceptable level of quality, and the duties of specific teams and entities, and to ensure the consistent and systematic delivery of technology solutions and services that meet Tapal's quality requirements and satisfy stakeholder needs.
5.3.2. Policy statement
1. Quality management practices shall be included in all IT processes and solutions.
2. Focus on quality management shall be ensured by determining internal and external stakeholders’ requirements for quality as well as by ensuring alignment with the IT policies and procedures.
3. Recurring quality defects shall be identified, their root cause shall be determined, and their impact and result be evaluated by IT. Improvement actions shall be agreed with service and project teams.
5.4. Knowledge management
5.4.1. Objective
To ensure the availability of relevant, current, validated, and reliable knowledge to support IT processes and to facilitate decision making related to governance and management.
5.4.2. Policy statement
Personnel Competencies
1. Manager IT should periodically verify that the IT employees, contractors, or third-party service providers have the appropriate competencies to fulfill their roles and meet the required tasks.
2. Minimum level of IT competency requirements shall be defined according to the job roles and verified that they are being maintained.
Assigning of Roles
3. A job description is an important item for all IT personnel, as it provides a clear definition of their job responsibilities and authority.
4. Employees shall be equipped with the “know-how,” skills, time, tools, contacts, and authority to fulfill their assigned roles. However, while assigning roles and responsibilities the Manager IT shall ensure proper avoidance of any “Conflict of Interest” that could lead to any misconduct and increase the risk of collusion or fraudulent activity.
5. Efforts should be made to achieve segregation of duties. In case of resource constraints, monitoring shall be increased to compensate.
6. Exposure shall be minimized to critical dependency on key individuals through knowledge capture, knowledge sharing, succession planning and staff backup.
7. The IT Function shall collect and analyze information from project challenges, change errors, and IT or cybersecurity incidents, and where applicable shall communicate with relevant stakeholders to educate them and protect the organization from similar threats in future.
8. IT employees shall be provided training/ session by their respective units/ divisional heads based on performance evaluation.
5.5. Compliance and Audit management
5.5.1. Purpose
To increase confidence level in the business systems, benefit from global best practices and have an unbiased review of the changing information technology setup of the company, an independent IT audit is essential. This allows management to take proactive measures for safeguarding the information assets of the company.
5.5.2. Policy Statements
1. Assurance initiatives shall be exercised to validate the design and performance of the IT controls and services (in-house and outsourced) that support business objectives.
2. External IT audit shall be conducted at least once a year by reputable auditing firms or by an internal Tapal department that is independent of IT.
3. The scope of internal audit should be decided after a preliminary assessment.
4. Internal audit shall be conducted by a person/department independent of IT Division who shall be competent and qualified to perform IT audits.
5. As a first step, a risk assessment shall be carried out to highlight areas where the exposure to risk is higher.
6. A formal audit plan shall be prepared in consultation with the Manager IT based on the risk assessment and approved by the audit committee.
7. A draft audit report shall be prepared and submitted to the management. The issues highlighted in the report shall be discussed and agreed with the management. The management's comments shall be taken and incorporated in the auditors' report. Definite dates for the actions to be taken by the management shall be mutually agreed and documented.
8. The final audit report shall be issued to the relevant workforce or senior management.
9. An action plan shall be drawn up by the Manager IT based on the agreed recommendations. The Manager IT will be responsible for ensuring effective implementation of this action plan. The status of its implementation shall be presented at the next IT audit.
5.6. Relationship management
5.6.1. Purpose
The purpose of this policy is to provide guidelines to establish and maintain relations between business and IT, and to establish transparency, mutual trust, and a common focus on achieving strategic goals within the context of budget and risk tolerance.
5.6.2. Policy statements
1. IT shall maintain and cultivate productive relationships with all the departments of Tapal.
2. IT shall position itself as a partner to the business in its digital transformation journey by identifying and communicating to key stakeholders the opportunities, risks and constraints, including those of current and emerging technologies and services.
3. IT shall collaborate with business stakeholders on key initiatives by providing valuable advice and recommendations (e.g., for business cases, requirements definition, solution design).
4. Through effective communication and relationship management, IT and business functions shall determine priorities, dependencies, resource constraints and emerging risks of key initiatives.