INFORMATION SERVICES POLICIES AND PROCEDURES MANUAL
1 Introduction
This manual has been developed as a guide, model and day-to-day decision-making reference for the Information Services Department of Tapal Tea Private Limited. No two information systems operations are identical, but they share common elements: hardware, software and personnel. This manual defines these common threads that link all information technology operations and provides guidance for a variety of situations. IT operations that have a formal policies and procedures manual in place are noticeably easier to manage and operate.
1.1 Purpose
The prime focus of this manual is to lay down the policies and procedures that govern day-to-day IT operations. They are to be followed by every staff member of Tapal Tea and its sister companies involved in technology operations, whether permanent or contractual.
1.2 Waiver and Exception criteria
This manual is intended to address day-to-day IT operations. Requested waivers and exceptions must be formally submitted to the document owner, including the justification and benefits attributed to the waiver, and must be approved by the Steering Committee. A waiver should only be used in exceptional situations to record non-compliance with a policy or procedure for a specific period of time (subject to a maximum period of one year). At the end of the period the need for the waiver shall be reassessed and re-approved, if necessary. No policy or procedure shall be granted a waiver for more than three consecutive terms.
1.3 Maintenance
Tapal Tea's IT Department is responsible for administering these policies and procedures. This task includes updating the Policies and Procedures document from time to time to reflect updates, amendments and circumstances requiring change, and training personnel accordingly.
Besides the above-mentioned changes, the document will undergo a formal review annually to confirm that all changes to the business/IT environment since the last review have been incorporated.
1.4 Revision Procedure and Control Techniques
When there is an apparent need for new or revised policies and procedures, the IS Department will submit the proposal through the appropriate channels to the Steering Committee.
After the Steering Committee has approved the new or revised policy/procedure, it may direct that the policy/procedure be issued and administered immediately.
Approved policies & procedures will be distributed to authorized management and supervisory officials by the IT Department.
The following manual revision control technique will be used:
• Policy and procedure holders are responsible for pointing out the need for revision whenever current instructions prove impracticable.
1.5 Version Number
The version of the manual is shown on the title page along with the date of publication, e.g. "Version 1.0, June 2018". A new version of the manual will be released after significant changes to the individual chapters of this manual.
Information Services Policies and Procedures Manual
Tapal Tea (Private) Limited
Proprietary and Confidential – Document Version 1.0 Page 11 of 93
Internal use only
1.6 Release Level
The release of the manual is shown on the first page (release number, 00 month 0000), e.g. "Release 01, June 2018", and on the second page under Document History.
Release level will be maintained separately for each chapter / annexure. The old replaced pages shall be stored as a record of revision of the manual.
Planning the IT Environment
2 IT Organization Structure and Governance
2.1 Information Services Organization Chart
For the Information Services Organization Chart, refer to Annexure A.
2.2 Establishment of Information Services Steering Committee
2.2.1 Objective
Steering Committee has the specific responsibility for overseeing major IT projects, managing IT priorities and setting the overall alignment of technology strategies with business objectives.
The primary function of the IS Steering Committee is to take responsibility for the feasibility, business case and achievement of outcomes of all Information Technology and Systems projects and investments. The IS Steering Committee will monitor and review all IT investments and in-process project status, and provide guidance on the rollout of project deliverables.
2.2.2 Members
Committee membership shall include representatives from senior management, user management and the IS function to ensure active participation of all IS stakeholders. Other representatives may be invited upon request. Committee members shall comprise the following:
• CEO Tapal Tea Private Limited
• GM IS
• CFO Tapal Tea Private Limited
• Business Heads
• Information Services Management
2.2.3 Responsibilities of IS Steering Committee Members
Following are the responsibilities of the Steering Committee:
• Overseeing the development and implementation of policies, principles, standards, and guidelines on information security, consistent with the guidance of Information Security Standards and proposed IS governance framework.
• Ensuring that information security management processes are integrated with organization strategic and operational planning processes.
• Review progress on existing IS and InfoSec projects and initiatives.
• Approve new projects (along with budgets) after reviewing the requirements.
• Discuss the cost-benefit analysis and needs assessment for each IS and InfoSec initiative/project.
• Decide whether to go for internal development of the systems or use external off-the-shelf products or services.
• Ensure that the General Manager Information Services, reports periodically to the CFO Tapal Tea on the effectiveness of their information security program, including the progress of remedial actions.
• Formulate Project teams (A mix of Business Users and IS, where required) for each of the projects so that proper coordination is done between departments.
• Formulate the IS and InfoSec strategy and ensure its alignment with the business objectives of Tapal Tea.
• Ensure that the IS and InfoSec strategy is followed for each approved project.
• Review significant IS related risks.
• Ensure that adequate resources are allocated to support the overall enterprise information security strategy.
• Ensure roles and responsibilities include risk management in all activities.
• Ensure that risk analysis is conducted on all critical systems within their area to assure that controls are deployed commensurate with the risk.
• Review and monitor progress of Internal/External IS Auditor’s report.
• Ensure that an external IS audit is carried out as per applicable statutory and Company requirements.
• Monitor and review Company-wide compliance with IS and InfoSec policies, and discuss and resolve issues pertaining to non-compliance.
2.2.4 Role of CEO and/ or CFO in IS Steering Committee
The CEO and/or CFO has overall strategic responsibility for all IS investments and IS projects, and is responsible for ensuring that the business brings the necessary commitment to all IS projects and investments. The time requirement for this role is normally at least one meeting per quarter, or as and when required.
The responsibilities of the CEO / Chairman in the IT Steering Committee are to:
• Communicate the importance of the project and investment to the business.
• Maintain regular and visible contact with all the IS projects and investments
• Approve and monitor the IS budget and expenditures
• Make business decisions on issues escalated by Steering Committee members
• Accept IS deliverables on behalf of the business
• Assist in clearing any kind of bottle-necks, obstructions to the project and IS investments
2.2.5 Role of the IS Steering Committee Facilitator and Coordinator:
The responsibility of IS Steering Committee Facilitator is to:
• Propose an agenda for each meeting using input from the committee members, and take the initiative in pursuing IT projects
• Ensure that the meeting agenda and any relevant materials are distributed to all members of the committee at least two working days prior to the meeting.
• Have a broad understanding of SAP, IT and project management issues and approach being adopted
• Present the complete IT requirement to all members of the Steering Committee
• Understand the strategic implications and outcomes of initiatives being pursued through project outputs
• Serve as the liaison to the IS Steering Committee Chairman and check adherence to project activities timelines
• Report on project progress to IS Steering Committee members in Steering Committee meetings
• Coordinate with business process owners on a daily basis to resolve issues and complete projects
• Foster positive communication outside of the team regarding the project's progress and outcomes
2.2.6 Role of Business Power User (Business Head):
The Business Power User, who is also the designated Business Head, shall:
• Serve as the liaison between business users and IS Department;
• Own the business process, including all the information processing assets and underlying data falling under the line of function, from a strategic point of view, and have end-to-end responsibility for the process;
• Define process goals based on the Tapal Tea's strategy and business objectives;
• Drive the continuous improvement of the process;
• Be able to answer system functionality and business process questions;
• Ensure that training on business processes and system use has been given to end users;
• Have final decision making power for changes to the process.
2.2.7 Meeting Schedule and Process
The Steering Committee will meet quarterly, or as and when required, to keep track of issues and the progress of all IT project implementations, IT procurement and ongoing support to its stakeholders.
The Facilitator of the IS Steering Committee will facilitate the Steering Committee meeting in the presence of the CEO and/or CFO and all Steering Committee members.
2.2.8 Meeting Agenda
At each meeting, the status of all running IT projects will be reported to the committee by the Facilitator of the IS Steering Committee, using an agenda such as the following:
A. Introductory Items such as:
• Introduction
• Review Agenda
• Minutes from last meeting
• Review of actions arising from previous IS Steering Committee meetings
B. Review All In-Progress IS Project Statuses
• Overall Status
− Scope status
− Schedule status
− Budget status
− Reason for any deviation from green status
• New issues arising since the last meeting
C. Review all IS procurements, company-wise / business-wise
D. Review critical IS procurements that were not budgeted
E. Plans, date and location for next meeting
2.2.9 Reporting:
The Facilitator of the Steering Committee will regularly report to the CEO and/or CFO about activities, issues and related recommendations, and will publish meeting agendas, minutes and supporting documents so that all members are aware of the work and recommendations of the committee.
2.3 IT Strategic Plan
2.3.1 Objective
An IT Strategic Plan provides the roadmap for IT to support the business objectives of the company. Without a strategic plan, implementation of IT may be misguided, delayed and/or expensive, and IT goals may be difficult to achieve in line with organizational needs.
2.3.2 Responsibility
• IS Steering Committee
• GM IS
• Business Analyst Manager (SAP)
• Business System Manager
• IS Manager Operations
• Sr. System Manager
• Information Security Manager
2.3.3 IT Strategic Plan Development
1. The IS Department is responsible for developing and implementing an IT strategy that is in line with the business objectives of Tapal Tea.
2. Once developed, the IT strategy will be revised yearly to cover Tapal Tea's technology investments for the next 3 to 5 years. The IT strategy will include a roadmap of efforts/projects to be undertaken on a yearly basis.
3. The IT Strategic Plan shall include the following:
• Vision Statement
• Mission, goals and objectives of Tapal Tea
• Business models for strategic use of IT
• Future IT Model that supports the business vision
• Analysis and strategies to close the gaps between providers and users of IT
• New technology-based products
• Definition of Key Milestones (Major Projects)
4. The IT Strategic Plan shall be presented to and approved by the Steering Committee.
2.3.4 IT Strategic Plan Review
1. The Steering Committee shall review the IT Strategic Plan at least once a year to ensure that appropriate IT and related business resources are available to fulfil the committed IT plans. Relevant changes shall be made by the GM Information Services.
2.4 IS Department Budget Policy
2.4.1 Objective
The objective of this policy is to prepare an annual budget for the requirements of the IS Department in line with Tapal Tea's annual budgeting and allocation, and to provide guidelines for monitoring performance and for periodic review of the relevance of, and revisions to, the annual budget.
2.4.2 Responsibility
• GM IS
• Steering Committee
• IS Management Staff
• Finance Department
2.4.3 Policy
1. IS Management staff shall be responsible for preparing the annual budget.
2. The budget shall be prepared on a forecasting basis to predict expected future expenditure, and shall be in line with the company's long- and short-range IS plans.
3. The budgeting procedure of the Finance Department, if one exists, may be followed for the IS budget.
4. The annual IS budget shall be reviewed by the GM IS before it is sent to the Finance Department.
5. The IT budget shall first be presented to the IS Steering Committee and then to the Board of Directors for approval along with Tapal Tea's annual budget.
6. For non-budgeted projects and contingency requirements, a detailed business case with cost-benefit analysis shall be prepared and presented to the CEO and/or CFO for approval.
2.5 Personnel Qualification and Competence
2.5.1 Objective
Human resources are the most valuable asset of Tapal Tea. This policy lays down guidelines by which IT management can regularly verify that personnel performing specific tasks are qualified on the basis of appropriate education, training and/or experience.
2.5.2 Prerequisite
This policy should be read in conjunction with:
• Information Security Policies, including
− Human Resource Security
2.5.3 Responsibility
• Steering Committee
• GM Information Services
2.5.4 Policy
1. Experienced staff shall be given the responsibility of imparting technical training to junior staff.
2. Employees shall be encouraged to attend trainings/workshops/short courses relevant to their role at Tapal Tea.
2.5.5 Job Descriptions
1. HR shall clearly define roles and responsibilities for personnel with the help of the relevant department, including the requirement to adhere to policies and procedures, the code of ethics and professional practices.
2. Efforts shall be made to achieve segregation of duties. Where resource constraints prevent full segregation, monitoring (such as independent review of activity logs and approvals) shall be increased to compensate.
2.6 IT Asset Management & Information Classification
2.6.1 Objective
The hardware and software components that constitute Tapal Tea Private Limited’s Information Technology assets represent a sizable monetary investment that must be efficiently monitored, maintained and protected. The management of IS assets should be in line with guidelines of the Information Security Policies of the Company.
The classification of information is a key element in protecting information assets against unauthorized disclosure. The objective of the information classification procedure is to set out guidelines for keeping information assets protected against unauthorized disclosure. It provides a basis for proportionality between the level of information security control and the value of the asset, so as to avoid the cost of over-protecting or the risk of under-protecting information assets.
2.6.2 Prerequisite
This procedure should be read in conjunction with:
• Information Security Policies, including:
− Asset Management and Information Classification
− Access Control Policy
− Physical and Environmental Security
2.6.3 Responsibility
• Steering Committee
• GM Information Services
• Head of departments (Business Heads)
• Supply Chain Management (SCM) Department
2.6.4 IT Asset Management
Step Description Responsibility IT Assets Inventory 1.
Information being recorded for IT assets shall consist of, but is not limited to, the criteria established in Annexure A of Asset Management and Information Classification Policy. IS Department 2.
Changes / upgrades to IT assets shall be timely updated in the IT Asset Inventory. IS Department 3.
All information assets shall be labelled physically or electronically in accordance with their asset classification scheme as described in Annexure - “A IS Department Depreciation of IT Assets
Information Services Policies and Procedures Manual
Tapal Tea (Private) Limited
Proprietary and Confidential – Document Version 1.0 Page 20 of 93
Internal use only
Step Description Responsibility 4.
IS Department to provide relevant information to Finance department in case of depreciation to be recorded against IT assets Depreciation policy of Finance department to be followed (4 years of normal laptops / Desktops and 5 years of servers, network till the end of support). IS Department/ Finance Department Sale / Write off Equipment 5.
IS Department with the help of Finance and SCM departments will initiate to sell / write off an old / obsolete / faulty IT equipment. IS / Finance / SCM Departments 6.
Asset Inventory list to be timely updated, maintained and periodically reviewed. IS Department/ Finance Department Loss of Equipment 7.
In case hardware was under insurance coverage, Finance department dealing insurance related issues, to be informed of loss. Relevant Insurance policy to be followed for loss of equipment and insurance claim. IS Department/ Finance Department 8. Asset Inventory list to be timely updated. IS Department/ Finance Department
2.6.5 Information Classification
Step 1. Business Owners shall be identified (application-wise) by Management. (Responsibility: IS Steering Committee)
Step 2. Data Custodians shall be nominated for the protection of data / information assets. (Responsibility: Business Head)
Step 3. Data Custodians and their nominating Business Heads shall be given awareness training on the protection of information assets. (Responsibility: IS Department / GM IS)
Step 4. Access to information assets within applications shall be granted in accordance with the Access Control policy and procedure. (Responsibility: GM IS / IS Department)
2.7 Vendor Selection & Contracting
2.7.1 Objective
Selecting vendors for outside services and hardware requires the application of stringent evaluation procedures. This policy provides guidelines on the most appropriate way of acquiring hardware and software and outlines the minimum steps to be followed to meet purchasing needs.
2.7.2 Prerequisite
This procedure should be read in conjunction with:
• Information Security Policies, including:
− Supplier Relationships
2.7.3 Responsibility
• Steering Committee
• GM Information Services / IS Department
• Supply Chain Management (SCM) Department
2.7.4 Policy
1. The vendor shall have sufficient experience in the sale and support of computer systems and the relevant equipment.
2. The vendor shall be selected keeping in view the following points:
• Expertise and experience in the domain
• Affiliation with their parent/principal companies, not only to sell the product locally but also to provide after-sales service
• Previous and existing clientele
• Financial stability and good reputation
3. Conflicts of interest between the vendor and any company personnel shall be avoided wherever possible.
4. The vendor representative signing the contract must have the authority to represent their company.
5. Contracts shall include a cancellation and performance clause.
6. Where the vendor is implementing customized software, the source code shall either be received from the vendor initially or there shall be provisions for acquiring the source code in the event that the vendor goes out of business. Clauses for a Software Escrow Agreement shall be included, under which a third party (escrow agent) holds the software in escrow for release should such an event occur. It shall be ensured that product updates and program fixes are included in the escrow agreement, and the escrowed deposit should be periodically verified to be complete and buildable, since an unverified escrow offers little real protection.
7. The vendor should be willing and able to provide a complete set of system documentation for review prior to acquisition. The level of detail and precision found in the documentation may be an indicator of the detail and precision utilized within the design and development of the system itself.
8. The vendor should have available a complete line of support products for the software packages and Hardware solutions. This may include onsite training during implementation, product upgrades, automatic new version notification and onsite maintenance, if requested.
9. Efforts should be made to identify and send “request for proposals” (RFPs) to at least 3 vendors.
10. All vendors shall be required to send their company profile along with client list and reference numbers.
11. Following Items should be addressed in detail when contracting the vendor:
• Fees
• Roles and responsibilities
• Deliverables
• Workflows
• Maintenance procedures
• Access controls
• Security and performance review
• Fallback procedures
• Basis for payment and arbitration procedures.
• Penalty and reward mechanisms
• Confidentiality of information
• Ownership and licensing of Intellectual property
• Transition-out procedures
12. Steering Committee to be consulted if required in case of Vendor selection.
13. Without approval of GM Information Services no IT related purchase order shall be assigned to any vendor.
14. Both the Business Procurement and IS Departments are responsible for verifying that the purchased items match the approved purchase requisition.
15. The warranty and technical support time shall be at least for one year where applicable.
16. Extended warranties options shall be specified by the vendor in the agreement.
17. All agreements between Tapal Tea Private Limited and the vendor shall be in writing.
18. Final contract shall be examined by the legal department of Tapal Tea Private Limited before it is signed.
2.7.5 Procedure
Step 1. Review all requests for proposal (RFPs) to ensure that they:
• Clearly define requirements
• Include a procedure to clarify requirements
• Allow vendors sufficient time to prepare their proposals
• Clearly define award criteria and the decision process
(Responsibility: IS Department / SCM Department)
Step 2. Identify vendors providing the required service via market research, contacting businesses with similar needs, newspapers, etc. (Responsibility: IS Department / SCM Department)
Step 3. Float RFPs and shortlist at least 3 vendors who best meet the requirements. (Responsibility: SCM Department)
Step 4. Contact the parent companies of the vendors to confirm that the vendors are authorized business partners providing products and after-sales service. (Responsibility: SCM Department)
Step 5. Evaluate RFP responses in accordance with the approved evaluation process/criteria, and maintain documentary evidence of the evaluations. Verify the references of candidate vendors. Evaluate responses against the "Vendor Selection and Contracting" policy. (Responsibility: SCM Department)
Step 6. Contact previous and existing clients of the vendors to obtain opinions about product sales and services. (Responsibility: IS Department / SCM Department)
Step 7. Select the vendor that best fits the RFP, document and communicate the decision, and sign the contract. (Responsibility: IS Department)
2.8 IT Equipment / Technology Procurement
2.8.1 Objective
Procurement of cost-effective hardware/software is a key aspect of success for any business. It is imperative that all solutions available in the market are evaluated as part of the cost-benefit analysis, while maintaining transparency in the procurement process. The following procedures establish a procurement process for any hardware/software solution procured for the Company.
2.8.2 Prerequisite
This procedure should be read in conjunction with:
• Vendor Selection and Contracting
• Information Security Policies, including:
− Supplier Relationships
2.8.3 Responsibility
• CEO Tapal Tea Private Limited
• CFO Tapal Tea Private Limited
• GM Information Services
• Finance Department
• Steering Committee
• Supply Chain Management (SCM) Department
• Tapal Tea Staff
2.8.4 Policy
1. All vendors for the procurement of IT equipment / technology shall be selected based on the guidelines and procedure in the section Vendor Selection and Contracting.
2. For IT-related hardware procurement, hardware with a "zero" written-down value in the fixed asset register (i.e. fully depreciated) shall be replaced as per Tapal Tea's Laptop Policy and/or technical need.
3. Branded / new systems shall be recommended only after fulfilling the minimum specifications and requirements.
2.8.5 Procedure for procurement of Minor IT Equipment
Step 1. The IT equipment / software procurement request is raised via the Service Desk system / form / email. (Responsibility: Tapal Tea Staff)
Step 2. Approval is obtained from the respective Business Head / Divisional Head for onward submission of the request to the IS Department. (Responsibility: Business Head)
Step 3. The request is carefully evaluated against future needs and, where possible, fulfilled from the available inventory of IT assets. (Responsibility: GM Information Services / IS Department / Information Security)
Step 4. Where the request cannot be fulfilled from the existing IT inventory, a Local Purchase Request is raised after careful evaluation of needs. (Responsibility: GM Information Services / IS Department)
Step 5. After approval of the Local Purchase Request, the SCM Department contacts an existing vendor to furnish the items. Where a new vendor is to be selected, refer to the "Vendor Selection and Contracting" policy. (Responsibility: SCM Department)
Step 6. Once the equipment is purchased, it is handed over to the IS Department representative and the bill is sent to the Finance Department. (Responsibility: SCM Department)
Step 7. Where the equipment falls within the insurance coverage range, the Finance Department is sent the hardware details to register the asset with the insurance provider. (Responsibility: GM IS / IS Department / Finance Department)
Step 8. The IT Asset Inventory is updated. For inventory management procedures, refer to IT Asset Management (section 2.6.4). (Responsibility: GM IS / IS Department / Finance Department)
Step 9. After updating the inventory, the IS Department hands over the IT equipment to the requesting staff and closes the Service Desk request / email after obtaining formal endorsement. (Responsibility: IS Department / Service Desk / Email)
2.8.6 Procedure for procurement of Major IT Equipment
Step 1. A request form is sent to all departments requiring IT-related equipment (laptops / desktops and accessories). In addition, the IS Department internally evaluates the current inventory against the replacement and upgrade plan. (Responsibility: IS Department)
Step 2. All departments send the completed requests for new IT equipment or replacement of existing IT equipment to the IS Department after approval. Requirements including capitalized items equal to or more than PKR 100,000 are presented to the CFO / CEO along with the justification for approval. Requirements below that amount are presented to the GM IS for approval. (Responsibility: Business Head)
Step 3. The request is evaluated in terms of the IT budget and the available inventory of IT assets. (Responsibility: GM Information Services / IS Department)
Step 4. Where the request requires a new purchase, the IS Department prepares/updates the IT budget and submits it to the Finance Department, which obtains the necessary approval of the CAPEX budget from the Budget Approving Authorities. (Responsibility: Finance Department / Budget Approving Authority)
Step 5. After approval of the budget for the IT equipment, the existing vendor, if any, is contacted to furnish the items. Where a new vendor is to be selected, refer to the "Vendor Selection and Contracting" policy. (Responsibility: IS Department / SCM)
Step 6. Where the equipment falls within the insurance coverage range, the Finance Department is sent the hardware details to register the asset with the insurance provider. (Responsibility: GM Information Services / IS Department / Finance Department)
Step 7. The IT Asset Inventory is updated. For inventory management procedures, refer to IT Asset Management (section 2.6.4). (Responsibility: GM Information Services / IS Department / Finance Department)
Step 8. The IT equipment is then handed over to the requesting departments and the IT Asset Inventory is updated accordingly. (Responsibility: GM Information Services / IS Department)
2.9 Awareness and Compliance of IS Policies and IT Procedures
2.9.1 Objective
Awareness and implementation of IS policies and IT procedures is vital in safeguarding Tapal Tea’s information assets and ensuring smooth operations of IS activities. This policy emphasizes the responsibilities of higher management in creating awareness amongst staff towards implementation of policies and procedures.
2.9.2 Prerequisite
This policy should be read in conjunction with:
• Information Security Policies
2.9.3 Responsibility
• Steering Committee
• GM IS
• IS Manager Operations
• Sr. System Manager
• Sr. Manager IS Operations
• Business Analyst Manager (SAP)
• Business System Manager
• Business Heads (Head of Departments)
• Information Security
2.9.4 Policy
1. It shall be the responsibility of Steering Committee members / Business Heads to ensure awareness of IS policies amongst employees.
2. All employees, regular or on contract, joining Tapal Tea shall be asked to read the IS Policies Manual so as to be fully aware of the Company's IS policies.
3. It shall be made clear to all employees that wilful negligence or a serious compromise of information security shall result in disciplinary action as deemed necessary by the Steering Committee.
4. Users in particular shall be made aware of the importance of data security and shall be urged to take the measures specified in the IS Policies to avoid unauthorized access to confidential information.
3 Developing and Delivering IT Solutions
3.1 Project Definition Policy
3.1.1 Objective
Each project must have objectives that are defined by management and achievable. This policy highlights the importance of project definition.
3.1.2 Policy
1. Each project must have achievable objectives backed by a defined benefits realization (e.g. feasibility study, business case) approved by the IS Steering Committee / Business Heads. For smaller projects, approval from the General Manager Information Services and the relevant business unit is sufficient.
2. Relevant IS Management shall conduct the Feasibility Study of the project, which shall cover technical, operational and monetary aspects.
3. The Feasibility Study shall clearly define the alternatives for the new system. It shall identify whether to acquire an off-the-shelf package, develop internally, outsource, or use a combination of these.
4. Each evaluation shall describe how the alternative meets or does not meet the feasibility criteria.
5. A project schedule must be prepared within which work is performed in measurable milestone units so that progress can be reported.
6. The personnel assigned to the project shall also have their time and commitments defined.
7. The success of a project assignment must also be measurable by KPIs defined and agreed between the IS Department and the business unit.
Project Manager
8. A Project Manager will be appointed to manage the entire project. This may be a staff member delegated by the GM IS. The Project Manager will be accountable to the IS Steering Committee / GM IS for any overspending, delays in schedule, or the project not meeting user expectations.
Information Security
9. Information Security will ensure that system controls and supporting processes provide an effective level of security for information, in accordance with Tapal Tea’s Information Security Policies.
Project Team
10. Depending on the size and urgency of the project, different project teams will be formed to work for a defined time period under the Project Manager nominated by the IT Steering Committee / GM IS.
3.2 Project Documentation Policy
3.2.1 Objective
The objective of this policy is to maintain thorough documentation and to provide a permanent description of the project being undertaken, along with the problems identified and the solution methodology.
3.2.2 Responsibilities
• General Manager Information Services
• Business Analyst Manager (SAP)
• Business Systems Manager
• Relevant IS and InfoSec Staff
• Business Heads
3.2.3 Policy
1. When starting a project, a project binder / folder will be created to provide an ongoing record of information relating to the specific project.
2. Contents shall not be removed from a project documentation binder / folder at any time. If necessary, a copy can be made of any needed part(s) of the binder contents, with both the date and the word “copied” marked on each reproduced page.
3. If the repository is kept in soft-copy form, it must be ensured that the original documents cannot be modified, deleted or purged.
4. All documents created during the development cycle shall be placed in this binder / folder / repository in a timely manner, using the appropriate naming convention.
3.3 Application Development Management
3.3.1 Objective
Application systems are developed and maintained to serve system users by providing them with various data processing and Management Information System (MIS) capabilities. In order to standardize and streamline the system development process, a structured system development methodology needs to be adopted. The objective of every Tapal Tea system development project is to develop systems that are engineered to satisfy the users' requirements within determined cost, schedule and quality guidelines.
3.3.2 Responsibilities
• IS Steering Committee
• General Manager Information Services
• Head of Departments (Business Heads)
• Business Systems Manager
• Senior System Manager
• Business Analysis Manager (Functional Team)
• ABAPer
• Technical Team (Developers)
• User Line Manager
• Users (Intra Departmental Personnel)
3.3.3 Procedure
Step Description Responsibility
Application/Module request & approval
1.
Request for any new application/module development should be initiated by the user and sent to their line manager via portal / email.
Users
2.
User line manager / Business Head should analyse the need and approve the request.
Line Manager / Business Head
3.
Request for application/module development shall be forwarded to the IS Department for evaluation of the change.
User Line Manager
4.
The nature of the development, along with time and cost factors (wherever applicable) and the effect on the system, shall be assessed.
Business Analyst Mgr. / Business System Mgr.
5.
The Business Head shall approve the time and cost factor (if any) for the development required.
Business Head
6.
Where cost and time factors are involved, upon consensus, the feasibility of the project will be presented to the IS Steering Committee.
GM IS / Application Manager / Business System Manager
7.
IS Steering Committee (which also includes the user / requester’s representation) will decide whether to accept or reject the project.
IS Steering Committee
Project Initiation
1.
Project Team shall be formed consisting of the following members:
• Nominated Project Manager
• Representatives from IT (GM IS, Business Analyst Manager, Business Systems Manager, Manager Information Security, Functional / Technical Team, QA)
• User Representative / Business Analyst
QA / Inter Department Personnel function will act as an independent reviewer throughout the project.
IS Steering Committee / GM IS
2.
A high level Project Plan shall be developed having details of all activities, resources and timelines.
Nominated Project Manager
3.
Naming convention will be decided for all documents/deliverables created throughout the project.
Nominated Project Manager
4.
Project Plan shall be updated as the project proceeds.
Nominated Project Manager
System Analysis
1.
User requirements will be documented in detail. In case an existing system fulfils certain requirements, these shall be explicitly mentioned along with the additional features required in the new system.
Nominated Project Manager
2.
Business Requirement Document (BRD) shall be developed in close collaboration with the Business Head, covering the following:
• Project Stakeholders
• Dependency on existing systems (if any)
• Scope of requirements (in scope / out of scope)
• Functional requirements
• Non Functional requirements (wherever applicable)
• Application work flow
• Data Migration process (wherever applicable)
• Business Rules
Nominated Project Manager / Business Head
3.
Users / IT Representative shall work jointly to decide functional / data requirements.
Nominated Project Manager
4.
Adequate security and control features shall be incorporated / defined within the system.
Information Security
5.
Requirements shall be verified to ensure they are complete, consistent, unambiguous, modifiable, testable and traceable.
Users (Inter Departmental Personnel)
6.
Business Requirement Document (BRD), once developed, shall be formally approved by the relevant stakeholders (Business Head / Departmental Head). Any conflicts arising shall be resolved and user/business sign-offs will be obtained. The scope of the project activity will then be frozen.
Business Heads / Nominated Project Manager
7.
Additional hardware/software required for the project shall be arranged as per the feasibility decided.
Nominated Project Manager
8.
Segregation of Duties matrix (Responsibility Matrix) for project personnel shall be developed. There shall be separate test, development and production environments.
Nominated Project Manager
9.
All the risks and areas that could potentially be impacted shall be recorded with the appropriate impact, because they shall need to be addressed in later stages of application development.
Nominated Project Manager / GM IS / Business Head
System Design
1.
System Design Document (SDD) shall be prepared, which shall include, but not be limited to:
• System Input forms / screens
• System Output
• Validation Criteria
• System Security and Control
• Data Structure
• Database Design
• Description of design and database logic
• System Interfacing
• Performance Indicators (if any)
Business Analyst Team (Functional Team) / Technical Team (Developers)
2.
Wherever applicable, detailed schematics of the portions of the communication networks that directly relate to the system shall be designed with the help of the Network Manager.
Business Analyst Team (Functional Team) / Network Manager
3.
Potential threats to the system under development, and the security measures incorporated to reduce or eliminate those threats, shall be outlined. Key information security controls shall be integrated in the System Design Document.
Nominated Project Manager
4.
Process flows and sequence diagrams shall be developed for all processes being built in the application. These should be approved by the user / technical team.
Project Manager / Business Analyst Team (Functional Team) / Users
5.
Timing requirements (response time, throughput time, etc.) for data availability, data storage requirements including internal storage requirements, use of internal storage and auxiliary storage such as tape and disk, and the estimated quantity of storage required for each shall be defined.
Project Manager / Business Analyst Team (Functional Team) / Users
6.
Testing plan for the application shall be devised, including testing methodologies, system success criteria, actual and expected results, etc.
Project Manager / System Analyst Team (Functional Team) / Technical Team (Developers) / Users
7.
Design Documents shall be approved.
GM IS / Business Head
System Development
1.
Coding of the system shall be carried out using the design documents.
Technical Team (Developers)
2.
Database shall be implemented in line with the database diagram defined in the design phase.
Technical Team (Database Administration)
3.
Database design shall be reviewed to ensure that it is built as modelled in the design phase. The review shall cover the following:
• Database indexes.
• Field constraints and data structures in the Database.
• Edit or validation checks.
Business Analyst Team (Functional Team) / Technical Team (Developers)
4.
Application code shall be cross-referenced to the system design documents.
Technical Team (Developers)
5.
Wherever applicable, errors encountered during development / compilation etc. shall be documented.
Technical Team (Developers)
6.
Unit testing shall be performed in accordance with the test plan. The following should be part of unit tests:
• Name of the software module to be tested
• Description and objective of the test
• Any test stubs and drivers used in executing the test
• Test data to be used in the test
• Expected results
• Steps to be taken to execute the test
• Actual results
Business Analyst Team (Functional Team) / Technical Team (Developers)
7.
Unit test results shall be compared with the expected test results documented in the testing plan. Testing cycles will be repeated after code changes until the expected results are achieved.
Business Analyst Team (Functional Team) / Technical Team (Developers)
8.
The Application/Module shall be integrated after successful unit testing. Integration testing shall be performed according to the test plan developed in the System Design phase.
Business Analyst Team (Functional Team) / Technical Team (Developers)
9.
After integration, a review shall be performed to compare actual and expected results. Testing cycles will be repeated after code changes until the expected results are achieved.
Project Manager / Business Analyst Team / Intra Departmental Personnel
10.
Application deployment plan shall be devised.
Project Manager
System Testing
1.
Thorough testing shall be performed of the developed application as per the testing plan. A report having details of test methodologies and results shall be sent to the Project Manager.
Business Analyst Team / Technical Team
2.
Test systems shall be made available with the application installed, for User Acceptance Testing (UAT).
Project Manager / Business Analyst Team (Functional Team)
3.
User Manual shall be developed by the designated resource. User Manual shall contain procedures for using the application.
Business Analyst Team (Functional Team)
4.
Business users shall be trained before UAT.
Project Manager / Project Team
5.
The actual output generated by UAT shall be compared against the expected output documented by the users in the test plan. If deviations from the expected results are discovered, these shall be reported to the GM IS / Steering Committee. The root cause of the variation shall be identified and the rectified system shall be retested.
Users / Business Analyst Team (Functional Team) / Project Manager
6.
UAT results shall be documented and sign-offs / formal comments shall be obtained from business users.
Project Manager / Users
7.
Test results and evaluation reports shall be prepared. This document shall cover the following:
• Results of all system acceptance tests.
• Deviations from the expected results.
• Responsibilities to be assigned to resolve issues during acceptance tests.
• Security considerations.
• Recommendations for improvements, if required.
Project Manager / Business Analyst Team (Functional Team)
System Implementation
1.
System / data conversion shall be performed if required.
Project Manager / Users / Business Analyst Team (Functional Team) / Technical Team (Developers)
2.
System shall be rolled out as per the application deployment plan. A full system test shall be conducted in the actual operations environment. This shall also involve the users as part of final user acceptance testing.
Project Manager / Users
3.
All daily activities necessary to operate the system, including monitoring the system's performance to ensure adequate response time, system security, and problem-free operation, shall be performed.
Project Manager / Users / System Analyst Team (Functional Team) / Technical Team (Developers)
Post Implementation Review
1.
A post implementation review shall be carried out including the following:
• System performance
• Transaction volumes
• Inefficient program statements and modules
• Memory paging and CPU utilization
• Inefficient Database calls, routines, structure and commands
• Availability of the system
• Discrepancies of the system
• Potential system modifications
• Security of the environment
GM IS / Project Manager / Business Analyst Team (Functional Team)
2.
The post implementation report shall be made available to all internal stakeholders.
Project Manager / GM IS
3.4 SAP Change Management Procedure
3.4.1 Objective
The objective of this document is to provide policy and procedure guidance for implementation of change management with respect to SAP Business Suite.
3.4.2 Prerequisite
This procedure should be read in conjunction with:
• IT Organization, Structure and Governance
• Information Security Policies, including:
− Operations Security
− Asset Management and Information Classification
− Access Control Policy
− Supplier Relationships
3.4.3 Responsibility
● GM Information Systems
● Head of Department (HOD) / Business Head
● Business Analysis Manager
● Senior System Manager / System Manager (BASIS)
● SAP Technical and Functional Team (ABAP Developers)
● User (Intra Department Personnel)
● Manager Information Security
3.4.4 Procedure
Step Description Responsibility
Change Request Creation
1.
Request for SAP Changes shall be initiated via an email / form or Service desk portal by the end user after discussion with Head of Department. All change requests pertaining to SAP will be titled as “SAP Change Request”. The request shall contain adequate information for the SAP support team to log and prioritize the change. This includes:
● Name of originator (user who initiated the request)
● Contact details / Department
● Date and Time Stamp
● Significance
− Major Change – Change which might pose a risk for creating a system outage, or provide the ability to modify data used for financial reporting.
− Minor Change – All other change requests.
− Emergency Change – Change which is very critical and if not implemented immediately, could result in long term application outage or data loss.
● Change Priority
− Very High
− High
− Medium
− Low
− Very Low
● Change specification
● Background to change request/Justification
● Required date
User may discuss the change with IS Department first to decide on its significance.
User
2.
After careful analysis, the functional team sends the request to the relevant HOD for approval.
Functional Team
3.
Minor / Major Change Request shall be approved by the concerned HOD. The HOD matrix / Data Owners list shall be approved by the Business Head and the Steering Committee.
Business Head
4.
For emergency change, IS Department shall use its initiative to make the necessary emergency change. Permanent changes shall be applied later to ensure that the long term disruption resulting from the change is minimized. Provisions should be made for the use of special logon IDs (i.e., emergency IDs) that grant ABAPer /analyst temporary access to the production environment during the emergency situations.
GM Information Systems / Business Analyst Manager
5.
Change Request is assessed and approved or rejected by IS Department. In case of rejection the request will be termed as closed in the Service Desk system with appropriate comments.
GM Information Systems / Business Analyst Manager
Change Request Logging
1.
All change requests shall be sequentially numbered and maintained by IS Department via Service Desk System / an email.
All approvals / rejections shall be logged via an email.
GM Information Systems / Business Analyst Manager
2.
Emergency changes done on priority basis shall be logged retrospectively.
GM Information Systems / Business Analyst Manager
Change Request Prioritization and Scheduling
1.
Priority shall be allocated according to severity criteria. The criteria shall address the following:
● Maximum tolerable lead time
● The potential impact of the change
● The risk associated with the change. All the risks and areas that could be potentially impacted shall be recorded with the appropriate impact, because they shall need to be addressed in later stages of the change control process
● The effect/cost of the change not being made
Business Analyst Manager
2.
The developer (ABAPer) shall be assigned specific tasks for coding.
Business Analyst Manager / SAP Team
3.
In case of a major or minor change, or implementation of a new SAP module, the SAP team might be approached to analyze the nature of the change and provide insights to Tapal Tea’s IS management on the workaround and deployment.
GM Information Systems / Business Analyst Manager
4.
Where consultants are approached, the consultants (contracted via SLA) may analyze the nature of the change and inform Tapal Tea’s IS Management of the deployment of their team at Tapal Tea premises to carry out the requested work on site.
SAP Consultants contracted via third party vendors
5.
In case of in-house configuration changes in SAP, activities will be performed by the SAP internal team on a development server which is independent of the Quality Assurance Server as well as the Production (Live) Server.
SAP Functional Team / SAP BASIS Team
6.
An optimal time shall be agreed and communicated to the requester and the Business Owner (Business Head) to propagate the change so as to cause minimal disruption.
Inter Department Personnel
Change Request Design and Implementation
1.
Where the change is originated from a change in business process, detailed specification requirements shall be documented.
User/ Business Head/ Business Analyst Manager
2.
The implementation plan shall be communicated to all relevant business users and support staff.
SAP Team Engagement: Patches are incorporated on special request, with technical assistance from the SAP team, first on DEV; after technical evaluation they are then transported to PRD. The designated QA personnel shall receive the patches from SAP Global / its partners and the “Security Patch Management” procedure shall be followed.
Business Analyst Manager/ Delegated Technical Team
SAP Development in Dev Environment
1.
All Changes after formal approval and assessment (Customized Report Development, Configurational, New functionality etc.) shall be developed in the Development environment.
ABAPer /SAP Team
2.
After development the changes are to be transported to Quality Assurance Test Server to perform detailed testing before further transporting them to the Production (Live) Server.
SAP Basis Team
Testing, evaluation and acceptance of solution
1.
Detailed testing will be carried out in development environment covering:
● Technical testing – ensure changes comply with technical requirements.
● Unit testing – ensure each unit is error free
● Integration testing – ensure change does not affect data/transactions in live environment. Interfaces with other applications shall also be tested.
Final changes shall be made in development environment.
SAP Technical and Functional Team
2.
Once the required change has been developed and transported to the QA environment, the user shall be informed to test the change in the test (QA) environment.
SAP Technical and Functional Team
3.
The respective user shall ensure that the change meets the specifications outlined in the SAP Change Request as raised previously.
Users (Inter Department Personnel)
4.
Formal UAT/ QA Testing record shall be obtained from user over the respective Change Request thread in the email / Service Desk System and consent will be sought for the schedule and final deployment over the production environment.
Users (Inter Department Personnel)
Deploying Changes to production (SAP Change and Transport Management)
1.
After successful UAT and obtaining formal go ahead for implementing changes to the live production environment, final compiled object shall be transported to SAP production environment from the QA environment via SAP Transport Management System.
Direct changes should not be allowed on the production client, unless in exceptional circumstances where changes are not transportable.
SAP Basis Team
2.
A formal log of all Transports carried out via Change and Transport System to Production Environment and relevant documentation pertaining to Transports shall be maintained and updated.
GM Information Systems / Business Analyst Manager / SAP Basis Team
3.
Wherever applicable, system documentation and the configuration database shall be updated.
Business Analyst Manager / SAP Basis Administrator / GM Information Systems
Closing Change Request
1.
Once the change is live, the IT Tech Team shall close the request by updating the comments in the Service Desk portal, and the end user shall be notified via email / Service Desk.
Business Analyst Manager
Post Implementation Review
1.
Formal post implementation review shall be carried out by GM Information Systems, SAP Technical and Functional Team, and Information Security to ensure key security controls are in-place, problems are identified (if any) and action taken to ensure that these problems are not replicated in the future.
GM Information Systems/ SAP Technical and Functional Team / Information Security Function
2.
The post implementation report shall be made available to all internal stakeholders.
GM Information Systems / Business Analyst Manager
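As an added example (not part of the manual or of Tapal Tea’s own tooling), the following Python audit checks a constructed change-request log and transport log against the ordering that 3.4.4 requires: sequential numbering, HOD approval for major/minor changes, retrospective logging for emergency changes, a QA import and a formal UAT record before the transport to PRD, and no direct production change outside the non-transportable exception. The record fields, timestamps and helper names are assumptions; the same checks apply to the software change procedure in 3.5.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Vocabularies taken from the change request fields in 3.4.4 step 1.
SIGNIFICANCE = {"major", "minor", "emergency"}
PRIORITY = {"very high", "high", "medium", "low", "very low"}


@dataclass
class ChangeRequest:
    """One 'SAP Change Request' as logged by the IS Department (constructed schema)."""
    number: int                               # sequential number assigned at logging
    originator: str
    significance: str                         # major / minor / emergency
    priority: str
    hod_approved: Optional[datetime] = None   # HOD approval timestamp (major/minor)
    uat_record: Optional[datetime] = None     # formal UAT record obtained from the user
    logged_retrospectively: bool = False      # required for emergency changes


@dataclass
class Transport:
    """One import recorded in the transport log (constructed schema)."""
    cr_number: int
    target: str                      # "QA" or "PRD"
    imported: datetime
    via_tms: bool = True             # False = direct change on the client
    non_transportable: bool = False  # the exceptional case that permits a direct change


def audit(requests, transports):
    """Return (code, cr_number, message) findings for deviations from the procedure."""
    findings = []
    by_number = {cr.number: cr for cr in requests}

    # Logging step 1: numbers are sequential, so a gap means a request that was
    # never logged or a log that has been altered.
    numbers = sorted(by_number)
    if numbers and numbers != list(range(numbers[0], numbers[0] + len(numbers))):
        findings.append(("numbering", None, "change request numbers are not sequential"))

    for cr in requests:
        if cr.significance not in SIGNIFICANCE:
            findings.append(("bad-significance", cr.number, cr.significance))
        if cr.priority not in PRIORITY:
            findings.append(("bad-priority", cr.number, cr.priority))
        # Logging step 2: emergency changes may skip prior approval but must be
        # logged retrospectively; every other change needs HOD approval.
        if cr.significance == "emergency" and not cr.logged_retrospectively:
            findings.append(("emergency-unlogged", cr.number, "not logged retrospectively"))
        if cr.significance != "emergency" and cr.hod_approved is None:
            findings.append(("no-hod-approval", cr.number, "no HOD approval recorded"))

    # Earliest QA import per request: production must be reached from QA.
    first_qa = {}
    for t in transports:
        if t.target == "QA":
            first_qa[t.cr_number] = min(t.imported, first_qa.get(t.cr_number, t.imported))

    for t in transports:
        if t.target != "PRD":
            continue
        cr = by_number.get(t.cr_number)
        if cr is None:
            findings.append(("unknown-cr", t.cr_number, "PRD transport without a logged request"))
            continue
        # Deploying step 1: direct production changes only when not transportable.
        if not t.via_tms and not t.non_transportable:
            findings.append(("direct-prd-change", cr.number, "direct change on production client"))
        if cr.significance == "emergency":
            continue  # emergency path is covered by the retrospective-logging check
        if cr.hod_approved is not None and cr.hod_approved > t.imported:
            findings.append(("approval-after-prd", cr.number, "HOD approval dated after PRD import"))
        qa = first_qa.get(cr.number)
        if qa is None or qa > t.imported:
            findings.append(("no-qa", cr.number, "no QA import before PRD import"))
        if cr.uat_record is None or cr.uat_record > t.imported:
            findings.append(("no-uat", cr.number, "no UAT record before PRD import"))
    return findings


def stamp(day, hour):
    """Constructed timestamp helper (all samples fall in March 2024)."""
    return datetime(2024, 3, day, hour)


# Constructed sample records: 101 is clean, 102 reached PRD without UAT,
# 103 is an emergency change never logged retrospectively, 104 was changed
# directly on the production client although it was transportable.
SAMPLE_REQUESTS = [
    ChangeRequest(101, "a.user", "minor", "medium", hod_approved=stamp(1, 9), uat_record=stamp(3, 15)),
    ChangeRequest(102, "b.user", "major", "high", hod_approved=stamp(2, 10)),
    ChangeRequest(103, "c.user", "emergency", "very high"),
    ChangeRequest(104, "d.user", "minor", "low", hod_approved=stamp(4, 9), uat_record=stamp(5, 11)),
]
SAMPLE_TRANSPORTS = [
    Transport(101, "QA", stamp(2, 12)), Transport(101, "PRD", stamp(4, 8)),
    Transport(102, "QA", stamp(3, 9)), Transport(102, "PRD", stamp(4, 8)),
    Transport(103, "PRD", stamp(3, 2)),
    Transport(104, "QA", stamp(5, 9)), Transport(104, "PRD", stamp(5, 14), via_tms=False),
]


def run_sample():
    return audit(SAMPLE_REQUESTS, SAMPLE_TRANSPORTS)


if __name__ == "__main__":
    for code, number, msg in run_sample():
        print(f"{code:>20} CR-{number}: {msg}")
```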
3.4.5 Process Flow for SAP Changes / Support Requests
[Process flow diagram, swimlanes “Change Management” and “SAP Functional Consultant”: Change Request initiated by user via helpdesk / email → Head of Department approval (Approved / Not Approved) → Request assigned to developer / ABAPer → Unit testing performed in the development environment → End user intimated for UAT in test environment → User performs the testing and provides UAT acceptance (Approved / Not Approved) → Implementation plan devised → Change implemented to live / production environment → User intimated and request closed via helpdesk / email (CASE CLOSED) → Post implementation review conducted → Post implementation report.]
3.5 Software Change Management Procedure (and Other)
3.5.1 Objective
The objective of this document is to provide policy and procedure guidance for implementation of change management within software applications for Tapal Tea.
3.5.2 Prerequisite
This procedure should be read in conjunction with:
• IT Organization, Structure and Governance Procedure
• Information Security Policies, including:
− Information Systems Implementation and Development
− Operations Security
− Service Level Agreement
3.5.3 Responsibility
● GM Information Systems
● IS Divisional Heads
● Business System Manager
● Divisional Unit Head / Head of Departments (Business Heads)
● Application Administrator
● System Analyst Team (Functional Team)
● Technical Team (Developers)
● User (Intra Department Personnel)
● Manager / Officer Information Security
3.5.4 Procedure
Step Description Responsibility
Change Request Creation
1.
Request for Software Change shall be initiated either by using “Service Desk” or by email. All Change requests pertaining to Software Application will be titled as “Software Change Request”. The request shall contain adequate information for the system support personnel to log and prioritize the change. This includes:
● Name of originator (user who initiated the request)
● Contact details / Department
● Date and Time Stamp
● Significance
− Major Change – Change which might pose a risk for creating a system outage, or provide the ability to modify data used for financial reporting.
− Minor Change – All other change requests.
− Emergency Change – Change which is very critical and if not implemented immediately, could result in long term application outage or data loss.
● Change Priority
− Very High
− High
− Medium
− Low
− Very Low
● Change specification
● Background to change request/Justification
● Required date
User may discuss the change with IS Department first to decide on its significance.
User
2.
Minor / Major Change Request shall be approved as per approval matrix. This matrix shall be approved by Business Head and IS Steering committee.
Business Head / Steering Committee
3.
For emergency change, IS Department shall use its initiative to make the necessary temporary emergency change. Permanent changes shall be applied later to ensure that the long term disruption resulting from the change is minimized.
GM Information Services / Business Systems Manager
4.
Change Request is assessed and approved / rejected by IS Department. In case of rejection the request will be termed as closed in the Service Desk system / via an email.
GM Information Systems / Business Systems Manager
Change Request Logging
1.
All change requests shall be sequentially numbered and maintained by IS Department via Service Desk System / an email.
All approvals/ rejections shall be logged in the Service Desk system / an email.
GM Information Systems / Business Systems Manager
2.
Emergency changes done on priority basis shall be logged retrospectively.
GM Information Systems / Business Systems Manager
Change Request Prioritization and Scheduling
1.
Priority shall be allocated according to severity criteria. The criteria shall address the following:
● Maximum tolerable lead time
● The potential impact of the change
● The risk associated with the change. All the risks and areas that could be potentially impacted shall be recorded with the appropriate impact, because they shall need to be addressed in later stages of the change control process
● The effect/cost of the change not being made
Business Systems Manager (or delegated staff) in collaboration with User
2.
The developer shall be assigned specific tasks for coding via Service desk system / an Email.
Business Systems Manager / System enforced via Service desk.
3.
An optimal time shall be agreed and communicated to the requester and the Business Owner (Business Head) to propagate the change so as to cause minimal disruption.
Users (Intra Department Personnel)
Change Request Design and Implementation
1.
Where the change is originated from a change in business process, detailed specification requirements shall be documented.
User / Business Head/ GM IS
2.
Implementation plan shall be devised with adequate recovery and fall back procedures in place. Original code before change shall be retained until changes have been fully accepted.
Business Systems Manager / Application Administrator
3.
The implementation plan shall be communicated to all relevant business users and support staff.
If the change request is for applications which are not developed in-house, then designated QA personnel shall receive the patches from the vendor and “User Acceptance Testing” procedure shall be followed.
Business Systems Manager / Delegated Technical Team
Coding and Version Control
1.
In case of a change to existing code, the code shall be checked out from the respective area of the source code repository.
The check-out of the source code will be logged by the version control software.
System Analyst Team (Functional Team) /Technical Team (Developers)
2.
The required modification shall be carried out, the source code then deposited back in the repository. Technical/ Functional Team Lead shall be informed after this activity is complete.
The check-in of the code is automatically logged by the version control software. A new version is automatically assigned by the version control software.
Business Systems Manager / System Analyst Team (Functional Team) /Technical Team (Developers)
Testing
1.
Detailed testing is carried out in development environment covering:
● Technical testing – ensure changes comply with technical requirements.
● Unit testing – ensure each unit is error free
● Integration testing – ensure change does not affect data/transactions in live environment.
Final source code shall be compiled in development environment.
System Analyst Team (Functional Team) /Technical Team (Developers)
2.
Inform QA/Intra Department Personnel to test file with filename and version, along with related scripts.
System Analyst Team (Functional Team) /Technical Team (Developers)
User Acceptance Testing
1.
Once the required change has been developed and migrated to the QA Environment, the User shall be informed to test the change in the test environment (QA).
Business Systems Manager
2.
The respective user shall ensure that the change meets the specifications outlined in the Software Change Request as raised in the Service Desk system
User/ Intra Department Personnel
3.
Formal UAT record shall be obtained from user over the respective Change Request thread in the Service Desk System and consent will be sought for the schedule and final deployment over the production environment.
User
Deploying Change to production
1.
Final compiled object transferred to production environment. System documentation and configuration database to be updated.
Designated Functional Team Lead
Closing Change Request
1.
Once the change is live, the request shall be closed off by updating the comments in Helpdesk by IT Tech Team, same is intimated to end user via Service desk / email.
Business Systems Manager /Designated Functional Team Lead
Post Implementation Review
1.
Formal post implementation review shall be carried out to ensure key security controls are in-place, problems are identified (if any) and action taken to ensure that these problems are not replicated in the future.
GM Information Systems / System Analyst Team (Functional Team) / Manager Information Security
2.
The post implementation report shall be made available to all internal stakeholders.
GM Information Systems / Steering committee
3.6 Configuration / Parameter Management
3.6.1 Objective
The purpose of this procedure is to define how configuration level changes shall be implemented and managed to minimize information security threats and unnecessary disruption to business processes.
3.6.2 Prerequisite
This procedure should be read in conjunction with:
• Information Security Policies, including:
− Communications Security
− Operations Security
3.6.3 Responsibility
● GM Information Systems
● Sr. Systems Manager
● Sr. Manager IS Operation
● Manager IS Operation North
● System Manager
● Network and Services Manager
● Information Security Officer
3.6.4 Procedure
Step Description Responsibility
Operating System / Database / Network Devices / Physical & Environment Controllers
1.
In case a configuration/parameter change is required, a request shall be raised via an email or the service desk portal by the concerned IS Staff working in the particular domain.
Database Administrator/ Network Manager / Application Administrator
2.
“System Activity” request shall be approved by GM Information Systems. Approving authorities to ensure that proposed activity does not compromise IT policies or disrupt normal business activities.
GM Information Systems
3.
In case a planned system/network outage is required, the activity shall be performed outside business hours, or business users shall be informed in advance of the outage according to its impact.
Database Administrator/ Network Manager / Application Administrator
4.
Configuration change shall be tested in the test environment before being implemented in production, subject to the availability of a test environment.
Database Administrator/ Network Manager / Application Administrator
5.
Respective administrators shall update configuration database* with new settings and take backup of configuration database to be sent to DR/ offsite site. System documentation shall also be updated
*Configuration database refers to a central repository where configurations of all components (Database, OS, infrastructure etc.) shall be saved. In case of deployment of new database/infrastructure/OS, these configurations shall be used.
Database Administrator/ Network and Services Manager/ Application Administrator
6.
System documentation and configuration database to be periodically reviewed to ensure they are up to date.
GM Information Systems / Sr. System Manager / Sr. Manager IS Operations
7.
Audit trail/log of configuration change implemented shall be maintained, where applicable.
Database Administrator/ Network Manager/ Application Administrator
Application Software
1.
For configuration changes raised by business users, e.g. change in parameterization, the Change Management Procedure is to be followed.
For configuration change raised by Application Administrator, for enhancement of application performance or strengthening of security, Configuration / Parameter Management Procedure to be followed.
Change Management Procedure
Configuration / Parameter Management Procedure
3.7 Network Design Change Management
3.7.1 Objective
The objective of this document is to provide policy and procedure guidance for the implementation of change management within Tapal Tea’s networks/infrastructure.
3.7.2 Prerequisite
This procedure should be read in conjunction with:
• Information Security Policies, including:
− Communication Security
3.7.3 Responsibility
● Chief Finance Officer (CFO)
● GM Information Systems
● Sr. Manager IS Operation
● Network and Services Managers
● Users
3.7.4 Procedure
Step Description Responsibility
Network Change Management
1.
All Change requests pertaining to Network will be raised via an email or Forms.
The request shall be approved by Business head in case request is outside IS Department.
Network Manager / User
2.
In case request is from outside IS Department, it shall be evaluated and forwarded to GM Information Systems.
In case of request within IS Department, it shall be forwarded directly to GM Information Systems.
Network Manager
3.
Request shall be approved/rejected/deferred by GM Information Systems, if required.
For major change the change should be approved by CFO / IS Steering Committee.
GM Information Systems / CFO / IS Steering Committee
4.
Change shall be implemented in test environment first before being rolled out in live environment, where applicable.
Network Manager
5.
Fall back plan / strategy will be created before implementation of change.
Network Manager
6.
In case change was requested by user, he/she shall be informed that change has been implemented. Confirmation to be received from user over the respective email thread.
Network Manager
7.
All “Network Change Requests” shall be retained on emails or forms.
Network Manager
8.
All network documentation to be updated.
Network Manager
9.
Documentation shall be reviewed periodically to ensure it is up to date.
GM Information Systems / Sr. Manager IS Operations
3.8 Tracking Management
3.8.1 Objective
The objective of this document is to provide policy and procedure guidance for maintenance and review of formal documentation reflecting complete track of all the changes carried out for Tapal Tea’s IS Environment.
3.8.2 Prerequisite
This procedure should be read in conjunction with:
• Information Security Policies, including:
− Operations Security
− Communication Security
3.8.3 Responsibility
● GM Information Systems
● Business Analyst Managers (SAP)
● Business System Manager
● Sr. System Manager
● Sr. Manager IS Operation
3.8.4 Procedure
Change Request Tracking
1.
An updated and formal list of all the changes that have been executed and finalized shall be maintained.
GM IS / Sr. Systems Manager / Sr. Manager IS Operations
2.
It shall be ensured that a complete track of all the changes is maintained on service desk and is available for an independent review and audit on quarterly basis.
GM Information Systems / Sr. Systems Manager / Sr. Manager IS Operations
3.
The IS Department shall maintain the detailed documentation of the environment to reflect all change(s) that have an effect on other applications. This relates to networks, system configuration, database configuration and interfaces.
GM Information Systems / Sr. Systems Manager / Sr. Manager IS Operations
4 Operating the IT Environment
4.1 Physical Access Management
4.1.1 Objective
The objective of this procedure is to establish security requirements for access to the information resources of Tapal Tea. Effective implementation of this procedure will streamline the process of access management and minimize unauthorized access to Tapal Tea’s proprietary information systems.
4.1.2 Prerequisite
This procedure should be read in conjunction with:
• Information Security Policies, including
− Access Control Policy
− Physical and Environmental Policy
4.1.3 Responsibility
• GM Information Services
• Designated In Charge Data Centre
• Users
4.1.4 Procedure
A designated in charge of Data Centre (including primary and DR site) shall be nominated from IS Infrastructure Team. The In-Charge Data Centre shall be responsible for managing Physical Access requirements to Data Centre.
4.1.5 Third party / Vendor Access to Data Centre / Network and Power Room
Step Description Responsibility
1.
In case a vendor visit is required, access request to be forwarded to GM Information Services via Service Desk system or an email.
In-Charge Data Centre
2.
Request shall be approved / rejected.
Designated Manager
3.
Vendor to fill the 3rd party Vendor visit log book. Details to be recorded should be as specified in the Physical and Environmental Security Policy.
In-Charge Data Centre
4.
For those vendors who perform routine tasks and visit Tapal Tea frequently, a list of approved vendors with access to the Data Centre to be updated and pasted at the Data Centre entrance.
In-Charge Data Centre
5.
Vendor to be supervised throughout his stay at the Data Centre.
In-Charge Data Centre
6.
3rd party log book to be reviewed as specified in the Information Security Policies.
GM IS / Sr. Manager IS Operations
4.1.6 IT Personnel Access to Server Room / Data Centre
Step Description Responsibility
1.
Request for authorization of access to the server room, along with an explanation, to be sent to GM Information Systems.
In-Charge Data Centre
2.
Request shall be approved or rejected. Outcome to be communicated to In-Charge Data Centre.
GM IS
3.
After approval an access card (RFID) will be assigned to the IT staff seeking access to the Data Centre.
In-Charge Data Centre
4.
In case the request is approved, access to be granted to the requestor. List of approved users with access to the Data Centre to be updated and pasted at the Data Centre entrance.
In-Charge Data Centre
5.
Approved users list to be reviewed as specified in the Information Security Policies.
GM IS / Information Security
4.1.7 Physical Access Revocation
Step Description Responsibility
1.
In case of termination/resignation of IT Staff, or change in responsibilities, access to the server room / data centre shall be revoked.
In-Charge Data Centre / GM IS
2.
The outgoing IT Staff’s access card (RFID) to be formally collected and sign-offs to be acquired for the return of the card on employee clearance.
In-Charge Data Centre
3.
Approved list of users to be updated and signed by GM Information Services.
GM Information Services
4.
List to be pasted at the Data Centre entrance (if possible).
In-Charge Data Centre
4.2 Logical Access Management
4.2.1 Objective
The objective of this procedure is to establish security requirements for access to the information resources of Tapal Tea Private Limited. Effective implementation of this procedure will streamline the process of access management and minimize unauthorized access to Tapal Tea Private Limited’s proprietary information systems.
4.2.2 Scope
• Operating Systems
• Databases
• Applications
• Network Systems
4.2.3 Prerequisite
This procedure should be read in conjunction with:
• Information Security Policies, including
− Access Control Policy
− Physical and Environmental Policy
− Organization of Information Security
4.2.4 Responsibility
• Head of Information Services
• Head of Department (Business Head)
• SAP, System, Application, and Database Administrators
• HR
• Users
4.2.5 Procedure
4.2.6 Logical Access Grant (SAP)
Step Description Responsibility
1.
User shall file a request at the “user creation form” Service desk portal or via an email.
The request shall at a minimum include the following:
• Access Rights Required;
• Necessary comments to justify the requested rights.
User
2.
All Logical Access Requests for SAP shall be approved by the relevant Head of Department.
Business Head
3.
Approved “user creation form” request to be forwarded to IS Department.
System enforced via Service desk or email
4.
All Access requests pertaining to SAP shall be assigned to the SAP Basis Administrator in the Service desk or via an email.
Basis administrator shall seek approval from Senior Manager Systems via the Service desk system or an email / Form.
System enforced via Service desk or email / SAP Basis Administrator
5.
The Logical access request shall be assessed as per the approved user authorization matrix and shall be analyzed for potential SOD conflicts based upon the approved SOD Matrix.
Basis Administrator / Business Analyst / GM IS
6.
In case the requested rights may result in potential SOD conflicts, the user access request shall be rejected/deferred by GM IS after corroboration with the Head of Department.
If deemed necessary, CFO Tapal Tea Private Limited’s consent shall be acquired for conflict resolution.
GM IS / Business Head / CFO Tapal Tea Private Limited
7.
After obtaining all necessary approvals the User-ID along with the requested rights shall be created.
The User shall be notified with the required login credentials and his/her endorsement in the service desk system / via an email shall be sought.
It shall be communicated to the user to change his/her password upon first login.
SAP Basis Administrator / User
8.
After obtaining the formal endorsement from the User the request shall be closed in the service desk system / via an email with appropriate comments.
In case the formal endorsement from the user remains pending for greater than three days, the request shall be automatically or manually closed in the service desk system / via an email.
SAP Basis Administrator / User
9.
User authorization matrix and SOD matrix shall be updated if required.
Business Analyst Manager
4.2.7 Logical Access Grant (Secondary Sales and Other Applications)
Step Description Responsibility
1.
User shall file a request at the “User activation form” service desk portal.
The request shall at a minimum include the following:
• Access Rights Required;
• Necessary comments to justify the requested rights.
User
2.
All Logical Access Requests for Secondary sales and other applications shall be approved by the relevant Head of Department.
Business Head
3.
Approved “User creation form” request to be forwarded to IS Department.
Service desk team
4.
All Access requests pertaining to Secondary sales or other applications shall be assigned to the relevant team in IS dept.
Application administrator shall seek approval from Business System Manager.
IS Designated team
5.
After obtaining all necessary approvals the User-ID along with the requested rights shall be created.
The User shall be notified with the required login credentials and his/her endorsement shall be sought.
It shall be communicated to the user to change his/her password upon first login.
Application Administrator / User
6.
After obtaining the formal endorsement from the User the request shall be closed in the service desk system with appropriate comments. In case the formal endorsement from the user remains pending for greater than three days, the request shall be automatically closed in the service desk system.
Application Administrator / User
4.2.8 Logical Access Grant (System / Network and Database Administrators)
Step Description Responsibility
1.
IT Staff shall file a request at the “User activation form” service desk portal.
The request shall at a minimum include the following:
• Administrative Rights Required;
• Necessary comments to justify the requested rights.
IT Staff
2.
All privileged access requests for administrators shall be approved by GM IS.
GM IS
3.
Approved “User creation form” request to be forwarded to IS Department.
Service desk team
4.
After obtaining all necessary approvals the User-ID (other than the default Admin ID) along with the requested administrative rights shall be created.
The IT staff shall be notified with the required login credentials and his/her endorsement shall be sought.
It shall be communicated to the user to change his/her password upon first login.
Relevant Administrator and Requester
5.
After obtaining the formal endorsement from the User the request shall be closed in the service desk system with appropriate comments.
Relevant Administrator / Service Desk
4.2.9 Logical Access modification (SAP & Other Applications)
Step Description Responsibility
1.
User shall file a request at the service desk portal (User form) or via an email.
The access rights modification request shall at a minimum, but not limited to, include the following:
• Access Rights Required / To be Modified (Add or Remove);
• Necessary comments to justify the requested rights.
User
2.
All Logical Access Requests for Access Rights Modifications in SAP or other applications shall be approved by the relevant Head of Department / Business Head.
Head of Department / Business Head
3.
Approved request to be forwarded to IS Department.
System enforced via service desk, user form or email
4.
All Access rights modification requests pertaining to SAP shall be assigned to the SAP Basis Administrator via a user form or email.
All Access rights modification requests pertaining to other applications shall be assigned to the relevant application Administrator in the service desk request.
Basis or other applications administrator shall seek approval from the relevant IS managers.
System enforced via service desk / SAP Basis and other applications Administrator
5.
The access rights modification request shall be assessed as per the approved user authorization matrix and shall be analyzed for potential SOD conflicts based upon the approved SOD Matrix.
Business Analyst Manager / Business System Manager / SAP Basis Administrator
6.
In case the requested rights may result in potential SOD conflicts, the service desk request shall be rejected/deferred after corroboration with the Business Head / Head of Department.
If deemed necessary, CFO Tapal Tea Private Limited’s consent shall be acquired for conflict resolution.
GM IS / Business Head / CFO Tapal Tea Private Limited
7.
After obtaining all necessary approvals the User-ID with the requested rights shall be modified.
The User shall be notified and his/her endorsement in the service desk system or via an email shall be sought.
SAP Basis Administrator / Application Administrator / User
8.
After obtaining the formal endorsement from the User the request shall be closed in the service desk system or via an email with appropriate comments.
In case the formal endorsement from the user remains pending for greater than three days, the request shall be automatically or manually considered closed.
SAP Basis Administrator / Applications Administrator / User
9.
User authorization matrix and SOD matrix shall be updated if required.
Business Analyst Manager / Business Systems Manager / GM IS
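Steps 5 and 6 above, and the identical assessment in the SAP access grant procedure (4.2.6, steps 5 and 6), can be made mechanical once the user authorization matrix and the SOD matrix are kept as data. The following is an added example and not Tapal Tea’s own tooling: the job titles, role names, AUTHORIZATION_MATRIX and SOD_MATRIX are constructed sample data, and assess_request and Assessment are hypothetical helper names. It assesses the role set the user would hold after the add/remove change, so a newly requested role that conflicts with one the user already holds is caught as well.

```python
"""SOD screening of an access grant / modification request (added example).

Not Tapal Tea's own tooling. AUTHORIZATION_MATRIX, SOD_MATRIX, the job titles
and the role names are constructed sample data; assess_request and Assessment
are hypothetical helper names.
"""
from dataclasses import dataclass, field

# Constructed sample of the approved user authorization matrix:
# which roles each job title may hold.
AUTHORIZATION_MATRIX = {
    "AP Clerk": {"VENDOR_INVOICE_ENTRY", "REPORT_VIEW"},
    "AP Supervisor": {"VENDOR_INVOICE_APPROVE", "PAYMENT_RELEASE", "REPORT_VIEW"},
    "Procurement Officer": {"VENDOR_MASTER_MAINTAIN", "PURCHASE_ORDER_CREATE", "REPORT_VIEW"},
}

# Constructed sample of the approved SOD matrix: role pairs that one user must
# never hold together. A frozenset makes (A, B) and (B, A) the same entry.
SOD_MATRIX = {
    frozenset({"VENDOR_MASTER_MAINTAIN", "PAYMENT_RELEASE"}),
    frozenset({"VENDOR_INVOICE_ENTRY", "PAYMENT_RELEASE"}),
    frozenset({"PURCHASE_ORDER_CREATE", "PAYMENT_RELEASE"}),
}


@dataclass
class Assessment:
    resulting_roles: set = field(default_factory=set)
    not_authorized: set = field(default_factory=set)    # roles outside the job title's allowed set
    sod_conflicts: list = field(default_factory=list)   # conflicting pairs, as sorted tuples

    @property
    def outcome(self) -> str:
        # Step 6: any conflict or unauthorized role means reject/defer, pending
        # corroboration with the Head of Department (and CFO consent if needed).
        return "REJECT_OR_DEFER" if (self.not_authorized or self.sod_conflicts) else "APPROVE"


def assess_request(job_title, current_roles, add=(), remove=()):
    """Assess the role set the user would hold AFTER the change (step 5).

    Checking the resulting set rather than only the added roles catches a
    conflict between a newly requested role and one the user already holds.
    """
    resulting = (set(current_roles) | set(add)) - set(remove)
    allowed = AUTHORIZATION_MATRIX.get(job_title, set())
    result = Assessment(resulting_roles=resulting)
    result.not_authorized = resulting - allowed
    result.sod_conflicts = sorted(
        tuple(sorted(pair)) for pair in SOD_MATRIX if pair <= resulting
    )
    return result


if __name__ == "__main__":
    # A clerk asking for payment release: outside the job's matrix AND an SOD conflict.
    a = assess_request("AP Clerk", {"VENDOR_INVOICE_ENTRY", "REPORT_VIEW"}, add={"PAYMENT_RELEASE"})
    print(a.outcome, a.not_authorized, a.sod_conflicts)
    # The same person promoted to supervisor, with invoice entry removed: clean.
    b = assess_request("AP Supervisor", {"VENDOR_INVOICE_ENTRY", "REPORT_VIEW"},
                       add={"PAYMENT_RELEASE"}, remove={"VENDOR_INVOICE_ENTRY"})
    print(b.outcome, b.not_authorized, b.sod_conflicts)
```

The two matrices are the control; the code only makes the comparison repeatable and leaves a record of which pair conflicted, which is what the administrator needs when corroborating with the Head of Department in step 6. Step 9 (updating the matrices) is a change to the data, not to the check.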
4.2.10 Logical Access Revocation
Step Description Responsibility
Terminated Employee
1.
IS department shall be informed via an email or phone call of the terminated employee.
HR (ER)
2.
Relevant Administrators shall revoke access from all Tapal Tea Private Limited applications and systems immediately.
Application / Network / Database Administrator
3.
Leaver’s Line Manager / Head of Department to be contacted for recovery of any IS assets assigned to the terminated employee.
HR Department
4.
Employee Leaving checklist to be completed retrospectively.
Application / Network / Database Administrator
Leaver / Resigned Employees
1.
IS Department to be informed of leavers. As soon as the employee is end-dated in SAP HR by HR, an automatic request for the employee’s email-id deactivation is generated to the relevant IS Manager.
HR / System enforced via service desk
2.
Employee leaving status shall be updated in the service desk; respective administrators to revoke access from all Tapal Tea Private Limited applications and systems.
Application / Network / Database Administrator
3.
Leaver’s Head of Department to be contacted for recovery of any IS assets assigned to the leaver.
IS Department
4.
Employee Leaving checklist to be completed retrospectively.
Application / Network / Database Administrator
4.2.11 Account Reactivation
Step Description Responsibility
1.
In case a user account is locked out, a service desk request or an email will be generated.
User
2.
Respective Administrator will be assigned against the service desk request or over the email.
Service desk
3.
Respective administrator will change the password whenever required.
Application Administrator / Network Administrator / Database Administrator
4.
The User shall be notified of the password reset and his/her endorsement in the service desk system shall be sought.
Application Administrator / Network Administrator / Database Administrator
5.
After obtaining the formal endorsement from the User the request shall be closed in the service desk system with appropriate comments.
In case the formal endorsement from the user remains pending for greater than three days, the request shall be automatically closed in the service desk system.
Application Administrator / Network Administrator / Database Administrator
6.
Password shall be changed at first logon.
User
4.2.12 Access Rights and Logs Review
Step Description Responsibility
User Profile
1.
Relevant administrator shall generate user profiles of all users from the systems and circulate the same to the concerned departmental heads on a quarterly basis.
Application Administrator / Network Administrator / Database Administrator
2.
User Profiles shall be reviewed according to the job descriptions, and any amendments marked on the user profile and signed off / emailed. The user profile shall be forwarded to the IS Department.
Department Heads & GM IS
3.
Relevant system administrator shall modify the access rights accordingly and keep the signed-off / emailed copies for future reference.
Application Administrator / Network Administrator / Database Administrator
Privileged IDs
1.
Logs of privileged IDs shall be generated as per IS Policy.
Database Administrator / Application Administrator / Network Administrator
2.
Logs to be reviewed for any suspicious activities and review results to be retained for audit purposes. Investigation to be carried out in case suspicious activities are detected.
GM IS
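Step 2 of the Privileged IDs review states what to look for but not how. The following is an added example, not Tapal Tea’s own review tooling, that runs a few such checks over constructed sample log lines: interactive use of system-supplied accounts, privileged logins outside business hours, access to sensitive tables, and repeated failed logins. The log line format, the privileged-ID list, the sensitive-table list, the business-hours window and the failure threshold are all assumptions, and review_privileged_logs and review_summary are hypothetical helper names. The same checks apply to the failed/successful login and sensitive-table audit events that the Database Management procedure (4.5.3, Configuration step 1) requires to be logged.

```python
"""Review of privileged-ID activity logs for suspicious events (added example).

Not Tapal Tea's own tooling. The line format, PRIVILEGED_IDS, SENSITIVE_TABLES,
BUSINESS_HOURS and FAILED_LOGIN_THRESHOLD are assumptions, and SAMPLE_LOG is
constructed sample data.
"""
from collections import Counter, defaultdict
from datetime import datetime

PRIVILEGED_IDS = {"sys", "system", "sapadm", "dbadmin", "netadmin"}  # assumed list
SYSTEM_SUPPLIED = {"sys", "system"}        # must not be used for day-to-day operations
SENSITIVE_TABLES = {"PAYROLL", "BANK_ACCOUNTS"}   # assumed list of sensitive tables
BUSINESS_HOURS = (9, 18)                   # assumed 09:00-18:00 local time
FAILED_LOGIN_THRESHOLD = 3                 # assumed: 3+ failures from one ID/host

# Constructed sample log lines:
# "<ISO timestamp> <host> <account> <LOGIN_OK|LOGIN_FAIL|TABLE_ACCESS> <detail>"
SAMPLE_LOG = """\
2024-03-04T09:15:02 db01 dbadmin LOGIN_OK console
2024-03-04T09:16:40 db01 dbadmin TABLE_ACCESS PAYROLL
2024-03-04T13:02:11 db01 sys LOGIN_OK sqlplus
2024-03-04T22:41:09 db01 dbadmin LOGIN_OK remote
2024-03-05T02:10:01 app01 sapadm LOGIN_FAIL bad_password
2024-03-05T02:10:07 app01 sapadm LOGIN_FAIL bad_password
2024-03-05T02:10:13 app01 sapadm LOGIN_FAIL bad_password
2024-03-05T02:10:20 app01 sapadm LOGIN_FAIL bad_password
2024-03-05T10:00:00 app01 jsmith LOGIN_OK web
"""


def parse_line(line):
    """Split one log line into its five fields; timestamps become datetimes."""
    ts, host, account, event, detail = line.split(maxsplit=4)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "account": account.lower(), "event": event, "detail": detail}


def review_privileged_logs(text):
    """Return findings as (finding_code, account, host, timestamp), oldest first."""
    findings = []
    failures = defaultdict(list)   # (account, host) -> timestamps of failed logins
    for raw in text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["account"] not in PRIVILEGED_IDS:
            continue   # only privileged IDs are in scope of this review
        ts, acct, host, event = rec["ts"], rec["account"], rec["host"], rec["event"]
        if event == "LOGIN_OK" and acct in SYSTEM_SUPPLIED:
            findings.append(("SYSTEM_ACCOUNT_USED", acct, host, ts))
        if event == "LOGIN_OK" and not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
            findings.append(("OFF_HOURS_LOGIN", acct, host, ts))
        if event == "TABLE_ACCESS" and rec["detail"].upper() in SENSITIVE_TABLES:
            findings.append(("SENSITIVE_TABLE_ACCESS", acct, host, ts))
        if event == "LOGIN_FAIL":
            failures[(acct, host)].append(ts)
    # Repeated failures are judged per ID/host pair once the whole log is read.
    for (acct, host), times in failures.items():
        if len(times) >= FAILED_LOGIN_THRESHOLD:
            findings.append(("REPEATED_LOGIN_FAILURES", acct, host, times[-1]))
    findings.sort(key=lambda f: f[3])
    return findings


def review_summary(findings):
    """Counts per finding code, suitable for the retained review record."""
    return dict(Counter(f[0] for f in findings))


if __name__ == "__main__":
    for code, acct, host, ts in review_privileged_logs(SAMPLE_LOG):
        print(f"{ts.isoformat()} {host:6} {acct:8} {code}")
    print(review_summary(review_privileged_logs(SAMPLE_LOG)))
```

Every finding is a lead for the investigation the step requires, not a conclusion; an off-hours login by the DBA during an approved planned outage is expected, which is why the review result, with the reviewer’s disposition of each finding, is what gets retained for audit.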
4.3 Active Directory and Email Access Management
4.3.1 Objective
The purpose of this procedure is to minimize the risk associated with Active Directory and E-mail services, and to define controls against the threats of unauthorized access and theft of information/services.
4.3.2 Prerequisite
This procedure should be read in conjunction with:
• Information Security Policies, including
− Access Control Policy
− Email Policy
4.3.3 Responsibility
• GM IS
• System Team
• Head of Department (Business Head)
• User
• HR
4.3.4 Procedure
Step Description Responsibility
Email Access
1.
HR department shall give the “Account Activation Form” to the new joiner for Active Directory and Email access. After it is filled in by the user, HR forwards the form to IS Department, which will grant an AD identity and email ID for the new joiner.
HR / IS Department
2.
If an AD / network and email ID for an existing employee is required, the user shall generate a request in the Service Desk System or via an email, which will be approved by the Head of Department. After necessary approval from the Head, the request is forwarded to IS Department for action.
User / Head of Department (Business Head)
3.
The service desk request for the generation of a new network and email ID shall be checked for the relevant approval.
Email Server and Active Directory Administrator
4.
AD and Email ID shall be created by the relevant administrator using the information specified in the email request (First Name, Last Name, Department, Title).
Email Server and Active Directory Administrator
5.
After necessary approval by GM IS, the User will be assigned a unique Domain ID and email ID and his/her computer shall be configured with domain and email access.
Email Server and Active Directory Administrator
Operational & Monitoring
1.
Appropriate restrictions shall be placed, e.g. email attachment limits, installation restrictions, sensitive Windows file access restrictions etc.
System Manager
2.
Email disclaimer, as stated in the Email Policy, must be added underneath the signature by the server.
“Interactive Logon: Message title for users attempting to log on” should be set with a legal notice and warning.
Email Server and Active Directory Administrator
3.
Content scanning may be done to detect emails containing malicious, offensive, racist or obscene remarks. If found, they shall be reported to the GM IS.
Email Server and Active Directory Administrator
Terminated Employees / Leavers
1.
IS Department shall be informed of the Terminated Employee / Leaver. Request for the employee’s domain and email-id deactivation is generated via an email.
HR (ER)
2.
Backup of all emails and important files of the Terminated Employee / Leaver to be taken.
User
3.
Email ID and Domain ID to be blocked immediately.
Email Server Administrator
4.4 Internet Access Management
4.4.1 Objective
The purpose of this procedure is to minimize the risk associated with Internet access and to define controls against the threats of unauthorized access and theft of services.
4.4.2 Prerequisite
This procedure should be read in conjunction with:
• Information Security Policies, including
− Access Control Policy
− Internet Usage Policy
4.4.3 Responsibility
• GM IS
• Sr. Manager IS Operations
• Network Manager
• Head of Department / Business Head
• User
4.4.4 Procedure
Step Description Responsibility
Access to Internet
1.
The user shall generate a request for Internet Access in the Service Desk System / email, which will be approved by the Head of Dept.
After necessary approval from the Head, the request is forwarded to IS Department for action.
Streaming and social media access is allowed on M4 and above positions.
User / Relevant Head of Department / IS Department
2.
The Business Head / Head of Department should evaluate the need for the request before approval.
Business Head / Head of Department
3.
Internet Access Request shall be checked for the relevant approval and the request shall be approved/rejected/deferred.
GM IS may be consulted for content access approval.
Information Security function may be consulted if required.
GM IS / IS Operation Manager / Network Manager
4.
In case of approval, the user PC shall be provided internet access.
Network Manager
Operational & Monitoring
1.
All ports, other than those required for Internet (e.g. http-www), emails (pop & SMTP) and file transfers (ftp), shall be blocked.
Network Manager / GM IS
2.
Network traffic shall be monitored to check that it passes through the firewall.
Network Manager / GM IS
3.
Network utilization and downtime shall be monitored.
Network Manager
4.
Any misuse of the internet facility detected shall be reported to GM IS.
Network Manager
4.5 Database Management
4.5.1 Objective
Data stored within the Company’s databases is critical and provides valuable information for management decisions. This procedure is aimed at ensuring the integrity, security, consistency and accuracy of the organizational databases by providing database management guidelines.
4.5.2 Responsibility
• GM Information Services
• Database Administrator
4.5.3 Procedure
Installation
1. The Database Administrator shall be provided with database software that shall be approved before installation. [Responsibility: GM IS]
2. All the default passwords of the system-supplied accounts present in the database system shall be changed. [Responsibility: Database Administrator]
3. A separate ID with privileges shall be created for use. System-supplied or “SYS” & “System” equivalent access accounts shall not be used for day-to-day operations. [Responsibility: Database Administrator / GM IS]
Configuration
1. Auditing shall be enabled for all sensitive and security-related transactions. Moreover, key events like failed logins, successful logins and sensitive table access related events will be logged at a minimum. [Responsibility: Database Administrator]
2. Changes to the schema, i.e. create, alter or drop of sensitive/critical tables, shall follow the change management process. [Responsibility: GM IS / Database Administrator]
3. A configuration database shall be created holding all baseline security settings. This database shall be updated upon all configuration changes. [Responsibility: Database Administrator]
Operation
1. A list shall be maintained of roles and access rights of the authorized database accounts. This list shall be updated whenever required. The list shall include:
• User list against each role
• Access rights granted for each role
[Responsibility: Database Administrator]
2. A Data Dictionary shall be created for all user-defined Tapal Tea databases. [Responsibility: Database Administrator]
Monitoring
1. On a random basis, database logs shall be reviewed for any suspicious activity. Any anomaly noted shall be reported to the Head of Information Systems. [Responsibility: Database Administrator]
2. Logs of privileged user IDs (e.g. DBA) shall be reviewed as stated in the IS Policy. [Responsibility: Information Security]
4.6 System Management and Administration
4.6.1 Objective
The Procedure is to outline the responsibilities and guidelines for all individuals who function as system administrators.
4.6.2 Prerequisite
This procedure should be read in conjunction with:
• Information Security Policies, including
− System Acquisition, Development and Maintenance
− Operations Security
4.6.3 Responsibility
• GM Information Services
• Sr. Manager IS Operations
• Network and Service Manager
• System Manager
4.6.4 Procedure
Clock Synchronization
1. On a quarterly basis the system clock of the central server (with NTP service activated) shall be checked to ensure it is accurate. [Responsibility: System Manager / Sr. System Manager]
2. System clocks of all machines shall be synchronized with the clock of the central server automatically when the client machines log on to the central server. Users shall not have rights to modify the system time. [Responsibility: System Manager / Sr. System Manager]
Installation of Server-end OS
1. The System Administrator shall provide OS software that shall be approved before installation. The System Administrator is responsible for all aspects of installation of the systems, including loading of software on servers. Nobody shall install or modify software on a server without the approval of the authorized person. [Responsibility: Sr. Manager IS Operations / Network and Service Manager / Sr. Systems Manager]
2. All the default passwords of the system-supplied accounts present in the operating system shall be changed, and all unnecessary default accounts shall be disabled. [Responsibility: Sr. Manager IS Operations / Network and Service Manager]
3. A separate ID with privileges shall be created for use. System-supplied or “Administrator” & “root” equivalent access accounts shall not be used for day-to-day operations. [Responsibility: Sr. Manager IS Operations / Network and Service Manager]
4. The server shall be joined to the Tapal Tea Private Limited domain. [Responsibility: System Administrator / Domain Administrator / Sr. Manager IS Operations / Network and Service Manager]
Installation of User-end OS
1. User-end OS software shall be approved before installation. The Service Desk Support Staff / IS Staff is responsible for all aspects of installation of the OS on end users' PCs. All end users shall be barred from administrative controls. [Responsibility: Service Desk / IS Staff]
2. All the default passwords of the system-supplied accounts present in the operating system shall be changed, and all unnecessary default accounts shall be disabled. [Responsibility: Service Desk / IS Staff]
3. The prepared system shall be joined to the Tapal Tea Private Limited domain. [Responsibility: Service Desk / IS Staff]
Configuration
1. Auditing shall be enabled for all sensitive and security-related events. Moreover, key events like failed logins, successful logins and sensitive file/folder access related events will be logged at a minimum. [Responsibility: System Manager / Sr. System Manager]
2. Changes to sensitive files / folders, i.e. file shares / file permissions, shall be restricted and require permission from the Head of Information Services. [Responsibility: System Manager / Sr. System Manager]
3. Unnecessary OS services shall be stopped. A security baseline document shall be maintained (where necessary). [Responsibility: System Manager / Sr. System Manager]
4. A configuration database shall be created holding all OS baseline settings. This database shall be updated upon all configuration changes. [Responsibility: System Manager / Sr. System Manager]
Operation
1. A list shall be maintained of access rights of the authorized OS local users. This list shall be updated whenever required. [Responsibility: System Manager / Sr. System Manager]
Monitoring
1. On a random basis, OS-related audit logs (Event Logs) shall be reviewed for any suspicious activity. Any anomaly noted shall be reported to the Head of Information Services. [Responsibility: System Manager / Sr. System Manager]
2. Logs of privileged user IDs (System Administrator / root / Administrator) shall be reviewed as stated in the IS Policy. [Responsibility: Information Security / GM IS]
4.7 Installation and Use of Licensed Software
4.7.1 Objective
A software license grants an organization the legal right to use the software, apart from ensuring compliance with copyright laws. Organizations look to a software contract as a means of investment protection, thereby ensuring support from vendors as well as avoiding any bad reputation arising from legal action in case of non-compliance. This procedure describes the process of requesting installation of software on desktops/laptops etc.
The objective of this procedure is to streamline the process of having licensed software installed without facing disruptions in normal day to day business.
4.7.2 Prerequisite
This procedure should be read in conjunction with:
• Information Security Policies
4.7.3 Responsibility
• GM Information Services
• Sr. System Manager
• Head of Department (Business Head)
• Users
4.7.4 Policy
1. All software license purchases shall be made in the legal name of the company and not in any other entity / individual's name.
2. For licensed software acquired from third-parties (including authorized dealers and software developers), it shall be ensured that the third party is capable of validating, protecting and maintaining the software license rights.
3. List of licensed software shall be maintained as per their license agreement i.e. “perpetual” or “term license” and the no. of users supported. This list should be timely updated when new software is purchased or license is renewed.
• Perpetual license - agreement has unlimited validity period since the organization owns the license.
• Term license - agreement has a definite validity period.
4. Designated personnel managing IT inventory shall review the licensed software list periodically and inform GM Information Services about software license agreements that are near expiration.
4.7.5 Procedure
1. For software that is already in use, the requirement will be forwarded by the user department after the approval of IS via a Service Desk Request or an email. For a new software requirement, Business Head approval is required on the Service Desk Request or the email. [Responsibility: Users / Business Head]
2. The request shall be matched with the existing software license inventory, and if a license is available, the request shall be queued for installation. [Responsibility: Service Desk / Sr. System Manager]
3. In case a license is not available and the requirement needs to be procured, the request shall be checked for Business Head approval. [Responsibility: GM Information Services / Service Desk / Sr. System Manager]
4. The request is to be forwarded to GM IS for final approval. The IT Equipment / Technology Procurement procedure is to be followed. [Responsibility: GM Information Services]
5. Once the software is available (purchased or existing in inventory), IS Staff will install the new software. After installation on the user's computer, an acknowledgement shall be obtained from the user over the Service Desk or via an email. [Responsibility: Service Desk]
6. After receiving the acknowledgement, the IT Inventory Maintainer is to be informed to update the "number of current users" in the Software License Inventory. [Responsibility: Sr. System Manager / System Manager]
4.8 Security Patch Management
4.8.1 Objective
The purpose of this procedure is to lay down guidelines and best practices which are to be followed in case of deployment of security patches on production environment.
4.8.2 Responsibility
• GM of Information Services
• Sr. Manager IS Operations
• Sr. System Manager
• IS Manager Operation
• System / Network / Application (Administration Team)
4.8.3 Patch Management
Software vendors release security and correction patches at regular intervals on their service portals. All new patches shall be regularly checked for applicability. Security patches shall not be ignored.
For business applications, a patch is first applied on DEV / QA (Development Environment) and, after technical evaluation, transported to PRD (Production Environment).
4.8.4 Procedure
1. Public, private, vendor and industry vulnerability reports shall be monitored periodically to identify the latest patches available. Live updates to software shall be enabled for notifications regarding new security patches, where applicable. [Responsibility: Sr. System Manager / System / Network / Application (Administration team)]
2. A request pertaining to new patch / service pack deployment shall be raised via an email to the Line Manager and it shall be assigned to the relevant IT support staff. [Responsibility: Sr. System Manager / System / Network / Application (Administration team)]
3. Patches shall be ranked using the following convention, based on their criticality. The rollout plan shall be devised depending on criticality.
• Emergency (Very High): The threat source is critical and immediate deployment is required to safeguard against damage to business and information assets.
• High: The threat source is highly motivated and sufficiently capable; controls to prevent the vulnerability from being exercised are ineffective.
• Medium: The threat source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.
• Low: The threat source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised. This level also covers patches that only add features.
In case of emergency, approval from the GM of Information Systems / designated personnel shall be required to immediately deploy the patch. [Responsibility: Sr. System Manager / System / Network / Application (Administration team)]
4. Patch files shall be scanned for threats using antivirus before deployment, where applicable. [Responsibility: Sr. System Manager / System / Network / Application (Administration team)]
5. The patch shall first be tested in the test environment to ensure it has no adverse effect on the systems. Wherever applicable, all the risks and areas that could potentially be impacted shall be recorded with the appropriate impact. [Responsibility: Sr. System Manager / System / Network / Application (Administration team)]
6. After testing the patch on the Test (QA) environment, the patch implementation plan shall be devised with adequate recovery and fallback procedures in place, for all applications. The implementation plan shall be communicated to all relevant business users / Business Heads and support staff whose operations may be affected. [Responsibility: GM Information Services / Application Administrator (Administration team)]
7. In case a planned system/network outage is required, the activity should be performed outside business hours, or business users shall be informed at least 1 day in advance of the outage. [Responsibility: Sr. System Manager / System / Network / Application (Administration team)]
8. After successful implementation of the patch, the respective request shall be closed with appropriate comments. [Responsibility: Sr. System Manager / System / Network / Application (Administration team)]
9. Patch deployment history shall be maintained. [Responsibility: Sr. System Manager / System / Network / Application (Administration team)]
10. System documentation and the configuration database are to be periodically reviewed to ensure they are up to date. [Responsibility: GM Information Services / Sr. System Manager / System / Network / Application (Administration team)]
4.9 Password Storage & Management
4.9.1 Objective
The purpose of this procedure is to establish mechanisms to keep administrative passwords safe and available for emergency use.
4.9.2 Prerequisite
This procedure should be read in conjunction with:
• Information Security Policies, including
− Access Control Policy
4.9.3 Responsibility
• General Manager Information Services
• Senior Manager IS Operations
• Network and Services Manager
• Sr. Systems Manager
• System Manager
• IS Manager Operations
• System / Network / Application (Administration Team)
• Database Administrator
• Information Security Function
4.9.4 Procedure
1. All passwords of default administrative accounts will be kept in sealed envelopes in a locked cabinet/safe, for use in a future disaster. [Responsibility: GM IS]
2. These passwords can only be used in case of emergency after a formal approval from the GM IS. A log shall be maintained for the use of these passwords. [Responsibility: GM IS]
3. The administrators will reset all the administrative passwords every 90 days. [Responsibility: Sr. System Manager / System / Network / Application (Administration team)]
4. It shall be ensured that passwords are changed every 90 days. All previous envelopes shall be destroyed. A log shall be maintained for each password change (where applicable). [Responsibility: Information Security function]
4.10 Security Incident Management
4.10.1 Objective
The objective of this procedure is to provide guidelines on reducing the potential business impact and risk of incidents occurring, by responding to incidents in a manner that allows timely corrective action, and on identifying the perpetrators of malicious acts and preserving sufficient evidence to prosecute them if required.
4.10.2 Prerequisite
This procedure should be read in conjunction with:
• Information Security Policies, including
− Security Incident Management
− Organization of Information Security
4.10.3 Responsibility
• General Manager Information System
• IS Management
• Service Desk Team
• IS Support Staff (if any other)
• Users
• Information Security Function
4.10.4 Procedure
1. Information Security / GM IS are to be notified whenever any kind of technology-related incident is detected. For any kind of security incident, refer to the Security Incident Management policy. Incidents will be logged in the IS Service Desk system. [Responsibility: IS Service Desk Executive / IS Support Staff / User]
2. Additional staff of the IS Department are to be consulted if necessary, depending upon the incident reported. [Responsibility: Information Security / IS Department Managers]
3. In case of incidents like malicious code, malicious access, denial of service attacks or virus infections etc., IS support staff shall be directed to isolate the affected host/system from the network. In case of fault logging and system malfunction incidents, IS Support Staff shall resolve the incident with the help of the Information Security function and affected users for timely resolution. [Responsibility: Manager Information Security / IS Support Staff]
4. It will be determined whether any additional systems within the environment may have been impacted or compromised as well. These systems will also be immediately isolated from the network. [Responsibility: Manager Information Security / IS Support Staff]
5. A quick assessment will be performed to determine the type, impact and severity of the incident. [Responsibility: Manager Information Security / IS Support Staff]
6. If the repair would require the help of a vendor, the respective IS Support Staff will contact the vendor. The Procurement department will be contacted when the need arises. [Responsibility: Service Desk Team]
7. The affected system(s) will be repaired, tested and handed over to the user. [Responsibility: Service Desk Team]
8. The incident response shall be logged and completed in the Service Desk. The following information must be included in the Incident Response:
• Details of incident reporter
• Date and time
• System or application affected
• Type of incident, e.g.
− Denial of Service
− Unauthorized Access
− Malicious Code
− Unauthorized use
− Violation of IS policies
− Unplanned downtime
− Others
• Description of incident
• Impact of incident, e.g.
− Loss of information
− Damage to system/downtime
− Financial loss
• Remedial actions taken
• Evidence obtained (logs etc.)
• Evaluation of Tapal Tea staff on reporting the incident
• Lessons learned and future improvements to policies
[Responsibility: Service Desk Team]
9. For every incident, the Incident Response is to be sequentially numbered and retained. Any evidence shall be preserved in hardcopy or softcopy in the Service Desk system. [Responsibility: Service Desk Team]
10. Through analysis of the available evidence, it shall be determined whether the incident was a mishap or was caused intentionally. [Responsibility: Information Security / Service Desk Team]
11. In case of malicious incidents, it will be assessed whether the damage was caused from a remote location or through the internal network. [Responsibility: Information Security / Service Desk Team]
12. In case of an internal security incident, disciplinary action may be sought against the staff involved. [Responsibility: GM IS / Legal Department / ER / Information Security]
13. On a half-yearly basis, all incidents logged in the Service Desk shall be reviewed to identify recurring incidents etc. and to strengthen the level of controls in place. [Responsibility: Information Security / Service Desk Team]
4.11 Complaint / Request Management
4.11.1 Objective
The objective of this procedure is to establish guidelines for computer-related/technical support provided by the Service Desk Team / IS Support staff of Tapal Tea covering all the domains like Access Management, Change Management and Incident Management.
4.11.2 Responsibility
• General Manager Information Services
• IS Management
• Service Desk Team
• Asset Management Team
• IS Support Staff (if any other)
• Users
• Information Security Manager
4.11.3 Procedure
1. The request shall be sent to IS Service Desk staff via the ‘Service Desk System’ or via email. If the request is made via phone call / email, it shall be logged in the support system later. [Responsibility: User]
2. Requests initiated by end users will be verified and catered for only after the necessary approvals from their respective Heads of Department (where necessary). [Responsibility: IS Support team]
3. Where user requests pertain only to error resolution, such as network connectivity, system malfunction etc., the HOD's approval can be bypassed and the request is to be assigned directly to the respective IS Staff for early resolution. [Responsibility: Service Desk Operator / IS Support Staff]
4. The Information Security function is to be informed if the reported issue falls under the “security incident” category. The Incident Management Procedure is to be followed from there on. [Responsibility: Service Desk Operator / IT Support Staff]
5. The relevant Application Support Team is to be informed if the reported issue falls under the “Application Access / Change / Configuration / Patch Management” category. The relevant procedures are to be followed from there on. [Responsibility: Service Desk team]
6. The IT Network Management Team is to be informed if the reported issue falls under the Network Management category, i.e. Email/Internet Access and Network Change / Configuration / Patch Management. The relevant procedures are to be followed from there on. [Responsibility: Service Desk team]
7. For requests that require a new installation / new hardware setup, the request will be forwarded to the relevant System Support staff. [Responsibility: Service Desk Team]
8. For minor problems, the user may be contacted on the phone to resolve the issue. If this is not sufficient, a visit or remote resolution by the System Support staff shall be required. [Responsibility: System Support Team]
9. If the problem cannot be resolved by 1st tier support, it will be escalated to 2nd tier and ultimately tier 3 (vendor) support. [Responsibility: Service Desk team]
10. The Service Desk Team will also be responsible for arranging alternatives within the existing IT infrastructure of Tapal Tea if the problem cannot be resolved at that time because the equipment is damaged or not repairable. Any logged complaint will take time according to the nature of the complaint and the tier level required for resolution. Backup shall be taken by the Asset Management team. [Responsibility: Service Desk Operator / Asset Management Team]
11. If the problem could not be resolved, it will be forwarded for further R&D, and the support staff will provide the requesting user with the best possible alternatives. [Responsibility: Service Desk Operator / IS Support Staff]
12. After the complaint/request has been completed, the relevant technical support person will be responsible for closing the ticket (case) after obtaining endorsement from the user. After 3 days the request shall be considered closed if the user has not responded. [Responsibility: Service Desk team]
13. The user will record his satisfaction level in the Service Desk System and mark the issue as resolved. The resolution date, time and the Service Desk / IT / Administration etc. personnel who worked on the problem will be automatically logged by the system. [Responsibility: User]
14. A formal analysis of the nature of the problems logged will be carried out at the end of every quarter. This analysis will subsequently be used to identify the major causes of problems so that efforts can be made to minimize them. The results of this analysis will be presented to the General Manager of Information Services. Suggestions for improvements will be imparted to the Service Desk / IT Support staff, including procedures to diagnose and resolve problems. [Responsibility: Service Desk / IS Support / Information Security]
15. Service Desk logs shall be monitored to ensure that no security incident has been left unreported to authorized personnel and that all problems were successfully resolved. Further, the resolution measures taken shall be reviewed to ensure no breach of Information Security policies took place. [Responsibility: Manager Information Security]
16. Response times will be monitored to increase the efficiency of the Service Desk in resolving problems quickly. Based on this, performance evaluation of the system support personnel will be carried out on a quarterly basis. [Responsibility: Service Manager]
4.12 Network Management
4.12.1 Objective
This procedure is aimed at ensuring smooth and controlled operations of all Tapal Tea Private Limited networks by stating network management guidelines.
4.12.2 Prerequisite
This procedure should be read in conjunction with:
• Information Security Policies, including:
− Communication Security Policy
4.12.3 Responsibility
• GM Information Services
• Network and Service Manager
4.12.4 Procedure
Network Documentation
1. The following shall be maintained and updated in a timely manner:
• High-level network diagram showing main network domains and connections
• Diagram showing servers and their connection methods
[Responsibility: Network and Service Manager]
Audit Logging & Monitoring
1. Audit logs of VPN, firewalls and Network Monitoring Systems, where applicable, shall be retained for a minimum of one year. [Responsibility: Network and Service Manager]
2. Logs shall be reviewed quarterly for any suspicious activities. [Responsibility: Network and Service Manager / GM IS]
3. Network devices and mediums / links shall be monitored to ensure connectivity of the network access layer and the upstream provider links. [Responsibility: Network and Service Manager]
4. Downtime reports shall be retained in the Service Desk and periodically reviewed to identify recurring problems and highlight solutions. [Responsibility: Network and Service Manager / GM IS]
4.13 Remote Access
4.13.1 Objective
The objective of this procedure is to establish guidelines for granting employees remote access to the Tapal Tea network while minimizing information security risks and threats.
4.13.2 Prerequisite
This procedure should be read in conjunction with:
• Information Security Policies, including:
− Organization of Information Security
− Access Control Policy
4.13.3 Responsibility
• GM Information Services
• Division Unit Head / Head of Department (Business Head)
• Network and Service Manager
• Sr. System Manager
• System Manager
• Users
4.13.4 Procedure
1. The user requests remote access via the Service Desk / email. [Responsibility: User]
2. The request shall be approved by the Business Head after assessing the need and justification for remote access. [Responsibility: Head of Department (Business Head)]
3. All new requests related to remote access will be evaluated. [Responsibility: Network and Service Manager]
4. The request shall be forwarded to GM Information Services for approval via the Service Desk. [Responsibility: Network and Service Manager]
5. The request shall be approved/rejected/deferred. [Responsibility: GM Information Services]
6. Once the request is approved, the user's remote access / VPN account shall be created as per the application/system for which access is required. All remote access to Tapal Tea information system resources will be controlled by an approved authentication mechanism. [Responsibility: Network and Service Manager]
7. Remote access approval documentation and a list of all remote access users shall be maintained. [Responsibility: Network and Service Manager]
8. The list of users with remote access should be kept updated. [Responsibility: Network and Service Manager]
Auditing and Monitoring
1. Remote access logs shall be reviewed for unusual activity and violations. [Responsibility: Network and Service Manager]
2. Accounts not in use for 30 days shall be locked. [Responsibility: Network and Service Manager]
3. The remote access users list shall be reviewed annually. [Responsibility: GM Information Services]
4.14 Capacity Planning
4.14.1 Objective
The Procedure is to outline the responsibilities, guidelines and standards for determining service level requirements of IS Infrastructure and planning for future capacity requirements.
4.14.2 Responsibility
• GM of Information Services
• Sr. System Manager
• System Manager
• Network and Service Manager
• Application Administrator (SAP Basis/ Applications other than SAP ERP.)
• Designated IT staff
4.14.3 Procedure
1. Each application and infrastructure component shall have a nominated administrator/owner who shall be responsible for monitoring the service levels / utilization of that IT infrastructure over time, including at peak usage times. Use of automated tools for monitoring is encouraged. The following components must be included:
• Network bandwidth (network devices)
• Routers & switches
• Disk space (servers / desktops)
• Server processors
• Tape drives
• RAM
• Printers
[Responsibility: GM of Information Services]
2. Results of monitoring of service levels and infrastructure utilization shall be compared with maximum usable capacities. This shall help establish when particular infrastructure is reaching maximum usable capacity and additional hardware/software is required for smooth functioning. [Responsibility: System Administrator / Domain Administrator / Sr. Manager IS Operations / Network and Service Manager]
3. Performance tuning activities are to be carried out to enhance the performance of existing infrastructure. [Responsibility: System Administrator / Domain Administrator / Sr. Manager IS Operations / Network and Service Manager]
4. Future changes/enhancements shall be evaluated with respect to existing results to establish whether additional hardware/software is required. [Responsibility: GM of Information Services / System Administrator / Domain Administrator / Sr. Manager IS Operations / Network and Service Manager]
5. Increases in business activities and staffing levels must also be monitored to allow for the extra facilities that will be required, for example the number of workstations. [Responsibility: System Administrator / Domain Administrator / Sr. Manager IS Operations / Network and Service Manager]
4.15 Backup & Restoration
4.15.1 Objective
The objective of this procedure is to outline the backup/restoration schedules and practices to be followed at Tapal Tea Private Limited.
4.15.2 Responsibility
• GM of Information Services
• IS Manager Operations
• Sr. Systems Manager
• System Manager
• Sr. Manager IS Operations
• Network and Services Manager
• Application / Database Administrator (SAP Basis, other apps)
4.15.3 Existing Backup Schedule
Database Backup
For the database backup schedule, refer to Annexure C of this manual.
Application Backup
For the application backup schedule, refer to Annexure D of this manual.
4.15.4 Procedure
SAP Database Backup

Backup
1. A full backup shall be taken every day via the backup schedule configured in the backup tool. (Responsibility: SAP Basis and Database Administrator / Sr. System Manager)
2. Backups are taken on a real-time basis, after completion of every 50 MB. (Responsibility: SAP Basis and Database Administrator / Sr. System Manager)
3. Backups shall be taken daily at the specified time on the tape drive. (Responsibility: SAP Basis and Database Administrator / Sr. System Manager)

Backup storage and retention
1. Backup dumps shall be transferred to the tape drive. (Responsibility: Sr. System Manager / System Manager)
2. Tape drives are to be sent to the Head Office / secure location and rotated after every days. (Responsibility: Sr. System Manager / System Manager)
3. In case the DR site is up and working as the primary site, daily backup sets and export dumps are copied to an external hard drive. (Responsibility: DR Manager)
4. Backup activity shall be recorded and logs shall be retained for a minimum of one year. (Responsibility: SAP Basis and Database Administrator / Sr. System Manager)
5. A 10 working days backup retention policy shall be followed. (Responsibility: SAP Basis and Database Administrator / Sr. System Manager)
6. Backup tape media shall be adequately labelled. (Responsibility: SAP Basis and Database Administrator / Sr. System Manager)

Validation of backup
1. Backup sets shall be validated at least every 3 months through adequate restoration testing on a separate server. (Responsibility: SAP Basis and Database Administrator / Sr. System Manager)
2. Evidence / results of successful backup restoration testing shall be retained. (Responsibility: SAP Basis and Database Administrator / Sr. System Manager)

Planned / Unplanned Maintenance
1. A full cold backup of the relevant database shall be taken and moved to storage media before any major planned or unplanned maintenance activity. (Responsibility: SAP Basis and Database Administrator / Sr. System Manager)
Other Apps Database Backup

Backup
1. A full backup shall be taken every day via the backup schedule job configured in MySQL / MS SQL Server. (Responsibility: Apps Administrator)
2. Backups shall be taken daily. (Responsibility: Apps Administrator)

Backup storage and retention
1. Backup dumps shall be transferred to separate media / tape on a file server. (Responsibility: Apps Administrator)
2. Backup activity shall be recorded and logs shall be retained for a minimum of one year. (Responsibility: Apps Administrator)
3. A 10 days backup retention policy shall be followed. (Responsibility: Apps Administrator)
4. Backup folders shall be adequately labelled. (Responsibility: Apps Administrator)

Validation of backup
1. Backups shall be validated every 3 months. (Responsibility: Apps Administrator)
2. Evidence / results of successful backup testing shall be retained. (Responsibility: Apps Administrator)

Planned / Unplanned Maintenance
1. A full cold backup of the relevant database shall be taken and moved to storage media before any major planned or unplanned maintenance activity. (Responsibility: Apps Administrator)

Application and other data

Backup
1. A backup of all application executable files and folders shall be taken after any change in source code / application configuration. (Responsibility: Sr. Systems Manager / Sr. Manager IS Operations / Network and Services Manager)
2. Backup activities shall be recorded and evidence (logs) retained for a minimum of 1 year. (Responsibility: Sr. Systems Manager / Sr. Manager IS Operations / Network and Services Manager)
3. Wherever applicable, backup media shall be adequately labelled and organized. (Responsibility: Sr. Systems Manager / Sr. Manager IS Operations / Network and Services Manager)

Network Devices Backup

Backup
1. A backup of all network devices shall be taken before and after any change in network configuration. (Responsibility: Network and Services Manager)
2. Backup activities shall be recorded and evidence (logs) retained for a minimum of 1 year. (Responsibility: Network and Services Manager)
3. Wherever applicable, backup media shall be adequately labelled and organized. (Responsibility: Network and Services Manager)
4.16 Data Retention Policy
4.16.1 Objective
The objective of this procedure is to outline data retention period and practices to be followed at Tapal Tea.
4.16.2 Responsibility
• GM IS
• Sr. Manager IS Operations
• Network and Service Manager
• Sr. System Manager
• System Manager
• DR Manager
• Users
4.16.3 Policy
In order for a department to function administratively, undergo periodic audits and provide for its audit requirements, it must manage its records properly. Therefore, the department and Tapal Tea employees are required to retain and destroy electronic data or e-mail sent and received in the course of conducting official business in accordance with an approved Records Retention and Disposal Schedule.
4.16.4 Records Retention and Disposal Schedules
Retention and Disposal Schedules are listings of records or record series maintained by Tapal Tea's department heads in the course of conducting their official business. They identify how long the records must be kept, when they may be destroyed and when certain records can be sent to the Archives for permanent preservation. Accordingly, records cannot be destroyed unless their disposal is authorized by an approved Retention and Disposal Schedule. Retention and Disposal Schedules are developed by the department heads and are then approved by the CEO / CFO / Heads.
4.16.5 Procedure
1. Users shall evaluate each message to determine if they need to keep it as documentation of their role in a business process. It is recommended that employees retain only the final outgoing message in a communication string that documents the contents of all previous communications. (Responsibility: Users)
2. Users shall evaluate the content and purpose of each e-mail message to determine which Retention and Disposal Schedule defines the message's approved retention period. (Responsibility: Users)
3. Users shall retain transactional information with the e-mail message if there is a substantial likelihood of relevance to litigation. (Responsibility: Users)
4. The Business Head shall ensure that users comply with the Data Retention and Disposal Schedule. (Responsibility: Business Head)
4.16.6 Retention Schedule
For an example retention schedule, please refer to Annexure E.
5 Organizing and Monitoring IT Processes
5.1 Independent Audit
5.1.1 Objective
To increase confidence level in the business systems, benefit from global best practices and have an unbiased review of the information technology setup of Tapal Tea, an independent IT audit is essential. This allows management to take proactive measures for safeguarding the information assets of the company in view of the emerging threats and also to exploit the opportunities as they present themselves.
5.1.2 Responsibility
• CEO Tapal Tea
• CFO Tapal Tea
• Steering Committee
• General Manager Information Services
5.1.3 Policy
1. An external IT audit shall be conducted at least once a year by a reputable auditing firm that has the required skill set, proven expertise and experience.
2. Internal audits shall be conducted by a person/department independent of the IT Division who is competent and qualified to perform IT audits.
3. The scope of the internal audit shall be decided after a preliminary assessment and a formal IT Internal Audit Plan.
4. A draft audit report shall be prepared and submitted to the management. The issues highlighted in the report shall be discussed and agreed with the management. The management's comments shall be taken and incorporated in the auditors' report. A definite date for the actions to be taken by the management shall be mutually agreed and documented.
5. The final audit report shall be issued to the relevant management and audit committee.
5.2 Monitoring
5.2.1 Objective
Tapal Tea shall monitor its information technology processes to ensure that IT Operations are managed and performed in a controlled environment so that the overall IT and business objectives are met.
5.2.2 Responsibility
• GM of Information Services
• Sr. Manager IS Operations
• Sr. System Manager
• Network and service Manager
5.2.3 Policy
1. GM of Information Services or his designate shall ensure that audit logs are maintained as per Access Control Policy.
2. Audit logs shall be protected against unauthorized modification and malicious tampering. In most cases this can be achieved by segregation of duties, e.g. the DBA should not have system administrator rights to the partitions where database logs are written.
3. The Head of Information Services shall review privileged ID audit logs at the frequency defined in the Access Control Policy. User level logs may be reviewed from time to time by System/Network/DB administrators, provided they are designated to do so by the Head of Information Services.
4. The System Administrator, Application Administrator, Network Administrator and DBA are responsible for generating audit logs for their respective systems and applications.
5. In the absence of an electronic access device (RFID) securing access to the server room, a manual entry log for the server room shall be maintained by the GM of Information Services / Sr. Manager IS Operations or designated personnel.
6. Head of Information Services will maintain all records pertaining to the review of logs so as to demonstrate compliance with Tapal Tea’s IS and IT Operational policies and procedures for auditing purposes.
7. A checklist should be prepared which should include what factors are to be considered during review of audit logs. Some factors which can be included are as follows:
Application Level
1. User level application logs shall include, but are not limited to, the following:
• Unsuccessful login/logoff attempts.
• Login and logout timings.
• Transactions performed or T-Codes executed, with date and time stamps.
2. Privileged ID application logs shall include, but are not limited to, the following:
• User administration activities, to detect whether any unauthorized roles have been granted to users or to the administrator himself.
• Evidence that privileged IDs are not involved in executing business functions.
Database Level
1. User level database log review shall include, but is not limited to, the following:
• Updates to sensitive/critical tables.
• Unauthorized access.
2. Privileged ID database log review shall include, but is not limited to, the following:
• Any modifications made to data/schema etc. (insert, update, delete)
• Any modification made to master file/data dictionary.
• Patch updates history.
Data Centre / Server Room
1. Access logs of employees and manual logs of third parties shall be reviewed at a frequency that depends on the number of visits to the data center.
Network Configuration / Firewall
1. Audit logs of firewall and proxy server shall be reviewed from time to time to detect access to blocked/banned websites.
2. Network configuration changes shall be reviewed to ensure they were authorized.
Operating System
1. System Administrator activity log review shall include, but is not limited to, the following:
• Patch Updates history
• User administration activities to detect if any unauthorized roles have been granted to users.
Service desk
1. All user queries submitted to the Service desk must be logged with date, time, username, query details, attendant's name, action taken, and the person to whom the query was forwarded.
2. The GM Information Services / Services Manager shall monitor the performance of query resolution.
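As an added example (not part of the Tapal Tea manual), the script below applies the application-level review checklist above to a few constructed log lines: it flags repeated unsuccessful logins, records login/logout timings per session, reports T-Codes executed by privileged IDs that fall in a business-function set, and lists user administration activity. The pipe-delimited log format, the privileged ID name and the T-Code set are assumptions.

```python
"""Added example, not from the Tapal Tea manual: review of application-level audit
logs against the checklist. Log format, privileged IDs and T-Code set are assumed."""
from collections import defaultdict

# Constructed sample log lines: timestamp|user|event|detail
SAMPLE_LOG = """\
2024-03-01 08:01:10|jsmith|LOGIN_FAIL|bad password
2024-03-01 08:01:25|jsmith|LOGIN_FAIL|bad password
2024-03-01 08:01:40|jsmith|LOGIN_OK|
2024-03-01 08:05:00|jsmith|TCODE|VA01
2024-03-01 09:30:00|basis_admin|LOGIN_OK|
2024-03-01 09:31:00|basis_admin|ROLE_GRANT|SAP_ALL->jsmith
2024-03-01 09:32:00|basis_admin|TCODE|FB01
2024-03-01 09:40:00|basis_admin|LOGOUT|
2024-03-01 17:00:00|jsmith|LOGOUT|
"""
PRIVILEGED_IDS = {"basis_admin"}                 # assumed privileged application IDs
BUSINESS_TCODES = {"VA01", "FB01", "ME21N"}      # assumed business-function T-Codes
ADMIN_EVENTS = {"ROLE_GRANT", "USER_CREATE", "USER_LOCK"}
FAIL_THRESHOLD = 2                               # consecutive failures worth a note

def parse(log_text):
    """Split each non-empty line into its four pipe-delimited fields."""
    rows = []
    for line in log_text.splitlines():
        if line.strip():
            ts, user, event, detail = line.split("|", 3)
            rows.append({"ts": ts, "user": user, "event": event, "detail": detail})
    return rows

def review(rows):
    """Apply the checklist: failed logins, session timings, privileged IDs
    running business T-Codes, and user administration activity."""
    out = {"login_failures": [], "sessions": [], "privileged_business_tcode": [],
           "user_admin_activity": []}
    fails, open_sessions = defaultdict(int), {}
    for r in rows:
        u, e = r["user"], r["event"]
        if e == "LOGIN_FAIL":
            fails[u] += 1
            if fails[u] == FAIL_THRESHOLD:          # report once per run of failures
                out["login_failures"].append((u, r["ts"]))
        elif e == "LOGIN_OK":
            fails[u] = 0                            # a success ends the run
            open_sessions[u] = r["ts"]
        elif e == "LOGOUT":                         # login -> logout timing
            out["sessions"].append((u, open_sessions.pop(u, None), r["ts"]))
        elif e == "TCODE" and u in PRIVILEGED_IDS and r["detail"] in BUSINESS_TCODES:
            out["privileged_business_tcode"].append((u, r["detail"]))
        elif e in ADMIN_EVENTS:                     # role grants etc. for review
            out["user_admin_activity"].append((u, f"{e} {r['detail']}"))
    return out
```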
Annexure A
Annexure B
Incident Resolution (columns: Severity level; Critical Service Level; Turn Around Time for SAP and Integrated systems; Turn Around Time for Secondary Sales; Turn Around Time for Other Incidents)

Major: Critical Service Level: Yes. Turn Around Time (SAP and Integrated systems): Hours. Turn Around Time (Secondary Sales): Hours. Turn Around Time (Other Incidents): Hours.
Medium: Critical Service Level: No. Turn Around Time (SAP and Integrated systems): Hours. Turn Around Time (Secondary Sales): Hours. Turn Around Time (Other Incidents): Hours.
Low: Critical Service Level: No. Turn Around Time (SAP and Integrated systems, Secondary Sales and Other Incidents): Days or as agreed with users at the time of logging.
Annexure C
Database Backup Schedule (columns: Database; Application; Backup Utility; Frequency of Backup; Type of Backup; Backup Media; Other)

MySQL (SCADA): No backup.

MS SQL 08 (LaserFiche, Secondary Sales):
Backup Utility: System Center Data Protection Manager (SCDPM)
Frequency of Backup: LaserFiche DB backup 5 days; Secondary Sales DB backup 6 days
Type of Backup: Daily full DB backup
Backup Media: Disk and Tape
Other: Retention policy: 8-10 backup copies, managed via SCDPM.

DB2 (All SAP Production Instances):
Backup Utility: SAP Application & AIX Console
Frequency of Backup: ECC 6: 6 days; all other backups are taken 5 days a week
Type of Backup: Full online backup and archive logs
Backup Media: Disk, Tape
Other: Tape retention policy: daily tape 7 days; month-end tape 1 year. These backups are managed manually.
Annexure D
Application Backup Schedule (columns: Application; Backup Utility; Frequency of Backup; Type of Backup; Backup Media; Other)

SAP:
Backup Utility: Application itself takes backup
Frequency of Backup: Daily
Type of Backup: Full Backup
Backup Media: NFS Folder

SCADA, Laserfiche:
Backup Utility: VM Backup
Frequency of Backup: Daily Backup
Type of Backup: Full
Backup Media: Disk and Tape
Other: Retention policy: 2-3 backup copies, managed via SCDPM.

Secondary Sales:
Backup Utility: VM backup
Frequency of Backup: Monthly VM Backup
Type of Backup: Full
Backup Media: Disk and Tape
Other: Retention policy: 2-3 backup copies, managed via SCDPM.
Annexure E
Records Retention and Disposal Schedule (columns: S No; Activity; Disposal Type; Disposal Action; Description; Move to Archive; Disposal Trigger)

1. Disposal Type: TEMPORARY. Disposal Action: Destroy 1 year after last action. Description: Records relating to the acquisition of external, purchase request, purchase order, approval etc. Disposal Trigger: 1 year after last action.

2. Disposal Type: TEMPORARY. Disposal Action: Destroy 3 years after last action. Description: Records relating to the acquisition of external delivery order or GRN etc. Disposal Trigger: 3 years after last action.

3. Disposal Type: TEMPORARY. Disposal Action: Destroy 3 months after last action. Description: Promotional material and other ancillary information provided by systems and equipment suppliers relating to hardware, software, data processing equipment, suppliers' services, etc. Disposal Trigger: 3 months after last action.

4. Disposal Type: TEMPORARY. Disposal Action: Destroy 3 years after action completed. Description: Records relating to acquisition of technology and telecommunication services including billing records, service reports, authorizations, etc. Disposal Trigger: 3 years after action completed.

5. Activity: Control. Disposal Type: TEMPORARY. Disposal Action: Destroy 1 month after last action. Description: Electronic data interchange (EDI). Disposal Trigger: 1 month after last action.

6. Activity: Application Development. Disposal Type: TEMPORARY. Disposal Action: Destroy 5 years after application discontinued or superseded. Description: Records relating to the development or modification of applications that become operational. Includes surveys, status reports, pilots, operational specifications, flowcharts, etc. Disposal Trigger: 5 years after application discontinued or superseded.

7. Activity: Implementation. Disposal Type: TEMPORARY. Disposal Action: Destroy 5 years after. Description: Records relating to implementation of information management applications or systems, including monitoring processes and post-implementation reviews. Disposal Trigger: 5 years after system closed or superseded.