FVSZ-QM-0209 IT-Policy.docx

Doc. Type: FVSZ- QMRevision: 002Page 5 of 52.9 IT PolicyAuthor by: Poey GuoDate: 090417Approver by: Andrew LiDate: 090417Where Update: Responsible department: QCScope : FVSZ Plant弗雷德里克森（苏州）精密机械加工有限公司Fredriksons (Suzhou) Contract Manufacturing Co., Ltd.1 Purpose and responsibility: 1.1 Purpose:Give all PC users at FVSZ general IT information. It is also intended as a means to communicate information concerning FVSZ rules and recommendations for PC users so that the highest possible confidentiality and dependability in the complete IT environment is secured. 1.2 Scope: This policy is valid for all PC users. Each PC user is responsible that his/hers PC is only used for performing tasks within FVSZ. All PC users must be aware that both internal and external unannounced inspections can be performed to control that this policy is followed. 1.3 Definition:PC is defined as all types of Personal Computer and Work Station owned by FVSZ. PC User is each person who uses a PC or Work Station at FVSZExecutable files are all types of executable program code - .EXE, -COM files etc.Internal/External Inspection. FVSZ have internal audits for following up that are applicable routines, policies and laws are followed. A number of external audits are performed each year to check that internal audits and routines are followed and effective. 1.4 Restrictions The term information security has a broad definition, but can simply be described with these three concepts: Confidentiality ensuring that information is accessible only to those authorised to access and use the information. Authenticity protection of information so that it remains correct and complete. Accessibility ensuring that users have access to information when needed. 2. IT Security Policy 2.1 Users 2.1.1 User training All users are to receive training in security issues. IT security responsible is responsible for the scope of the programme and the completion of training programmes. Written affirmation that the user has been informed of and understood the companys policy is to be secured. All use of company computers and networks for non business-related purposes is prohibited! 2.2 Applications/operations 2.2.1 Development, procurement and operations IT security requirements must be reviewed and included in requirement specifications for the development or procurement of computers, data processing systems, networks, computer equipment, computer operations or related services. 2.2.2 System events log System logs are to be continuously monitored. Events of a serious nature or events that may have an impact on continued operations are to be logged. 2.2.3 Service and support agreements The IT security responsible is responsible for ensuring the existence of sufficient service and support agreements. These agreements are to be enclosed as appendixes to this policy. 2.2.4 Contingency plans Concerning contingency plans for various crisis situations. Each contingency plan is regulated according to contingency plans as documented FVSZ-F0209001 contingency plan2.2.5 Documentation and handbooks All the software installed both in servers and clients are listed and documented on FVSZ-F0209002 install software list Systems specifications for critical resources, such as servers and storage of media, such as CDs are listed and documented on FVSZ-F0209003 IT material use list2.2.6 Contacts and people responsible List the names, phone numbers and other contact data for all individuals involved in security in some way. This list is documented on FVSZ-F0209004 responsible contact list. This list should include the following information. Security responsible Individuals at management level that are to be contact in case of a security crisis Systems administrators Contacts at the organisations IT consultancy firm Network suppliers Security companies Electricians and other external parties and companies that can help in various crisis situations 2.3 Accounts and passwords Each computer user is to have a private password to information to which he or she is authorised access. In certain exceptional instances, such as several people sharing a user name on computers selected for a specific purpose, each individual is responsible for ensuring that security routines are followed. The password is to be unique and complex, and carefully protected by the employee. All employees will receive succinct instructions about what applies in terms of passwords and user names. Above all, it is important that our employees are aware of the responsibility associated with a password that gives access to company information. The password should be the same to access all of the organisations services. The password should be a complex password, which means it must contain minimum seven characters from at least three of the below groups. Passwords must not resemble user names. The groups are the following: Small letters: i.e. a, b, c, d, e, f, g, h . . . Capital letters: i.e. A, B, C, D, E, F, G, H . . . Special characters: i.e. !, ”, #, , %, &, /, (, ), =, +, , , , * Numbers: 1, 2, 3, 4, 5, 6, 7, 8, 9, 0 Example of a valid password: xANO4ever five small letters, three capital letters and one number. Examples of invalid passwords: 109Alto if your user name is 109alto, this password is invalid since it resembles your user name. Alto109 same as above. Sommar123 contains characters from only two groups. Passwords are to be changed at least six times per year. Password-secured screen savers are to be installed on all computers that are triggered within a reasonable timeframe. Computers are to be switched off at the end of a working day. Finally, it should be pointed out that passwords should never be kept on paper for any length of time. 2.4 File and database security 2.4.1 Backup routines Daily copied data is the minimum level required for security backups and system and date backup is made monthly. The copied date of both system and work is kept permanently in safe place separate from server room. Verification Control of backup status and log entries should be made each time the tape is changed. Storage The latest backup is to be stored outside the building. Other tapes with related logs are to be stored in a locked, fireproof cabinet, separate from the server room. This cabinet must be approved by the insurance company. Backup media must not be left unsupervised. Re-access Routines for re-accessing backup data should be tested at least four times per year and for each new backup installation. 2.4.2 Storage All privately produced files, mails and databases are to be stored on the server. Exceptions include portable computers where information is continuously copied/synchronised to the server. 2.4.3 Access The IT security responsible is in charge of issuing information and software authorisation. This authorisation is to be affiliated with the users duties in the company. 2.5 Protection 2.5.1 Antivirus It is essential that we update our virus lists often since new viruses are released daily. We will use products that automatically check and update all clients. Software with built-in firewall and spy ware protection is to be used for clients. The following areas are to be checked for viruses: All servers. All clients. Incoming and outgoing electronic mail. 2.5.2 Firewalls Installation and verification is to be performed by an individual certified for the tasks. 2.5.3 Service packs and updates All critical service packs are to be installed immediately. Verification in regard to function is to be performed before installation. 2.6 Physical access 2.6.1 Server room The servers are to be housed in a locked area and UPS equipped. The server room shall maintain an even temperature, about 20 C, +/- 4. An approved fire extinguisher is to be placed in the immediate proximity of the room. The room is to be locked when unmanned, and as few people as possible shall have access to the keys. The room should have an alarm system. 2.6.2 Connection of external computers External computers owned by consultants, customers and other partners may only be connected to the network if the computer has an approved antivirus protection and otherwise fulfils the Fredriksonss IT security regulations. 2.6.3 Portable computers If information vital to the company is stored locally on the portable computer, the information is to be encrypted or the enti