2. The expectation for trade participants in this program is a commitment toward the common goal of creating a more secure and efficient supply chain through partnership. C-TPAT depends on the assistance of private industry to ensure increased vigilance throughout the supply chain. Businesses must ensure that their brands, employees, and customers are protected to the best of their abilities.
3. C-TPAT is not intended to create any new “liability” for the company beyond its existing security practices. However, joining C-TPAT commits the company to follow the actions specified in the signed agreement. C-TPAT recognizes that a safe and secure supply chain is of critical importance to both vendors and buyers. For this reason, a strong anti-terrorism partnership with the trade community through C-TPAT is required to safeguard the supplied commodities. Trade partners commit to both trade security and trade compliance, which are rooted in the same business practices. US Customs wants to work closely, through C-TPAT, with companies whose good business practices ensure security of supply and compliance with trade laws.
4. As part of our effort to enhance the supply chain security of goods ordered by our customers, we have set principles, guidelines and procedures for our factory premises and the surrounding area. Besides enhancing the security of our own factory for the protection of our property and the safety of all employees, the plan is established to comply with our customers’ as well as US Customs’ security requirements. The objective of this plan is to ensure that our factory plays an important role in supply chain security and is one of the most secure factories in the country.
Security Policies
Our factory is committed, for our part, to Supply Chain Security as part of our compliance program. The management and all employees of our factory are responsible for upholding and maintaining the Supply Chain Security Plan (hereinafter called the “security plan”) in accordance with the criteria we set and the applicable local law, within the factory and at the factory’s subcontractors, if any.
Principles
Our factory’s security plan was developed based on the following principles, and focuses on prevention and risk management rather than handling incidents afterwards. The keys to this security plan are:
• Prevention of TRESPASSING
• Prevention of TAMPERING
• Establishment of TRACEABILITY
Guidelines
Our factory has developed guidelines for every employee in this factory to follow as part of the factory’s regulations; these guidelines are posted in a readily accessible place to keep all employees alert to security. They were developed to cover security in the following 7 areas:
• Container/Closed Truck Security — Focus on the physical integrity of incoming and outgoing containers and closed trucks prior to stuffing, the procedures for seals, and the reliability of the door locking mechanisms.
• Personnel Security — Our factory shall enhance the factory’s recruitment system to
include interviewing and background checks/verifications.
• Procedural Security — Systems and methodology for handling incoming and outgoing goods: Security Officers engaged in controlling in/out cargo; records of shipping marks, weights, numbers etc.; procedures for verifying seals on containers, trucks etc.; reporting of shortages and overages; storage of empty and full containers to prevent unauthorized access; and a tracking system for all cargo movements.
• Security Training and Threat Awareness — This security plan also provides security awareness training to our employees, covering operating procedures, awareness, identification and reporting of crime, and detecting and addressing unauthorized access. The training program encourages active employee participation in security controls.
• Physical Security — Focus on buildings and construction; external and internal locking devices; warehouse safety; lighting inside and outside the facility; shipping, loading and cargo areas; and internal and external communication systems, to assure the factory’s physical security.
• Information Technology Security — Focus on the protection and accountability policy for Information Technology (IT).
Procedure
Methodology
All employees, including management and workers, are expected to have a thorough understanding of the security plan and to be familiar with the operating procedures. Our education on awareness and training on supply chain security practices are conducted in the following manner:
4. Supervision — managers are responsible for ensuring that all criteria listed in this plan are properly carried out.
Security Guard
Security Guard’s Responsibilities
1. Entrance Control — A security guard should be stationed at all entrance gates 24 hours a day. The guard on duty should complete hand-over and take-over procedures clearly with the next shift before leaving.
3. Daily patrolling of the factory premises — Besides entrance control, the security guard should patrol all factory departments periodically to ensure that no unauthorized/unidentified person or object trespasses on the factory or obstructs its security operation.
4. Visitor’s Registration — All visitors should register (company name, date and time of entry/leave, etc.) and should be verified by the reception employee before entering the factory. (Exhibit A)
6. Verifying Employee Identification — The security guard has to check all employees’ badges to verify the identity of every employee entering or leaving the factory. If an employee has lost the badge, the security guard should notify the relevant departments and the Security Manager to verify the employee’s identity, and record the case, before allowing the employee to enter the factory.
1. Ensure that all guards report on time and are deployed without delay to their respective posts.
2. Take over the duty from the reliever with all details and sign the handing and taking over register.
3. Assist the Security Officer / Supervisor at the time of factory opening and closing.
4. Ensure that only authorized persons enter, checking that ID cards are worn around the neck.
5. Ensure that goods and materials are loaded and unloaded as per the laid-down procedure.
6. Enter the details of gate passes into the appropriate registers and preserve the gate passes for further records.
7. Enter the details of vehicles in/out in the vehicle register.
8. Ensure proper parking of vehicles inside the factory and take extra care while a shipment vehicle enters or leaves the factory.
9. Patrol periodically to check the alertness of the guards, especially at night.
10. Ensure that no person enters the factory after closing; in case of any urgency, report the same to the concerned senior management person.
11. Ensure the safety and security of the factory and materials.
12. Take appropriate action in case of any fire incident in the factory.
Main Gate
Packing Area
1. Observe the activities of the packing staff during packing. No unauthorized person is to be in the area during packing.
2. Do not allow any person in without the permission of the concerned manager.
3. Observe any unnecessary movement of persons; check, question and inform accordingly.
4. Watch for anything being thrown through a window.
5. Check/observe for any collusion by any person with outsiders through the gate.
6. Ask/inform the reliever of anything important.
7. Do not leave the post without a reliever.
8. Watch for any type of sabotage.
9. Do not leave the post without permission.
Staircase
Floor Area
1. While on loading and off-loading duty, ask for the gate pass and delivery challan to know the number and quantity of the materials.
2. Ensure that the concerned person is present at the time of loading and off-loading.
3. Count the items on the tally sheet and submit it to the supervisor for further record.
4. If it is observed that the quantity/number does not match the gate pass or challan, or a packet or bundle is torn or broken, inform the security officer / supervisor immediately.
5. Check the lock before and after loading and off-loading for its effectiveness.
Main Store
1. Take over the duty of the post, noting the date and time in the handing/taking over register.
2. Check whether everything in the area is in order.
3. If any problem is found, notify the concerned authority without delay.
4. Ensure that only the concerned persons enter the case area.
5. Inquire the reason for entering by checking the challan.
6. Enter the full particulars of any person who needs to enter the case area.
7. This formality applies to all people.
8. Hand over the duty to the reliever with everything in order.
Location of Guards
Organization of Security, Unit-2 (organization chart): Manager (Security); Supervisor
To assure the effectiveness of the factory’s security plan, every security chief manager, officer and security guard should meet the following recruitment requirements:
• The factory has to verify the background/past history of the security candidates
• No criminal record
• Good physique
• Holder of a Security Guard Permit/Qualification
• Passed professional training for security guards
• Previously employed by a professional security company or the armed forces
• Periodic on-the-job training to strengthen security awareness
• To give a general idea of what C-TPAT is and why C-TPAT is so important for us
• What a security threat is, and which activities will help us work safely
• Whom to inform immediately if anyone sees or discovers any suspicious activity taking place
• General counseling regarding wearing the ID card and uniform
Security awareness and CTPAT Training program for the Security Guards
• Guarding against the insertion of illegal/unauthorized materials or product tampering in the factory
• Guarding against the unauthorized entry of any person
• Recognition and reporting of suspected illegal conduct or activities by any employee
• A general idea of what C-TPAT is and why it is so important for us
• Frisking and checking the ID card of each and every employee
All shipments must document their preloading 7-point container inspection, including visual inspection of the container walls, floor, ceiling and doors for any signs of tampering or malfunction prior to loading. All security guards will be trained on the 7-point check.
Security personnel will be very alert to identify any unauthorized person entering the factory. Such a person will be stopped at the main entrance and asked the purpose of the visit. His ID card will be checked for proper verification. If the verification is satisfactory, he will be directed to the appropriate person/department after proper documentation of his personal details in the register kept at the main gate. If his identity cannot be verified, the GM (Security and Admin) will investigate it. Under no circumstances will anyone be allowed to enter the factory without proper identification. If any illegal person is identified, he will be handed over to the law enforcement agency for proper investigation and necessary action.
Container Loading
Container Loading/Unloading Security Procedure Guidelines
2. When a container enters the factory, the entrance guard should identify and register the following details:
3. During the loading process, the company should appoint at least one supervisory employee to monitor the whole process and to check and verify whether the goods match the information stated on the documents and whether the packing of the goods is intact. If any item/quantity of goods does not match the information stated on the relevant documents, or a package is damaged, the supervisory employee should report to management and the relevant departments, stop all loading and investigate the reasons immediately.
4. For all cargo moved in/out of the warehouse, the warehouse supervisor should issue a cargo receipt/delivery order for record, which should include the following details:
6. When the truck leaves the factory, the security guard at the entrance gate should register the date (year/month/day), time and container number for record.
Security Procedure for Container Loading
• For all in-cargo/ex-cargo, the carrier must have valid in-cargo receipts/delivery orders for record and verification.
• The Delivery Order should contain the following details:
• The warehouse supervisor has to verify and monitor the procedure for in-cargo and ex-cargo to assure that all cargo moving in/out of the warehouse, its quantity, and other details are clear and correct.
• The warehouse supervisor has to keep all in-cargo receipts and delivery orders for record.
• The warehouse supervisor has to keep daily warehouse reports and monthly summary reports, in order to have a detailed record of the goods in the warehouse for verification and tracing; the warehouse can also verify its records with other departments.
Packing
• Front wall
• Left side
• Right side
• Floor
• Ceiling / Roof
• Inside / Outside doors
• Outside / Undercarriage
• The container number
If any such unusual circumstances are found, the employee needs to inform the shipping forwarder immediately.
The company should assign a specially designated area for loading and unloading. Only authorized employees are allowed to enter this area. The company has to appoint one supervisor to coordinate, record and monitor the whole loading process.
Only authorized people are allowed to enter and work in this specially designated loading area.
All visitors are prohibited from entering or staying in this area, except the truck driver.
The appointed loading coordinator has to record and verify the type, style, quantity and other necessary details of the loaded cargo and has to monitor the whole loading process, in order to assure that the whole process is faultless (no unidentified objects are loaded into the container during the loading process).
If the type, style, quantity, unit or other details do not conform to the documents, the nonconformity must be clarified with the related departments, and the final judgment of the Heads of the packing and shipping departments must be awaited.
The appointed loading coordinator should file all the records after the loading process is completed.
Registration and verification of the shipment details: The employees of the related departments should register and verify the details of the cargo to be shipped. The details should contain the following items:
• Invoice copy
• Packing list copy
• Customs documents (such as export license, country of origin, etc.)
• The type, style, color, quantity and unit of the cargo
• The gross weight and net weight of the cargo
All the above documents should be filed for record tracing.
The container seals
All LCL cargo must be transported by closed truck from the factory to the forwarder’s warehouse.
Assign a designated employee to monitor the cargo stuffing and escort the cargo from the factory to the forwarder’s warehouse.
Verify and record the truck driver’s identity documents.
Issue the Delivery Orders for record and verification.
The Delivery Order should contain the following details:
• Front wall
• Left side
• Right side
• Floor
• Ceiling / Roof
• Inside / Outside doors
• Outside / Undercarriage
If any such unusual circumstances are found, the employee needs to inform the shipping forwarder immediately.
Assign a specially designated area for loading and unloading. Only authorized employees are allowed to enter this area. The company has to assign one supervisor to coordinate, record and monitor the whole loading process.
Only authorized people are allowed to enter and work in this specially designated loading area.
All visitors are prohibited from entering or staying in this area, except the truck driver.
The assigned loading coordinator has to record and verify the type, style, quantity and other necessary details of the loaded cargo and has to monitor the whole loading process, in order to assure that the whole process is faultless (no unidentified objects are loaded into the truck during the loading process).
If the type, style, quantity, unit or other details do not conform to the documents, the nonconformity must be clarified with the related departments, and the final judgment of the Heads of the packing and shipping departments must be awaited.
The loading coordinator should file all the records after the loading process is completed.
Registration and verification of the shipment details: The employees of the related departments should register and verify the details of the cargo to be shipped. The details should contain the following items:
o Invoice copy
o Packing list copy
o Customs documents (such as export license, country of origin, etc.)
o The type, style, color, quantity and unit of the cargo
o The gross weight and net weight of the cargo
All the above documents should be filed for record tracing.
Assign a designated employee to inspect the mechanical lock and lock the closed truck after the whole loading process is completed and correct. The locking process should be recorded and filed.
11. A designated employee must escort the cargo from the factory to the forwarder’s warehouse and hand over the cargo to the forwarder. The employee records the time the truck leaves the factory and the time it arrives at the forwarder’s warehouse. The cargo hand-over should be recorded with a receipt document, chop and signature.
12. Report cargo loading and trucking information
The assigned loading coordinator should submit a report with all related documents to the shipping department for reference and filing.
i) Responsibility of the shipping department
The shipping department should receive a report and all related documents from the loading employee after the loading process is completed. It should verify all the information (including the time the truck left the factory and arrived at the forwarder’s warehouse) and file all the documents for record. All records/reports should be kept for at least 12 months.
j) Reporting System
• If the loading information does not conform, e.g. over-shipment or short-shipment, the employee who discovers the nonconformity should first report to his/her department head. The employee should then clarify with all correlated departments whether it is a typing error or due to other reasons. All related department heads should take immediate action to investigate the case after they receive the nonconformity queries.
If the situation is serious, all loading and unloading operations should be stopped immediately until the problems are corrected.
Procedure for tracking the goods from factory to ultimate destination.
Lenny Fashions Ltd. produces garments for a number of buyers. Our company policy is to ensure the safe and secure departure and arrival of all shipments at their ultimate destination.
We believe that it is necessary to ensure the safety of the transportation process so that the shipment arrives safely and securely at its destination within a reasonable time.
As a matter of policy we follow the procedure below for tracking shipped goods as they move from the factory to the destination.
1. After receiving the final inspection passed report or SRA (Shipment Release Authorization) from the buyer’s QC for a particular consignment, we contact the nominated C&F agent to get a covered van/container for loading the cartons.
2. Before loading, the loading area security personnel, along with the store officer in charge of export and the commercial officer, check the covered van/container. This check is recorded in the delivery record book and signed by the store officer. Loading is initiated only if the covered van/container is free from any damage or suspicious materials. If its condition is not found satisfactory, we inform the C&F agent and ask for a replacement covered van/container.
3. If, during the check of the covered van/container, we find any suspicious or illegal materials, DEPZ security and the police station are informed.
4. Our security maintains a log book for the checking of covered vans/containers, which includes the covered van/container number and the store in-charge’s signature.
5. Loading is done in the presence of security, store and commercial staff as per the packing list, and the vehicle is locked properly. Different procedures are maintained for locking a truck and a container, as follows:
a. If it is a covered van, security locks it and hands over the key to the commercial department. Our commercial department sends a representative separately to the nominated C&F office in Chittagong along with the keys.
b. If it is a container, customs authority staff come to the factory and lock and seal the container in front of our security, commercial and store staff.
6. We closely monitor the trucks/containers until they arrive at the nominated forwarder in Chittagong, and we communicate with the buyer’s nominated forwarder to confirm whether they have received the goods in due time or not.
7. After that we communicate from time to time with the shipping lines to get the exact location of the shipped goods on the way to the final destination.
8. One of our representatives is permanently posted in Chittagong to monitor the goods until they ship to the destination.
Procedure for checking discrepancies in shipment documents.
Lenny Fashions Ltd. is one of the largest and most prominent garment manufacturers in Bangladesh. We have a separate commercial department to arrange and prepare the shipping documents for smooth shipment of goods to our buyers.
Our commercial department checks all relevant shipping documents against a checklist before shipment of goods.
We follow the procedure below to prepare the shipping documents at the different stages:
1. When goods are ready for shipment, we immediately contact the buyer’s nominated forwarder to get the booking confirmation and stuffing details. On that basis we start preparing the shipping documents.
2. Goods are sent to the forwarder along with the invoice and packing list signed by our Commercial Manager.
3. The commercial invoice, final packing list, multiple country declaration, manufacturer’s certificate, certificate of origin, wearing apparel details and bill of lading are prepared and sent to the forwarder. These documents are checked and signed by our Commercial Manager.
4. Before sending the above documents to the forwarder, our commercial staff in charge of export check and verify the documents against a set checklist (if a specific buyer has its own checklist, that is also adhered to); the checklist carries the concerned person’s signature for the accuracy of the documents. If they find any discrepancy in the documents, they bring it to the notice of the concerned staff for correction or rectification. Only then are the documents put to the Commercial Manager for final checking and signature. The Commercial Manager signs only when he finds no discrepancy in the prepared documents.
5. Corrected and verified documents are then sent to the forwarder. If the forwarder finds any discrepancy in the shipping documents, they immediately bring it to the notice of the Commercial Manager.
Policy for handling of suspected or illegal activities
At present, the garment sector is the backbone of Bangladesh, and Lenny Fashions Ltd. is one of the largest exporters in this sector. So we are very much aware of the need to tackle any kind of destructive situation as well as illegal activities. Naturally, we have to remain more cautious to overcome any unexpected situation.
Therefore the following procedure regarding suspected and illegal activities is to be followed:
1. All security posts remain alert round the clock for inside and perimeter security so that they can identify any suspicious person or movement.
2. Nobody is allowed inside without proper identification.
3. All workers have been instructed to inform the admin department or security quickly of any suspected incident or suspicious person.
4. If any suspicious person is found inside the factory:
a. He will be questioned by the company security guard and the administration department. Unauthorized persons will be detained for further action.
b. Unauthorized persons shall be handed over to DEPZ security or the police with the valid reason.
c. A general diary entry is to be made at the local police station.
5. If any suspicious material is detected:
a. Initially the material will be cordoned off by our own security force until a competent representative of DEPZ or the local police authority arrives, so that nobody can come across it.
b. DEPZ security and the local police station should be informed as soon as possible.
c. All employees are to be moved from that particular place to a safe area.
d. The material is to be handed over to the local police in the presence of the DEPZ authority.
e. A general diary entry is to be made at the local police station.
Procedure for surprise check / unannounced audit.
The factory authority adopts appropriate measures to ensure a good standard of security in all the vulnerable places in the factory. To verify the adopted measures, the responsible persons of the administration and personnel departments, on instruction from higher authority, undertake the activities mentioned below:
1. (a) A surprise security team is formed to undertake spot checks wherever any activity against the security of any area of the factory is suspected. This includes identity checks in different workplaces, staircases and gates.
(b) Checking any section to see whether only authorized persons are working.
(c) Checking whether any person has disappeared without permission for a considerable time.
(d) Observing closely any interaction and discussion not concerned with production.
(e) Checking ID cards for any unauthorized persons.
Assure Quality & JIT: Our Production Technical Team visits the factory before sub-contracting to assure quality production and the capacity to deliver JIT.
Commercial Contract: All sub-contract activities are commercially based. No verbal agreement is valid.
Delivery & Receiving: All delivery and receiving processes go through physical counting, gate pass and challan with valid signature.
Transport: We use our nominated transport.
Procedure for locking covered vans
As a 100% export-oriented garment industry, Lenny Fashions Ltd. maintains covered van locking arrangements and procedures to meet different types of business needs.
After getting approval for loading cartons for shipment, the store team should physically count the cartons to be loaded.
After counting, comparing and confirming against the commercial invoice, the cartons should be loaded into the covered vans.
A delivery challan and gate pass should be made per truck for each shipment, signed by the company, by security and by the van driver (on behalf of the C&F agent).
After loading a shipment into a truck at the factory, the C&F agent and truck driver are responsible for handing over the shipment to the buyer’s forwarder.
The shipment truck/van should be locked and sealed by security in front of the truck driver, the store person and the commercial person.
If the seal is found broken before hand-over to the buyer’s forwarder, the buyer’s forwarder will not accept the shipment/goods on the truck and should inform the commercial personnel and factory management of the incident immediately.
Policy for affixing, replacing, recording and tracking seals placed in control
As a 100% export-oriented garment industry, Lenny Fashions Ltd. maintains the following policy for affixing, replacing, recording and tracking seals.
After getting approval for loading cartons for shipment, the store team should physically count the cartons to be loaded.
After counting, comparing and confirming against the commercial invoice, the cartons should be loaded into the covered vans.
A delivery challan and gate pass should be made per truck for each shipment. It should carry the signature of the store person (on behalf of the company), of security and of the van driver.
After loading a shipment into a truck at the factory, the C&F agent and truck driver are responsible for handing over the shipment to the buyer’s forwarder.
Affixing:
The shipment truck/van should be locked and sealed by security in front of the truck driver, the store person and the commercial person.
If the seal is found broken before hand-over to the buyer’s forwarder, the buyer’s forwarder will not accept the shipment/goods on the truck and should inform the commercial personnel and factory management of the incident immediately.
Replacing & Tracking:
The seal may be broken, damaged or opened in transit for various reasons or in various ways: police checks, natural disaster, accidents, theft, etc.
If such circumstances arise, the C&F agent must inform the factory, stating the reason why the seal was broken, damaged or opened.
The commercial department sends a person with a new seal to the place to replace the seal. The goods should be off-loaded, recounted and loaded again in front of him before hand-over to the buyer’s forwarder.
If any illegal activity regarding a shipment is detected or suspected outside the premises, Lenny will inform the buyer’s forwarder, and the buyer as well if required. Lenny is determined to take the help of the law enforcement agency as well.
If any illegal activity in any form is detected or suspected inside the premises, the Admin department reports to top management accordingly and records such activities. Lenny is determined to take the help of the law enforcement agency as well.
Security Guidelines for IT Department
1. Password logon is set up to control employees’ access to the network and sensitive information
2. Conduct periodic internal audits of the IT system
3. Employees are required to change passwords on a regular basis
4. A system is in place to identify abuse of IT, including improper access, tampering or altering of business data
5. All system violators are subject to appropriate disciplinary action for abuse.
6. All system violators must be reported to management and recorded. All records should be kept for at least 12 months
7. All illegal activities must be reported to management and the police.
5. Employees are responsible for keeping and storing their tools properly before going off duty. If any tools are lost, this should be reported to the Department Head immediately.
6. Employees must not take away any of the factory’s property or goods when they leave the factory. If found doing so, the employee will be treated as stealing and handed over to the police.
7. Before going off duty, each Department Head and the security guard conduct a patrol inspection of the workshop to ensure that there is no illegal object in the workshop, and then the security guard locks up all windows and doors.
IT Policy for Lenny Fashions Ltd.
Contents
1. Introduction
1.1 Scope
1.2 Objectives
2. Physical Security
2.1.2 Environmental
2.2 Physical Security Guideline for Data Center
2.2.1 Data Center Access
2.2.2 Environmental
2.3.2 Environmental
2.4 Physical Security for Desktop and Laptop Computers
2.5 Physical Security for Other Systems and Devices
3. Information Security Standard
3.2 Network Security
3.2.1 Network Security
3.2.2 Firewall
4. Mail Management
Lenny Fashion’s MIS team has prepared this IT Policy as a guideline for Information & Communication Technology (ICT) for the company, to be used as a minimum requirement and as appropriate to the level of computerization of its operations.
1.1 Scope
This IT Policy is a systematic approach to the policies required to be formulated for IT and to ensure the security of information and information systems. This Guideline covers all information that is electronically generated, received, stored, printed, scanned, and typed. The provisions of this Guideline apply to:
• Lenny Fashions Ltd. for all of their IT systems
• All activities and operations required to ensure data security including facility design,
physical security, network security, disaster recovery and business continuity planning, use
of hardware and software, data disposal, and protection of copyrights and other intellectual
property rights
1.2 Objectives
This Guideline defines the minimum requirements to which the IT department must adhere.
The primary objectives of the Guideline are:
a) To establish a standard IT Policy and IT Management
b) To help the company achieve a secure and stable setup of its IT platform
c) To establish a secure environment for the processing of data
d) To identify information security risks and their management
e) To communicate the responsibilities for the protection of information
f) To prioritize the information and information systems that are to be protected
g) User awareness and training regarding information security
h) A procedure for periodic review of the policy and security measures
2. Physical Security
Lenny requires that sound business and management practices be implemented in the
workplace to ensure that information and technology resources are properly protected. It is
the responsibility of each department to protect technology resources from unauthorized
access, from both the physical hardware and the data perspective. Effective security of
assets in the workplace is a responsibility held jointly by management and employees.
Physical security involves providing environmental safeguards as well as controlling
physical access to equipment and data. The following safeguards are believed to be
practical, reasonable and reflective of sound business practices.
2.1 Physical Security Guideline for Server Room
2.1.1 Server Room Access
a) The server room must have a glass enclosure with lock and key, the key being held by a
responsible person of the Branch.
b) Physical access must be restricted, and a visitors' log for the server room must exist and
be maintained.
c) An access authorization list must be maintained and reviewed on a regular basis.
2.1.2 Environmental
a) Desktop screens must be locked, and the server must have a password-protected screen
saver that activates after 10 seconds.
b) The administrative passwords of the operating system and database should be written
down, sealed in an envelope and kept in a vault.
c) A user creation request form should be maintained.
d) Provision should exist to replace the server in the quickest possible time in case of any
disaster.
e) The server room should be air-conditioned.
f) A power generator should be in place to continue operations in case of power failure.
g) A UPS should be in place to provide uninterrupted power to the server during a power
failure.
h) Proper attention must be given to avoid overloading electrical outlets with too many devices.
2.1.3 Fire Protection
a) A channel along the wall is to be prepared so that all cabling sits in a neat and safe
position, with the layout of power supply and data cables documented.
b) A fire extinguisher must be placed outside the server room. It must be maintained and
reviewed on an annual basis.
c) Proper earthing of the electrical installation is to be ensured.
2.2 Physical Security Guideline for Data Center
2.2.1 Data Center Access
a) The Data Centre must be a restricted area; unauthorized access is prohibited.
b) The number of entrances into the Data Centre should be limited, locked and secured.
c) Access authorization procedures should exist and apply to all persons (e.g. employees
and vendors). Unauthorized individuals and cleaning crews must be escorted during their
stay in the Data Centre.
d) The company should maintain an Access Authorization list documenting the individuals
authorized to access the Data Centre, reviewed and updated periodically.
e) An access log with date and time should be maintained, documenting the individuals who
have accessed the Data Centre.
f) A visitor log should exist and be maintained.
g) A security guard should be available 24 hours a day.
h) An emergency exit door should be available.
2.2.2 Environmental
a) Sufficient documentation is required regarding the physical layout of the Data Centre.
b) Documentation of the layout of the Data Centre's power supplies and network
connectivity is to be prepared.
c) Floors are to be raised with removable square blocks, or a channel along the wall is to be
prepared, so that all data and power cabling is kept in a neat and safe position.
d) Accessories not related to the Data Centre must not be stored in it.
e) Closed-circuit television (CCTV) cameras are required and must be monitored.
f) The Data Centre must display a "No eating, drinking or smoking" sign.
g) Vehicles for emergency purposes should always be available on site.
h) Addresses and telephone or mobile numbers of all contact persons (e.g. fire service,
police station, service providers, vendors and all IT personnel) should be available to cope
with any emergency situation.
i) Proper attention must be given to avoid overloading electrical outlets with too many
devices. Proper and practical usage of extension cords should be reviewed annually in the
office environment.
j) The following environmental controls are to be installed:
i. Uninterruptible power supply (UPS) with backup units
ii. Backup power supply
iii. Temperature and humidity measuring devices
iv. Air conditioners with backup units
v. Water leakage precautions and a drainage system for air conditioner condensate
vi. Emergency power cut-off switches
vii. Emergency lighting
viii. Dehumidifier
2.2.3 Fire Prevention
a) The Data Centre walls, ceiling and door should be fire resistant.
b) Fire suppression equipment should be installed.
c) Procedures must exist for raising the immediate alarm of a fire and reporting it to the
fire service; they must be tested periodically.
d) There should be fire detectors below the raised floor, if the floor is raised.
e) Electric cables in the Data Centre must be of good quality and concealed.
f) Flammable items must not be kept in the Data Centre.
2.4 Physical Security for Desktop and Laptop Computers
g) Laptop computers actively connected to the network or information systems must not be
left unattended.
h) Laptop computers, computer media and any other form of removable storage (e.g.
diskettes, CD-ROMs, zip disks, PDAs, flash drives) shall be stored in a secure location or
locked cabinet when not in use.
i) Other information storage media containing confidential data, such as paper, files, tapes,
etc., shall be stored in a secure location or locked cabinet when not in use.
j) Individual users shall not install or download software applications and/or executable
files to any desktop or laptop computer without prior authorization.
k) Desktop and laptop computer users shall not write, compile, copy, knowingly propagate,
execute, or attempt to introduce any computer code designed to self-replicate, damage, or
otherwise hinder the performance of any computer system (e.g. virus, worm, Trojan, etc.).
l) Any kind of virus should be reported immediately.
m) Viruses shall not be deleted without expert assistance unless instructed by the IT
department.
n) User identification (name) and authentication (password) shall be required to access all
desktop and laptop computers whenever they are turned on or restarted.
o) Standard virus detection software must be installed on all desktop and laptop
computers, mobile and remote devices, and shall be configured to check files when read
and to routinely scan the system for viruses.
p) Desktop and laptop computers shall be configured to log all significant security-relevant
events (e.g. password guessing, unauthorized access attempts, or modifications to
applications or system software).
q) During holidays, computers should be removed from the floor and kept away from windows.
2.5 Physical Security for Other Systems and Devices
a) All such devices should be locked and secured by password, PIN or some kind of
physical attachment.
b) Devices connected through the LAN should have their access restricted through DNS
access control rules or other means.
c) Devices that use the WAN should sit behind the firewall. For these devices there should
be specific firewall rules that are carefully set and monitored from time to time.
d) The output of these devices should go only to authenticated employees of the company.
e) Whether the output of these devices is reaching the proper hands should be monitored
and documented from time to time.
3. Information Security Standard
The objective of this part is to specify the Information Security Policies and Standards to be
adopted by all departments of Lenny Fashions Ltd. that use Information Technology (IT) for
service delivery and data processing. It covers the basic and general information security
controls applicable to all functional groups of the business, to ensure that information
assets are protected against risk.
3.1 Access Control for Information Systems
3.1.1 Password Control
a) The password definition parameters must enforce the minimum password length specified
in the company's IT security policy (at least 6 characters, a combination of uppercase or
lowercase letters and numbers).
b) The maximum validity period of a password must not exceed the number of days
permitted in the company's IT security policy (a 30-day cycle at most).
c) The parameter controlling the maximum number of invalid logon attempts must be set in
the system according to the IT security policy (3 consecutive attempts).
d) Password history must be enabled in the system so that a previous password can be
reused only after at least 4 password changes.
e) Password entries must be masked.
f) The allowable terminal inactivity time for users should be set in accordance with the
company's policy.
g) An operating time schedule for users is to be defined where necessary.
h) Sensitive passwords have to be preserved in a sealed envelope, with movement records,
for use in case of emergency.
i) An audit trail should be available to review user profiles for maintenance purposes.
3.1.2 User ID Maintenance
a) Each user must have a unique User ID and a valid password.
b) The User ID will be locked after 3 unsuccessful log-in attempts.
c) A control must exist to ensure that the User ID and password are not the same.
d) The User ID Maintenance Form, including access privileges, must be duly approved by
the appropriate authority.
e) Access privileges must be changed or locked within 24 hours when a user's status
changes or the user leaves the office.
3.1.3 Security Seals
a) A valid and authorized User ID and password are mandatory to access any system in the
company.
b) A detailed profile must be kept for every User ID.
c) Every logon attempt must be kept in the history for future reference.
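The controls in 3.1.1 to 3.1.3 reduce to a handful of parameters and checks, and it is worth seeing them enforced together: complexity and no-reuse on password change, expiry and lockout on logon, and one history entry for every attempt. The Python below is an added illustration written for this edition; it is not Lenny Fashions' software and not the behaviour of any product named in the policy. The constants reproduce the policy's values (6 characters, 30 days, 3 attempts, 4 remembered passwords); the `Account` class, the PBKDF2 hashing, the `set_password`/`logon` names, the sample clock `T0` and the sample users are the example's own assumptions. Keeping the parameters in one place is also what makes them easy to raise when the policy is revised; a 6-character minimum is below the 8-character floor that current guidance such as NIST SP 800-63B sets.

```python
"""Added example: the 3.1.1 password parameters, the 3.1.2 lockout rule and the
3.1.3 logon history as working code.  Constructed illustration, not Lenny
Fashions' software; the class and function names are the example's own."""
import hashlib
import os
from datetime import datetime, timedelta

# Parameters exactly as the policy states them (3.1.1 a-d, 3.1.2 b)
MIN_LENGTH = 6        # at least 6 characters
MAX_AGE_DAYS = 30     # 30-day password cycle
MAX_FAILURES = 3      # lock the User ID after 3 consecutive failed logons
HISTORY_SIZE = 4      # the last 4 passwords cannot be reused

T0 = datetime(2024, 1, 1, 8, 0)   # constructed clock for the sample run
DAY = timedelta(days=1)


def _digest(password, salt):
    # PBKDF2 is an assumption of the example; the policy only requires masking
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def complexity_ok(user_id, password):
    """3.1.1 a) length and character mix; 3.1.2 c) password must differ from User ID."""
    return (len(password) >= MIN_LENGTH
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and password.lower() != user_id.lower())


class Account:
    def __init__(self, user_id, password, now=T0):
        self.user_id = user_id
        self.history = []       # (salt, digest) of the last HISTORY_SIZE passwords
        self.failures = 0
        self.locked = False
        self.changed_at = now
        self.audit = []         # 3.1.3 c): every logon attempt, good or bad
        if not self.set_password(password, now):
            raise ValueError("initial password violates policy")

    def set_password(self, password, now):
        if not complexity_ok(self.user_id, password):
            return False
        # 3.1.1 d): refuse any of the HISTORY_SIZE most recent passwords
        if any(_digest(password, salt) == digest for salt, digest in self.history):
            return False
        salt = os.urandom(16)
        self.history.append((salt, _digest(password, salt)))
        self.history = self.history[-HISTORY_SIZE:]
        self.changed_at = now
        return True

    def logon(self, password, now):
        """Returns 'ok', 'expired', 'bad' or 'locked'; records the attempt either way."""
        if self.locked:
            result = "locked"
        else:
            salt, digest = self.history[-1]
            if _digest(password, salt) == digest:
                self.failures = 0
                # 3.1.1 b): a password older than the cycle must be changed first
                expired = now - self.changed_at > timedelta(days=MAX_AGE_DAYS)
                result = "expired" if expired else "ok"
            else:
                self.failures += 1
                # 3.1.2 b): the third consecutive failure locks the User ID
                if self.failures >= MAX_FAILURES:
                    self.locked = True
                result = "bad"
        self.audit.append((now, self.user_id, result))
        return result


if __name__ == "__main__":
    acct = Account("jsmith", "Summer2024")
    for guess in ("wrong1", "wrong2", "wrong3", "Summer2024"):
        print(guess, "->", acct.logon(guess, T0))
    for entry in acct.audit:
        print(entry)
```

Note that an attempt against a locked account is still appended to `audit`: the history required by 3.1.3 c) must include the attempts that were refused, since those are the ones a reviewer of the audit trail (3.1.1 i) is looking for.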
3.2 Network Security
a) All Internet access for PCs connected to the network should be routed through a firewall.
b) Illegal, irrelevant and harmful traffic should not be routed.
c) No user should use a personal e-mail or web-mail account without the authorization of
the network administrator.
d) Users with web browsing should not try to access unnecessary or irrelevant web sites.
e) Users with web browsing should not download any file, software or shortcut without the
authorization of the network administrator.
4. Mail Management
Administrator Level Duties:
a) The mail server or Exchange server should be password protected.
b) Every email ID should be password protected and used by one user only.
c) In the case of a group email ID, user access should be limited by the system administrator.
d) Mail databases should be backed up periodically.
e) Proper documentation should be maintained when creating, altering or granting access
permission to any group email ID.
f) Virus protection should be ensured, and blacklisted IDs and domains should be regularly
maintained.
g) Only the administrator should have permission to delete mail.
User Level Duties:
a) Mail users should not misuse the email account for personal or any other reasons.
b) Users should not open junk mail.
c) Users should not execute any file sent by an unknown user or in an unknown file format.
d) Users should not send the same mail to more than 20 users at a time.
e) Users should check the recipient list of every mail properly to protect secured data from
unwanted recipients.
f) Users should not send unnecessary and unwanted attachments.
g) Users should hand over their User ID and password to the department head or mail
administrator when leaving the company or going on holiday.
5. Application and Database Software
Lenny Fashions Ltd. has an expert team to develop customized software in-house, but most
of the software and systems are outsourced according to the needs of the company and the
requirements of the buyers. The IT policy enforces the following rules for using outsourced
systems and software:
a) The company must use original software.
b) Licenses must be renewed on time to maintain performance, security and stakeholders'
interests.
The IT policies of the company limit employee access to the company's information by
User ID and password. Every User ID is governed by a customized authentication level,
which is controlled by the IT administrators and each department's head.
User access and authentication control is fully automated by the application software,
database administration and the domain name system.
Administrator Level Duties:
a) User creation and access authentication should follow the application and department
rules.
b) Every user should have a unique, password-protected User ID.
User Level Duties:
a) Users must not share their User ID and password with others.
b) Departmental superiors should not recommend excessive access for any user.
c) Any kind of error or failure should be reported to the application administrator.
Security Seals for Application Users:
a) A valid and authorized User ID and password are mandatory to access any system in the
company.
b) A detailed profile must be kept for every User ID.
c) Every application should stamp every activity in the database with the User ID that
performed it.
Shipping Documents, Forms and Data:
1. Shipping forms, documents and data should be handled only by authenticated users and
employees.
2. Data manipulation, form filling and document printing should be done only by a valid
and active user.
3. Shipping documents should be printed only on a separate printer to which unauthorized
employees have no access.
4. Printed documents, forms, etc. should be handled only by authenticated employees, kept
in a secured, separate place and shredded after use.
Adjust or Rescind User Access:
1. The company should have a procedure to adjust or rescind user access to the applications.
2. Every department should review its departmental organogram every month and update
everybody's access permissions.
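The monthly organogram review above, together with the 24-hour rule in 3.1.2 e) and the "no excessive access" duty in section 5, is in practice a reconciliation of the HR roster against the application's account export. The Python below is an added example for this edition, not the company's own tooling or the application's API: the roster and account rows, the `ENTITLEMENTS` table mapping a department and role to the privileges it may hold, the privilege names and the four finding categories are all constructed assumptions.

```python
"""Added example: the monthly access review from 'Adjust or Rescind User Access',
checked against the 24-hour revocation rule of 3.1.2 e).  Constructed
illustration, not Lenny Fashions' own tooling."""
from datetime import datetime, timedelta

REVOKE_WITHIN = timedelta(hours=24)   # 3.1.2 e): lock or change access within 24 hours

# Assumed entitlement table: what each (department, role) may hold in the
# shipping application.  The privilege names are invented for the example.
ENTITLEMENTS = {
    ("Shipping", "clerk"): {"shipping_docs_read", "shipping_docs_print"},
    ("Shipping", "head"): {"shipping_docs_read", "shipping_docs_print",
                           "shipping_docs_edit", "user_approve"},
    ("Merchandising", "clerk"): {"orders_read"},
}


def review_access(roster, accounts, now):
    """roster: organogram rows from the department head
         {user_id, dept, role, status, status_changed}
       accounts: rows exported from the application
         {user_id, enabled, privileges}
       Returns findings by category, in account-export order."""
    findings = {"disable": [], "overdue": [], "excessive": [], "orphan": []}
    people = {r["user_id"]: r for r in roster}
    for acct in accounts:
        uid = acct["user_id"]
        person = people.get(uid)
        if person is None:
            # account with nobody on the organogram: rescind it
            findings["orphan"].append(uid)
            continue
        if person["status"] != "active":
            if acct["enabled"]:
                findings["disable"].append(uid)
                if now - person["status_changed"] > REVOKE_WITHIN:
                    findings["overdue"].append(uid)   # 24-hour rule already breached
            continue
        allowed = ENTITLEMENTS.get((person["dept"], person["role"]), set())
        extra = set(acct["privileges"]) - allowed
        if extra:
            # more than the role entitles: the 'excessive access' case of section 5
            findings["excessive"].append((uid, sorted(extra)))
    return findings


def run_sample():
    """Constructed roster and account export (all names and rows invented)."""
    now = datetime(2024, 4, 1, 9, 0)
    roster = [
        {"user_id": "rahim", "dept": "Shipping", "role": "clerk",
         "status": "active", "status_changed": now - timedelta(days=400)},
        {"user_id": "karim", "dept": "Shipping", "role": "head",
         "status": "active", "status_changed": now - timedelta(days=900)},
        {"user_id": "farida", "dept": "Merchandising", "role": "clerk",
         "status": "left", "status_changed": now - timedelta(days=3)},
        {"user_id": "nasir", "dept": "Shipping", "role": "clerk",
         "status": "suspended", "status_changed": now - timedelta(hours=2)},
    ]
    accounts = [
        {"user_id": "rahim", "enabled": True,
         "privileges": ["shipping_docs_read", "shipping_docs_print", "shipping_docs_edit"]},
        {"user_id": "karim", "enabled": True,
         "privileges": ["shipping_docs_read", "shipping_docs_print",
                        "shipping_docs_edit", "user_approve"]},
        {"user_id": "farida", "enabled": True, "privileges": ["orders_read"]},
        {"user_id": "nasir", "enabled": True, "privileges": ["shipping_docs_read"]},
        {"user_id": "temp01", "enabled": True, "privileges": ["shipping_docs_print"]},
    ]
    return review_access(roster, accounts, now)


if __name__ == "__main__":
    for category, items in run_sample().items():
        print(category, items)
```

The "overdue" list is the one to escalate: a leaver whose account is still enabled three days after the status change is a breach of 3.1.2 e), whereas the suspension two hours ago is still inside the window and simply needs actioning today. Running the same comparison monthly, as the policy requires, also surfaces accounts with no owner on the organogram, which a review of privileges alone would miss.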
6. Business Continuity and Disaster Recovery Plan
recovery plan. The BCP should take into account the backup and recovery process. Keeping
this in mind, this part covers the BCP, the Disaster Recovery Plan and the Backup / Restore
plan.
6.1 Business Continuity Plan (BCP)
a) There must be a Business Continuity Plan for IT in place, in line with the business.
b) All documents related to the business continuity and disaster recovery plan must be kept
in a safe and secured off-site location. One copy can be stored in the office for ready reference.
c) The BCP must contain the following:
i. Action plans for i) a disaster during office hours, ii) a disaster outside office hours, and
iii) immediate and long-term action in line with the business
ii. Emergency contacts, addresses and phone numbers, including vendors
iii. A grab list of items such as backup tapes, laptops, etc.
iv. Disaster recovery site map
d) The BCP must be reviewed at least once a year.
6.2 Disaster Recovery Plan (DRP)
a) A Disaster Recovery Site (DRS) replicating the Data Center (production site) must be in
place.
b) The DR site must be at least 10 kilometres (radius) from the production site.
c) The DR site must be equipped with compatible hardware and telecommunications
equipment to support the live systems in the event of a disaster.
d) Physical and environmental security at the DR site must be appropriate.
e) Information security must be properly maintained throughout the DR recovery and
failback process.
f) An up-to-date and tested copy of the DR plan must be securely held off-site. DR plans
must exist for all critical services where the DR requirement has been agreed with the business.
g) A DR test must be successfully carried out at least once a year.
h) DR test documentation should include at a minimum:
i. Scope: defines the scope of the planned tests and the expected success criteria
ii. Plan: detailed actions with a timetable
iii. Test results
6.3 Backup / Restore
a) There must be a documented backup procedure.
b) Backup copies of information must be stored off-site in a geographically separate and
safe environment.
c) At least one backup copy must be kept on-site for time-critical delivery.
d) The backup cycle is based on the following:
i. At least a 6-day (weekly) daily cycle
ii. At least a 6-month monthly cycle
iii. At least a 1-year yearly cycle
e) The backup media must be sent off-site immediately after the backups have been taken.
f) A backup log sheet must be maintained, checked and signed by a supervisor.
g) A backup inventory must be maintained, checked and signed by a supervisor.
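The three cycles in 6.3 d) describe a grandfather-father-son rotation, and the question that the backup inventory in 6.3 g) has to answer every day is which media may be recycled and which must be held. The Python below is an added example for this edition, not the company's own tool or procedure: it interprets "6-day daily" as the six most recent sets, "6-month monthly" as the last set taken in each of the six most recent months, and "1-year yearly" as the last set of the most recent completed year, and it picks the newest retained set as the on-site copy of 6.3 c). The working-day schedule, the date range and the function names are the example's assumptions.

```python
"""Added example: a retention calculator for the 6.3 d) backup cycle
(6-day daily, 6-month monthly, 1-year yearly), with the on-site copy of
6.3 c) picked out.  Constructed illustration, not the company's own tool."""
from datetime import date, timedelta

DAILY_KEEP = 6      # 6.3 d) i.: six-day (working week) daily cycle
MONTHLY_KEEP = 6    # 6.3 d) ii.: six-month monthly cycle
YEARLY_KEEP = 1     # 6.3 d) iii.: one-year yearly cycle


def retained(backups):
    """backups: dates on which a full backup set was taken.
    Returns {date: cycle} for every set that must still be held; a set that
    qualifies under several cycles is labelled with the longest-lived one."""
    taken = sorted(set(backups))
    if not taken:
        return {}
    keep = {}
    # yearly: the last set of each completed year, for the YEARLY_KEEP most recent years
    current_year = taken[-1].year
    years = {}
    for d in taken:
        if d.year < current_year:
            years[d.year] = d            # sorted input, so the year's last set wins
    for y in sorted(years)[-YEARLY_KEEP:]:
        keep.setdefault(years[y], "yearly")
    # monthly: the last set taken in each of the MONTHLY_KEEP most recent months
    months = {}
    for d in taken:
        months[(d.year, d.month)] = d
    for key in sorted(months)[-MONTHLY_KEEP:]:
        keep.setdefault(months[key], "monthly")
    # daily: the DAILY_KEEP most recent sets
    for d in taken[-DAILY_KEEP:]:
        keep.setdefault(d, "daily")
    return keep


def rotation_plan(backups):
    """Returns (sets to keep, media that may be recycled, set kept on-site)."""
    keep = retained(backups)
    recycle = [d for d in sorted(set(backups)) if d not in keep]
    # 6.3 c): the newest retained set stays on-site for time-critical restores;
    # every other retained set goes off-site (6.3 b and e)
    on_site = max(keep) if keep else None
    return keep, recycle, on_site


def sample_backups():
    """Constructed sample: one set per working day (Monday to Saturday)
    from 2022-10-03 to 2024-03-30."""
    d, end, out = date(2022, 10, 3), date(2024, 3, 30), []
    while d <= end:
        if d.weekday() != 6:              # no set on Sundays
            out.append(d)
        d += timedelta(days=1)
    return out


if __name__ == "__main__":
    keep, recycle, on_site = rotation_plan(sample_backups())
    for d in sorted(keep):
        print(d, keep[d], "(on-site)" if d == on_site else "(off-site)")
    print(len(recycle), "sets may be recycled")
```

On the constructed schedule the plan holds eleven sets: the last set of 2023 (taken on Saturday 30 December, because 31 December was a Sunday), the month-end sets from October 2023 to March 2024, and the five most recent working days before the month-end. Every other set may be recycled, which is the list the supervisor signs off against in the backup inventory; the cycle lengths live in three constants so that a longer retention requirement from a buyer is a one-line change.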
i. Pricing.
ii. Measurable service/deliverables
iii. Timing/schedules, i.e. service levels
iv. Confidentiality clause
v. Contact person names (on daily operations and relationship levels)
vi. Roles and responsibilities of contracting parties, including an escalation matrix
vii. Renewal period
viii. Modification clause