
Arif Habib Investment Management Ltd IT Infrastructure

Arif Habib Investments



Document Version 1.0











Information Technology Policies and Procedures





Made by
I.T AHIML
















Table of Contents

1 Software Development, Usage & Maintenance Policy
1.1 Objective
1.2 Scope
1.3 Policy
2 Software License Policy
2.1 Objective
2.2 Scope
2.3 Policy
3 Web Development and Maintenance Policy
3.1 Objective
3.2 Scope
3.3 Policy
4 Training and Skill Development Policy
4.1 Objective
4.2 Scope
4.3 Policy
5 Hardware Purchasing & Maintenance Policy
5.1 Objective
5.2 Scope
5.3 Policy
5.3.1 Purchasing of Equipments
5.3.2 Maintenance of Hardware
5.3.3 Problem Shooting
6 User Account Policy
6.1 Objective
6.2 Scope
6.3 Policy
6.3.1 User Account Creation
6.3.2 Change in Access Rights
6.3.3 User Account Removal, Lock-Out and Password Reset
7 IT Infrastructure Resources Usage Policy
7.1 Objective
7.2 Scope
7.3 Policy
8 Help Desk Policy
8.1 Objective
8.2 Scope
8.3 Policy
9 Desktop Usage Policy
9.1 Objective
9.2 Scope
9.3 Policy
9.3.1 General Desktop Usage
9.3.2 Domain and Network Usage
9.3.3 Antivirus
9.3.4 Network/Dialup connectivity
9.3.5 Operating System(s)
9.3.6 File System Security / Permissions / Local Sharing
9.3.7 Removable Devices/Peripherals
9.3.8 Password
10 Email Usage
10.1 Objective
10.2 Scope
10.3 Procedure
10.3.1 Company Property
10.3.2 Access
10.3.3 Authorized Usage
10.3.4 User Accountability
10.3.5 Signature and Scanning
11 Network and Physical Security Policy
11.1 Objective
11.2 Scope
11.3 Policy
11.3.1 Network Security
11.3.2 Physical Security
12 Internet Usage Policy
12.1 Objective
12.2 Scope
12.3 Policy





















1 Software Development, Usage & Maintenance Policy
1.1 Objective
To develop state-of-the-art, integrated software for the achievement of the core
business objectives and to help enhance the efficiency, competence and productivity
of the organization.
1.2 Scope
This policy document:
1. Outlines the acceptable use of software in AHIML computer environment.
2. Assigns roles and responsibilities to employees to ensure compliance with the
policy.
1.3 Policy
1. AHIML's main focus is to refine its strategies and to develop a more dynamic,
smart and creative business plan. Therefore the company will not concentrate
much on developing in-house software, and shall outsource all main core
applications.
2. The company always prefers software developed by a reputable software house
that has backup support for troubleshooting.
3. Only those applications that play a vital role in promoting business and are not
easily available in the market will be developed in-house.
4. The Registrar, Operations department, Marketing department and Asset
Management department shall use the software and shall have access facility for
Trustee and Distribution companies.
5. The arrangement for maintenance of software shall be made with the developers
of the software. No staff member shall enter into software code in any case.
6. Any new software requirement or change in the existing software or any report
required from existing software shall be forwarded to the IT department via a change
request form or through email. The IT department shall evaluate the requirement and
forward its recommendations for necessary approval, and then it shall be
forwarded to the software vendor for further action.
7. Before any updation in core business applications, proper testing shall be
conducted in a test environment to avoid any accidental change.
8. Whenever software development takes place (both in-house and outsourced),
the Project Manager shall ensure that only licensed software is used for
development.
9. For any updation by the vendor at the Registrar's server, dual approval shall be
required from higher management in the form of a letter or email. A proper log of all
updates made by the vendor in software application(s) shall be maintained by the IT
department.
2 Software License Policy
2.1 Objective
To identify and manage software assets and to encourage and promote licensed
software usage within the organization. This ensures software support from vendors and
avoids any bad reputation arising from legal action in case of non-compliance.
2.2 Scope
This policy document:
1. Outlines the acceptable use of software in AHIML computer environment.
2. Assigns roles and responsibilities to employees to ensure compliance with the
policy.
2.3 Policy
1. AHIML shall use only licensed software and applications and adhere to the
license agreements. Use of unlicensed software is strictly prohibited.
2. All software license purchases shall be made in the name of AHIML and not in
any individual's name.
3. Any duplication of copyrighted software, except for backup and archival purposes,
shall not be allowed. The IT dept shall ensure that copyright laws are not violated.
4. For licensed software acquired from third-parties (including authorized dealers
and software developers), it shall be ensured that the third party is capable of
validating, protecting and maintaining the software license rights.
5. All PCs and servers shall be periodically checked by the I.T dept to detect any
unlicensed software.
6. Systems administrator shall maintain a list of software according to their license
agreements i.e. either 'perpetual' or 'term license'. Whenever new software is
purchased it shall be added to the list.
7. The list of software under term license agreement shall be reviewed on a regular
basis by Systems administrator. Systems administrator shall inform Head of IT of
those software agreements that will expire in the coming month. These shall then
be renewed immediately otherwise the software shall be removed from the
computers.
8. The software license list maintained by the Systems administrator shall contain
the number of users supported by the agreement (number of copies purchased).
9. Users shall not be allowed to install software on their own. The administrator shall
restrict users' access rights for this purpose.
10. The original copies of all the software shall be kept in a secure and locked
location. Only the IT Head or any person designated by him shall have access to
it.
11. Whenever a user needs software, he/she shall request IT dept for the software via
I.T access form or through email.

3 Web Development and Maintenance Policy
3.1 Objective
To develop a comprehensive official website that provides a detailed review of the
company and its products and a helpful guide for various kinds of investors.
3.2 Scope
This policy document:
1- Depicts the acceptable use of resources access.
2- Outlines the roles and responsibility of end users, Departmental Heads and IT
Department necessary for effective implementation of the policy.
3- Assigns responsibilities for website updation and maintenance.
3.3 Policy
1. The company's website shall be updated on a regular basis, i.e. unit sale and
redemption prices, the company's financial account, monthly fund manager reports,
updation of clients' accounts to see the performance of funds and check their
account status through email, articles on investments written by investment
professionals of the company, research material and other related material.
2. The departments shall forward their material to IT department for updating the
website through email. The IT department shall ensure that the material issued by
the department is posted on the website within reasonable time.
3. To ensure stability, any web page utilizing dynamic content, programming or
designing must be tested on AHIML local server prior to posting to AHIML live
web server.
4. The company's website shall be maintained in-house due to rapid changes and
on-time updation.
5. The in-charge web development shall review and monitor the performance of the
company's website. If any difficulty in connectivity of the website is noted, it
should be brought to the knowledge of the service provider.
6. The in-charge web development shall maintain a proper log of all
changes/updations on the website. Only the in-charge web development is allowed to
upload to and maintain the live web server.
7. Website will be reviewed annually for revision altogether.

4 Training and Skill Development Policy
4.1 Objective
AHIML recognizes that the members of its staff are its most valuable resource and
that their competence, commitment and skills development are basic to the successful
achievement of its current and future business goals.
4.2 Scope
This policy document:
1. To encourage and support personal training and development.
2. The company will seek, through identified budgets, to encourage and support
staff to undertake courses and programs which are relevant to their individual
work and to the company's strategic goals.
4.3 Policy
1. Company shall arrange training and development for staff in areas related to the
strategic and organizational needs.
2. The company shall offer facilities for staff training and development through:
a. Short courses
b. Seminars/Workshops
c. Departmental Staff Appraising
d. Briefings
e. Personal Educational Development
f. Foreign Training and Conferences

3. Information technology shall conduct a training program (with the help of vendor
if required) for any new enhancement in existing core business software
application before its actual deployment.
4. Information technology department shall arrange the regular training/awareness
programs for employees on upcoming/latest technologies.
5. Company shall provide training in general skills including key aspects of personal
effectiveness.
5 Hardware Purchasing & Maintenance Policy
5.1 Objective
The purpose of this policy is to establish a clear line of authority and responsibility in
purchasing of any hardware and its proper maintenance.
5.2 Scope
This policy applies to all AHIML employees using AHIML computing and network
resources.
5.3 Policy
5.3.1 Purchasing of Equipments
1. Company always prefers to purchase and use the machines manufactured by
renowned companies or compatible hardware supplied by reputable vendors
having backup support and warranty arrangements.
2. Any staff member of the company requiring any computer or related equipment
shall forward the requirements to the IT department after seeking approval from
his/her department head. The IT department shall evaluate the requirements and
shall forward its recommendations to the respective department head.
3. For procurement of any expensive hardware, i.e. computers, printers etc., a
prescribed capital expenditure form shall be used as per the company purchase
policy, and approval of the CEO shall be sought.
4. For procurement of any hardware, at least three quotations shall be obtained
from well-known suppliers having after-sales service arrangements. The
supplier with the lowest quotation shall be selected to procure the desired
hardware device.
5. Approval of recurring expenditure like Toners, Cartridges and UPS etc shall
be taken on quarterly basis.
6. Hardware annual maintenance contract with the vendors shall be arranged and
will be reviewed on regular basis.
7. Obsolete computers and network accessories will only be disposed of after
approval of the CEO.
8. For servers, only branded machines shall be purchased, and for users,
branded/unbranded computers will be purchased.
5.3.2 Maintenance of Hardware

Maintenance of the machine is basically the responsibility of the user; every user is
expected to switch off his/her computer before leaving the office. However, the
Admin dept shall ensure that all computers are off at the time of close of office. In
case the Admin dept finds a computer on when the user has left the office, it shall
report the matter to the concerned Department Head. Repeated complaints shall be
considered negligence on the part of the user, and the Department Head may
take disciplinary action against the concerned staff.

5.3.3 Problem Shooting
A user who faces frequent problems with his/her computer should report the matter to
the IT department. The IT department shall call the vendor for service if the machine
is under warranty. When the warranty period is over, the IT department shall arrange
regular service from a computer maintenance company for computers, printers, hubs
and UPS.

6 User Account Policy
6.1 Objective
Account policy serves as a preventive control against any unauthorized access to the
Information System. It identifies controls that should be in place to ensure authorized and
secure access to the Information of the company.
AHIML recognizes the significance of the increased dependence of its business operations
on Information Technology (IT) and wants to maintain the highest degree of integrity,
confidentiality and security of its corporate data and information. Since all the data is
being processed on computerized applications and is stored on corporate network, it is
essential to restrict access to the network, data and applications to authorized users.
6.2 Scope
This policy is applicable to all applications and operating systems that are being run at
AHIML.
6.3 Policy
1. Access to all the applications and operating systems that are being run at AHIML
shall be restricted by using unique user-ids and passwords for each individual.
2. In order to further strengthen the account security, account passwords shall
encompass the following characteristics:
a. Passwords shall be at least 5 characters long.
b. Password expiry period shall be 15 days; therefore, users are required to
change their passwords within this timeframe.
c. The system shall not allow re-use of last 5 passwords.
d. The user account shall be locked if a user enters wrong combination of
user-id and password 4 times consecutively.
e. Passwords shall be constructed using combination of alphabets, numbers
and special characters (e.g. */?<>). At least one alphabet, one special
character and one number shall be used. A blank password shall not be
allowed.
f. User-ids and respective passwords shall not be the same.
g. Passwords shall be masked wherever they are displayed on the screen.
3. Workstations at AHIML shall be automatically signed off if they are left
unattended for more than 120 minutes. Password-protected screen savers shall be
used at all the workstations. These screen savers shall be invoked automatically if
the system is unattended for 2 minutes. In addition, users shall be encouraged to
invoke screen savers whenever they leave their systems.
4. The system shall force the users to change their passwords immediately on their
first log on.
5. The IT Department shall lock out the user account of an employee if he/she is going
on leave for 7 days or more. It is the responsibility of the Human Resource
Department to intimate the IT Department of the person going on leave.
6. In case of resignation or termination of an employee, IT Department shall delete
the user account of that person upon intimation from Human Resource
Department.
The following procedure shall be followed when creating, removing or making changes
to the access rights of a user account:
6.3.1 User Account Creation
1. The user shall obtain the IT Access Form from the IT department. He/she shall then
fill in the details in the form and forward it to the Departmental Head.
2. The Head of User department shall then define the user access rights required
and sign the form.
3. The form shall then be sent to the Head of IT Department for user creation on
the system.
4. The Head of IT Department shall then check the access rights form for
completeness and proper authorization.
5. He shall then initial the form and forward it to the respective administrator for
user creation. The administrator shall create the user-id and assign a user
password to it. There he shall post a next available sequence number on the
form and pass it back to Head of IT Department.
6. The relevant user shall then be informed by the administrator that his/her
account has been created and shall be instructed to change his/her password
immediately. Acknowledgement shall be taken on the user creation form from
the user as a confirmation that he/she has received his/her user-id and
password.
6.3.2 Change in Access Rights
The same procedure as in 6.3.1 for creating a new user account shall be followed
for changing the access rights of a user. However, the present user-id/name
shall be clearly marked in the IT Access Form when forwarding it
to the IT Department.
6.3.3 User Account Removal, Lock-Out and Password Reset
1. In case of termination, the Human Resource & Administration Department
shall immediately inform the Head of IT in writing or through email
that the particular employee has been terminated from the company.
On intimation from the Head of IT following this notice, the systems
administrator shall delete all the user accounts of that particular
employee.
2. In case of resignation, Human Resource & Administration Department
shall formally inform IT Department once the resignation is approved.
Upon this intimation, the systems administrator shall delete all the user
accounts of that particular employee.
3. In both of the above cases, systems administrator shall send a formal
acknowledgement to the Human Resource Department confirming that
the user accounts of that particular employee have been
deleted/blocked.
4. In case an employee goes on long leave for any reason, his/her
user-id shall be locked till the time he/she resumes the office. For this
purpose, a leave period of 7 days or more shall be taken as long leave.
5. Heads of User Departments shall be instructed to inform the Human
Resource Department if any of their staff members shall be on leave
for the specified time period. The Human Resource Department shall then
formally inform the IT Department that the relevant employee shall be
on leave for 7 days or more. The systems administrator shall then lock
out his/her user-id and send an acknowledgement to the Human Resource
Department.
6. When the employee shall resume his/her work, he shall contact IT
department asking them to activate his user account.
7. In case a user account is locked out automatically by the system due to
entering a wrong combination of user-id and password, the user shall
inform the IT Department and then the administrator shall activate his/her
user account.
In case the user account's password needs to be reset, a request form or an e-mail
from the head of department shall be received before any further procedure to reset
the password. Written acknowledgement shall be taken from the user after
confirming that his/her user account has been activated.

7 IT Infrastructure Resources Usage Policy
7.1 Objective
AHIML provides centralized storage and resources access to staff to assist them in
carrying out their official duties. The purpose of this policy is to provide guidance to
the staff of AHIML on the use of the centralized storage and resources. These
resources include server storage, internet bandwidth and printers.
7.2 Scope
This policy document:
1- Depicts the acceptable use of resources access.
2- Outlines the roles and responsibility of end users, Departmental Heads and IT
Department necessary for effective implementation of the policy.
3- Assigns responsibilities for data security and confidentiality.
7.3 Policy
1. All the company data shall be kept on the central storage with appropriate rights
to the users.
2. Users shall keep their personal company data on their home drives mapped onto
their desktops with the drive letter of U.
3. Users shall keep their shareable company data on pool drive in appropriate folder
mapped onto their desktops with the drive letter of P.
4. Access to AHIML IT resources shall be allowed to only those users who are
specifically authorized for this purpose.
5. Central resources shall only be used to access/store information necessary for
performing job responsibilities. They shall not be used for entertainment. Storing any
non-business information on the central resources is discouraged; such information
shall be deleted upon revelation and subsequent actions shall be taken against the user.
Users shall be held responsible for all activities performed from their
account.
6. Any misuse of internet services consumes space and server/central storage;
therefore any such activity shall be avoided, and disciplinary actions shall be
taken.
7. The use of departmental printers shall be restricted to the same department.
Network printers shall not be directly connected or installed to any computer.
8. The use of any resources of one department by another department shall be
authorized by respective departmental heads or Chief Executive Officer.
9. Deletion of data shall be audited and reviewed on periodic basis. The printer
usage shall be logged and audited on regular basis.
8 Help Desk Policy
8.1 Objective
The objective of this policy is to establish guidelines for computer-related technical
support provided by the Helpdesk of AHIML.
8.2 Scope
This policy document:
1. Outlines the responsibilities of the Helpdesk personnel.
2. Formalizes the processes of Helpdesk at AHIML.
3. Provides assistance to the Management of AHIML in identifying the major causes
of the problems.
8.3 Policy
1. A centralized Helpdesk for computer-related issues shall be established by the
Information Technology Department.
2. A formal request shall be sent to the Helpdesk by the user through email. A
specific email address shall be assigned for this purpose.
3. All the user queries received at the Helpdesk shall be logged in an electronic
database. Daily summary report shall be generated from this database and
reviewed by the Head of IT.
4. Helpdesk personnel shall establish severity level based on the information
available at the initial receipt of the call or e-mail.
5. Helpdesk personnel shall estimate the time it should take to resolve the issue. He
should subsequently compare it with the actual time taken.
6. Helpdesk personnel shall use appropriate algorithms to resolve user problems e.g.
priority queue, FIFO, etc.
7. Helpdesk personnel shall be responsible for the following:
a. Answering phone calls from system users, diagnosing problems and
logging the problems into a Helpdesk database.
b. Solving or routing the problems for resolution purposes.
c. Following up on problems either inside or outside of the IT department.
d. Maintaining and suggesting improvements for the Helpdesk that includes
procedures to diagnose and resolve problems.
e. Performing analysis of the nature of problems logged at the Helpdesk.
This analysis shall be used subsequently for identifying the major cause of
the problems so that efforts can be made to minimize the cause of the
problems.
8. Written acknowledgment shall be taken from the user to confirm that
the query has been resolved.
9 Desktop Usage Policy
9.1 Objective
The purpose of this policy is to develop a standardized computing environment
with procedures and practices related with the Desktop usage to ensure maximum
protection of the AHIML IT infrastructure from internal and external sources of
threats and to minimize IT risks associated with Desktops.
9.2 Scope
This policy applies to every single Desktop and its affiliated users within AHIML
and its usage, except those which are classified as Server by IT and which are
not under single user control for his/her associated official tasks. (Here the word
Desktop refers to the Computer, Notebook, Laptop, Palmtop & PDA.)
This policy also applies to all those Desktops which are in use outside the AHIML
premises for official tasks and assignments. The policy is also applicable to all
those external resources which are working in the AHIML networking environment as
vendors' / contractors' representatives.
9.3 Policy
9.3.1 General Desktop Usage
1. AHIML has provided desktops to the employees for facilitating and improving
job performance and to keep pace with the current technology adoption and
changes within and outside AHIML. All Desktops and computing facilities are
the property of AHIML and users shall handle their desktop computers and
associated devices with due care and responsibility.
2. Only IT shall provide Desktops to individual employees or departments within
the entire organization after completion of the associated formalities and
requirements. Desktops are taken off with signoff copy of an acknowledgment.
3. Users shall not be allowed to move/relocate Desktops from their designated
place and department and if such movement is necessary, IT shall be informed
prior to the movement for help, guidance and setup at that location.
4. Users shall not be allowed to connect/plug-in/install any extra piece of
hardware to any available port (COM, USB, LPT, ISA or PCI) either internal or
external within the Desktop without prior permission of IT.
5. Users shall not be allowed to eat, drink or smoke near the Desktop as it may
cause damage to the Desktop.
6. Users shall not be allowed to play computer games and engage in any other
kind of entertaining activities on their Desktops.
7. Desktops shall only be connected with UPS power points.
8. Any problem related to Desktop shall be reported to IT via email.
9. All access to the Desktop hardware setting including the sensitive BIOS setup
shall be administered by IT and that users shall not be allowed to access or
change these settings as this may cause improper functioning or complete
halt/crash of the Desktop. CMOS/BIOS setting password shall be kept by IT
designated staff only.
10. Users shall shut down their desktop computers along with monitors before
leaving for home.
9.3.2 Domain and Network Usage
1. All desktops shall be joined with their domain (ahiml-main.com for KHI).
2. Users shall be allowed to logon to their assigned Desktop only.
3. Users shall be accountable for what is being done on their Desktop with their
User ID. Users shall lock their Desktops before leaving their workplace for any
length of time.
4. If multiple users shall share a single Desktop, then each user shall login by
his/her unique User ID and password and shall logout before leaving the
Desktop.
5. Users shall not be allowed to keep or inquire upon the local administrative
passwords of the Desktops. Only IT designated staff shall hold such passwords
and under special operational requirements, such passwords or equivalent
administrative rights shall be given only after approval from the appropriate
authority of the user.
In such cases the following applies:
1. Users shall be required to provide written approval from their respective
authorities for those special operational needs which require such
privileges.
2. Users shall not misuse the password in any circumstances by installing or
removing software or by altering other Desktop configurations.
3. IT shall have full rights to revoke such privileges in case of
non-compliance.
9.3.3 Antivirus
All virus-infected files shall be marked as Quarantine for one week, after which
the files shall be automatically deleted.
9.3.4 Network/Dialup connectivity
1. Users shall not be allowed to plug their personal home computers on AHIML
network under any circumstances.
2. Users shall not be allowed to use their Desktops as a tool for accessing other
systems on the network, within or outside AHIML, without any purpose and
for which they are not authorized users.
3. Users shall not be allowed to connect their Desktops with the Internet using
dialup modem connections as this may potentially harm or even seize the whole
AHIML computing environment.
9.3.5 Operating System(s)
No Server Class operating system shall be allowed for any user or department. Only
client operating systems will be installed at the user desktop level.
9.3.6 File System Security / Permissions / Local Sharing
1. NTFS-level security shall be implemented, i.e. on the System Partition (the
partition where operating system files reside) users shall only be given read-only
rights, and they shall have change rights on user partitions/User folder
(partitions other than system partitions).
2. Users shall not be allowed to share their local hard drive(s)/folder(s) for
information sharing among colleagues. For such sharing of information the
central file server shall be used with the help of IT. Such usage shall be at the
complete discretion of the user and any harm to the desktop shall be the sole
responsibility of the user.
3. Users shall be responsible for taking backups of their critical data residing on
their local hard drive. The central file server shall be used to keep backups of
critical data.
9.3.7 Removable Devices/Peripherals
1. The computer systems shall be restricted from using any kind of storage
devices (CD-ROM, Floppy Drive, USB etc.). Any type of data transfer to and
from a system shall be done through a request to the I.T department with
approval from the Department Head.
2. All printers shall be managed by IT.
9.3.8 Password
1. Users shall log on to the AHIML network domain with their authorized User ID
and Password provided by IT. No other domain or local login shall be
allowed.
2. Users shall change their passwords periodically or when the system prompts for
a password change after a certain interval of time set by IT. Users shall not be
allowed to share or disclose their password with anyone as this may lead to
severe password misuse.
3. The minimum password length is 5 characters. Users cannot repeat any of their
last 5 passwords once assigned.

10 Email Usage
10.1 Objective
AHIML's email facility is intended to provide effective communication within the
Company and externally with clients on business matters. The aim of this policy is
to provide guidance to the staff of AHIML on the use of email, to ensure the
proper use of the Company's email system and to make users aware of what the Company
deems acceptable and unacceptable use of its email system.
10.2 Scope
The procedures apply to all AHIML employees and cover e-mails resident on
AHIML personal computers and servers (Internal and External).
10.3 Procedure
10.3.1 Company Property
As a productivity enhancement tool, AHIML encourages the business use of
electronic communications (e-mail). Electronic communications systems and all
messages generated on them, including back-up copies, are considered to be the
property of AHIML, and are not the property of the users of the electronic
communication services.
10.3.2 Access
AHIML will provide employees with email accounts on a need basis. To
create an email account for a user, the relevant department head will issue an
instruction to the I.T dept using the I.T Access Form.
The email accounts of all outgoing employees shall be removed after taking
a backup of all their emails. The employee's emails shall be handed over to the
Departmental Head. In case a Departmental Head resigns, his/her emails shall be
handed over to a person authorized by the senior management.
10.3.3 Authorized Usage
AHIML electronic communications systems generally must be used only for
business activities. Occasional personal use is permissible as long as:

It does not consume more than a trivial amount of resources.
It does not interfere with staff productivity.
It does not block any business activity.
It does not include any abusive communication or vulgarities.
10.3.4 User Accountability
Regardless of the circumstances, individual passwords must never be shared or
revealed to anyone else besides the authorized user. To do so exposes the
authorized user to responsibility for actions the other party takes with the
password.
To prevent unauthorized users from obtaining access to e-mail, users must choose
passwords that are difficult to guess.
10.3.5 Signature and Scanning
Systems Administrator shall ensure that content scanning software is used to
block all emails containing offensive, racist or obscene remarks. Disciplinary
action shall be taken against any employee found sending such mails. If any
user receives an e-mail of this nature, he/she must promptly notify their
supervisor.
Systems Administrator shall ensure that signatures are included in every
outgoing email; each shall include the sender's name, job title and company name. A
disclaimer shall be added underneath the signature by the server, if not by the
user. The following disclaimer shall be added:
This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and do not necessarily represent those of Arif Habib
Investment Management Ltd. Finally, the recipient should check this email
and any attachments for the presence of any viruses. Arif Habib Investment
Management Ltd accepts no liability for any damage caused by any virus /
error transmitted by this email.
Systems Administrator shall configure the email server such that the size of
the files being attached is restricted to 5 MB to ensure smooth functioning of
the network. IT Department shall reevaluate this restriction in view of the
changing conditions (e.g. user requirements, network capacity, server
performance).





11 Network and Physical Security Policy
11.1 Objective
The purpose of this policy is to provide specific guidelines for network and physical
security.
11.2 Scope
This policy applies to all AHIML networks, devices, data center and its physical
accessibility.
11.3 Policy
11.3.1 Network Security
1. All WAN connections shall terminate on a parameterized router.
2. Only the system administrator shall be allowed to access and maintain the
parameterized router and shall be responsible for updating patches and IOS of routers.
3. Exchange of data between remote branches and head office shall be encrypted.
4. A centralized firewall shall be installed to restrict unauthorized access by users
and to block ports, networks and protocols.
5. Content filtering shall be applied on the firewall for screening and blocking of web sites.
6. A centralized Anti Virus Suite shall be deployed in the AHIML network to prevent
intrusions on networks and protect computer systems from blended attacks
and threats like viruses, worms and Trojans etc.
7. The virus definition file shall be updated on a daily basis.
8. All network cables shall be properly run through conduit.
9. Spyware software shall be used to block all illegal and unintentional software
installation.
10. Database and O.S event viewer of all servers shall be monitored regularly to
ensure smooth operation of databases and servers.
11.3.2 Physical Security
1. Fire prevention, detection and suppression equipment shall be installed to avoid any
fire accident.
2. CCTV cameras shall be installed to monitor the whole environment including
the datacenter.
3. Biometric access control shall be installed to authorize access to the I.T dept and
datacenter.
4. The access control log shall be reviewed randomly.
12 Internet Usage Policy
12.1 Objective
AHIML provides Internet access to staff to enable them to perform their duties. The
purpose of this policy is to provide guidance to the staff of AHIML on the use of the
Internet.
12.2 Scope
This policy document:
1. Depicts the acceptable use of Internet access in the office.
2. Outlines the roles and responsibilities of end users, Departmental Heads and the IT
Department necessary for effective implementation of the policy.
3. Assigns responsibilities for data security and confidentiality.
12.3 Policy
1. Access to Internet shall be allowed to only those users who are specifically
authorized for this purpose.
2. Internet shall only be used to access information necessary for performing job
responsibilities e.g. government information, statutory information, general
internet etc. It shall not be used for entertainment. Websites accessed by the users
shall be logged and reviewed. Users shall be held responsible for all
Internet activities performed from their Internet account.
3. Systems Administrator shall ensure that connection to the Internet is given only
via proxy. No workstation shall be connected directly to the Internet.
4. Users shall not download freeware/shareware software from Internet, as these are
highly prone to virus infections and other vulnerabilities.
5. All the ports other than those required for Internet (http/https-www), emails (pop
& smtp, only exceptions allowed) and file transfers (ftp, only exceptions allowed)
shall be blocked. Any exceptions shall be clearly intimated to IT.
6. Use of chatting and messaging software/sites shall not be allowed.
7. Users shall not send the company's confidential information over the Internet. In
addition, users shall not submit any other confidential information e.g. credit card
numbers, account numbers etc. over the Internet. If it needs to be submitted, only
a website that runs on Secure Sockets Layer (SSL) shall be used.
8. Misuse of the Internet is a disciplinary offence. All, but not limited to, the
following are considered a misuse and can result in disciplinary actions:
a. Downloading and/or playing of games.
b. Downloading of utility programs.
c. Any text or multimedia that contains pornographic material shall neither
be accessed nor downloaded. Additionally, any material in any electronic
form that contains a racist or extreme political statement, or which incites
violence, hatred or any illegal activity shall not be accessed as well.
d. Downloading and/or use of chatting and messaging software.
e. Misrepresentation of one's identity as another person i.e. spoofing.
f. Use of Internet to transmit confidential, political, obscene, threatening, or
harassment materials.
9. A firewall shall be used to protect the corporate network from Internet security
threats e.g. hacking.
10. The Network Administrator shall be responsible for managing the firewall. The firewall
shall have the following properties:
a. All network traffic from inside to outside, and vice versa, shall pass
through the firewall.
b. Internet traffic shall be exchanged through the firewall at the application
layer only.
c. The firewall architecture shall deploy strong authentication for
management of its components. As a minimum this shall include:
i. Proper physical access controls like secure location of firewall,
access provided via electronic locks etc.
ii. Proper logical access controls like password protection etc.
iii. Maintenance of logs
11. The firewall architecture shall hide the structure of the internal network.
12. The firewall architecture shall provide an audit trail of all communications to or
through the firewall system and shall prompt when suspicious activity is detected.
13. The firewall architecture shall defend itself from direct attack (e.g., through active
monitoring of traffic and pattern recognition technology).
All executable code shall be scanned for malicious code (e.g., viruses, malicious applets)
before it is introduced to the internal network. All malicious code or files identified
through the antivirus logs shall be blocked at firewall level.
