B-GDL-1602.370001-ver.01 - IT Access and Security Management Guidelines
INTRANET.BOURBON-ONLINE.COM/QMS
Table of Contents
1 Purpose
2 Scope
4 Description
4.1 Connection to the BOURBON network
4.1.1 User name
4.1.2 Password control
4.1.3 Workstation security
4.1.4 Access security
4.2 IT assets security
4.3 Data protection and retention
4.3.1 Personal data
4.4 Use of software
4.5 Using the Internet
4.6 Using the e-mail
4.6.1 General rules
4.6.2 Unsolicited e-mail (spam)
4.7 Access to BOURBON applications from the Internet
4.7.1 Pin safe
4.8 Wireless (Wi-Fi) access
4.9 Outsourcing
4.10 Biometrics
4.11 Penetration testing
4.12 Use of social networks
5 Records
Version 01. Original date: 01 February 2016. Version date: 01 February 2016. Valid version only on QMS site. 2 / 16
Guidelines prepared by: Telecom, Security and Network Manager. Approved by: Vice President Information Technology. Validated by: Quality Manager.
1 Purpose
The purpose of these guidelines is to define the security requirements for the proper and secure use of
Information Technology (IT) services in BOURBON. Their goal is to protect the Organization and its users, to the
maximum extent possible, against security threats that could jeopardize integrity, privacy, reputation and
business outcomes.
2 Scope
This document applies to all Employees onshore and offshore (including, but not limited to, Seafarers) in
BOURBON, as well as temporary users, visitors with temporary access to services and partners with limited
or unlimited access time to services. Compliance with the requirements in these guidelines is mandatory.
IT assets refer to desktops, laptops, smart phones, printers and other IT equipment; applications and
software; anyone using those assets, including internal users, temporary workers and visitors; and in general
any resource or capability involved in the provision of IT services.
3.1 Corporate
Vice President Information Technology has the responsibility, authority and accountability for:
a) Being accountable for all aspects of the Organization’s information security.
Telecom, Security and Network Manager has the responsibility, authority and accountability for:
a) The security of the IT network;
b) Planning against IT security threats, vulnerabilities and risks;
c) Implementing and maintaining IT security policy documents;
d) Ensuring IT security training programs;
e) Ensuring IT network supports IT security policies;
f) Responding to information on IT security incidents;
g) Helping in disaster recovery plans.
Infrastructure and Operations Manager has the responsibility, authority and accountability for:
a) The security of the IT infrastructure;
b) Planning against IT security threats, vulnerabilities and risks;
c) Implementing and maintaining IT security policy documents;
d) Ensuring IT security training programs;
e) Ensuring IT infrastructure supports IT security policies;
f) Responding to information on IT security incidents;
g) Helping in disaster recovery plans.
Each employee from IT department has the responsibility, authority and accountability for:
a) Implementing and operating IT security;
b) Implementing the privileges and access rights to the resources;
c) Supporting IT security policies.
3.2 Affiliate
Managing Director has the responsibility, authority and accountability for:
a) Ensuring that these guidelines are being implemented locally.
4 Description
4.1 Connection to the BOURBON network
4.1.1 User name
Every user shall have a separate, private identity for accessing IT resources.
4.1.2 Password control
4.1.2.1 Construction
Each identity shall have a strong, private, alphanumeric password in order to access any service. The
minimum password length is eight characters.
The password shall not contain personal identifiers that can be linked to the user (e.g. name, surname, date of
birth); complete words and easy-to-guess words shall also be avoided.
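The construction rules above, turned into a check that can run at password change time. This is an added example, not part of the original guidelines and not BOURBON's own tooling. The rules come from the text (at least eight characters, letters and digits, no personal identifiers such as name, surname or date of birth, no complete or easy-to-guess words); the profile fields, the date notations searched for, the small word list and the function names are assumptions for illustration.

```python
"""Password construction check for the rules in section 4.1.2.1.

Added example, not part of the original guidelines. Profile fields, date
notations, the word list and the function names are assumptions.
"""
import re
from datetime import date

# Constructed stand-in for a real dictionary / breached-password list (assumption).
COMMON_WORDS = {"password", "welcome", "bourbon", "summer", "qwerty", "letmein"}

# Constructed user profile used by the demonstration below.
EXAMPLE_PROFILE = ("Jean", "Dupont", date(1985, 3, 14))


def personal_tokens(first_name, last_name, birth_date):
    """Substrings derived from the user's identity that must not appear in the
    password. The date is expanded into the notations people commonly reuse
    (assumption; extend to match local habits)."""
    tokens = {first_name.lower(), last_name.lower()}
    d = birth_date
    tokens.update({
        d.strftime("%d%m%Y"), d.strftime("%d%m%y"), d.strftime("%Y%m%d"),
        d.strftime("%m%d%Y"), d.strftime("%d%m"), str(d.year),
    })
    # Very short fragments would reject almost everything; keep 3+ characters.
    return {t for t in tokens if len(t) >= 3}


def check_password(password, first_name, last_name, birth_date):
    """Return the list of violated rules; an empty list means the password is acceptable."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        problems.append("not alphanumeric (needs both letters and digits)")
    lowered = password.lower()
    for token in sorted(personal_tokens(first_name, last_name, birth_date)):
        if token in lowered:
            problems.append(f"contains personal identifier {token!r}")
    # Compare on letters only so that 'Welcome1!' is still recognised as 'welcome'.
    letters_only = re.sub(r"[^a-z]", "", lowered)
    for word in sorted(COMMON_WORDS):
        if word in letters_only:
            problems.append(f"contains easy-to-guess word {word!r}")
    return problems


if __name__ == "__main__":
    for candidate in ("Dupont1985", "Welcome1!", "Tr0ub4dor-8x"):
        print(candidate, "->", check_password(candidate, *EXAMPLE_PROFILE) or "OK")
```

The check is deliberately case-insensitive and strips digits and symbols before the word-list comparison, because the usual ways of dressing up a forbidden word ("Welcome1!", "BOURBON2016") would otherwise pass. In production the constructed word list would be replaced by a real dictionary and a breached-password list.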
4.1.2.2 Maintenance
Passwords shall be kept secret and shall not be stored in places or ways that make them easy for other people
to find.
At the first logon, the system will prompt the user to change the password.
4.1.2.3 Lock/unlock
The user account will be locked after five failed attempts to access the network.
If an account is locked, the user shall call the Help Desk to unlock it (Help Desk telephone
number: 1000; e-mail address: helpdesk@bourbon-online.com).
Recommendations:
Sharing of passwords is forbidden. They shall not be revealed or exposed to public view.
Whenever a password is suspected to be compromised, it shall be changed immediately.
For critical applications, multi-factor authentication shall be used whenever possible.
Identities shall be locked if password guessing is suspected on the account.
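The lockout rule of section 4.1.2.3 (five failed attempts) and the recommendation above to lock identities when password guessing is suspected, applied to authentication log lines. This is an added example, not part of the original guidelines and not BOURBON's monitoring. The log format is constructed for illustration. Two behaviours are assumptions rather than statements from the text: a successful logon resets the failure counter, and a source that fails against three or more distinct accounts is flagged as guessing (password spraying stays below the per-account lockout threshold, so a per-account counter alone does not catch it). As in the guidelines, a locked account stays locked until the Help Desk unlocks it: the code never unlocks automatically.

```python
"""Lockout after five failed logons (section 4.1.2.3) and detection of
suspected password guessing (Recommendations, section 4.1.2).

Added example, not part of the original guidelines. Log format, counter reset
on success and the spraying threshold are assumptions.
"""
from collections import defaultdict

LOCKOUT_THRESHOLD = 5   # five failed attempts, from section 4.1.2.3
SPRAY_MIN_ACCOUNTS = 3  # assumption

# Constructed sample log: "<timestamp> <result> user=<name> src=<ip>".
SAMPLE_LOG = """\
2016-02-01T08:00:01 FAIL user=jdupont src=10.1.2.3
2016-02-01T08:00:05 FAIL user=jdupont src=10.1.2.3
2016-02-01T08:00:09 OK   user=jdupont src=10.1.2.3
2016-02-01T08:01:00 FAIL user=mmartin src=198.51.100.7
2016-02-01T08:01:02 FAIL user=mmartin src=198.51.100.7
2016-02-01T08:01:04 FAIL user=mmartin src=198.51.100.7
2016-02-01T08:01:06 FAIL user=mmartin src=198.51.100.7
2016-02-01T08:01:08 FAIL user=mmartin src=198.51.100.7
2016-02-01T08:01:10 FAIL user=mmartin src=198.51.100.7
2016-02-01T08:02:00 FAIL user=aleroy src=198.51.100.7
2016-02-01T08:02:01 FAIL user=bpetit src=198.51.100.7
2016-02-01T08:02:02 FAIL user=cdurand src=198.51.100.7
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, result, user, source)."""
    ts, result, user_field, src_field = line.split()
    return ts, result, user_field.split("=", 1)[1], src_field.split("=", 1)[1]


def process_log(text, threshold=LOCKOUT_THRESHOLD):
    """Replay the log and return (locked, attempts_after_lock, targets_by_src).

    locked: user -> timestamp of the failure that triggered the lock.
    attempts_after_lock: user -> attempts refused while locked (any result).
    targets_by_src: source address -> sorted list of accounts it failed against.
    """
    failures = defaultdict(int)
    locked = {}
    attempts_after_lock = defaultdict(int)
    targets_by_src = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, src = parse_line(line)
        if user in locked:                 # no automatic unlock (Help Desk only)
            attempts_after_lock[user] += 1
            continue
        if result == "OK":
            failures[user] = 0             # assumption: success resets the counter
            continue
        failures[user] += 1
        targets_by_src[src].add(user)
        if failures[user] >= threshold:
            locked[user] = ts
    return locked, dict(attempts_after_lock), {s: sorted(u) for s, u in targets_by_src.items()}


def suspected_guessing(targets_by_src, min_accounts=SPRAY_MIN_ACCOUNTS):
    """Sources whose failures spread over at least min_accounts distinct accounts."""
    return sorted(s for s, users in targets_by_src.items() if len(users) >= min_accounts)


if __name__ == "__main__":
    locked, refused, by_src = process_log(SAMPLE_LOG)
    print("locked:", locked)                                        # {'mmartin': '2016-02-01T08:01:08'}
    print("refused while locked:", refused)                         # {'mmartin': 1}
    print("suspected guessing from:", suspected_guessing(by_src))   # ['198.51.100.7']
```

In the sample, mmartin is locked on the fifth failure and the sixth attempt is refused without being counted, while 198.51.100.7 is reported for guessing even though it never reached five failures on aleroy, bpetit or cdurand. Both signals should feed the Help Desk queue: the first to unlock a genuine user, the second to block a source.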
4.1.4 Access security
This section defines the requirements for the proper and secure control of access to IT services and
infrastructure in the Organization. It applies to all users in the Organization, including temporary users,
visitors with temporary access to services and partners with limited or unlimited access time to services.
1. Any system that handles valuable information shall be protected by a password-based access
control system.
2. A discretionary access control list shall be in place to control access to resources for the different
groups of users.
3. Mandatory access controls shall be in place to regulate access by processes operating on behalf of
users.
4. Access to resources shall be granted on a per-group basis rather than on a per-user basis.
5. Access shall be granted under the principle of least privilege, i.e. each identity receives the
minimum rights and access to resources that he/she needs to perform his/her business functions.
6. Whenever possible, access should be granted to centrally defined and centrally managed identities.
7. Users shall not attempt to tamper with or evade the access controls in order to gain greater
access than they have been assigned.
8. Automatic controls, scanning technologies and periodic review procedures shall be in place to detect
any attempt to circumvent the controls.
In practice, a user account will be disabled after three months without use and removed after six
months without use.
The loss, theft or damage of hardware equipment shall be reported immediately to the relevant department.
For laptops in particular: lock the laptop with an appropriate steel cable or docking station lock where
possible; never leave the laptop in poorly protected places (e.g. hotel rooms, cars); when travelling by plane,
carry the laptop on board as hand luggage.
4.2 IT assets security
1. IT assets shall only be used for the business activities to which they are assigned and/or
authorized.
2. Every user is responsible for the preservation and correct use of the IT assets he/she has been
assigned.
3. All IT assets shall be kept in locations whose access restrictions, environmental conditions and
layout meet the technical specifications of those assets.
4. Active desktops and laptops shall be secured if left unattended. Workstations lock automatically
after 10 minutes without activity, and sessions in the main critical business applications end
automatically after a period of inactivity. The automatic lock is a safety net, not a substitute: ten
minutes is long enough for someone to read or copy from an open session, so lock the screen
manually before stepping away.
5. Smart phones and mobile devices shall be secured with a Personal Identification Number (PIN) code
or password.
6. Access to assets is forbidden for non-authorized personnel. Access to the assets involved
in the provision of a service shall be granted through the approved request form.
7. All personnel interacting with IT assets shall have received the appropriate training.
8. Users shall keep the assets assigned to them clean and protect them from accidents and improper use.
9. Access to assets at Organization locations shall be restricted and properly authorized, including
remote access. Organization laptops, smart phones and other equipment used at external
locations shall be periodically checked and maintained.
10. The IT technical teams are solely responsible for maintaining and upgrading configurations. No other
user is authorized to change or upgrade the configuration of IT assets; this includes
modifying hardware and installing software.
11. Special care shall be taken to protect laptops, smart phones and other portable assets from
theft. Be aware of extreme temperatures, magnetic fields and falls.
12. When travelling by plane, portable equipment such as laptops and smart phones shall remain in the
possession of the user as hand luggage.
13. Losses, thefts, damage, tampering or other incidents related to assets that compromise security
shall be reported to the Help Desk as soon as possible.
14. Disposal of assets shall follow the specific procedures for the protection of information.
Assets storing sensitive information shall be securely erased before disposal; deleting files or
reformatting a drive leaves the data recoverable, so use a full overwrite, the drive's built-in
secure-erase function, or physical destruction.
IT assets shall be requested from the Help Desk using the Employee IT Request form
(cf. chapter 6, Related documents).
4.3.1 Personal data
BOURBON complies with the applicable regulations* through prior notification of, and applications for
authorization for, the personal data processed in its information system.
BOURBON collects data fairly and guarantees the quality of personal data in the following
respect:
Personal data will be treated as confidential and will not be shared with third parties.
*NOTE: The French law “Informatique et Libertés” of 06 January 1978, as amended in 2004, and the European Union Data Protection
Directive (95/46/EC).
4.4 Use of software
By default, Organization computers are provided with standard software; any additional software needed by
Employees undergoes technical validation before installation.
All new software shall be requested from the Help Desk. Employees are not permitted to install
software themselves; only the IT Officer may do so.
4.5 Using the Internet
The IT department has implemented a Uniform Resource Locator (URL) filter that blocks access to a number
of site categories (violence, pornography, etc.) and to high-bandwidth consumer websites
(YouTube, social networking, etc.), in accordance with the constraints of the BOURBON Corporate network
(low-bandwidth and expensive satellite links).
Personal use of the Internet is tolerated if it is reasonable and does not affect network security or
productivity.
4.6 Using the e-mail
Personal use of e-mail is tolerated if it is reasonable and does not affect network security or
productivity.
4.6.1 General rules
Avoid sending or forwarding large attachments unless strictly necessary; when you must, compress them (ZIP),
which reduces network traffic, especially when sending to other locations.
Keep your mailbox tidy by deleting unwanted messages. Important messages can be saved in a personal
folder on a local disk (regular backup of this folder is advised). Be wary of messages of dubious
origin or from unknown addresses. Above all, never open attachments from such messages: they
may contain malware, and compressed archives are a common carrier for it.
4.6.2 Unsolicited e-mail (spam)
Do not respond to unsolicited e-mails, nor to those of dubious origin. In particular, do not ask to be
removed from mailing lists using ‘REMOVE’ or unsubscribe links in such messages: spammers use them to
confirm that an address is active.
4.7 Access to BOURBON applications from the Internet
4.7.1 Pin safe
The Swivel PINsafe solution provides authentication for access via Virtual Private Networks (VPN), websites
and Corporate web applications, using mobile devices and web browsers. PINsafe is designed to counter
threats ranging from skimming, phishing and spyware to shoulder-surfing and key-logging: the user's
registered PIN is never typed in, and each logon uses a randomly generated security string, so a code
captured by an observer or a key-logger is of no use for a later logon.
PINsafe offers a range of user interface options, including mobile and image-based authentication models,
all included in the license. Different user interface options can be assigned to different users according to
Corporate security and access policies.
The One-Time Code (OTC) is formed by reading the digits of the security string at the positions given by the
PIN. For example: if the PIN is 2-4-6-8 and the security string is 5173920648, the OTC is the second, fourth,
sixth and eighth digits: 1-3-2-6 (illustrated in the original document).
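The derivation just described, written out for both sides of the exchange. This is an added example reproducing the worked case in the text (PIN 2-4-6-8 and security string 5173920648 give OTC 1326); it is not Swivel's code and does not claim to match PINsafe's internals. Two points are assumptions: a PIN digit 0 is taken to mean the tenth position of a ten-digit string, and the verifier discards a security string after a single attempt, right or wrong.

```python
"""One-time code (OTC) derivation described in section 4.7.1: the PIN selects
positions in a randomly generated security string, and the digits found at
those positions form the OTC.

Added example, not Swivel's code. The handling of PIN digit 0 and the
single-use bookkeeping in the verifier are assumptions.
"""
import secrets

STRING_LENGTH = 10


def new_security_string(length=STRING_LENGTH):
    """Server side: fresh random decimal digits, delivered to the user out of band."""
    return "".join(str(secrets.randbelow(10)) for _ in range(length))


def derive_otc(pin, security_string):
    """User side: read the security-string digit at each PIN position (1-based;
    0 stands for position 10, an assumption)."""
    if not pin or not pin.isdigit():
        raise ValueError("PIN must consist of decimal digits")
    positions = [10 if p == "0" else int(p) for p in pin]
    if max(positions) > len(security_string):
        raise ValueError("PIN position beyond the end of the security string")
    return "".join(security_string[pos - 1] for pos in positions)


class PinsafeVerifier:
    """Server side. Holds the user's PIN, which is never transmitted; issues one
    security string at a time and consumes it on the first verification attempt,
    so an intercepted OTC cannot be replayed."""

    def __init__(self, pin):
        self._pin = pin
        self._outstanding = None

    def issue_security_string(self):
        self._outstanding = new_security_string()
        return self._outstanding

    def verify(self, otc):
        issued, self._outstanding = self._outstanding, None   # single use, right or wrong
        if issued is None:
            return False
        expected = derive_otc(self._pin, issued)
        return secrets.compare_digest(otc, expected)


if __name__ == "__main__":
    print(derive_otc("2468", "5173920648"))   # 1326, the case given in the text
    v = PinsafeVerifier("2468")
    s = v.issue_security_string()
    print(s, derive_otc("2468", s), v.verify(derive_otc("2468", s)))
```

Because the OTC is literally the security string's digits at the PIN positions, anyone who observes both the security string and the OTC for the same attempt learns which positions match, and a few such pairs pin down the PIN. The scheme therefore relies on the security string reaching the user over a channel separate from the one the OTC is typed into, and on every string being used once only, which is what the verifier above enforces.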
4.9 Outsourcing
This section defines the requirements needed to minimize the risks associated with the outsourcing of IT
services, functions and processes. It applies to the Organization, to the service providers to whom IT services,
functions or processes have been outsourced, and to the outsourcing process itself.
1. Before outsourcing any service, function or process, a careful strategy shall be followed to evaluate
the risks and the financial implications.
2. Whenever possible, a bidding process should be followed to select between several service
providers.
3. In any case, the service provider shall be selected after evaluating its reputation, experience in
the type of service to be provided, offers and warranties.
4. Audits should be planned in advance to evaluate the performance of the service provider before and
during the provision of the outsourced service, function or process. If the Organization lacks the
knowledge and resources to do so, a specialized firm should be engaged to perform the audit.
5. A Service Contract with defined service levels shall be agreed between the Organization and the
service provider.
6. The service provider shall obtain authorization from the Organization before engaging a third party to
support the outsourced service, function or process.
4.10 Biometrics
Access to the datacenter (laboratory and server room) is secured by a biometric system. The objective is to
protect the computer servers against intrusion.
4.12 Use of social networks
4) Always think twice before posting content regarding BOURBON. Your words are binding and can
commit BOURBON.
5) In general, show restraint regarding anything related to your professional life at BOURBON.
In the Organization, the use of social networks is authorized only during certain time periods and only if it is
reasonable and does not affect network security or productivity.
5 Records
Employee (New/Leave/Move/Update) IT Request Forms
Help Desk ticketing
Oracle records
Penetration tests reports
Service Contracts
6 Related documents
B-CHR-1603.550001 – New Employee IT Request Flow-Chart
B-CHR-1603.550002 – Employee Update IT Request Flow-Chart
B-CHR-1603.550003 – Employee Move IT Request Flow-Chart
B-CHR-1603.550004 – Employee Leave IT Request Flow-Chart
B-FRM-1603.550001 – New Employee IT Request Form
B-FRM-1603.550002 – Employee Update IT Request Form
B-FRM-1603.550003 – Employee Move IT Request Form
B-FRM-1603.550004 – Employee Leave IT Request Form
B-INS-14.0001 - Social Media Guidebook
BOURBON Applications Access Security (IN PROJECT)
B-POL-01.0016 – Information Technology Policy
European Union Data Protection Directive through the U.S. Department of Commerce Safe Harbor
Program
Fair information practices established by the Organization for Economic Co-operation and Development
(OECD)
French law “Informatique et Libertés” of 06 January 1978, modified in 2004
Oracle
Remote Access Guidelines (IN PROJECT)
IT
Information Technology.
IT assets
Desktops, laptops, smart phones, printers and other IT equipment; applications and software; anyone
using those assets, including internal users, temporary workers and visitors; and in general any resource
or capability involved in the provision of IT services.
Oracle
Relational database management system (DBMS) published by Oracle Corporation.
OTC
One-Time Code.
PIN
Personal Identification Number.
URL
Uniform Resource Locator.
VPN
Virtual Private Network.
WIFI
Wi-Fi: wireless local area networking based on the IEEE 802.11 standards.
ZIP
Compressed archive file format (.zip file extension).