Purpose

The purpose is to ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered. The employees and contractors are aware of and fulfill their information security responsibilities. To protect the organisation’s interests as part of the process of changing or terminating employment.

Scope

The scope is to define the functioning of the XXX focusing on the manpower & IT that is used to run the XXX. This policy applies to all those personnel working in the XXX as staff, contractors and also covers the aspect where any staff who requires access to XXX’s information systems or information of any type or format (paper or electronic).

Human Resource Security Policy

3.1 Screening

• As per ISMS HR Procedure, Screening of the candidate shall be carried out for all candidates
• Information on all candidates being considered for positions within the XXX is collected and handled in accordance with Indian legislation existing in the Pune jurisdiction. Depending on applicable legislation, the candidates are informed beforehand about the screening activities.

3.2 During Employment

• All staff/contractors are to follow Clear Desk and Clear Screen Policy.
• Management responsibilities shall include ensuring that staff and contractors:
  • Are properly briefed on their information security roles and responsibilities prior to being granted access to confidential information or information systems
  • Are provided with guidelines to state information security expectations of their role within the XXX
  • Are motivated to fulfill the information security policies of the XXX
  • Achieve a level of awareness on information security relevant to their roles and responsibilities within the XXX
  • Conform to the terms and conditions of employment/association, which includes the XXX’s security policy and methods of working
  • Continue to have the appropriate skills and qualifications and are educated on a regular basis.
• If staff and contractors are not made aware of their information security responsibilities, they can cause considerable damage to the XXX. Motivated personnel are likely to be more reliable and cause fewer information security incidents.

3.3 Terms And Conditions Of Employment

• The agreement with staff and contractors states their and the XXX’s responsibilities for the functioning within the XXX and in relation to information security.
• The agreements for staff or contractors reflect the XXX’s policies for the functioning of information security in addition to clarifying and stating:
  • That all staff and contractors who are given access to confidential information are also briefed upon the guidelines of information security.
  • Responsibilities for the clarification of information and management of XXX’s assets associated with information, information processing facilities and information services handled by the staff or contractor.
  • Responsibilities of the staff or contractor for the handling of information received from Interested parties;
  • Actions to be taken if the staff or contractor disregards the XXX’s security requirements.
  • Information security roles and responsibilities should be communicated to job candidates during the pre-employment process.
• The XXX ensures that staff and contractors agree to terms and conditions concerning information security, appropriate to the nature and extent of access they will have to the XXX’s assets associated with information systems and services.
• Where appropriate, responsibilities controlled within the terms and conditions of employment should continue for a defined period after the end of the employment.
• A Non- Disclosure Agreement (NDA) shall be signed by all staff, contractors.

3.4 Information Security Awareness And Training

• All employees of the XXX and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in XXX policies and procedures, as relevant for their job function.
• Awareness, education and training can be part of, or conducted in collaboration with, other training activities, for example general IT or general security training. Awareness, education and training activities shall be suitable and relevant to the individual’s roles, responsibilities and skills.
• An assessment of the employees/contractors understanding is conducted at the end of an awareness, education and training course to test knowledge transfer.

3.5 Compliance With Rules And Regulations

• By signing the Appointment letter an employee is deemed to have expressed his/her acceptance of all the policies, rules, regulations, terms and conditions framed from time to time by the concerned authorized officers.
• During employment, the terms of employment of employee/ contractors shall be governed by the policies and rules framed from time to time covering, among others, Discipline, Code of Conduct etc.

3.6 Confidentiality And Non-Disclosure

Whether information in written or verbal, or contained in computer hardware or software, disk, hard disk, tape or other media, this information is of substantial value, highly confidential and is not known to the general public. Such Information is being provided and disclosed to the staff, contractor solely for use in connection with his/her employment or work of the XXX. NDA is to be signed by all employee/ contractors. Signing to be followed as per Procedure.

3.7 Alteration In The Terms Of Employment

• • XXX reserves the right to make reasonable changes to the duties of an employee, contractor according to the needs of the operation including, relocating/shifting such staff’s workplace and / or transferring such staff to serve at any other location of the XXX.
• • The XXX reserves the right to make reasonable changes to any terms or conditions of employment of any staff with prior notice.

3.8 Termination and Change Of Employment

• Information security responsibilities and duties that remains valid after termination or change of employment is defined, communicated to the staff or contractor and enforced.
• Changes of responsibility or employment are managed as the termination of the current responsibility or employment combined with the initiation of the new responsibilities or employment.
• The Human Resources function is generally responsible for the overall termination process and shall work together with the supervising Dept in change of the person leaving to manage the information security aspects of the procedures. In the case of a contractor provided through an external party, this termination process is undertaken by the external party in accordance with the contract between the XXX and the external party.
• Establishment Department shall inform employee or contractors of changes to personnel and operating arrangements.

3.9 Disciplinary Action

• There shall be a formal and communicated disciplinary process in place to take action against employee who have committed an information security breach.
• Disciplinary action shall be taken by the management depending upon the severity of the event.

3.10 Discharge/Dismissal/Termination

The services of employee may be terminated after giving him one month’s prior notice as per the terms of appointment / service agreement, if any, or payment of basic salary, in lieu thereof or for that matter clearance of any pending salary or financial reimbursements and terminate him immediately after settlement of the same.

3.11 Staff Exit Policy

• Processes are implemented to ensure that all access rights of users of XXX’s information systems are removed in a timely manner upon termination or suspension of their employment, contract or agreement.
• Processes and responsibilities are agreed upon and implemented to enable emergency suspension of a user’s access when that access is considered a risk to the XXX or its systems as defined. Establishment Dept. fill user’s clearance certificate & get it signed by their reporting Dept in charge before user’s last working day.

Enforcement

Any staff, contractor who is found to have violated the policies may be subject to disciplinary action, up to, including termination of employment or legal case against the staff, depending on the degree of the offense committed.

Sample Employment Contractual Agreement

Purpose

XXX applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.

Scope

XXX apply security engineering principles primarily to new development information systems or systems undergoing major upgrades. For legacy systems, organizations apply security engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware within those systems. Security engineering principles include, for example

• developing layered protections;
• establishing sound security policy, architecture, and controls as the foundation for design;
• incorporating security requirements into the system development life cycle;
• delineating physical and logical security boundaries;
• ensuring that system developers are trained on how to build secure software;
• tailoring security controls to meet organizational and operational needs;
• performing threat modeling to identify use cases, threat agents, attack vectors, and attack patterns as well as compensating controls and design patterns needed to mitigate risk; and
• reducing risk to acceptable levels, thus enabling informed risk management decisions.

Policy

Top management at XXX understands that principles for engineering secure systems should be established, documented, maintained and applied to any information system implementation effort. To this end XXX has produced this secure system engineering principles policy to ensure that the Company:

Produces principles that will be applied to in-house information system engineering activities

– Ensures that security will be designed into all architecture layers balancing the need for security with that of accessibility

• Ensures that new technology is analysed for security risks
• Ensures that the design is reviewed against known attack patterns
• Ensures that Principles are reviewed to ensure their effectiveness in contributing to enhanced standards of security within the engineering process
• Ensure that Principles are reviewed to ensure they remain up-to-date in terms of combating any new potential threats and in advances in technology

Top management also understand that certain suppliers may have inadequate information security management and will, in such cases, identify and apply controls necessary to ensure security is maintained. It will use
confidentiality agreements

• non-disclosure agreements and
• second party audits where appropriate.

• The Company will also take into account any Data Protection regulations and will be aware of all legal and contractual responsibilities in the area.
• Application development procedures will also apply secure engineering principles when developing applications for both input and output interfaces.
• Responsibility for upholding this policy is truly company-wide under the authority of the Managing Director who encourages the personal commitment of all staff to address information security as part of their skills.

Principle for Engineering secure system

Security Foundation

Principle 1: Establish a sound security policy as the “foundation” for design.
A security policy is an important document to develop while designing an information system. The security policy begins with the organization’s basic commitment to information security formulated as a general policy statement. The policy is then applied to all aspects of the system design or security solution. The policy identifies security goals (e.g., confidentiality, integrity, availability, accountability, and assurance) the system should support and these goals guide the procedures, standards and controls used in the IT security architecture design. The policy also should require definition of critical assets, the perceived threat, and security-related roles and responsibilities.

Principle 2: Treat security as an integral part of the overall system design.
Security must be considered in information system design and should be integrated fully into the system life-cycle. Experience has shown it to be both difficult and costly to introduce security measures properly and successfully after a system has been developed, so security should be implemented in the design stage of all new information systems, and where possible, in the modification and continuing operation of all legacy systems. This includes establishing security policies, understanding the resulting security requirements, participating in the evaluation of security products, and in the engineering, design, implementation, and disposal of the system.

Principle 3: Clearly delineate the physical and logical security boundaries governed by associated security policies.
Information technology exists in physical and logical locations, and boundaries exist between these locations. An understanding of what is to be protected from external factors can help ensure adequate protective measures are applied where they will be most effective. Sometimes a boundary is defined by people, information, and information technology associated with one physical location. But this ignores the reality that, within a single location, many different security policies may be in place, some covering publicly accessible information and some covering sensitive or confidential information. Other times a boundary is defined by a security policy that governs a specific set of information and information technology that can cross physical boundaries. Further complicating the matter is that, many times, a single machine or server may house both public-access and sensitive information. As a result, multiple security policies may apply to a single machine or within a single system. Therefore, when developing an information system, security boundaries must be considered and communicated in relevant system documentation and security policies.

Principle 4: Ensure that developers are trained in how to develop secure software.
Ensure that developers are adequately trained in the design, development, configuration control, integration, and testing of secure software before developing the system.

RISK BASED

Principle 5: Reduce risk to an acceptable level.
Risk is defined as the combination of (1) the likelihood that a particular threat source will exercise (intentionally exploit or unintentionally trigger) a particular information system vulnerability and (2) the resulting adverse impact on organizational operations, assets, or individuals should this occur. Recognize that the elimination of all risk is not cost-effective. A cost-benefit analysis should be conducted for each proposed control. In some cases, the benefits of a more secure system may not justify the direct and indirect costs. Benefits include more than just prevention of monetary loss; for example, controls may be essential for maintaining public trust and confidence. Direct costs include the cost of purchasing and installing a given technology; indirect costs include decreased system performance and additional training. The goal is to enhance mission/business capabilities by mitigating mission/business risk to an acceptable level. (Related Principle: 6)

Principle 6: Assume that external systems are insecure.
The term information domain arises from the practice of partitioning information resources according to access control, need, and levels of protection required. Organizations implement specific measures to enforce this partitioning and to provide for the deliberate flow of authorized information between information domains. The boundary of an information domain represents the security perimeter for that domain. An external domain is one that is not under your control. In general, external systems should be considered insecure. Until an external domain has been deemed “trusted,” system engineers, architects, and IT specialists should presume the security measures of an external system are different than those of a trusted internal system and design the system security features accordingly.

Principle 7: Identify potential trade-offs between reducing risk and increased costs and decrease in other aspects of operational effectiveness.
To meet stated security requirements, a systems designer, architect, or security practitioner will need to identify and address all competing operational needs. It may be necessary to modify or adjust security goals due to other operational requirements. In modifying or adjusting security goals, an acceptance of greater risk and cost may be inevitable. By identifying and addressing these trade-offs as early as possible, decision makers will have greater latitude and be able to achieve more effective systems. (Related: Principle 4)

Principle 8: Implement tailored system security measures to meet organizational security goals.
In general, IT security measures are tailored according to an organization’s unique needs. While numerous factors, such as the overriding mission requirements, and guidance, are to be considered, the fundamental issue is the protection of the mission or business from IT security-related, negative impacts. Because IT security needs are not uniform, system designers and security practitioners should consider the level of trust when connecting to other external networks and internal sub- domains. Recognizing the uniqueness of each system allows a layered security strategy to be used – implementing lower assurance solutions with lower costs to protect less critical systems and higher assurance solutions only at the most critical areas.

Principle 9: Protect information while being processed, in transit, and in storage.
The risk of unauthorized modification or destruction of data, disclosure of information, and denial of access to data while in transit should be considered along with the risks associated with data that is in storage or being processed. Therefore, system engineers, architects, and IT specialists should implement security measures to preserve, as needed, the integrity, confidentiality, and availability of data, including application software, while the information is being processed, in transit, and in storage.

Principle 10: Consider custom products to achieve adequate security.
Designers should recognize that in some instances it may not be possible to meet security goals with systems constructed entirely from commercial off-the-shelf (COTS) products. In such instances, it may be necessary to augment COTS with non-COTS mechanisms.

Principle 11: Protect against all likely classes of “attacks.”
In designing the security controls, multiple classes of “attacks” need to be considered. Those classes that result in unacceptable risk need to be mitigated. Examples of “attack” classes are: passive monitoring, active network attacks, exploitation by insiders, attacks requiring physical access or proximity, and the insertion of back doors and malicious code during software development and/or distribution.

EASY TO USE

Principle 12: Where possible, base security on open standards for portability and interoperability.
Most organizations depend significantly on distributed information systems to perform their mission or business. These systems distribute information both across their own organization and to other organizations. For security capabilities to be effective in such environments, security program designers should make every effort to incorporate interoperability and portability into all security measures, including hardware and software, and implementation practices.

Principle 13: Use common language in developing security requirements.
The use of a common language when developing security requirements permits organizations to evaluate and compare security products and features evaluated in a common test environment. When a “common” evaluation process is based upon common requirements or criteria, a level of confidence can be established that ensures product security functions conform to an organization’s security requirements. The Common Criteria (CC; available at http://www.commoncriteriaportal.org/) provides a source of common expressions for common needs and supports a common assessment methodology. Use of CC “protection profiles” and “security targets” greatly aids the development of products (and to some extent systems) that have IT security functions. The rigor and repeatability of the CC methodology provides for thorough definition of user security needs. Security targets provide system integrators with key information needed in the procurement of components and implementation of secure IT systems.

Principle 14: Design security to allow for regular adoption of new technology, including a secure and logical technology upgrade process.
As mission and business processes and the threat environment change, security requirements and technical protection methods must be updated. IT-related risks to the mission/business vary over time and undergo periodic assessment. Periodic assessment should be performed to enable system designers and managers to make informed risk management decisions on whether to accept or mitigate identified risks with changes or updates to the security capability. The lack of timely identification through consistent security solution re-evaluation and correction of evolving, applicable IT vulnerabilities results in false trust and increased risk. Each security mechanism should be able to support migration to new technology or upgrade of new features without requiring an entire system redesign. The security design should be modular so that individual parts of the security design can be upgraded without the requirement to modify the entire system.

Principle 15: Strive for operational ease of use.
The more difficult it is to maintain and operate a security control the less effective that control is likely to be. Therefore, security controls should be designed to be consistent with the concept of operations and with ease-of-use as an important consideration. The experience and expertise of administrators and users should be appropriate and proportional to the operation of the security control. An organization must invest the resources necessary to ensure system administrators and users are properly trained. Moreover, administrator and user training costs along with the life-cycle operational costs should be considered when determining the cost-effectiveness of the security control.

INCREASE RESILIENCE

Principle 16: Implement layered security (ensure no single point of vulnerability).
Security designs should consider a layered approach to address or protect against a specific threat or to reduce vulnerability. For example, the use of a packet-filtering router in conjunction with an application gateway and an intrusion detection system combine to increase the work-factor an attacker must expend to successfully attack the system. Add good password controls and adequate user training to improve the system’s security posture even more. By using multiple, overlapping protection approaches, the failure or circumvention of any individual protection approach will not leave the system unprotected. Through user training and awareness, well-crafted policies and procedures, and redundancy of protection mechanisms, layered protections enable effective protection of information technology for the purpose of achieving mission objectives. The need for layered protections is especially important when COTS products are used. Practical experience has shown that the current state-of-the-art for security quality in COTS products does not provide a high degree of protection against sophisticated attacks. It is possible to help mitigate this situation by placing several controls in series, requiring additional work by attackers to accomplish their goals.

Principle 17: Design and operate an IT system to limit damage and to be resilient in response.
Information systems should be resistant to attack, should limit damage, and should recover rapidly when attacks do occur. The principle suggested here recognizes the need for adequate protection technologies at all levels to ensure that any potential cyber attack will be countered effectively. There are vulnerabilities that cannot be fixed, those that have not yet been fixed, those that are not known, and those that could be fixed but are not (e.g., risky services allowed through firewalls) to allow increased operational capabilities. In addition to achieving a secure initial state, secure systems should have a well-defined status after failure, either to a secure failure state or via a recovery procedure to a known secure state. Organizations should establish detect and respond capabilities, manage single points of failure in their systems, and implement a reporting and response strategy. (Related: Principle 14)

Principle 18: Provide assurance that the system is, and continues to be, resilient in the face of expected threats.
Assurance is the grounds for confidence that a system meets its security expectations. These expectations can typically be summarized as providing sufficient resistance to both direct penetration and attempts to circumvent security controls. Good understanding of the threat environment, evaluation of requirement sets, hardware and software engineering disciplines, and product and system evaluations are primary measures used to achieve assurance. Additionally, the documentation of the specific and evolving threats is important in making timely adjustments in applied security and strategically supporting incremental security enhancements.

Principle 19: Limit or contain vulnerabilities.
Design systems to limit or contain vulnerabilities. If a vulnerability does exist, damage can be limited or contained, allowing other information system elements to function properly. Limiting and containing insecurities also helps to focus response and reconstitution efforts to information system areas most in need. (Related: Principle 10)

Principle 20: Isolate public access systems from mission critical resources (e.g., data, processes, etc.).
While the trend toward shared infrastructure has considerable merit in many cases, it is not universally applicable. In cases where the sensitivity or criticality of the information is high, organizations may want to limit the number of systems on which that data is stored and isolate them, either physically or logically. Physical isolation may include ensuring that no physical connection exists between an organization’s public access information resources and an organization’s critical information. When implementing logical isolation solutions, layers of security services and mechanisms should be established between public systems and secure systems responsible for protecting mission critical resources. Security layers may include using network architecture designs such as demilitarized zones and screened subnets. Finally, system designers and administrators should enforce organizational security policies and procedures regarding use of public access systems.

Principle 21: Use boundary mechanisms to separate computing systems and network infrastructures.
To control the flow of information and access across network boundaries in computing and communications infrastructures, and to enforce the proper separation of user groups, a suite of access control devices and accompanying access control policies should be used. Determine the following for communications across network boundaries:

• What external interfaces are required
• Whether information is pushed or pulled
• What ports, protocols, and network services are required
• What requirements exist for system information exchanges; for example, trust relationships, database replication services, and domain name resolution processes

Principle 22: Design and implement audit mechanisms to detect unauthorized use and to support incident investigations.
Organizations should monitor, record, and periodically review audit logs to identify unauthorized use and to ensure system resources are functioning properly. In some cases, organizations may be required to disclose information obtained through auditing mechanisms to appropriate third parties, including law enforcement authorities. Many organizations have implemented consent to monitor policies which state that evidence of unauthorized use (e.g., audit trails) may be used to support administrative or criminal investigations.

Principle 23: Develop and exercise contingency or disaster recovery procedures to ensure appropriate availability.
Continuity of operations plans or disaster recovery procedures address continuance of an organization’s operation in the event of a disaster or prolonged service interruption that affects the organization’s mission. Such plans should address an emergency response phase, a recovery phase, and a return to normal operation phase. Personnel responsibilities during an incident and available resources should be identified. In reality, contingency and disaster recovery plans do not address every possible scenario or assumption. Rather, focus on the events most likely to occur and identify an acceptable method of recovery. Periodically, the plans and procedures should be exercised to ensure that they are effective and well understood.

REDUCE VULNERABILITIES

Principle 24: Strive for simplicity.
The more complex the mechanism, the more likely it may possess exploitable flaws. Simple mechanisms tend to have fewer exploitable flaws and require less maintenance. Further, because configuration management issues are simplified, updating or replacing a simple mechanism becomes a less intensive process.

Principle 25: Minimize the system elements to be trusted.
Security measures include people, operations, and technology. Where technology is used, hardware, firmware, and software should be designed and implemented so that a minimum number of system elements need to be trusted in order to maintain protection. Further, to ensure cost-effective and timely certification of system security features, it is important to minimize the amount of software and hardware expected to provide the most secure functions for the system.

Principle 26: Implement least privilege.
The concept of limiting access, or “least privilege,” is simply to provide no more authorizations than necessary to perform required functions. This is perhaps most often applied in the administration of the system. Its goal is to reduce risk by limiting the number of people with access to critical system security controls (i.e., controlling who is allowed to enable or disable system security features or change the privileges of users or programs). Best practice suggests it is better to have several administrators with limited access to security resources rather than one person with “super user” permissions. . Consideration should be given to implementing role-based access controls for various aspects of system use, not only administration. The system security policy can identify and define the various roles of users or processes. Each role is assigned those permissions needed to perform its functions. Each permission specifies a permitted access to a particular resource (such as “read” and “write” access to a specified file or directory, “connect” access to a given host and port, etc.). Unless permission is granted explicitly, the user or process should not be able to access the protected resource. Additionally, identify the roles/responsibilities that, for security purposes, should remain separate (this is commonly termed “separation of duties”).

Principle 27: Do not implement unnecessary security mechanisms.
Every security mechanism should support a security service or set of services, and every security service should support one or more security goals. Extra measures should not be implemented if they do not support a recognized service or security goal. Such mechanisms could add unneeded complexity to the system and are potential sources of additional vulnerabilities. An example is file encryption supporting the access control service that in turn supports the goals of confidentiality and integrity by preventing unauthorized file access. If file encryption is a necessary part of accomplishing the goals, then the mechanism is appropriate. However, if these security goals are adequately supported without inclusion of file encryption, then that mechanism would be an unneeded system complexity.

Principle 28: Ensure proper security in the shutdown or disposal of a system.
Although a system may be powered down, critical information still resides on the system and could be retrieved by an unauthorized user or organization. Access to critical information systems must be controlled at all times. At the end of a system’s life-cycle, system designers should develop procedures to dispose of an information system’s assets in a proper and secure fashion. Procedures must be implemented to ensure system hard drives, volatile memory, and other media are purged to an acceptable level and do not retain residual information.

Principle 29: Identify and prevent common errors and vulnerabilities.
Many errors reoccur with disturbing regularity – errors such as buffer overflows, race conditions, format string errors, failing to check input for validity, and programs being given excessive privileges. Learning from the past will improve future results.

DESIGN WITH THE NETWORK IN MIND

Principle 30: Implement security through a combination of measures distributed physically and logically.
Often, a single security service is achieved by cooperating elements existing on separate machines. For example, system authentication is typically accomplished using elements ranging from the user- interface on a workstation through the networking elements to an application on an authentication server. It is important to associate all elements with the security service they provide. These components are likely to be shared across systems to achieve security as infrastructure resources come under more senior budget and operational control.

Principle 31: Formulate security measures to address multiple overlapping information domains.
An information domain is a set of active entities (person, process, or devices) and their data objects. A single information domain may be subject to multiple security policies. A single security policy may span multiple information domains. An efficient and cost effective security capability should be able to enforce multiple security policies to protect multiple information domains without the need to separate physically the information and respective information systems processing the data. This principle argues for moving away from the traditional practice of creating separate LANs and infrastructures for various sensitivity levels (e.g., security classification or business function such as proposal development) and moving toward solutions that enable the use of common, shared, infrastructures with appropriate protections at the operating system, application, and workstation level. Moreover, to accomplish missions and protect critical functions, organizations have many types of information to safeguard. With this principle in mind, system engineers, architects, and IT specialists should develop a security capability that allows organizations with multiple levels of information sensitivity to achieve the basic security goals in an efficient manner.

Principle 32: Authenticate users and processes to ensure appropriate access control decisions both within and across domains.
Authentication is the process where a system establishes the validity of a transmission, message, or a means of verifying the eligibility of an individual, process, or machine to carry out a desired action, thereby ensuring that security is not compromised by an untrusted source. It is essential that adequate authentication be achieved in order to implement security policies and achieve security goals. Additionally, level of trust is always an issue when dealing with cross-domain interactions. The solution is to establish an authentication policy and apply it to cross-domain interactions as required. Note: A user may have rights to use more than one name in multiple domains. Further, rights may differ among the domains, potentially leading to security policy violations.

Principle 33: Use unique identities to ensure accountability.
An identity may represent an actual user or a process with its own identity, e.g., a program making a remote access. Unique identities are a required element in order to be able to:

• Maintain accountability and traceability of a user or process
• Assign specific rights to an individual user or process
• Provide for non-repudiation
• Enforce access control decisions
• Establish the identity of a peer in a secure communications path
• Prevent unauthorized users from masquerading as an authorized user

1.0 Purpose

The purpose of the XXX’s Information Asset Management Policy is to establish the rules for the control of hardware, software, applications, and information used by XXX

2.0 Scope

The scope of this policy extends to all XXX departments, employees, third parties, vendors and partners who utilize or who are responsible for the development, management and maintenance of all XXX’s information assets. The XXX’s Information Asset Management Policy applies to individuals who are responsible for the use, purchase, implementation, management, and/or maintenance of XXX information resources.

The XXX categorises information assets as:

• Information and Information Systems:
  • Databases
  • Data files
  • Hardcopy documents
  • User guides
  • Notebooks
  • Training material
  • Policies, Procedures
  • Business Continuity plans
  • Financial Data
• Software:
  • Applications
  • System software
  • Development software
  • Utilities software
• Physical:
  • Computer equipment
  • Communications equipment
  • Portable and local Media – storage and recording
  • Property and accommodation
• Services:
  • Communications
  • Utilities (power. lighting, environmental controls)
• Personnel:
  • Knowledge
  • Skills
  • Experience
• Intangibles:
  • Reputation

3 Some terms used

3.1 Information Asset Owner
The owners of an information asset are those individuals who have primary responsibility for the viability and suitability of the asset. The owner is a senior person within an organization with sufficient authority and officially designated as accountable for a specific business process / function within an organization. The owner must determine what information assets are they responsible for. The responsibility is not restricted to the information systems within their domain and should go beyond in defining the information that needs to be managed within those systems. Such information may include Personally Identifiable Information (PII) along with critical business data in both electronic and non-electronic formats. It is the owner’s responsibility to set the security requirements for information assets and communicate those requirements to all of the assets’ custodians. Owners are also responsible to assess these requirements from time to time based on the changing threat profiles and / or the value of information with passage of time. Owners should ensure that the defined security requirements are implemented and maintained by the data custodians. Further, the effectiveness of the controls implemented should be assessed at regular intervals (e.g. through audits). An owner may delegate these security responsibilities, but the owner remains ultimately responsible for the protection of the asset.

3.2 Custodian of an Information Asset
The term “custodian” refers to any individual in the organization who has the responsibility to protect an information asset as it is stored, transported, or processed in line with the requirements defined by the information asset owner. “Custodians” includes users from the Information Technology / Information Security function along with the staff who may be responsible for transporting information (e.g. paper records / CDs / USBs etc) from one place to another or even the facilities or security staff who may have physical access to information processing and storing facilities. Certain roles within the organization such as IT staff with administrative / root privileges may have unlimited access to the agency’s information system, these are critical roles and sufficient controls and procedures must be developed for such privileged access. Data Users also have a critical role to protect and maintain an organization’s information systems and data. For the purpose of information security, a Data User is any employee, contractor or third-party provider who is authorized by the Data Owner to access information assets. At times, the data custodian may play the role of a trusted advisor to the owner advising him on the risks and controls suitable for the information asset. However, the ultimate responsibility lies with the Owner and in no circumstances, the data custodian shall deem the role of an owner.

3.3 Risks to Information Assets
An Information Asset Owner should assess the risks to the information assets and ensure adequate controls to protect against:

1. Loss of Confidentiality: Inappropriate access to, or disclosure of, protectively marked or personal data by Data users, public and / or malicious actors, whether accidental or deliberate
2. Loss of Integrity: Data users acting in error or deliberately, or external parties accessing your information illegally, acting maliciously to compromise the integrity of your data with an intention to defraud you or your customers or to cause reputation damage to your organization
3. Loss of Availability: This could be either temporary or permanent.
   • Information loss – particularly during transfer or movement of information, or because of business change (mergers, acquisitions, restructuring).
   • Loss of access to information due to system / network outages caused due to errors or deliberate actions.
   • Loss of digital continuity – i.e. losing the ability to use your information in the way required when needed. By use we mean being able to find, open, work with, understand and trust your information. The lifecycle of a piece of information – how long you need to use and keep it – is often different to the lifecycle of the IT system used to access and support it.
4. Information Currency: Business needs change, systems change, the value of an information asset may change or the organization’s information risk appetite may change. An organization’s processes should be agile to manage the information security of the asset in accordance to the changing business environment.

4 Policy Statement

The XXX’s Information Governance Group (IGG) co-ordinates responsibility for the management of information assets by appointing nominated information asset owners across departments. All identified information assets must be recorded and managed by information asset owners in accordance with the XXX’s Information Security Management System. The XXX must take the following steps to ensure all information assets are appropriately identified, recorded and maintained:

4.1 Information and Information Systems

Information held and maintained by the XXX can either be in hard copy form stored in physical locations, filing systems, office locations or stored electronically using software and electronic backup systems.

Types of Information and Information Systems assets:

• Databases – Access to these must be given to authorised employees only and logs should be maintained to record all access to and changes made to any data held within any database system.
• Data files – Access to any data file(s) must be given to authorised employees only and logs must be maintained to record all access to and changes made to any data held within database systems.
• Hard copy documents – All hard copy documents containing sensitive and personal information must be accessed, processed, maintained and securely stored in accordance with the XXX’s Information Safe Haven guidance. Restricted hard copy documents requiring controlled access must have a signing in/out record maintained wherever appropriate.
• User guides – All user guides which assist and aid in the understanding of processes, procedures or systems should be safely stored and should be easily and readily accessible to all relevant employees – wherever possible. Guides which exist only in physical form should be digitised to include an electronic version which can be stored electronically on the XXX’s ICT Network.
• Notebooks – Information contained in notebooks which are used to record sensitive or personal information must be transferred to secure information systems as soon as possible and either the pages or entire notebook must be securely destroyed once the information has been transferred.
• Training material – All relevant training material(s) must be stored and made readily accessible to all relevant employees. Duplication or physical reproduction of training manuals must be kept to a minimum and avoided wherever possible.
• Policies and Procedures – All XXX Policies and Procedures should be made available and disseminated via the XXX’s main website. All original copies of Policies and Procedures documents whether electronic or hardcopy must be safely stored, regularly reviewed and a version history control record must be maintained for each document to ensure they are up to date.
• Business Continuity plans – All Business Continuity plans must be regularly reviewed, disseminated to appropriate employees and stored safely for easy retrieval as and when necessary.
• Financial Data – Data and Information relating to XXX financial data must be restricted to authorized employees only. Recording mechanisms must be in place for logging access, changes and use of financial data and information.

4.2 Software

Computer and IT systems software is widely used across the XXX and is vital to the day to day running of the XXX .The use of software has continued to change the way the XXX works. Substantial investment has been made in Software along with accompanying ongoing costs and expenditure such as annual software/systems support, licensing and staff training.

• Applications – Software used by the XXX must be appropriately sourced using XXX approved suppliers and must be evaluated for business need, suitability, efficiency, and ease of use, cost effectiveness and integration into existing XXX systems. All software approved for use by the XXX must be recorded on an approved software list. Appropriate numbers of software licenses must be purchased to cover volume of use and to satisfy legal requirements. Software media must be stored (physically and electronically) in a secure, centralized location along with software installation codes and registration numbers. Access to software media by employees must be controlled and limited to authorized employees only. A record must be maintained of all installations of software, licensing volumes SLA documentation and references in a centralized location where access is provided to authorize employees only. A signing in/out system should be used for controlling the use of physical software media.
• System software – Server/system software such as Operating Systems, must be evaluated for business need, suitability, efficiency, cost effectiveness and integration into existing XXX systems. Operating System installation media must be stored in a secure, centralized location along with installation codes. Access to Server/system software media by employees must be controlled and limited to authorized employees only. A record must be maintained of all installations of software, licensing volumes SLA documentation and references in a centralized location where access is provided to authorize employees only. A signing in/out system should be used for controlling the use of physical software media. Backups of complete Server/systems installations must be routinely carried out for disaster recovery purposes. Installation, configuration and maintenance of Server/system software must only be undertaken by employees who are trained and qualified to do so.
• Development software – software for the support of existing systems and for the development of in-house solutions must follow the same processes for procurement and use as for the applications and Server/systems software. Development software should only be used by employees who are trained or who are undergoing training to use the development software.

All types of software (with the exception of routine security updates and patches verified by software vendors) must go through agreed purchasing procedures and must be recorded on a XXX approved software list. Where the software is used in the storing, handling, processing or retention of data including personal data relating to the XXX’s information or services commissioned by the XXX, then the purchasing procedure should follow the guidelines contained within the XXX’s ‘Supplier Information Security Policy’ and approved by the Director of Finance and ICT Services in line with the ‘Protocol for the Approval of new Systems or Changes to Existing Systems by the Director of Finance’.

4.3 Physical

The XXX’s most visible information assets are those which are physically located throughout the XXX such as computers, printers and phones etc. Offices and buildings must also be considered as information assets – providing location for the housing and installation of the XXX’s ICT Data and Communications Network infrastructure and physically stored documents and information.

• Computer equipment – A large number of computing devices are in use across the XXX. Computers are one of the most costly single items of equipment and must be subject to controls from procurement to disposal. The XXX must be able to track all activity and use relating to all XXX computing devices using various means such as via the computer network and/or using logging systems such as signing in and out and other such recording mechanisms. All computers must be allocated a unique asset tag number which is recorded against the manufacturer’s serial number and model which should never be altered or exchanged with any other computer. Throughout its life, a computer may be subject to hardware upgrades, new software installations, configuration changes and maintenance and all such activity must be appropriately recorded, maintained and updated by the ICT Service.
• Communications equipment – Mobile and office phones are widely used communications devices across the XXX. Other network and communications devices identified as information assets include routers, switches, video conferencing equipment etc. Along with computing equipment, these devices must be allocated an asset tag number. All communications equipment must be identified, recorded and appropriately maintained by the ICT Service.
• Portable, local media storage – Media such as CD/DVDs, Magnetic tape, flash/portable hard disks are valuable information assets because they are used to save and retrieve XXX information and data. Irrespective of the information stored on them, all such media must be classified and handled as ‘RESTRICTED’ in accordance with the XXX’s Information Classification and Handling Policy. The portable nature of this type of media requires responsible use and adherence to all XXX policies, procedures and processes which are in place for the protection of information and data. Appropriate labelling and recording mechanisms should be in place to ensure the safety and integrity of media – enabling tracking of essential media such as for data backups e.g. media required to carry out data/file restores must be signed in and out from a secure location. Portable media must be used in accordance with the XXX’s Encryption & Cryptographic Controls Policy, Desktop and Mobile Device Procedures and Data Protection and Storage Media Handling Procedures. All physical computer, communications and storage media/devices must go through purchasing procedures and must be recorded on a XXX approved hardware inventory.
• Property and accommodation – The XXX’s Corporate Asset Management Plan provides comprehensive information relating to buildings and property as information assets. ICT equipment along with Data and Network Communications infrastructure equipment is housed in many buildings and property owned by the XXX and is therefore subject to the Corporate Asset Management Plan

4.4 Services

• Communications – It is vital for the XXX to maintain its ability to communicate in many different forms. Communications equipment must be maintained and clear processes, policies and procedures for the provision of this service must be in place. E-mail is also a vital means of communication and as such, requires a robust, reliable infrastructure to enable the XXX to communicate effectively and reliably, both internally and externally.
• Utilities (power. lighting, environmental controls) – These services are information assets as they provide fundamental requirements for the XXX to function appropriately, safely and effectively. It is essential that property maintenance and inspections are routinely carried out and that employees are proactive in reporting faults, whenever noted, to the XXX’s Property Services division.

4.5 Personnel

The XXX cannot function without its workforce – it is its largest asset. The provision of good public services requires XXX employees to have the necessary skills, knowledge and ability to work within many different areas and departments across the XXX. The number of unique functions and specialisms across the XXX requires a varied knowledge and skills base which must be supported by robust recruitment processes, appropriate training provision and good management of employee skill identification, work placement and allocation.

• Knowledge and Experience – The XXX has a great pool of employees who have a wide knowledge and experience base to draw on and as such, is a valuable information asset.
• Skills – All XXX employees must possess the necessary skills and ability to do their jobs.

4.6 Intangibles

Reputation – The XXX is very aware that public perception and confidence in its ability to deliver effective, efficient public services is of the utmost importance. Reputation is an asset which promotes confidence and generates support in what the XXX is trying to achieve. The XXX takes its reputation seriously and proactively engages to develop policies and procedures along with a consistent approach in maintaining and presenting the right image. The XXX encourages good reputation and is assisted by:

• Good working practices
• Corporate Image Branding
• Public Consultation

4.7 Information Classification and Handling

All XXX information has a value to the organization, however not all of the information has an equal value or requires the same level of protection. Being able to identify the value of information assets is key to understanding the level of security that they require. The XXX maintains an Information Classification and handling scheme which involves grouping information and categorizing content to establish the most appropriate way of handling, storing, retrieving and to determine who is authorized to access particular Information. All information in both electronic and physical forms must be categorized using either ‘PUBLIC’, ‘CONTROLLED’ or ‘RESTRICTED’ and must be appropriately labelled.
Any information that is not specifically marked as being ‘RESTRICTED’ or ‘CONTROLLED’ will be deemed to be ‘PUBLIC’. Where information is grouped together, the highest classification must be applied to all information in the group. The XXX’s information classification and handling policy and procedures provide further information

4.8 Guidelines for an Information Asset Owner

Information asset owner are individuals who are responsible and accountable for the information assets within an organization. Information asset owners shall define the controls necessary for the information asset and work with information custodians to ensure that they are implemented and effective.

• Classification: Asset owner should support the ISM in the task of asset classification by explaining the need and importance for all information asset assigned under his /her responsibility.
• Labelling: Asset owner SHOULD identify the appropriate labels for all assets as per their classification to support the Need-To-Know requirement and data labelling education and awareness for the staff, employees and contractors.
• Controls allocation: Owner SHOULD ensure the application of all baseline controls to all classified assets. Additional, stronger controls MAY be applied, if necessary and based on the risk assessment conducted. The controls shall consistently protect the Information Asset throughout their life cycle.
• Access Control and Physical Security: Asset Owner must authorize access to only those who have a business need for the information, and ensure that access is removed for those who no longer have a business need for the information. The Access control shall include physical as well as logical access to the information asset. The controls shall be chosen based on an assessment of risk.
• Logging & Security Monitoring: The asset owner shall identify suitable technical controls and processes to log and monitor systems for potential malicious activities or system disruptions.
• Awareness: The asset owner shall ensure that all personnel having access to the information asset are aware of the organization’s security requirements and any legal or regulatory responsibilities.
• Retention & Archival: The asset owner shall determine and document the retention periods of information assets governed by the organization’s policies and regulatory requirements.
• Incident Handling: The asset owner shall be responsible for the information asset. Any incident that compromises the confidentiality, integrity or availability of data should be reported and managed.
• Business Continuity: The information asset owner shall ensure the availability of information as and when required for the continuance of business.
• Ensure compliance: The asset owner shall ensure that the information asset is secured in compliance with the organizational security policy and state of Qatar laws and regulations.

4.9 Guidelines for the Information Asset Custodian

Information asset custodians are individuals in physical or logical possession of information. Information asset custodians are expected to work with information asset owners to gain a better understanding of these requirements. The information security controls implemented by the custodian must be documented and shared with the asset owner.

4.9.1 Information Technology Manager (IT Function)

• Classification: Assist the Asset owner along with the ISM in the task of asset classification.
• Labelling: Implement the data labeling as identified by the Asset owner. Advise the owner on technical limitations if any and possible technical mitigating solutions.
• Controls allocation: Identify and apply all controls (baseline and additional) to all information assets to protect the confidentiality, integrity, and availability of the information asset. The controls shall consistently protect the Information Asset throughout their life cycle.
• Access Control and Physical Security: Implement the necessary processes and controls to manage access control to information assets. Access shall be provided to only those who have a business need for the information, and ensure that access is removed for those who no longer have a business need for the information. The Access control shall include physical as well as logical access to the information asset. The controls shall be chosen based on an assessment of risk.
• Logging & Security Monitoring: Implement suitable technical controls and processes to log and monitor systems for potential malicious activities or system disruptions.
• Retention & Archival: Design and implement systems that shall ensure that information assets and the information life cycle are managed in line with the document retention policy.
• Incident Handling: Implement procedures for managing incidents. This should include incident reporting and incident response.
• Business Continuity: Design and implement the necessary procedures and controls to ensure the availability of information as and when required for the continuance of business.

4.9.2 Information Security Manager (Information Security Function)

• Information Governance: The Information Security Manager will manage the information security program of the organization. The ISM will develop information security policies to ensure that the organization’s information assets are secured adequately in line with the Information owner requirements and corporate policies and national regulations such as NIA Policy, Information Privacy Protection Law and Cyber crime law amongst others. IG and AC
• Information Classification: Assist the information owner in identifying assets and classifying them. The ISM should also assist the information asset owner and the ITM in selecting appropriate controls to provide the necessary assurance to information asset owners.
• Controls: Ensure the application of all baseline controls to all information assets.
• Risk Management: Conduct a Risk assessment in association with the information asset owner and prepare an appropriate Risk treatment plan. Monitor the effectiveness of risk treatment processes and plans periodically.
• Awareness: Design and deliver an information security awareness to all personnel having access to the information assets. The awareness shall elevate among the users an understanding of the organization’s security requirements and any legal or regulatory responsibilities.
• Incident Management: Define an Incident Management policy and necessary procedures. Work with the ITM to detect, respond and contain incidents. Inform and report senior management about critical incidents.
• Maintain co-ordination with government and law enforcement agencies to report and manage critical incidents.

4.9.3 Guidelines for Data User

• Information Governance: The Data user shall be responsible for the information assets (systems / infrastructure) provided to them to carry out their official responsibilities.
• Information Classification: The Data User shall adhere to the information classification scheme approved by the management and maintain the classification (label) provided by the information asset owner.]

5 Acceptable Use of Assets

All XXX departments, employees, elected members, contractors, vendors and partner agencies must observe and abide by all Acceptable Use policies and procedures pertaining to all XXX owned information assets.

6 Breaches of Policy

Breaches of this policy and/or security incidents can be defined as events which could have, or have resulted in, loss or damage to XXX assets, or an event which is in breach of the XXX’s security procedures and policies. All XXX employees, elected members, partner agencies, contractors and vendors have a responsibility to report security incidents and breaches of this policy as quickly as possible through the XXX’s Incident Reporting Procedure. This obligation also extends to any external organization contracted to support or access the Information Systems of the XXX. The XXX will take appropriate measures to remedy any breach of the policy and its associated procedures and guidelines through the relevant frameworks in place. In the case of an individual then the matter may be dealt with under the disciplinary process.

Example of Information Asset Register Format

1.0 Purpose

The purpose is to detect events, analyse them and determine an appropriate control action.This is to ensure that:

• Operational activities are performed as required and scheduled
• Operations are monitored, measured, reported and remediated
• All significant changes of information security is detected
• Appropriate control actions are determined for events and these are communicated to the appropriate
  functions.
• Provide the trigger, or entry point, for the execution of service operation processes and operations
  management activities.

2.0 Scope

The scope includes detection and management of all critical services and IT infrastructure in XXX. The scope predominantly includes, but not limited to the following infrastructure and any services provided via these.

• Servers
• Desktops/ Laptops
• Applications
• Databases
• Backup
• Storage
• Network Devices
• Security Devices

3.0 Process

3.1 Event Generation

• Requirements for events generation shall be established based on a risk assessment exercise.
• Systems and network infrastructure shall have the capability to capture and store security events based on the business / legal / regulatory / security requirements.
• Adequate and appropriate logging shall be enforced to ensure that security events / details related to the user / system activity are maintained.

3.2 Fault Logging

• Faults reported by Staff / Users or through an automated process related to problems with technology resources shall be logged, maintained and action taken by XXX
• Automated real-time alerts when faults / errors occur shall be enabled for infrastructure where feasible and required. Restricted or confidential information shall be masked from logging in the logs.

3.3 Contents of Audit Trails / Records

• Requirements for Audit Trails and Records shall be established based on a risk assessment exercise.
• Systems and network infrastructure shall have the capability to capture and store Audit Trails / Records based on the business / legal / regulatory / security requirements.
• The audit trail shall include sufficient information to establish ‘what activity occurred when and who (or what) caused them’.

3.4 Audit Log Reviews

• Audit trails shall be monitored and reviewed to detect suspicious or malicious activities and noncompliance to policies.
• Any activity that falls into these categories shall be investigated and the results of this analysis shall be recorded.

3.5 Time Synchronization

The time for all devices shall be configured to be synced / retrieve time from a centralized source to establish the time frames of the event generated / performed within the IT systems and infrastructure.

3.6 Audit Trail Security

• Access to audit logs shall be controlled.
• Audit logs shall be protected from intentional or unintentional deletion or modification.
• Adequate segregation of duties between staff performing the administration / review of audit trails and operational activities shall be enforced.

3.7 Log Rotation and Storage / Archiving

Logs shall be backed-up or archived regularly to a log management system or media to prevent alterations based on the business / legal / regulatory requirements and shall be stored in a physically secure environment.

3.8 Monitoring and Log Review

• Regular monitoring and review of audit logs shall be implemented to detect any suspicious activities / potential breach such as recurring failed logon attempts.
• Information security events detected because of the monitoring and review procedures shall be reported as stipulated by the XXX’s incident management policy.

3.9 Event Management Inputs & Outputs

3.9.1 Process Main Inputs
Alerts and events generated by the monitoring tools. While designing event management process, decision is taken on events need to be generated and how this can be done.
3.9.2 Process Main Outputs

3.9.2.1 Managed Events
Each type of event trigger will initiate actions prior to closure.

• Informational events do not require any actions to be taken
• Warnings are used to notify the appropriate teams/ processes so that corresponding actions can be
  taken
• Exceptional events get triggered when a service or application fails and when a CI doesn’t function
  normally.

3.9.2.2 Trigger to incident management
For those incidents that arise out of Exception events, the monitoring group assigns them to the appropriate resolver group in and informs the stakeholders and the Incident Manager .

3.9.2.3 Trigger to availability and capacity management
As a part of preventive and corrective actions taken to resolve exceptions which caused incidents,Availability and/or Capacity Management processes get triggered.

3.10 Define event logging criteria

• XXX Information security manager will define and identify the following:
• Identify and document the criteria for logging events considering risk and performance impact;
• Identify the event logging thresholds; and
• Define rules to report threshold breaches and event conditions.

3.11 Define what needs to be monitored

• XXX IS manager prepares a list of infrastructure assets that need to be monitored based on service criticality.
• Procedure documents are created to log events based on the rules defined.
• The duration for retention of event logs to meet legal/regulatory requirements and assist future investigations, is also defined at this stage.

3.12 Detect, filter events and create event logs

<Name the tool you are using>are monitoring tools which trigger the event management process. The monitoring tools are configured to monitor the critical and non-critical applications and servers. In the course of monitoring, three different types of events are generated: • Informational • Warning • Exceptional

3.13 Manual monitoring

Manual monitoring (wherever monitoring tools are not configured) is done for certain applications or servers on continuous basis in order to capture the events.

3.14 Gather monitoring data

The IS manager gathers the entire data with regard to manual monitoring for consolidation purpose.

3.15 Manual consolidation of events

Based on the Events occurred through manual monitoring, the IS Manager does manual consolidation.

3.16 Trigger alerts
Whenever an event occurs, the monitoring tools generate alert notifications. Separate monitoring tools are
configured to generate alerts for critical and non-critical systems

3.17 Correlate events

• All the events arising out of monitoring tools (for both critical and non-critical applications and servers) and manual monitoring are correlated.
• The decision on the significance and what actions need to be taken to deal with the events based on business rules is determined as a part of correlation.
• Correlation will take into account previous occurrences of the similar or related events, the CIs involved, component involvement in the event to arrive at the decision.

3.18 Enrichment process

• Event Management tool/team uses industry standard activities such as event correlation, suppression and
  aggregation; collectively known as “Event Enrichment”:
• Event Suppression: Event suppression is about ignoring events that are generated due to a higher-level
  event, thus significantly reducing the number of events that the monitoring team will handle.
• Event Correlation: The event correlation activity automatically clears active and related events,
  resulting in monitoring staff not having to manually clear all the related events.
• Event Aggregation: Event aggregation activity, also known as event de-duplication, is where duplicates
  of the same event are merged.

3.19 Type of event

Based on the event type ,XXX monitoring teams will transfer to the respective resolver groups. Events can be classified into:
3.19.1 Informational:

• An Informational event refers to an event which does not require any action. These events are the results of status checks of devices or services or confirmation of an activity.
• As the incidents created through the informational events do not affect the service, the Monitoring Group closes these incidents with “Status Reason” as “No action required”.

3.19.2 Warning:

• Warnings are generated when a service or device is approaching a predefined threshold. These are used to notify the appropriate person, process or tool so that corresponding action can be taken.
• As the incidents created through warnings may or may not impact the service, the Monitoring Group alerts the respective Resolver Group for appropriate action.

3.19.3 Exception:

An Exceptional event gets triggered in case an application service fails, or configuration item does not function normally. They may represent total failure, impaired functionality or degraded performance.

3.20 Inform the right resolver group

For those incidents that arise out of exception events, the monitoring group assigns them to the appropriate resolver group in service desk and informs the stakeholders/ incident manager.

3.21 Initiate preventive action

The Resolver Group will take the appropriate actions to prevent incidents from occurring. The action taken may trigger the availability and/or capacity management processes.

3.22 Update event log

• The preventive action initiated by the Resolver Group may or may not be effective.
• If it is not effective treat the event as an Incident and trigger the predefined Incident Management process.
• If the type of incident is either an exception or the actions taken in response to the warning event are
  not effective, then the predefined Incident Management process is triggered.
• The outcome of Incident Management may trigger Problem Management or Change Management. The
  output from all this process will be checked for effectiveness.
• If the action taken is effective, the event ticket is updated with actions taken

3.23 Close the event

The event related incident will be updated and closed

1.0 Purpose:

Non-disclosure agreements are contracts intended to protect information considered to be sensitive or confidential. Information technology resources shall be used only for intended purposes as defined by XXX and in compliance with applicable laws. All individuals are accountable for their actions relating to information technology resources and shall formally acknowledge that they will comply with the XXX security policies and procedures or they shall not be granted access to information technology resources. All employees will complete a non-disclosure agreement for information technology resources on an annual basis.

2.0 Scope:

The Non-Disclosure Agreement Policy applies to all authorized users who utilize XXX’s information technology resources (including, but not limited to, Employees, workers, temporary employees, vendors, consultants, employees of independent contractors, and visitors.)

3.0 Confidentiality

All employees/ workers/ temporary employees/ vendors/ consultants/ employees of independent contractors, must, from the date of the commencement of employment or other form of engagement, and thereafter, observe strict confidentiality in respect of any information held by the practice, and by each individual working on behalf of the practice. This includes dealings, transactions, procedures, policies, decisions, systems and other matters of a confidential nature concerning the practice and its affairs.
Other than in the proper course of their duties, employee must not, either during or at any time after the termination of their employment, exploit or disclose confidential information. Also, they must not, through negligence, wilful misconduct or inadvertence, allow the use, exploitation or disclosure of any confidential information relating to the affairs of the practice, processes, technology,customers, products , partners, employees, contractors, business partners or suppliers. There must be no attempt to use any confidential information in a manner that may either directly or indirectly cause, or be calculated to cause loss to the business, reputation or compromise Information security.

Non-disclosure of information
It is an obligation upon all employees during employment, or engaged under other contractual arrangements, to maintain information in confidence and not, directly or indirectly, disclose it other than for the purposes it was gathered. Any such information in the possession of an individual, either in electronic format or hard copy, shall be returned to the practice before or at the point in time that employment/contract ceases, however such cessation occurs.
Following the cessation of employment, or other contractual engagement , an individual must not, directly or indirectly, use for gain, discuss or pass on to others confidential information that can be classed as objective knowledge in that it has been gained during the course of employment. This includes information relating to partners, employees, contractors, customers, business, associates, suppliers, market information, contractual arrangements, dealings, transactions, policies, procedures, decisions, technology and systems or other matters of a confidential nature concerning the practice.

Third-party requests for information
Any employee approached by any third party, including any media source, and asked to make any comments or provide any information relating to the practice and its affairs (or the affairs of its customer, partners, employees, contractors or any business associate) must under no circumstances respond without having sought permission and guidance from the practice manager.

Whistle-blowing or protected disclosures
Nothing in this policy will prevent or limit an employee in making a protected disclosure under the practice’s whistle-blowing policy, in respect of any malpractice or unlawful conduct.

Non-disclosure agreement
All persons engaged to work for and on behalf of the practice will be required to sign the following nondisclosure agreement, which will be recorded on their personnel file.

CONFIDENTIALITY AND NON-DISCLOSURE AGREEMENT

To be signed by any individual employed or otherwise engaged by the practice.
I acknowledge that I have read and understood the confidentiality and non-disclosure policy, dated …………. issued by the practice and I agree to abide by that policy.

Signed:

Dated:

Name:

Purpose

To ensure that information security is designed and implemented within the development life cycle for applications and information systems.

Scope

All XXX applications and information systems that are business critical and/or process, store, or transmit sensitive data. This policy applies to all internal and external engineers and developers of XXX software and infrastructure.

Secure Software and System Development Policy

1 Data Storage

Personal Data information and its availability. It describes procedures for the secure storage of information in databases. It details the management of access permissions and distribution of passwords to be adopted for the operationalization of these structures.

1.1 Procedures and Media for Data Storage

You should not use a storage medium that does not have access for reading and writing restricted by password. You should preferably store encrypted data.

1.2 Permissions for Accessing Information in Databases

• Applications should not have access to any database utilizing a user login with root permissions.
• Applications should not have access to any database utilizing a user login with permissions to execute commands in Data Definition Language (DDL).
• Applications should not have access to any database utilizing a user login with permissions beyond those strictly necessary for its operation.

1.3 Password Management and Distribution for Data Access

• The creation of passwords that do not follow the standards established by Epimed Solutions should not be allowed. Passwords must have at least 6 (six) alphanumeric characters, using special characters (@ # $%).
• Password storage in source code should not be used.
• User data and systems using each password provided must be securely stored.
• The same passwords should not be used for development, testing, homologation and production environments.

2 – Password Management and Distribution of Data Access

2.1 Authorization and Authentication of Users

• Passwords should not be stored in plain text without using a salted secure hash algorithm.
• Nominal user and password control must be used to determine the user’s identity.
• Authentication via AD should be used whenever possible to authenticate internal users.
• Users must be made aware of the permissions and levels of access they have.
• Active Directory (AD) groups should be used to determine access policies and user roles.

2.2 Authentication on Web Systems

Since HTTP is a stateless protocol, which uses cookies to maintain user sessions, it is necessary to guarantee both the security of the exchange of credentials and also that of other pages accessed by users of web systems. The HTTPS protocol aims to contribute to ensuring that security is guaranteed.Thus, HTTPS must be used in all system screens

3 – Secure communication

This deal with the secure transmission of Sensitive Personal Data between systems, in order to safeguard the integrity, authenticity and other attributes pertinent to the use of communicated data. A communication channel with control of duplication and loss of information/messages must be used. Thus, HTTPS must be used in all system screens. A communication channel that provides integrity control of transmitted data (HTTPS) must be used. A communication channel with authentication control (HTTPS, digital certificates generated by trusted authorities, VPNs) must be used. The data to be transmitted at both ends of the communication must be securely stored. A communication channel that provides confidentiality of the transmitted data (HTTPS and VPNs) must be used.

4 – Attacks on Systems and their Defenses

It is recommended that the main known attacks be prevented, in order to prevent malicious attacks from compromising the security of the system, exposing Sensitive Personal Data and performing unauthorized operations, among other possible vulnerabilities.

• SQL injection attacks (SQL Injection) must be prevented.
• SQLs should not be created by concatenating textual parameters from non-secure sources, such as parameters filled in by users or even stored in the database.
• Access permissions to the database for application users must be restricted.
• It is necessary, whenever possible, to pass parameters in SQL commands (DML or DDL) using prepared statements. Queries that cannot be parameterized should receive special treatment, such as escapes or hexadecimal coding.
• HTML and Javascript injection attacks must be prevented.
• Cross-site scripting (XSS) attacks should be prevented.
• Broken Authentication and Session Management attacks must be prevented.
• Systems must be subjected to intrusion testing tools.

5 – Auditing, Tracking and Logs

This section presents guidelines for the maintenance of records/logs for subsequent auditing, tracking and consultation of incidents related to system security. Each system has a different criticality in terms of data access restriction, non-repudiation and history of operations carried out in the database. For this reason, this section does not define what information should be audited, but rather suggests possible items that can be audited, tracked or logged. These items, then, must be evaluated by product managers.

Examples of events that can be logged:

• Login and logout operations;
• Access to certain screens or sections of the system;
• Access to information with some restrictions (For example: confidential documents, personal data);
• Operations for the inclusion, alteration or deletion of records in the database;
• Change of access profile (for systems that have access with different profiles);
• Execution of jobs and automated tasks.

Examples of information that can be stored, related to each event:

• Date and time;
• User who performed the operation;
• IP address;
• User session identifier (when applicable, for example: cookies);
• Screen (page) of the system in which the operation was performed;
• Instance identifier (for clustered systems);
• For insertion, alteration or deletion operations, the type of operation, name of the table that was manipulated, record ID and, if applicable, previous and current values for each field;
• Parameters informed by the user (Examples: GET or POST parameters), being careful not to store Sensitive Personal Data, such as passwords;
• System response time;
• To execute jobs and automated tasks, store the result of the operation; failure, success, cancelation, etc.

6 – Prevention, Reaction, and Mitigation of security Breaches.

6.1 Backups

• The specification of the need and the assignment of the responsibility for making backups of the database and of the system source codes, as well as the access policies for this backup, must be included in the project plan.
• A structured procedure for restoring backups must be defined.
• Personnel in charge of the recovery of backups must be properly designated and trained.
• Baselines of the system versions must be created, facilitating the agile recovery to a previous version.
• Simulation of data restoration must be carried out continuously.

6.2 Tests

• Manual security tests must be carried out before each version of the software that changes its structure (login screens, unauthenticated services, new forms with user interaction, etc.).
• It must be ensured, through automated tests, that the services and confidential data are protected and available only to the users who hold the information.
• A specific testing policy must be developed, whether automated or not, aiming at guaranteeing non-vulnerability to the main known attacks on systems.
• Test scenarios should be defined to guarantee the non-functional software requirements, preferably carried out by a test team different from the software development team, in order to avoid bias.
• Test scenarios should be defined, mainly in terms of security, for cases of updates to the system architecture (application servers, database, browser versions, operating system versions, etc.).

6.3 Incidents

• A planned procedure must be maintained for immediate system unavailability and corrective maintenance.
• A specific policy to foster the follow-up on security breach incident response must be defined.
• Lessons learned from past incidents should be used to review the testing policy and increase system security.

7 – Development Environment .

Security is a requirement that must be included within every phase of a system development life cycle.  A system development life cycle that includes formally defined security activities within its phases is known as a secure SDLC. Per the Information Security Policy, a secure SDLC must be utilized in the development of all applications and systems. At a minimum, an SDLC must contain the following security activities. These activities must be documented or referenced within an associated information security plan. Documentation must be sufficiently detailed to demonstrate the extent to which each security activity is applied. The documentation must be retained for auditing purposes.

1.  Define Security Roles and Responsibilities
2.  Orient Staff to the SDLC Security Tasks
3.  Establish a System Criticality Level
4.  Classify Information
5.  Establish System Identity Credential Requirements
6.  Establish System Security Profile Objectives
7.  Create a System Profile
8.  Decompose the System
9.  Assess Vulnerabilities and Threats
10.  Assess Risks
11.  Select and Document Security Controls
12.  Create Test Data
13.  Test Security Controls
14.  Perform Certification and Accreditation
15.  Manage and Control Change
16.  Measure Security Compliance
17.  Perform System Disposal

There is not necessarily a one-to-one correspondence between security activities and SDLC phases. Security activities often need to be performed iteratively as a project progresses or cycles through the SDLC. Unless stated otherwise, the placement of security activities within the SDLC may vary in accordance with the SDLC being utilized and the security needs of the application or system.. Finally, it is important to note that the Secure SDLC process is comprehensive by intention, to assure due-diligence, compliance, and proper documentation of security-related controls and considerations. Designing security into systems requires an investment of time and resources. The extent to which security is applied to the SDLC process should be commensurate with the classification (data sensitivity and system criticality) of the system being developed and risks this system may introduce into the overall environment.  This assures value to the development process and deliverable.  Generally speaking, the best return on investment is achieved by rigorously applying security within the SDLC process to high risk/high cost projects. Where it is determined that a project will not leverage the full Secure SDLC  process – for example, on a lower-risk/cost project, the rationale must be documented, and the security activities that are not used must be identified and approved as part of the formal risk acceptance process.

Note: Data classification cannot be used as the sole determinate of whether or not the project is low risk/cost.  For example, public facing websites cannot be considered low risk/cost projects even if all the data is public.  There is a risk of compromise of the website to inject malware and compromise visitor’s machines or to change the content of the website to create embarrassment.

7.1 Source Code Access

A version control system with access control and recovery in case of failures must be used. (For example: Microsoft Team Foundation Server).

7.2 Separation of Environments

• The Development/Testing/Homologation environments must be separated from the Production environment.
• Different databases must be used for each environment.
• Different application/web servers must be used for each environment.
• Access to the Development/Testing/Homologation environment should only be provided to members of the development team and to those interested in the project (stakeholders).
• Periodic tests must be carried out to ensure the security of the development/testing/homologation environment.
• Developers should not be provided with passwords to access the production environment.

8 – Data Protection

8.1 Cryptography and Hashing

• A cryptographic method that follows the Kerckhoffs’ Principle should be used. The encryption method and its parameters must be public and documented, only the cryptographic key must be kept confidential.
• An encryption that admits a known method for breaking the cryptographic key (brute force), based on trial and error, should not be used.
• Electronic codebook (ECB) block encryption mode or less secure modes should not be used.
• A key size of less than 128 bits (symmetric encryption) or 1024 bits (asymmetric encryption) should not be used.
• The hash function should not be used without some type of salt.
• Algorithms that are considered obsolete for cryptography and cryptographic hashing should not be used. Examples: MD5, SHA1, DES/3DES, RC2, RC4, MD4.
• A key size of less than 192 bits (symmetric encryption) or 2048 bits (asymmetric encryption) should not be used.
• Cryptographic keys should not be distributed without the use of a public key infrastructure and, therefore, without the use of asymmetric encryption.
• A key size of less than 256 bits (symmetric encryption) or 4096 bits (asymmetric encryption) should not be used.

8.2 Passwords

• Password size: Passwords with less than 6 characters should not be used.
• Variation of symbols: At least upper and lower case letters must be used, together with at least one type of character (digit, symbol).
• Randomness: Passwords should not be created without the aid of random password generator software, configured to meet the parameters established below:
• Tests: You should not use a password that has not been validated by password strength checker software.
• Change frequency: Same passwords should not be used for more than 6 months.
• Password change and recovery: The use of the same password validation channel should not be allowed. The old password should not be sent to users, under no circumstances.
• Storage (user): You should not store a password that is not encrypted following the standard level of encryption set out in this document.
• Number of attempts: Password validation rate should not be allowed to exceed 5 attempts per minute. Passwords must be blocked in case of a maximum of 5 consecutive validation errors and its recovery must rely on a specific process.

9 – Software Life cycle

9.1 Design

• The software design model should include the following:
• Threat modeling stage;
• Clear definition of security risks;
• Severity level that the compromise of Sensitive Personal Data would bring to the system and institution.
• It should not be omitted, during the system development design and its execution, the definition of responsibilities for system data security and how this responsibility will be verified.
• A design schedule that includes security check points of the system developed during its construction must be used.

9.2 Coding

Protective measures applied in the source code must be documented, including in the application code, in order to indicate precisely the procedure used and its peculiarities.

9.3 Maintenance

• Automatic updates of software or components used in the construction of a system should not be enabled, otherwise security breaches may, inadvertently, come up.
• Third party software should not be modified, except when strictly necessary. Internal security controls can be invalidated. This change should be made by the original system developer whenever possible.

9.4 Personnel

Training and qualification of programmers should be provided for the acquisition and review of computer security principles and the development of secure software.

10. Framework for development of Software and System

10.1 Prepare the Organization

1 Define Security Requirements for Software Development

• Identify and document all security requirements for the organization’s software development infrastructures and processes, and maintain the requirements over time.
• Identify and document all security requirements for organization-developed software to meet, and maintain the requirements over time.
• Communicate requirements to all third parties who will provide commercial software components to the organization for reuse by the organization’s own software.

2 Implement Roles and Responsibilities

• Create new roles and alter responsibilities for existing roles as needed to encompass all parts of the SDLC. Periodically review and maintain the defined roles and responsibilities, updating them as needed.
• Provide role-based training for all personnel with responsibilities that contribute to secure development. Periodically review personnel proficiency and role-based training, and update the training as needed.
• Obtain upper management or authorizing official commitment to secure development, and convey that commitment to all with development- related roles and responsibilities.

3 Implement Supporting Tool chains

• Specify which tools or tool types must or should be included in each tool chain to mitigate identified risks, as well as how the tool chain components are to be integrated with each other.
• Follow recommended security practices to deploy, operate, and maintain tools and toolchains.
• Configure tools to generate artifacts of their support of secure software development practices as defined by the organization.

4 Define and Use Criteria for Software Security Checks

• Define criteria for software security checks and track throughout the SDLC.
• Implement processes, mechanisms, etc. to gather and safeguard the necessary information in support of the criteria.

5 Implement and Maintain Secure Environments for Software Development

• Separate and protect each environment involved in software development
• Secure and harden development endpoints (i.e., endpoints for software designers, developers, testers, builders, etc.) to perform development-related tasks using a risk-based approach.

10.2 Protect Software

1 Protect All Forms of Code from Unauthorized Access and Tampering

• Store all forms of code – including source code, executable code, and configuration-as-code – based on the principle of least privilege so that only authorized personnel, tools, services, etc. have access.

2 Provide a Mechanism for Verifying Software Release Integrity

• Make software integrity verification information available to software acquirers.

3 Archive and Protect Each Software Release

• Securely archive the necessary files and supporting data (e.g., integrity verification information, provenance data) to be retained for each software release.
• Collect, safeguard, maintain, and share provenance data for all components of each software release (e.g., in a software bill of materials [SBOM]).

10.3 Produce Well-Secured Software

1.Design Software to Meet Security Requirements and Mitigate Security Risks

• Use forms of risk modeling – such as threat modeling, attack modeling, or attack surface mapping – to help assess the security risk for the software.
• Track and maintain the software’s security requirements, risks, and design decisions.
• Where appropriate, build in support for using standardized security features and services (e.g., enabling software to integrate with existing log management, identity management, access control, and vulnerability management systems) instead of creating proprietary implementations of security features and services.

2. Review the Software Design to Verify Compliance with Security Requirements and Risk Information

• Have 1) a qualified person (or people) who were not involved with the design and/or 2) automated processes instantiated in the tool chain review the software design to confirm and enforce that it meets all of the security requirements and satisfactorily addresses the identified risk information.

3. Reuse Existing, Well-Secured Software When Feasible Instead of Duplicating Functionality

• Acquire and maintain well-secured software components (e.g., software libraries, modules, middleware, frameworks) from commercial, open- source, and other third-party developers for use by the organization’s software.
• Create and maintain well-secured software components in-house following SDLC processes to meet common internal software development needs that cannot be better met by third-party software components.
• Verify that acquired commercial, open-source, and all other third-party software components comply with the requirements, as defined by the organization, throughout their life cycles.

4. Create Source Code by Adhering to Secure Coding Practices

• Follow all secure coding practices that are appropriate to the development languages and environment to meet the organization’s requirements.

5. Configure the Compilation, Interpreter, and Build Processes to Improve Executable Security

• Use compiler , interpreter and build tools that offer features to improve executable security.
• Determine which compiler, interpreter, and build tool features should be used and how each should be configured, then implement and use the approved configurations.

6. Review and/or Analyze Human-Readable Code to Identify Vulnerabilities and Verify Compliance with Security Requirements

• Determine whether code review (a person looks directly at the code to find issues) and/or code analysis (tools are used to find issues in code, either in a fully automated way or in conjunction with a person) should be used, as defined by the organization.
• Perform the code review and/or code analysis based on the organization’s secure coding policy, and record and triage all discovered issues and recommended remediations in the development team’s workflow or issue tracking system.

7. Test Executable Code to Identify Vulnerabilities and Verify Compliance with Security Requirements

• Determine whether executable code testing should be performed to find vulnerabilities not identified by previous reviews, analysis, or testing and, if so, which types of testing should be used.
• Scope the testing, design the tests, perform the testing, and document the results, including recording and triaging all discovered issues and recommended remediation in the development team’s workflow or issue tracking system.

8. Configure Software to Have Secure Settings by Default

• Define a secure baseline by determining how to configure each setting that has an effect on security or a security-related setting so that the default settings are secure and do not weaken the security functions provided by the platform, network infrastructure, or services
• Implement the default settings (or groups of default settings, if applicable), and document each setting for software administrators.

Respond to Vulnerabilities

1.Identify and Confirm Vulnerabilities on an Ongoing Basis

• Gather information from software acquirers, users, and public sources on potential vulnerabilities in the software and third-party components that the software uses, and investigate all credible reports.
• Review, analyze, and/or test the software’s code to identify or confirm the presence of previously undetected vulnerabilities.
• Have a policy that addresses vulnerability disclosure and remediation, and implement the roles, responsibilities, and processes needed to support that policy.

2. Assess, Prioritize, and Remediate Vulnerabilities

• Analyze each vulnerability to gather sufficient information about risk to plan its remediation or other risk response.
• Plan and implement risk responses for vulnerabilities.

3. Analyze Vulnerabilities to Identify Their Root Causes

• Analyze identified vulnerabilities to determine their root causes.
• Analyze the root causes over time to identify patterns, such as a particular secure coding practice not being followed consistently.
• Review the software for similar vulnerabilities to eradicate a class of vulnerabilities, and proactively fix them rather than waiting for external reports.
• Review the SDLC process, and update it if appropriate to prevent (or reduce the likelihood of) the root cause recurring in updates to the software or in new software that is created.

1.0 Introduction

Brief introduction of your company.

This manual shall cover all the requirement of Quality Control and Quality Assurance for the YYY to be performed by ZZZ subsidiary of ABC . This Manual is prepared to comply the general procedures and guidelines to be followed by the manufacturing personnel in carrying out all aspects of the tasks in production process. This Plan mainly provides procedures for carrying out tasks related to inspection, testing and reporting. However, this Plan does not deal with day-to-day technical requirements, nor does it provide solutions to technical problems, as these technical issues are usually administered by the Specifications, drawing and other Documents.
This document is prepared based on the latest version of Qatar Construction Specification since, all the works in the State of Qatar have to fulfill the requirements of this National Standards. Any special requirements for the projects or refer to the international standards, also be follow determined and amended for the projects specific.
It is to be noted that although the intention of this Plan is to provide efficient, high quality and safety, adherence to the adopted guidelines does not necessarily guarantee that these attributes are achieved. This directs to the need, therefore, for all users to exercise judgment based on good engineering practice in all cases rather than blind adherence to the adopted guidelines. This also directs to the urgent need to periodically review and update relevant guidelines and procedures, and hence the Plan is to be seen as an involving guide.
i. Production and Manufactured items
ii. Handling & Storage level
There are some other tasks which has to be undertaken by other parties, since XXX do not carry out any design and development. It has been determined that all the parties have their own Quality Control and Quality Assurance plan to execute their scope of works.
This Quality Control and Assurance plan is intended for use by XXX- ABC as a Contractor in execution of the works.

2.0 Quality Policy Statement

Enter you Quality Policy here

3.0 Definition

3.1 Quality Assurance: Quality Assurance is defined as all the planned and systematic activities implemented within the Quality System and demonstrated as needed to provide adequate confidence that an entity will fulfill the requirements.

3.2 Quality Control and Assurance Plan: Quality Control and Assurance Plan is a base document outlining policy, procedures, responsibilities, compliance, acceptance criteria and documentation needed for the successful implementation of a project. It should be prepared and accepted by all parties concerned before the start of a project. It generally covers the following:

• Identification of all parties involved in QA and their interrelationship;
• Internal QA System of each party;
• Levels of Cross-checking/verification in case of multiple verification/ controls, including systems of inspection and audit wherever applicable;
• Organization of personnel, responsibilities and lines of reporting for QA purposes;
• Criteria for acceptance/rejection, including identification of proper authorities for such decision;
• Inspection at the end of defect liability period;

3.3 Quality Control: Operational techniques and activities that are used to fulfill requirements for quality, all of those are planned and systematic, actions necessary to provide confidence that a product or service will satisfy given requirements for quality.

3.4 Corrective Action: An action taken to eliminate the cause of a detected nonconformity or other undesirable situation

3.5 Defect: The non-fulfillment of a requirement that is recognized and corrected while in current process. For example, a misplaced cleat detected at the fit checking stage may be directed back to the fitting station for proper relocation; this may be considered a defect and not a nonconformity.

3.6 Document: Information and its supporting medium used to define and/or establish quality requirements

3.7 Nonconformity: The non-fulfillment of a requirement

3.8 Objective Evidence: Data supporting the existence or verity of something

4.0 Management System

4.1 Understanding the organization and its context:

XXX – ABC which is a division of XXX has been in operation since year of 0000. Designing, cutting, bending, welding and rolling of steel including prefabrication works (Steel moulds, tanks, etc.) as well as steel pipes as per the client’s requirements,. The Quality Assurance Plan is the methodology that is selected for ensuring that the project incorporates all elements that are needed for the successful completion of the project. The QAP shall deals with all aspects of selections and testing of materials acceptance criteria, guidance for nonconforming materials and works and documentations. All the testing activities have been subcontracted to an Independent third party laboratory that is responsible for the sampling, testing, and preparing reports of tests. However the test reports shall be reviewed by the QA/QC Engineer and deals with if there is any deviation. ABC as part of XXX has a established Quality Management System Plan (part of the integrated Management System), implemented and committed to continual improvement of Quality Management system as per the ISO 9001 standard requirements. As thrive to give highest quality products and services, XXX always focus on the customer requirements collect their feedback and improve in quality of products and services. The Management of construction projects is basically focused on the same as Quality Management system. XXX reviews and analyses the key aspects of itself and its stakeholders to determine the strategic direction of the organization. Internal and external issues that make impact on the XXX’s core business process and its stakeholder’s interest are taken into consideration, monitored and implemented. Changes in the market, technologies, laws, regulations, economy, government policies competitors, cultural and social responsibilities, are also being taken into consideration while carrying out business operation, by:

• Understanding our core products and services, and scope of management system
• Maintaining a Register for the internal and external issues determined by QDC which is reviewed annually.

Outsourcing of activities are strictly controlled and ensured that the requirements of the product and QA/QC requirements of the XXX are maintained throughout the product manufacturing lifecycle

4.2 Understanding the needs and expectations of the interested parties

Understanding needs and expectations of the interested parties are of key concern to XXX and have ensured through regular meeting with relevant section managers to clearly understand who they are and how they can affect the organizational ability to consistently perform. For this XXX,

• Maintains a register for determining who are the relevant interested parties and are monitored in regular frequency
• Regularly updates the needs and expectations of the interested parties so that they are clearly understood and met
• Where applicable to be added as legal and other requirements the respective process owners shall inform the management and update it.

4.3 Scope and Application:

XXX – ABC (ZZZ) aims to provide highest quality of product and services to its customers. Towards achieving this overall policy, XXX – R&M Division realize the importance of Quality assurance in the production process. Quality Assurance Systems are needed for manufacturing at various levels.

4.4 Process

Enter your process map here

5.0 Leadership

5.1 Leadership Commitment

Management is responsible for ensuring that:

1. A documented statement is in place that describes the Fabricator’s Quality Policy with respect to commitment and quality objectives,
2. All employees are made fully aware of their authority and role in the Quality System
3. A Quality System that conforms to the requirements of this Quality plan is implemented,
4. A senior-level management representative Mr Pretesh Biswas is appointed to ensure that the requirements of the Quality System are maintained and reported,
5. A quality system audit is carried out by a third party at a maximum interval of one year,
6. The Quality System is reviewed at a senior management level at a maximum interval of one year, or more frequently, to ensure its continuing suitability and effectiveness,
7. Adequate resources are provided to carry out the Quality System including performance and verification of work.

5.2 Organization Roles, Responsibilities and Authorities

Each employee is responsible for the quality of his or her own work and carries an equally important share in the effectiveness of the quality assurance process. All employees are responsible to ensure that the work performed by them conforms to a standard of workmanship required by the company in accordance with the applicable contract requirements. Management is responsible for ensuring that responsibility and authority is defined for carrying out the following:

• ensuring that all product quality verification are carried out on a continuous basis,
• dealing with nonconformities and ensuring that the specified dispositions are carried out on a continuing basis,
• communicating with the customer’s appointed inspection representative(s),
• work is carried out in accordance with the applicable codes and standards;
• all welding is in accordance with the applicable codes and standards
• nonconformities of a technical nature are dealt with in accordance with the applicable codes and standards,
• ensuring that all production personnel understand the contract requirements pertinent to their assignment,
• providing sufficient notice and making proper arrangements for required inspection,
• ensuring that all contract requirements, including revisions, are conveyed to the relevant departments and incorporated into the detail drawings and other fabrication data,
• purchasing all items in accordance with the contract requirements, including revisions and obtaining the required documentation.

The Section Manager shall be responsible for managing all resources. The Section Manager shall designate the Quality Control and operation staffs and deliver the duties and responsibilities of all workforce as per the requirement. Section Manager shall be responsible to plan the daily production, communicate the programme and ensures the availability of all necessary resources.

QA/QC Engineer shall be responsible to establish the quality control procedures, measuring and monitoring procedures as per the defined standards and product requirements. Pre/Post-Inspection of the material to assure compliance with client requirement, prepare sampling and testing plan and supervise testing, receive test reports, check the compliance and submit to the clients as quality assurance documents for approval.

Safety Officer shall be responsible to establish safety Plan, guidance, identification of Safety Hazards, measure/monitor the safety appliances at yard area, also identifies the safety training course as per the requirements and other task as per the HSE plan.

Enter your organization chart

6.0 Planning

6.1 Actions to address risks and opportunities

Management system risk identification, assessment and risk treatment shall be appropriate to XXX’s needs and situations. These processes shall be undertaken in the following sequence:

• Identifying risks
• Analyzing risk
• Evaluating risk
• Identifying and evaluating existing risk controls
• Further risk treatment and opportunity for improvement

Management system risk assessment shall be a live process and the process of risk identification, assessment and risk treatment shall be reviewed and performed once a year or when one of the following may occur

• New management system (new service, association, acquisition etc)
• Changes within the organization (Organizational change)
• Major client dissatisfaction
• Changes in legislation
• Changes in the management system
• Changes in the needs and expectations of the interested parties
• Incidents (Major only – Fatality or permanent disability due to management system processes, other shall be assessed in the hazard risk assessment procedure)
• Changes brought about by corrective action

The process owners will decide based on the criticality of the process to review and update the management system risk assessment.

6.1.1 Risk Identification

The process owners shall identify the processes which are identified as Critical for the management system while identification of management system risks. Identification of management system risks shall cover, but not limited to, the following:

• Routine and non-routine activities
• All management system processes including ones associated with consultants, sub consultants contractors, sub-contractors, management system partners, suppliers, government , public, customer representatives, service providers, employees, etc
• Information’s received and processed
• Physical Asset and finances – Infrastructure, materials, equipment at work place (both owned by Organization or service providers), financial risks on projects.
• Changes or proposed changes in organization or its activities or type of materials used
• Modification of management system and its effects on activities
• Applicable legal obligations and implementation of necessary controls
• Past, ongoing and future activities and services
• Needs and expectations of interested parties
• Internal and external issues

The process owners in consultation with the top management, and with appropriate participation of XXX employees, shall ensure that management system risks associated with the processes under their responsibility and control are identified. The process owners/ managers in consultation with the MR, Top Management, QC/QA incharge and with appropriate participation of the employees, shall ensure that management system risks associated with the processes under their responsibility and control are identified and documented. All the identified risks shall be documented in the Risk Assessment Register (QF 01) format.

6.1.2 Analyzing Risk
Likelihood & consequence
The identified management system risk shall be assessed taking account of the likelihood (L) of its occurrence and the Consequences (C) of its effect. The consequences and likelihood shall be documented based on the risks identified in Risk Assessment Register (QF 01).
Tabular information
The following table lists the Level & Criteria/ Score for the Likelihood &Consequences of the Risk. The risk analysis is carried out with reference to the tabular information.

Risk rating & calculation of risk
The rating of the risk is generated from the combination of its likelihood of occurrence and severity of effect indicated as
Risk = Consequences X Likelihood

6.1.3 Evaluating Risk

Risk rating & risk level
The rating of the risk is generated from the combination of its likelihood of occurrence and consequence of effect. The risk Level for the risk rated is analyzed using the following risk assessment matrix.

Levels

E – Extreme, H – High, M – Moderate, L – Low

After evaluating the risk the levels of the risks shall be document on the Risk Assessment Register (QF 01) as per the table above

Identifying and evaluating existing risk controls

The Process owners (& Team) shall review the existing controls which are applied while evaluating the risk and results of the risk shall be discussed with the team and where required with the Management.

6.1.4 Further risk treatment and opportunities for improvement

Risk Treatment

Additional risk treatment
Based on the results of the risk assessment and evaluation, the process owner shall advocate the additional risk treatment measures required for “controlling” the identified risk and keeping it at “Low” where possible.
“Extreme” and “High” risks necessitate controls and actions shall be taken immediately after consultation with the Top Management.
“Medium” risks necessitate controls and actions shall be taken within one month after consultation with the process owners and management.

“Acceptable and Low” risks, No additional controls are required unless mandatory of felt necessary.
Identified additional Risk treatment measures shall be recorded in the Risk Assessment Register (QF 01).

Risk treatment measures
Based on the ‘risk’ identified by the process owners the following risk treatment measure shall be taken but not limited to:

• Eliminate risk by appropriate measure
• Substitute the risk
• Change or prepare policies and procedures to address the risk
• Set objectives and targets to mitigate the risk
• Implementation of management programs to reduce the risk
  

Risk treatment status & reporting
Status of the risk treatment and its achievement in addressing the risk shall be reviewed by the process owners on a regular basis and reported to the Top Management in the Management review meeting.

6.1.5 Opportunities for improvement

Those opportunities which are identified during the risk assessment and found beneficial to the organization in terms of

• Management system improvement
• Market reputation
• Cost improvement
• Process efficiency
• Process or Service reliability
• Opportunities to eliminate or reduce OH&S risks
• Beneficial environmental impacts
• Compliance obligations
• Any other which may benefit the organization in short or long term

Opportunities for Improvement shall be implemented/initiated by the Process owners and reported to the Top Management in the Management review meeting.

6.2 Objectives

Objectives in line with the stated policy, measurable and monitored is established. The General Manager in coordination with the respective section manager(s) reviews and recommends, where needed, to process owners to revise the objectives in the management review meeting to ensure that the objectives are relevant to the conformity of products and services provided to the customers and serves to enhance customer satisfaction. The Quality objective for ABC is as follows

7.0 Support

7.1 Resources

XXX has identified the personnel and the corresponding level of education, training, skills, and experience required in order to ensure that work affecting product quality is carried out in the required manner. Welders, welding operators, tack welders, welding supervisors, and welding engineers are qualified to the latest requirements

7.2 Competency requirement identification

The ZZZ manager identifies the competency requirements of all the individual designations in the section. The competency requirements are identified based on the works assigned for the designation and shall be documented in the respective Job descriptions and skill matrix of the employees. These shall be evaluated in the candidate interview and assessment form (QF 047). The competency requirements shall be reviewed by the section manager once in a year or whenever there is a change in the requirements of designated work. The necessary competence of persons doing work under its control that affects the performance and effectiveness of the Quality Management System shall be identified, reviewed. It shall be ensured that these persons are competent on the basis of appropriate education, training, or experience; where applicable, necessary actions shall be taken to acquire the necessary competence. Actions taken to ensure competence can include;

• individual capabilities
• roles & responsibilities
• Verification with other competent person who is performing the same job.

The MR shall ensure that persons doing work under the organization’s control are aware of:

• The company policy;
• Relevant objectives;
• Their contribution to the effectiveness of the Integrated Management System, including the benefits of improved performance;
• The implications of not conforming to the Integrated Management System requirements.

Management Representatives/or respective operational supervisor ensures that all the personnel are aware of their responsibilities and importance of their activity in achieving conformity to product requirement and Integrated Management System.

Section Managers shall:

• Define and document the level of competency needed to match the job requirements (descriptions) of their subordinates.
• Plan a training program to reconcile any deficiencies with current or future job Requirements.
• Evaluate and document the effectiveness of the training program.
• Identify training need for their subordinates to achieve their functional objectives.
• Forward a copy of the Training Record (QF 012) to MR
• Modify the training program as required ).

7.3 Competency requirement evaluations:

The competency requirement evaluation shall be done by respective section manager. Laboratory technician’s competency is evaluated by QC manager or Laboratory Supervisor. Education level, skills and work experiences on the respective testing and handling of equipment are evaluated. The level of competency as per the requirement for the designation by the individual shall be maintained in the training records. For the laboratory, the competency requirements are determined as per the tests and work assigned, the summary of the tests shall be used for evaluation of the competency and shall be recorded in the training records (QF 012).

7.4 Training need identification

Competence criteria of personnel, whose work affect the quality of service / have a significant impact on the environment / may have an OHS risk are defined through Job descriptions. The training need shall be identified for all employees under the following circumstances:

• New recruitment
• Introduction of any new technology/system / product
• Corrective action(s)
• Technical and communication skill
• Difference from the required competence level
• Opportunity for improvement,
• Skills and competencies development in relevant standards procedures
• Refreshment

The section managers shall identify the training need for the personnel and shall identify external / internal arrangements and decide training subject / topic which are common to all and document the same in Training Record (QF 012). The induction checklist shall be used as a guide (QF 023). Where required, the section managers can recommend training requirements in their area to the General Manager.
Training in general is divided into following:

• Induction training
• On job training
• Other in house training
• Training conducted by external agencies

7.5 Calibration,

Equipment required for calibration is listed in the log sheet (QF 006) which defines Name of equipment, unique identification (Assets No.), Location Calibration date, Frequency and current status. For laboratory equipment Calibration record (QF.067) form is used to have record. Respective process owner shall maintain this log sheet and ensure that calibration is done on time. Equipment is calibrated by third party independent calibration author. QA/QC Manager shall evaluate the uncertainty and errors and make decision for its suitability. Calibrations will be conducted by an approved calibration agency.

7.5.1 Re-calibration

Operator of respective /equipment shall ensure the performance of the equipment and within tolerable criteria. The permitted tolerance of the each equipment shall be recorded in the calibration report together with degree of uncertainty which applicable with require traceability to national reference standards (e.g. mass or weight). Prior to its expiry all the equipment are calibrated. In case of any results are out of tolerance or suspected changes or deterioration in the reading, such equipment shall be re calibrated.

7.5.2 Maintenance

The equipment shall be maintained to ensure that it continues to be capable of producing intended results to the required specifications and tolerances. Any movement of calibrated equipment in the laboratory should be authorized by QC Manager. A maintenance Plan QF 045 and Equipment Maintenance Checklist QF 079 is established for laboratory equipment. If any equipment found not performing to deliver the intended results immediately remove from the use and send for maintenance and shall be calibrated to ensure its accuracy.

7.5.3 Calibration Verification Records

Calibration report is reviewed by QC Manager and maintained the record of review in Q F 044. Results of calibration, tolerance, error and uncertainty are reviewed and made the decision by QC Manager.

7.6 Documented Information

7.6.1 Work instruction and Method statement

XXX has already identified and established Work Instructions/ Method Statement formats for the standard scope of work provided by Steel Engineering Works. These formats shall be used as guidance for the preparation product specific method statement/ work instruction as required. The method statement shall have full details of equipment to be deployed (size/number/capacity), the sequence of operation, filed trials if any are involved, design of the product, QA/QC requirements, inspections and records maintained temporary works erection launching, safety precautions, environmental protection measures etc. The method statement shall also have the details of manpower requirements with competency requirements related to the work. Prior to the commencement of work and activities, the project specific Work Instruction/Method statement shall be consulted to the all concerned including quality and safety related to the scope of works, based on the specification, National standards and International Standards for review. The reviewed Work Instruction/Method Statements shall be submitted to the client/Client representative as applicable for their approval. Any comments received from the client/client representative shall be incorporated in order to meet entire satisfaction of the client. All the standard Work Instructions/Method Statement shall be prepared and approved for use prior the work. The QA/QC shall ensure that all the approved Work Instructions/Method Statement are communicated and available at point of use. A copy of the Work Instruction for “Production/Welding process” is attached for as a reference for the type of the documents prepared for works.

7.6.2 Work Programme

Based on the timeline framed out in the contract/project, XXX – ABC shall submit a Work Programme to be approved by the Client/Consultant that provides for completion of the works in accordance with these datelines. Following approval Work Programme, the programme shall be reviewed periodically based on the execution of works and if any amendment or priority to be given based on the client requirements shall be incorporated as instructed.

7.6.3 Working Drawing

The drawing provided to XXX – ABC for the execution of works is integral part of contract documents which has to be followed to perform the works. All documents received from external as a part of the project shall be maintained as “documents of external origin” and their versions controlled. The QA/QC shall ensure that the control of documented information procedure is applied to the incoming drawings and records maintained at point of use.
Consequently, to achieve proper administration of the contract the transmittal of the approved design drawings and subsequently submitted drawing related to “work” and “daily work” orders, shall be handled with circumspection and properly recorded at all stages to avoid unnecessary disputes and claims. The QA/QC shall ensure that only applicable and approved versions of the drawings are available at the shop floor for execution.

7.6.4 Inspection, Daily reports and diaries

7.6.4.1 Inspection
As an evidence of compliance with contracts documents it is essential that all the personnel charged with inspection responsibilities properly prepare themselves in advance through detailed study and understanding of the plans and specifications. The inspections shall be based on the approved Inspection Test Plan (ITP) and records of the approved ITP shall be communicated to all concerned. One site (including shop floor and locations) observations of the supervisor/engineer’s activities and procedures shall be reviewed by the Manager as applicable/ITP to ensure compliance with plans and specification. The format of inspection shall be approved as a part of the documented information related to the project and shall be approved by the client/client representative as applicable. Inspection reports shall be documented as per the requirements of project quality plan/ contractual obligations or the quality management system of XXX. The site(including shop floor and locations) shall be inspected to confirm compliance with the day to day works requirements as per the ITP. If any deviation or defect found same shall be reported and no works shall be preceded without written approval of the QA/QC /consultant to resume the works.

7.6.4.2 Daily Inspection report
A Daily report shall be completed by each Supervisor/Engineer. These reports shall be reviewed and complied by the Section Manager and will be constitute part of the projects Quality Documents to be kept in Projects file. The daily report from each Supervisor/Engineer shall include but not limited to the following items:

• Quantities of works performed under their inspection
• Site conditions
• Usual or unsatisfactory conditions;
• Delays encountered;
• Equipment, plant, methods used
• Numbers of workers deployed;
• Test performed to satisfy quality control, and as samples taken,;
• Weather conditions and effect on the works and
• Day works records

8.0 Operations

8.1 Quality Planning and Control

XXX shall determine the procedures, documentation, records and resources required to ensure that his product meets the customer requirements.
8.1.1 Types of Quality Control
One of the most important tasks is quality control while execution of the works is technical quality control. It has to be ensured that materials delivered to site have met the technical requirements in the contract specification. There are four (4) types of quality control, which are described was below:
8.1.1.1 Process Control Methods
Process Control Method control is usually carried out initially prior to the execution of the work, where the processes required ensuring the quality and compliance are maintained. This is usually done by the section manager and the engineering reviewing the contractual requirements and preparations of Quality documents, this include Project Quality Plan, Work Instructions, method Statements, Inspection test Plans, QA/QC plan , etc as applicable. All the process documents shall be approved for use prior to the work initiation, where applicable approval from the Client/Client representative as well.
8.1.1.2 Materials Control Methods
Material Control Methods are done for all incoming materials used in the project, all incoming materials shall be reviewed and inspected as per the approve ITP prior to use in the work shop. Records of inspection and approval shall be maintained by the Engineers.
8.1.1.3 Production Control Methods
Production Control methods is usually carried out by the Consultant’s filed staffs whose job it is to be on the site and supervise the contractor during executing the works. At the same time the field staff will perform simple measurements, such as the recording of the thickness of fill layers, the temperature of asphalt materials and the slump of cement concrete.
8.1.1.4 Final product Control Methods
End-result control includes field tests e.g. control of the evenness of completed pavement layers and laboratory tests. E.g. Marshall tests, on asphaltic materials. Other tests are a combination of field and laboratory test as per the requirement of Qatar Construction Specification. End results control is carried out by laboratory technicians, and most of the work consists of laboratory tests.

8.2 Customer communication

8.2.1 Customer Satisfaction:
Customer feedback is collected and analyzed regularly using customer satisfaction and survey forms by the respective section managers once in six (6) months or upon completion of the project. MR reviews the external communication performance periodically through surveys (Customer Satisfaction Survey – QF 018) and ensures that appropriate actions are taken to address the concerns expressed.

8.2.2 Customer Complaints:

• The Management Representative shall log all customer complaints in the Customer Complaint Register.
• Any individual in the organization, who identifies a customer’s complaint whether verbal or written, shall communicate the same to the section heads and the Management Representative for investigation.
• The Management Representative shall study the complaints and necessary corrective action shall be taken in consultation with the section managers and staff as appropriate.
• Details of actions taken on the complaint shall be registered in the Customer complaint register. Complaints shall be registered only when the complaint is serious or is a repeating type of complaint.
• Corrective measures taken to prevent such situations in future will be intimated to customer.

8.3 Contract Review

XXX shall have a system in place to ensure that contract requirements are reviewed and incorporated into the work. The Fabricator shall ensure that the necessary expertise, personnel, equipment, and plant resources are available to meet the contract requirements. The Fabricator shall ensure that all additions and revisions to contract requirements are duly communicated to the necessary personnel, and incorporated into the work.

8.4 Design and Development

The design engineer prepares the design and development plan as per products requirements received from the customers. The plan consist of stages required for the design and developments, review verification, and validation appropriately to each stages and responsibility of design and development stages also the raw materials requirements, specification, volume, of raw materials, quality sources etc. Details of products, characteristic, handling, storage and preservation and installation instruction shall be prepared. Review of all stages during design and development is carried out, and status of review is documented on the suitable reports as per the nature of design. The review results are discussed with Production Engineer and communicate with Customers for the verification. As necessary meeting shall be arranged with all the parties and discussion output is recorded in Minutes of Meeting (QF 004) and documented. Such minutes also shall be constituent of contract. Basically, during design stages, new identified techniques and methods which will be integrated for the products designing and production process shall be taken approval from General Manager. Validation of design stages is carried out, and documented, same will be part of quality records. The testing requirements of each process during the production period are also identified (design stages). Prior to finalize the design, same is submitted to production engineer for his review and comments and final approval from General Manager. Following information shall contain in the design:

• Designed by (Name, Signature and Date)
• Reviewed by (Name, Signature and Date)
• Approved by (Name, Signature and Date)
• Title of the project
• Product Code, name and dimensions, volume
• Revision date & status
• Final approval

The design is submitted to the customer for their approval prior to proceed for the production, The Design Review and Approval Form (QF 027) shall be the control documents for the transmittal and obtaining approval.

8.5 Control of externally provided products and services

8.5.1 General
All the materials proposed to use for the projects shall be approved first. XXX- ABC shall submit materials submittal along with company prequalification initially and materials have been classified as below:

8.5.2 Identification of external providers (Evaluation and approving)
The new external providers are identified as a result of the requirements from the process owner through an evaluation process involving the Purchasing In-charge. Potential external providers are evaluated on the basis of the following criteria:

• Price,
• Quality of Service/Product (based on samples and quality assurance records.
• Terms and Conditions (Contractual terms including financial)
• Location of providers,
• Market Reputation of the providers and products/services
• Communication,
• Technical Capability (In terms of services or product after sales service)
• Environmental impacts
• OHS hazards
• Any others,

The purchase in charge shall evaluate the external providers based on these criteria in the New External provider Evaluation Form (QF 015). If the external provider attains more than 60% score in the evaluation criteria, they shall be approved and listed as Approved External providers. Records of evaluation shall be maintained by the Purchase in charge. In case of sole external providers and having a score less than 60%, then prior approval from the management has to be attained for approving and listing in the Approved External provider List. All existing external providers are maintained as approved external providers and maintained in the Approved External Provider List (QF008). Once they have entered into the list, they shall be evaluated once in a year for re-approval (Re-evaluation).

8.5.3 Re – Evaluation Criteria:

All the external providers shall be evaluated every year in order to measure and monitor their performances. The re-evaluation shall be based on the following criteria

• Delivery performance,
• After sales services,
• Quality of service/Product
• Technical performance or after sales services e of Service)
• Communication,
• Environment impacts
• Occupational health and safety
• Any other (if any)

The Re-evaluation of the external providers is recorded in the external provider re- evaluation form (QF 18). All external providers’ performances are documented and discussed in the management review. The minimum scoring required by an external provider in re-evaluation is set as 70%. Where the external provider has failed to meet the required score, actions shall be taken in discussion with the process owners and top management in the management review meeting. All the records of evaluations shall be maintained by the purchase in charge.

8.5.4 Approved External provider List

External providers who are selected are enlisted on an Approved External provider List (QF 008), which is controlled by the document controller and are available with the Purchasing In charge. The General Manager – ABC approves additions and deletions to this list.

8.5.5 Outsourced activities:

Where it is essential to outsource activities that are performed by the company, the external providers of such activities are also identified and selected in a similar manner. The list of such companies or agencies to which activities are outsourced, is also maintained in the same manner using the approved external provider list. In all cases, where found that the external provider is not performing or not delivering the desired results, a corrective action request will be issued through a Non Compliance Form (QF 007). The number of NCR’s issued to the external provider shall be also be used as a criterion during their re-evaluation.

8.5.6 Requisitions & Purchase order
Any purchases within QR. 3,000.00 shall be purchased from petty cash upon approval of Petty Cash Request (QF 006) from the General Manager; the documents are documented by requester under his custody for petty cash. All requirements for credit purchasing or above than QR. 3,000.00 cash are documented on a Material Requisition Slip (QF 001) and the result of all discussions and negotiations are documented. The final document Local Purchase Order (QF 003) for credit purchase that is reviewed and signed for adequacy and after ensuring that all relevant details are communicated adequately to the external provider (Janitorial purchases are also made similarly).
The General Manager – ABC or his appointed deputy approves the Local Purchase Order (QF003)
Purchasing of assets shall be upon approval of the Group Commercial Manager with comparative evaluation of three (3) proposals from different external providers as far as possible. If three external providers are not identified for required assets, justification shall be documented for the reason of not having three external providers. The comparative reports shall be prepared on External Provider Canvass Form (QF 006).

8.5.7 Inspections

The purchased material is inspected by the stores in-charge or his deputy (if required). The inspection is documented using Inspection report (QF004). Prior to use in the process, the requisitioned personnel or the department Head/In-Charge acknowledges the conformance of the product on the Inspection Report (QRF004) In case of any problems identified with regard to quality, quantity, damage, etc. the same is communicated to the Management Representative who initiates the corrective actions, insurance processes, claims etc. as required. He also records the problem to take Corrective action in Non-Compliance Report QF007.

8.5.8 Type and extent of control for externally provided processes, products & services

The organization shall ensure the adequacy of requirements to be maintained by the external providers prior to their communication to the external providers. The type and extend of the controls to be applied to the external providers shall be documented in the List of Externally provided Processes, Products & Services . The controls applied shall consider the potential impact of the externally provided providers not able to meet the organizations ability to consistently deliver conforming products (including environmental and OHS requirements) and services to its customers. The purchase in charge along with the process owners shall ensure that the external providers shall

• Remain within the control of the Quality management system
• Provide outputs that meets the QMS requirements and are within the tolerance limits of the controls applied.

8.6 Performance of Quality Control

8.6.1 Testing Facilities
Based on the contract, XXX – ABC shall establish a site Laboratory as per the client requirements. The required testing facility shall be made available i.e.

• All testing equipments shall be available
• All testing equipments shall be valid, calibrated and qualified,
• Qualified laboratory technician shall be deployed.
• Test reports shall be prepared on the Standard reports format

Any special testing facility not available in the site laboratory shall be taken to independent laboratory office. XXX – ABC shall always allow access to the testing activities if client/consultant would like to witness the testing.

8.6.2 Test Specification:
Specification usually describes test methods by referring to standards methods. Qatar Construction Specification has described the testing procedures to be followed ASTM, BS and CML same shall be followed.

8.6.3 Testing Frequency:
The frequency of the testing is usually laid down by the consultant at the beginning of a project and generally related to the project specifications. A testing plan giving the test frequency standards acceptance criteria and third party laboratory for the testing shall be prepared and submitted to the Client/consultant for the approval.

8.6.4 End – Result control
The frequency of end – result control depends on the quality parameters that are to be checked. Parameters which can vary considerably are continuously controlled. i.e. the binder content, stiffness of asphalt materials and the compaction of asphalt course. As regards regulating laboratory tests the specification usually determines the number of test. When the works are started and in cases where difficulties as regards compliance with quality requirements are encountered, laboratory testing shall normally be intensified.

8.6.5 Reporting of Test result
Test results shall be recorded systematically in the specified format, which is signed by be testing authority and approved by head of Quality Control Department. The formats are designed by the Third Party laboratory who is representing as sub contractor or XXX – ABC.

8.6.6 Interpretation of Test Results
The Test results shall be plotted on a graph sheet showing the dates/sample numbers, type of materials, method of sampling, Test method, test date. The minimum and maximum criteria are set on the graphs; also the results are show in the table format. Any reports results falls out of criteria, the process shall be stopped. And a thought investigation made to the entire process, and the cause for faulty performance determined. Suitable remedial action shall be immediately taken and process brought under control.

8.6.7 Monitoring of Quality Control
Third party laboratory has designed also to take care of the quality control requirements but still the quality control engineer has authority and responsibility for monitoring the use of quality control system and ensuring that the procedures has been implemented, and achieved, any changes required in the sampling method, testing procedures and reporting, shall be discussed with clients/consultant and incorporated the requirements.
The Quality Control Engineer shall be responsible for the following:
a. Sampling and supervise the testing
b. Measurements and analyze the reports

8.6.8 Site laboratory
The site testing laboratory, including all furniture, testing equipment and apparatus as required by the Specifications shall be provided and maintained together with all provision of all necessary utilities (Electricity, water and drainage). The design and layout of the laboratory shall be provided to client/consultant engineer for their approval if required. The Site laboratory shall be equipped with basic required testing equipments and qualified lab technician, under supervision of QA/QC Engineer. Testing equipments are approved and calibrated by authorized agent in Qatar. Periodic maintenance is carried out necessary, special precautions are applied to avoid unnecessary adjustment and kept damage free. Testing procedures guidance shall be available to be followed by the technician. Also the all office equipments and stationary shall be available to print the reports. Testing which are not possible to carry-out in the site laboratory shall be forwarded to main office. The subcontracted third party laboratory shall provide site laboratory and all resources; however the control and morning of their activities shall liaise on QA/QC Engineer.

8.6.9 Third party testing laboratory
XXX- ABC shall appoint a third party laboratory approved by Public Works authorities of Qatar and Qatar General Organization for Standards and Metrology as subcontractor to carry out the testing activities at site. However XXX undertakes full responsibility to provide quality assurance and have full control on the subcontractor’s activities to meet the entire satisfaction of the Client/Consultant engineer and meet the specifications and standards. Their prequalification shall be submitted prior to deploy them for this task.

8.6.10 Testing and Preparing Test reports
Most of the test shall be carried out at subcontractor’s laboratory; the rest reports are prepared, documented and submitted to QA/QC Engineer. Consultant/Client shall have always access to visit and witness the tests. Reports are reviewed and submitted after complete all testing procedures. A copy of reports shall be documented and kept in the projects file. All the reports shall be retained for a period even after finished the guarantee period of the project or such similar manner considering the project time.

8.7 Control of Non-conforming products and works

Any materials not conforming to the relevant standards and projects specifications shall be removed from the site with approval and documented records. The work not satisfying the required project standards and specification and rejection of Client/Consultant engineer also shall me subject to remedial action with proper approval of rectification works as same. The identified nonconforming products are removed so that it will not get mixed up with other products. In the case of products where the defects are identified after delivery, it is identified and recalled, where applicable or necessary actions are done based on the level of the deviation. Only the General Manager can recall products delivered to the client.

Identification of nonconforming outputs (products/services) – Incoming Materials/Services:
It is the responsibility of the ZZZ manager to ensure that adequate processes and persons are maintained for inspections of Incoming materials (Raw Materials/equipment) to ensure that Nonconforming outputs (products and services) are not incorporated in the system. In case of identification of any, ZZZ’s manager shall ensure that corrective action is taken as per the procedure for corrective action

Identification of Nonconforming outputs – during service delivery/after service delivery:
It shall be the responsibility of the respective manager to ensure that adequate processes and persons are maintained for inspections of production/service to ensure that Nonconforming services are not produced and maintained. It shall be the responsibility of the respective manager to ensure that adequate processes and persons are maintained for inspections of final products to ensure that Nonconforming services are not sent to clients, this shall be done through various tests done in the laboratory. Customer complaints regarding non-conforming products are recorded in the customer complaint register and proceeded with corrective action, investigate the complaints and take necessary action to satisfy the customers.

Actions taken for Nonconformities:
Whenever the products/services delivered to customers are identified under Nonconforming products/outputs, a Noncompliance Report is initiated by the Process Owner.
In consultation with all the responsible functions, the process owners shall deal with nonconformities in one of the following ways

• Correction
• Segregation, containment, return or suspension of provision of products or service
• Informing the Customer
• Obtaining authorization for acceptance under concession

In case of Incoming materials Raw materials/equipment) details of nonconformity are informed to external providers for taking necessary actions and review of the “Controls applied for externally provided services’ shall be done by the process Owners and Management Representative In case of products delivered (finished products) details of nonconformity are shared with the responsible team/processes for taking necessary actions and details of actions are recorded in the Non Compliance Report QF 007.
The Non-compliance Report shall have as a minimum the following requirements

• The description of the Nonconformity
• The description of the action taken
• The description of any concession if given
• Identifies the authority deciding the action in respect to the Nonconformity.

9.0 Performance Evaluation

9.1 Analysis of Data

Management Representative reviews the data collected like customer complaints and identifies the statistical techniques for establishing, controlling and verifying process capability, product characteristics. As soon as suitable technique is identified, it is used in the relevant area. The analysis of data provides information relating to;

• Customer satisfaction
• Customer Complaints
• Self – Assessment
• Audit Results
• Conformity to product requirements.
• Nonconformities and product failures identified after delivery or use, provided the product or documented evidence is available to facilitate the determination of the cause
• Characteristics and trends of process and products including opportunities for preventive action.
• Suppliers Performance
• Information on Quality objectives

Corrective actions taken are to ensure their effective. The Data Analysis record is maintained. The data from the above is analyzed periodically (at least once in 3 months) and statistical report is prepared and submitted to the top management (CHAIRMAN) for information and necessary follow-up for the corrective action and continual improvement of the system/area. Summary of the statistical analysis is produced in the Management Review Meeting.

9.2 Internal Audit

9.2.1 Internal audit planning:
The MR shall prepare the plan for Internal Audit once in a year and document in the Audit Plan (QF 009). Planning shall cover all areas of activities covered by the QMS. The MR shall ensure that there are at least two internal audits done in year and that all the processes are covered at least once in a year.
In case of any rescheduling or revising of audit plan, it is circulated to all concerned. After completion of audit, the management representative shall update the Audit Plan (QF 009).
Trained internal auditors who are independent of the process being audited shall conduct the internal audit or any third party external providers shall be subcontracted to carryout Internal Audit.
The management representative shall maintain a list of trained auditors (QF 010).

9.2.2 Qualification and training to internal auditors:
Internal audit is undertaken by qualified auditors. The management shall arrange recognized training course in the respective standards from external and qualified external providers to train the internal auditors.
Note: Minimum three audits should be attended with qualified auditor to be an internal auditor.
The MR shall also maintain qualified external providers as internal auditors (Records of training shall be maintained). The approval processes shall be as per the procedure for control of externally provided services (PR 008).
The MR shall ensure that the auditors shall have independency of the audit and does not audit own process.

9.2.3 Scheduling of audit:
The MR shall determine the scope of the audit based on the requirement of the QMS and need to adequacy and improvement prior to the communication of the audit programme. The scope of the audit shall be documented in the QMS Audit Programme (QF 034)

• Previous audit results/ findings
• Responsibility and authorities of auditees
• Integrated management system Plan and standard operating procedures
• Other documentation underQMS
• Records of the concerned auditees department
• Processes and their inter-relationships
• Effectiveness of processes
• Improvement requirements and opportunities
• Working environment
• Corrective action opportunities
• Changes affecting the organization
• Environmental importance of processes
• Risks/ opportunities & effectiveness of action taken (where applicable)
• Internal/ external issues

Auditor shall carry out the audit activity within the scope and exercise the objectivity of the audit.

9.2.4 Auditing and reporting

The selected auditors shall perform the internal audit as per the scope of the audit and shall record the objective evidence of audit findings in Audit Observation Sheet QF011).
After completion of the audit, the auditor(s) shall discuss with the auditee section head all findings and categorize the findings based on the objective evidence collected and audit criteria.
All the findings (both positive and negative) shall be reported through the Audit Observation Sheet (QF011) or the subcontractor’s Audit Reports. Negative findings and Observations shall be written down in Non-compliance Report (NCR) (QF007). All NCR’s shall be forwarded to the respective section heads (process owners) to take corrective action and follow up.
The Auditor/ MR shall ensure that the results of the internal audit are reported to the respective Management.
Note: The MR can where applicable request the external providers (internal auditors) to document the audit findings XXX’s format or external providers format as deemed most appropriate.
Audit finding shall be categorized into the following criteria

The section head (process owner) shall write down the corrective action, proposed completion dates and put their signatures in consultation with management representative.

The management representative shall follow up on the corrective action and verify it prior to close out. NCR shall be closed out giving priority, based on its complexity and time required but not later than next audit. 

1. Follow up and analysis activities

The proposed close out dates of the corrective actions  are agreed upon with the auditee by the MR. Follow-up audit is conducted by the auditors designated by the MR at specified target dates/planned audit in the report and write the follow-up comments in the Non-compliance Report (IMSF007).

The effectiveness of corrective action is reviewed by the auditor within the specified period and is documented in the Non-compliance Report (IMSF007). The MR/auditor shall ensure that where it is related to OHS, the relevant process owners have communicated, consulted and have effectively engaged participation of workers for identification of root cause.

The Non-compliance Report (IMSF007) is closed by the person who initiated the report or management representative only when corrective action is implemented and effectiveness results achieved. Non-conformities raised in the areas where the Management Representative is responsible for the activity have to be closed out by the General Manager/external Auditor.

The MR shall discuss the trends of corrective actions and non-conformances found audit and status in the management review meeting for any further improvement.

1.2         Management Review

Management review meetings are conducted at least once in a year and where possible it shall be conducted twice in a year. The MR shall notify the sections regarding the MRM through a memo.

The General Manager (GM) shall chair the MRM. The members of this meeting shall be:

• General Manager – Roads & Maintenance Division
• Assistant Manager – Roads  and Maintenance Division
• Management Representative (MR)
• Document controller (DC)
• All section heads
• Any other special invitee

The members submit the input summary data (IMSF003) and LOG Sheet (Objective) IMSF022 to the Management Representative or General Manager- ABCwho ensure that input summary submitted is adequately addressed. In case of the absence of any of members an alternate representative will be deputed and the member shall notify the MR or GM in writing.

Based on the input submitted, management review meeting is conducted and the General Manager review effectiveness of the entire IMS system and record his comment.

The MR prepares minutes of meeting (IMSF004) including any corrective actions identified, person responsible for implementation and target date for its completion are recorded in minutes of meeting.

The MR monitors the implementation of actions initiated in a meeting and provides the details by including as input for the next management review meeting.

The MR maintains the records of MRM.

10. Improvement

The General Manager – XYZ Division, Management Representative and the respective section managers identify the areas for improvement based on the Quality policy and objective of the company. The areas of improvement shall also be based on:

• Corrective action reports
• Management review meeting output
• Audit reports
• Analysis of data
• Risk assessment study
• Legal identification and compliance evaluation

Respective section manager shall make prioritized action plan for the areas of continual Improvement and the same shall be followed to complete the assignment in time. Respective section managers shall sum-up the benefits that has been achieved by adapting the continual improvement assignment and the same shall be presented to the management during Management Review Meetings.The continual improvement shall be identified in all areas of operation and every effort shall be taken to ensure that the continual improvement is on continual basis. The Management Representative shall sum-up all the areas of improvement and shall document the same in Continual Improvement Projects Plan Form (QF 014) received from all the sections prior to the management review meeting

1.    Purpose:

To provide opportunities to recognize and reward Employees for their contribution, commitment, towards Health, Safety and Environment.

2.    Scope:

This procedure encompasses all XXX’s staff, workers and contract workers.

3.    Definitions:

• Incident

Occurrence arising out of, or in the course of, work that could or does result in injury and ill health

• Near miss / dangerous occurrence

An incident where no injury, ill health or death occurred, but there is potentiality to occur the accident or ill health in case of not tacking corrective action, (i.e. unnecessary moving of vehicles and equipment in the work space and there is no safety measures applied, unsafe materials handling, improper lifting system & etc.)   

• Awards

In the context of this Procedure, Awards are defined as formal recognition of achievements by Employees. It typically involves a planned event or presentation where Employees are recognized by the XXX for their HSE achievements.

4.    Process:

A safety award scheme will be implemented to recognize employees who contribute above their normal duties as an employee in keeping the site, themselves and other personnel safe from injury or ill health. Categories of safety award and recognition may include the following:

• Safety leadership – anyone who shows leadership or takes the initiative to ensure the safety of themselves or others Safety initiatives/improvements/suggestions
• Near miss reporting
• Towards enhancing HSE culture and improving human behavior XXX shall initiate campaigns e.g. Work-At-Height, Hand Safety, Beat the Heat etc. throughout the year to raised awareness among workforce.
• Campaign plan and safety award program will be aligned to the organization’s strategic vision and planning.
• To acknowledge the contributions that employees make in fostering a culture of health and safety in the workplace a quarterly recognition award will be held on site.
• All essential criteria shall be met in order to be eligible for an award which include the following
• Demonstrated commitment to health and safety in the workplace. Commitment goes beyond the requirements of the employee(s) role, it is proactive and preventative. Works towards continuous improvement of health and safety in the workplace. For example activities/actions taken to prevent injuries or illnesses, prevention of unsafe conditions or practices. Promote a work and service environment that is respectful, collegial and supportive

4.1 Formal recognition – Excellence Awards

Formal recognition of Employees’ contribution, commitment, and service is provided through a variety of Excellence Awards, usually presented at a formal event.  Excellence Awards normally consist of a financial grant and a certificate. Excellence Award categories are provided in the Employee Excellence Awards Schedule.

4.2 Application, assessment and approval process

4.2.1 Application

All Employees are eligible to apply for any Excellence Award. Each Excellence Award will be given to the applicant who best meets the selection criteria for each Excellence Award as outlined in the relevant guidelines.

4.2.2 Individual Evaluation Criteria- Annual Awards

4.3.1.2 Assessment

All applications will be reviewed by an appropriately constituted assessment panel.

Panels will normally consist of a minimum of three members and will contain an appropriate gender mix.  Any panel member who supervises, has nominated, or acts as a referee for, a candidate for the Excellence Award must declare their Conflict of Interest and not participate in deliberation or voting in relation to that nominee. The assessment panel will evaluate the merits of all Excellence Award nominations against the relevant selection criteria and provide a recommendation to the Health and Safety in charge for approval.

5.    Related Documents/FORMS:

HSE Recognition Certificate

1 Purpose

This HSE plan is applicable to XXX in connection with the Project ABCDEFGHIJKLMNOPQRSTUVWXYZ” at TUVWXYZ. All the activities related to occupational health and safety and environmental activities conducted will be carried out in accordance with the requirements of this HSE Plan (HSE Plan). This HSE plan shall demonstrate how the project’s HSE requirements shall be managed throughout the project and once the project is awarded this shall be detailed in accordance with the project requirements and HSE requirements. The purpose of this document is not to substitute the Contractual HSE requirements, but to provide clear guidelines to members of the Project Management Team on the HSE criteria to be applied during the Project cycle.

2 Scope

This HSE plan is applicable for all the works of XXX within the scope of tender. This HSE plan outlines the main aspects of Health, Safety and Environmental elements to be adopted by Main Contractor i.e. XXX for all works, as applicable to the scope of work of the project to ensure compliance to contract documents and ISO standards related to HSE (ISO 45001:2018 and ISO 14001:2015).

2.1 Brief Scope of Works

2.2 Brief Details about this project

Introduction to HSE Plan

This HSE Plan of XXX describes the Health, Safety and Environmental systems established in accordance with the Contract requirement ISO 45001:2018 and ISO 14001:2015 standard. This HSE Plan is intended for the company’s employees, for the needs of audits performed by the customer or a third party and for the presentation of company’s Health, Safety and Environmental requirements. This HSE Plan is aimed at the continuous improvement of company’s effectiveness, satisfaction of its employees, customers and other interested parties. The organizational controls include management of health and safety as well as environment. This HSE Plan is valid in XXX and it is binding for all employees of the company. This HSE Plan describes briefly the operation method of Health, Safety and Environmental Management System.

Normative References

This HSE Plan is prepared based on the guidance taken from the following reference documents.

• ISO 45001:2018 – Occupational Health & Safety Management Systems – Requirements
• ISO 14001:2015 – Environmental Management Systems – Requirements
• ABC HSE Regulations – ABC –Reg-S-001

3 Terms and Definition

For the purpose of this document, the following terms and definitions apply:

3.1 Acceptable Risk
Risk that has been reduced to a level that can be tolerated by the organization having regard to its legal obligations and its own

3.2 Audit
Systematic, Independent, Documented Process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled

3.3 Continual Improvement
Recurring activities to increase the ability to fulfill the requirements

3.4 Corrective Action
Action to eliminate the cause of a detected nonconformity or other undesirable situation Document: Information and its supporting medium

3.5 Hazard
Source, situation or act with a potential for harm in terms of human injury or ill health, or a combination of these

3.6 Hazard identification
Process of recognizing that a hazard exists and defining its characteristics

3.7 Injury and III Health
Identifiable, adverse physical or mental condition arising from and/or made worse by a work activity and/or work-related situation

3.8 Incident
Work related event(s) in which an injury or ill health (regardless of severity) or fatality occurred, or could have occurred. An incident where injury and ill health occurs is sometimes referred to as an “accident”. An incident where no injury and ill health occurs, but has the potential to do so, may be referred to as a “near-miss”, “near-hit” or “close call”.

3.9 Interested party
Person or group, inside or outside the workplace, concerned with or affected by the H&S performance of an organization

3.10 Non-Conformity: non-fulfillment of set requirement
Health and Safety (H&S): conditions and factors that affect, or could affect the health and safety of employees or other workers, visitors and other person in the workplace

3.11 H&S Management System
Part of an organization’s management system used to develop and implement its OH&S policy and manage its OH&S risk

3.12 H&S Objective
H&S goal, in terms of H&S performance, that an organization sets itself to be achieve

3.13 H&S Performance
Measurable performance related to the effectiveness of the prevention of injury and ill health to workers and the provision of safe and healthy workplaces

3.14 H&S Policy
Policy to prevent work-related injury and ill health to workers and to provide safe and healthy workplaces.

3.15 Organization
Company, Corporation, firm enterprise, authority or institution, or part or combination thereof, whether incorporated or not, public or private, that has its own function and administration

3.16 Risk
Combination of the likelihood of an occurrence of a hazardous event or exposure (s) and the severity of injury or ill health that can be caused by the event or exposure

3.17 Risk assessment
Process of evaluating the risk(s) arising from a hazard(s), taking into account the adequacy of any existing controls, and deciding whether the risk(s) is acceptable Workplace: any physical location in which work related activities are performed under the control of the organization

3.18 Audit
Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled

3.19 Interested Party
Stakeholder, person or organization that can affect, be affected by, or perceive it to be affected by a decision or activity

3.20 Outsource
Make an arrangement where an external organization performs part of XXX’s function

3.21 Participation
Involvement in decision making

3.22 Worker
Person performing work or work-related activities that are under the control of XXX.

3.23 Consultation
Seeking view before making a decision

3.24 Sub-Contractor
External organization providing services to XXX in accordance with agreed specifications, terms and conditions.

3.25 Legal requirements and other requirements
Legal requirements that XXX has to comply with and client requirements.

3.26 Cross Functional Team
Cross Functional Team comprising of PM & Project Management Team.

3.27 Client Satisfaction
Client’s Opinion or perception of the degree to which a transaction has met the Client’s need and expectation.

3.28 Fires and Explosions
All fires that necessitate the use of a fire extinguisher or other extinguishing means, including fires with no visible flames and all flammable explosions or over pressure explosions, irrespective of the extent of escalation or spread

3.29 First Aid Case (FAC)
Any one-time treatment and subsequent observation of minor scratches, cuts, burns, etc., which do not normally require medical care by a physician. Such treatment is considered first aid, even if provided by a physician or registered medical personnel.

3.30 Lost Time Injury (LTI)
An injury (other than fatal), which renders the injured person unable to perform his duties/attend his duties either fully or partially on any day after the day on which the injury was received. (Note: If in a single incident, 3 people sustain Lost Time Injuries, then it is accounted for corporate reporting purpose as 3 LTI’s).

3.31 Lost Workdays (man-days)
The total number of calendar days on which the injured person was unable to work as a result of a lost time injury (LTI). In the case of a fatality, no lost workdays are recorded.

3.32 Medical Treatment Case (MTC)
An injury that involves neither Lost Workdays nor Restricted Workdays but in which the injured person requires medical treatment / is under medical attention, for some period of time by a qualified medical professional and return to his normal duties on the same day or next day.

3.33 Near Miss
An event that had potentiality to cause illness, injury or damage to assets, environment or company reputation, but did not. Its actual severity rating is ‘0’ but can have any potential severity rating except ‘0’

3.34 Non- Accident Death
Any case of death of a person either when there is no identifiable incident or trauma involved, or result of an apparent suicide.

3.35 Restricted Work Case (RWC):
Duties and which results in a work assignment on any day after the day the incident occurred that does not include all the normal duties of the person’s regular job.

3.36 Requirement
Need or expectation that is stated, generally implied or obligatory

4 Context for health, safety and environment for Project

4.1 Internal and external issues of XXX

XXX shall identify a team under the General Manager to determine the internal and external issues that are relevant to the purpose and strategic direction and that can affect its ability to achieve the intended results of its Health, safety and environmental requirements of the project. For this, XXX shall understand the core services and scope of its Health, safety and environmental management system related to the project and identify the “External” and “Internal” issues with the methods and responsible persons for monitoring and maintaining them.

4.2 Needs and expectations of workers and other interested parties

Needs and expectations of workers, XXX, Sub contractors, ABC and other interested parties are of key concern XXX and have ensured through regular meeting with relevant Process Owners to clearly understand who they are and how they can affect the organizational ability to consistently perform. For this, XXX has determined who are the relevant the workers and other interested parties, their requirements related to H&S and are monitored and reviewed during every management review meeting. Needs and expectations of the interested parties are updated regularly so that they are clearly understood and met. Where applicable to be added as legal and other requirements the respective process owners shall inform the management and update it.

4.3 Scope of the H&S management system

XXX has defined its scope for H&S in section 1 of this HSE Plan. Scope has been defined based on external and internal issues specified in clause 4.1 of this HSE Plan. The requirements of all interested parties including customers, suppliers, subcontractors, Government and regulatory bodies, certification bodies, technical communities, planned or performed work-related activities, authority and ability to exercise control and influence, Etc. have been taken into consideration while defining the scope of XXX.

4.4 HSE management system

XXX shall establish, implement, maintain and continually improve the HSE management system, including the procedures, work instructions needed and their interactions, in accordance with the requirements of this HSE Plan.

5 Leadership and worker participation

5.1 Top Management commitment

Top management of XXX demonstrates its leadership and commitment for HSE by:

• Taking accountability for the effectiveness of health, safety and environment management system.
• Taking overall responsibility and accountability for the prevention of work-related injury and ill health.
• Ensuring that the HSE policies and objectives are established and are compatible with the context and strategic direction of XXX.
• Promoting the use of the process approach and risk based thinking.
• Ensuring that the resources needed for health, safety and environment system requirements are met.
• Communicating the importance of effective health, safety and environment.
• Ensuring health, safety and environment system achieves its intended results.
• Engaging, directing and supporting persons to contribute to the effectiveness of health, safety and environment.
• Supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.
• Provide safe and healthy workplaces and activities.
• Developing, leading and promoting a culture in the company that supports the intended outcomes of health, safety and environment system.
• Protecting workers from reprisals when reporting incidents, hazard, risks and opportunities.
• Ensuring the establishment and implementation of process for workers consultation and participation.
• Supporting the establishment and functioning of health and safety committees

5.1.1 Management Representatives

XXX’S senior management shall, if warranted due to company workforce size, designate one or more representatives of management who, irrespective of other responsibilities, shall have defined roles, responsibilities and authority for ensuring that this HSEMS is established, maintained and reviewed to support:

• Effective processes to identify and eliminate or control work-related hazards and risks;
• Reporting on the performance of the HSEMS to senior management, employees, and employee representatives (if present) as appropriate for review and as the basis for improvement.

5.1.2 EMPLOYEE PARTICIPATION

Employee participation is an essential aspect of the HSEMS. XXX shall provide employees and employee representatives, if warranted due to company workforce size, with time and resources to participate effectively in the development of the Health, Safety, and Environment policy and in the process of HSEMS planning, implementation, training, evaluation, and corrective action; and encourage employee participation by providing mechanisms that:

• Support employee participation, such as identifying and removing barriers to participation;
• Establish workplace health and safety committees or employee representatives where required by legislation and, where applicable, collective agreements or other requirements; and
• Ensure that employees and employee representatives are trained in and consulted on, all aspects of HSEMS associated with their work.

5.2 HSE Policy of XXX

Top management shall establish, implement and maintain policies regarding health and safety and environment which

• Are appropriate to the purpose and context of the organization including the nature, scale, and environmental impacts of its activities, products and services.
• Provides a framework for setting health & safety and environment objectives.
• Includes a commitment to satisfy applicable requirements.
• Includes a commitment to continual improvement of health & safety and environmental management systems.
• Established policies shall be made available and maintained, they shall be communicated understood and applied within XXX. They shall be made available to relevant interested parties as appropriate.
• Meeting and exceed our client’s requirements the first time and every time
• Preventing injury and ill health to all those who have access to our workplace by effectively controlling hazards and risk posed by our activities and operations
• Protecting environment and prevent pollution that may cause any adverse impact to the environment
• Complying with all applicable requirements, statutory or regulatory related to the scope of work The HSE Policy shall be signed by the General Manager or equivalent senior managers declaring safety shall be the number one priority.
• The HSE Policy shall be displayed in all key areas such as Site Offices, Workshop, Canteens, Notice Boards, etc. to gain maximum visibility to personnel. The Policy will be available in English as a minimum and translated into other relevant languages where necessary.

XXX continually review the suitability of the HSE Policy and improve the effectiveness of Management Systems (HSE) in accordance with the requirements of ISO 45001:2018 and ISO 14001:2015.

5.3 Organizational roles, responsibilities and authorities

Top management shall ensure that the responsibilities and authorities for relevant roles are assigned, communicated and understood within XXX. While assigning the responsibilities and authorities the following shall be considered:

• Conformity to ISO 45001:2018, ISO 14001:2015 and other relevant international standards.
• Processes are delivering their intended outputs.
• Reporting on the performance of HSE management system and on opportunities for improvement.
• Emphasis on customer focus for improving safety.

XXX’s maintained documented information for roles, responsibilities. Workers at each level of the company are made responsible for those aspects of the HSE management system over which they have control as per their job description.

1. General Manager

The General Manager has the overall responsibility to ensure the Health, Safety and welfare of all employees and non-employees who may be affected from the works being carried out. In particular:

• Ensure the safety and welfare of the workforce via the provision of suitable and sufficient environment, plant, equipment and resources to carry out the works
• Coordinate for effective control & execution of projects with all Heads of Departments for their functional backup and ensure that company’s policies & objectives are achieved
• Promote HSE within the company and ensure at all time the safety system procedures are followed and continue improvement until effectiveness of the HSE Management System is achieved
• Implement KPI’s and Monitor progress of Health and Safety Objectives and Targets
• Carry out regular inspections of the construction areas

2. Project Manager

The Project Manager is responsible to the General Manager and safety responsibilities include;

• Ensure safety rules, regulations and standards as per the safety plan and Client requirements are implemented at all times
• Ensure that employees are suitably trained prior to commencing work
• Participate in accident investigation and reporting and ensure that the necessary corrective actions are taken
• Deploy sufficient resources in line with work requirements
• Ensure suitable and sufficient tools and equipment is provided
• Make regular inspections of the construction area
• Monitor activities of all engineers and supervisors to ensure safety procedures and standards are being followed at all times
• Cooperate with the Project Safety team and implement any additional safety requirements identified

3. Supervisors

• The Supervisor are responsible for all activities on his job including the prime responsibility for HSE.
• HSE rules, regulations and standards noted in this program, and the laws and regulations of various statutory bodies are complied with and enforced.
• It is his to responsibility to ensure safe working conditions for his workmen.
• To give the adequate training and instructions to the employees.
• Safety inspection of job and equipment as required are carried out.
• Reporting of accidents / incidents and near misses to the project safety engineer/officer & to the HSE Manager
• Accidents receive prompt investigation and reporting and that the necessary corrective action is taken.
• Monthly HSE meetings are instituted.
• Work in close co-operation with the HSE Officer to eliminate and correct all practices and Conditions that are deemed to be unsafe.
• Delegate safe work procedure that will ensure safe Operation.
• Ensure that assigned tools and equipment are in sound condition and fit for purpose.
• Inspect Work area to implement a safe system of work.
• Observe activities of employees to evaluate they are following correct procedure.
• Accompany HSE Representative on site audits.

4. HSE Supervisor/Officer

The HSE Supervisor/Officer shall be responsible for the inspection and monitoring of the project site, workers accommodation and the project office to ensure Safe System of Works are maintained and all health and safety requirements to specific tasks or situations are adhered to.

• They shall be present on site during all working hours each day.
• Shall diligently identify all unsafe practices or non-conformity and unsafe work conditions through Risk Assessments and take immediate corrective measures in coordination with line supervisors. Liaise with the construction team in the event of an unlikely major oversight or non-conformance that will lead to immediate Work stoppage and subsequently make the necessary reports and follow up. Shall carry out daily and routine inspection of safety provisions of the ongoing site activities (excavations, scaffoldings, plant & equipment, Lifting & rigging gear, Fire extinguishers, Electrical connections, etc.) prior to start of each working day.
• Ensure that daily toolbox talks are carried out and pre task briefing done prior to commencement of work crew activities at the site. Ensure compliance of all operatives of the required PPE. Designing appropriate escape, assembly areas and methods to implement the Emergency Response
• Plan.
• Specify and determine appropriate Personal Protective Equipment.(PPE)
• Perform safety audits and inspections focusing on corrective action closure.
• Advise Supervisors on safe work practices.
• Traffic control and management
• Performing risk assessments focusing on site hazard identification. Inspecting and evaluating hazardous work areas for issuance of work permits (Hot work, Confined space, Excavations, Work at Heights etc.) Implementing the scaffolding permit program by inspecting and properly making scaffolds prior to their use. Implementing the Lockout /Tag out program to ensure that electrical, pressure and hazardous material lines are properly isolated and cannot be activated during the installation or repair process.
• Implementing an inspection program for safety related equipment.
• Note: All HSE Staff are only permitted to carry out HSE related work.

5. Employees

• To observe and comply with all the safety rules, regulations and standards as per Qatar Law and the safety plan and Client requirements so to protect themselves and their fellow workmen.
• To maintain and properly utilize all personal protective equipment (PPE) provided by the company.
• To seek appropriate first aid treatment for all injuries.
• To report all incident or accidents to their supervisor immediately. To seek advice from their supervisor:
  • When an unusual situation develops which might be appear dangerous to them.
  • When they do not understand the instructions;
  • When they do not know how to do the job.
• To maintain good housekeeping in their work sites
• To proper use of tools and equipment.
• To render their full co-operation and assistance in the event of an emergency.
• To avoid anything that may injure themselves or their fellow workmen

6. Subcontractors

• Subcontractor will be employed in the event where any work falls outside the skills or XXX’s scope of works. Prior to the appointment of any subcontractor the XXX will:
• Assess and evaluate the subcontractor/s safety standards and competence for the proposed work to be undertaken
• Ensure that the terms and conditions of any subcontract for which subcontractors personnel will be employed on the works, include the requirement for the subcontractor to comply with all the XXX’s HSE requirements. Notify the ABC Representative (For Information only) of the nature and extent of any subcontracts.

5.4 Consultation and participation of workers

XXX has established, implemented and maintains a Process for consultation and participation of workers down the non-managerial positions and functions. The worker’s representatives are involved in development, planning, implementing, performance evaluation and actions to be taken for improvement of the HSE managements system. XXX shall create as safety committee involving the workers for consultation and participation, provided resources, access to clear, understandable and relevant information about the HSE management system and removes barriers to participation and minimize those that cannot be removed.
The Top Management has ensured that the employees are involved and consulted in the development and review of policies and procedures to manage OH&S risk, environmental aspects/impacts, any changes that affect the workplace, other health and safety matters, the HSE personals are assigned for all the processes and the same is communicated to all the employees. Feedbacks from the employees/workers will be received by the HSE personnel/ Manager/worker representative and these would be discussed in the quarterly HSE meeting.

PROCEDURE

Methods used to involve employees in hazard identification, risk assessment and risk control and to encourage employee involvement in the Health, Safety, and Environment process include:

1. Open Door Policy
It is preferred that the immediate supervisor and/or project management be consulted for resolution of the concern; however, XXX maintains a strong open door policy to report problems or concerns to any level of management without fear of reprisal of any employee.

2. Behavior Based Safety Program (BBS)

• Employees may report any suggestions, unsafe act, unsafe condition or recognition, even anonymously, via XXX’s Safety Observation Card. . The Card is to be immediately forwarded to XXXHSE coordinator. Employees may use other observation forms if another safety observation program is present. Observations by fellow employees are to be performed in a positive, non-judgmental manner and the observing employee must give permission prior to the observation.
• No disciplinary action may result from safety observations by fellow employees. Supervisors will always allow time for safety observations to be made based on operational scheduling. Supervisors do not conduct observations.

3. HSE PROGRAM

1. DAILY
   • Toolbox talk
   • Checking / inspection of vehicles and equipment and documentation.
   • Coordination meeting with supervisors and engineers.
   • Issue of appropriate PPE.
2. WEEKLY
   • Training
   • House keeping
   • Maintenance of heavy equipment
3. MONTHLY
   • Safety statistics reports to head office and clients.
   • Safety site audit internal.
   • Safety review meeting
   • Inspection of safety harness (when taken from stores daily).
4. QUARTERLY
   • Safety committee meeting
   • Safety audit head office.
5. ANNUALLY
   • Annual maintenance for equipment.
   • Internal Audit for ISO 14001 and ISO 45001
   • Certification Audit for ISO 14001 and ISO 45001
   • Refilling of fire extinguisher when required.

6 Planning

6.1 Actions to address risk and opportunities

6.1.1 General

During the planning phase of addressing the risks and opportunities following points to be considered:

• Able to give assurance that health, safety and environment can achieve its intended results.
• The needs and expectations of the external interested parties which affect environment and safety are incorporated.
• Enhance desirable effects for HSE Management system.
• Prevent or reduce undesired effects, hazards and risks.
• Achieve improvement in HSE Management system.
• HSE management system achieves continual improvement.

HSE risks and opportunities are defined by respective department heads and reviewed by the General Manager and Project Manager. These HSE risks & opportunities are reviewed during every management review meeting and updated. In the case of planned changes, permanent or temporary an assessment of risks and opportunities is carried out before the change is implemented.

6.1.2 Hazard and environmental aspects, risks and opportunities

a) Hazard Identification and Environmental Aspects

A complete inspection of all work site tasks will be carried out by the HSE Manager in conjunction with employees. This will develop an inventory of all of the tasks conducted throughout the work site. Additional areas for Hazard/Aspect identification include:

• Activities of all persons having access to the workplace including contractors and visitors.
• Infrastructure, equipment and materials at the workplace
• Changes or proposed changes in XXX, its activities or materials
• Modifications to the HSEMS including temporary changes and their impacts on operations, processes & activities.
• The design of work areas, processes, installations, machinery, operating procedures including their adaption to staff capabilities.

At existing locations employees shall be continually involved in the identification of hazards. Unidentified hazards are to be reported immediately and assessed for risk. Additional sources for ongoing hazard identification shall include:

1. Routine Activities
   • Job Hazard Analyses
   • Field Level Risk Assessments
   • Monitoring of HSE parameters
   • Ergonomic assessments
   • Industrial hygiene surveys
   • Workplace Inspections
   • Purchasing and procuring
   • Job observations
   • Audits
   • Document review
2. Non-routine Activities
   • Accident/incident investigations
   • Emergency situations

It is also necessary to consider future tasks or situations that involve a change to the existing premises or process, or those which are non-routine.

b) Recording Health and Safety Hazard/ Environmental Aspect Identification Data
Once gathered, the hazard identification data will be recorded by the HSE Coordinator on the HSE Risk Assessment register. It shall be dated and signed.
c) Review of HSE Risk Assessment
Hazard Identification Risk Assessment are formally reviewed annually.
d) Risk Assessment Procedure
Each identified hazard is assessed for risk based on potential consequences of effecting injury to people, damage to assets, the environment or reputation of XXX. The frequency of risk Rating is then considered. Following risk assessment steps each risk assessed becomes classified as low, medium or high in accordance with XXX’s Risk Assessment Matrix shown below.

E) Job Hazard Analysis

It is a procedure used to review job methods and find hazards. The person best suited to develop the analysis is the supervisor. Once the analysis rough draft is done, it shall be reviewed by a safety person. The safety person should review the analysis on a technical level, check to see that no hazards were overlooked, and examine the control measures to see that the most effective measures were used. A safety person is intended to mean any person within the organization that has safety responsibilities within their job duties. Steps in the JHA process

1. The first step in process hazard analysis is to break the process down into all the simple, discrete tasks that make up the process. This allows to look at all the hazards involved in performing the process-including hidden hazards and risks.
2. Step two is to identify the hazards involved in each task that must be performed to complete the process. Depending on the process, you could end up with a long or short list. Some hazards and risks may be repeated in several or all the tasks that make up the process.
3. Step three involves evaluating each hazard so that you can determine what to do about it and how to prevent injuries or work-related illness.
4. Step four is to determine safe procedures and protective measures to prevent accidents, injuries, and illness as a result of each hazard or risk.
5. And finally, step five has to be done if the current JHA has become outdated because of changes in the process. A JHA might also have to be revised if hazards are eliminated, reduced, or controlled thanks to the previous hazard analysis.

F) Assessment of HSE risks and other risks to the HSE Management system

XXX has established as procedure to assess HSE risks from the identified significant hazards considering the effectiveness of existing controls. The company determines and assess the other risk related to the establishment implementation, operation and maintenance of the HSE management system.

G) Assessment of HSE opportunities and other opportunities for HSE management system.

XXX has established as procedure to assess HSE opportunities to enhance HSE performance while taking into account planned changes to the organization, policy processes and activities. XXX considers opportunities to adapt work, work organization and work environment to workers, opportunities to eliminate hazards and reduce HSE risks while identifying HSE opportunity for improvement.

H) Compliance obligations

The applicable legal and other requirements for Organization level, environmental, health and safety aspects have been identified and shall be updated periodically. The applicable legal and other requirements to which XXX subscribes have been taken into account while establishing, implementing and maintaining the HSE Management System in the project. Relevant information on legal and other requirements shall be communicated to its employees during appointment of the employees and if necessary will be updated during meetings and on notice boards. Relevant legal and other requirements for environmental, health and safety information shall be communicated to customers and interested parties through company profile, HSE Plan, company policy. Records of assessment and program are also provided upon request. All work is to be undertaken in compliance with the requirements of Qatar Law. Particular regard shall be paid to:

1. ABC HSE Regulations for contractors
2. ABC specifications for waste management
3. ABC Specification for Environmental site selection Abandonment and Restoration of Facilities    
4. ABC procedure for HSE Incident Reporting Investigation Learning
5. State of Qatar Labour Law N0. 14 of 2004
6. State of Qatar Traffic Law No. 19 of 2007
7. Executive By – Law for the Environment Protection Law Issued by the Decree Law No. 30
8. ABC Permit to Work procedure
9. ABC Standard for Lifting Equipment and Operations
10. ABC VI Heat Stress Management Guidelines
11. ABC Standard for Road Safety
12. ABC Life Saving Rules-Code of Practices
13. ABC Standard of HSE Risk Management
14. ABC Standard for Job Hazard Analysis
15. ABC Procedure for Conducting Tool Box Talks
16. ABC Standard for Worksite Safety

All records will be maintained and available for inspection at the relevant work locations by any authorized person. Further information on legislation, standards and specifications be maintained and will be submitted, where applicable.

6.2 Objectives and planning to achieve them

Objectives for HSE shall be established at relevant functions, levels, and processes. Objectives shall be consistent with the policies, be measurable, conforming to applicable requirements. All objectives shall be monitored, communicated and updated as appropriate. All objectives shall be set, communicated and monitored during the management review meeting. The results of consultation and participation of workers are taken into account while identifying the HSE objectives and targets. XXX’s goal is for ZERO HARM by preventing injury and ill health to their employees or anyone who may be affected as a result of their operations and work. Zero Harm is defined as:

• Zero fatalities
• Zero permanent disabling injuries
• Zero injuries to members of the public
  • Zero long term harm to health

XXX is committed to a Zero Harm philosophy and follows the principles that:

• All accidents are preventable Health and Safety is a Top Down process Management must lead by example
• Positive behaviors are to be reinforced and negative behaviors are to be challenged

Everyone has the right to stop work if what they are being asked to do is unsafe, without fear of any action taken against that person A high standard of health and safety on the site shall be promoted and encouraged at all times. In addition XXX shall implement health and safety incentives and award schemes at all levels of management, supervisors, foremen and workers. XXX’s KPI’s will measure health and safety performance, progress of objectives and targets. The KPI’s both lagging (e.g. Incident Reporting, Inspection close out, Audit report, NCR Closeout, Enforcement Closeout Report) and leading indicators (e.g. Emergency Drill, Inspection and Tour, HSE Audits, Induction, Toolbox Talk, Training, Meetings) shall be developed and established including the list of identified by the Consultants and quarterly report will be submitted.

6.3 Planning of changes

When XXX determines need for changes for HSE management system, the changes shall be carried out in a planned manner. XXX will consider the purpose of the changes and their potential consequences, the integrity of the HSE management system, availability of resources and the allocation or reallocation of responsibilities and authorities. Similarly, XXX shall consider the impact of any changes for the HSE Management System.

7 Support

7.1 Resources

XXX shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of health and safety management system.

7.2 Competence

7.2.1 HSE Competency Assurance Process

Competence is a combination of knowledge, understanding and skill, and the appropriate level of competence cannot be acquired simply by attending a training session. The understanding and skill are acquired by experience. For individuals managing HSE hazards and risks experience and training are essential. The following components are to be considered for each worksite’s delivery team for competency assurance:

• Experience
• Level of Knowledge
• Capability to Perform

Upon hire with XXX, every employee will participate in the Competency Assurance Process. This process begins with the selection of personnel and enters a continuous improvement loop that will stay with the employee during his career with XXX. At XXX view of competency assurance involves the continuous assessment of training and development needs against a person’s responsibilities, abilities and critical activities. Not only will employees gather evidence of competence, they will also participate in an annual appraisal to assess their performance, behaviors and personal development. This process enables the continuous improvement loop that feeds back into training and development activities that ensure competency assurance is an ongoing career cycle process.

• Job Description Identified → Candidate Selection and Hiring Process (Reference and Background Check, Drug Screen, Physical Assessment) → Person Assessed and Hired for Open Position
• Experience, Qualifications Assessed for Initial Training ↔ Initial Induction Training Completion
• Further Training Required? If no → Ready for Work → On the Job Training → Competency Continually Assessed

Additional competency regarding Health, Safety, and Environment is demonstrated during inspections employees are interviewed for knowledge to determine competency to work safely and be knowledgeable of their responsibilities within XXX’s Health, Safety, and Environment Management System. For individual directly managing risk the specific requirements will be matrixed with training for areas such as legislative requirements, client HSE requirements and recognized certification and licensing.

7.2.2 Identification of Training and Competency Needs
Training is identified in our training matrix which specifies Health, Safety, and Environment training needs by job title. Our training matrix is updated based on changing risks.

7.2.3 Training Records
All training records are maintained on site either by XXX’s HSE Manager or senior representative of management or their designee.

7.2.4 Delivery of Induction, Transfer & Refresher Training
Employees receive initial induction training. No work by any employee is allowed to begin until the orientation is completed. Training requirements are tracked by XXX’s HSE Manager and formal training sessions are conducted either on or off site by the HSE Manager or competent/qualified instructor for the required subject matter.

7.2.5 Training Documentation
All training must be documented with: date; employee name, employee signature; instructor name; instructor signature and title of course. Each new employee shall receive an orientation prior to beginning any work.

7.2.6 Supervisor Safety Management Training
Supervisors and managers receive annual, documented safety management system training.

7.2.7 Employees
Attend and follow requirements of Health, Safety, and Environment management training.

7.2.8 Safety Induction Program
• Daily activity talks shall be given at site office before going to the site. All employees shall attend this meeting. The Induction talks are conducted by Safety personal. Subject of the talk shall be about HSE rules and procedures applicable to the hazards of current work. The following are the general safety Induction discussion topics

• Scope of work
• Introduction of key personals
• Description of work area and the client’s safety standards (about cell phone, smoking, etc.).
• Gate pass and other pass requirement.
• Defensive driving and requirements of permissions inside hazardous area.
• Personnel protective equipment.
• Work permit system (Hot work, Cold work etc.)
• Availability of first aid boxes and clinic and introduction of first aiders
• Accident reporting procedures
• Emergency response plan

7.3 Awareness

XXX shall ensure that persons working under the organization’s control are aware about health & safety and environmental policies, relevant objectives, each person’s contribution to the effectiveness of health and safety and environmental management systems and meeting customer requirements. They should also be aware of the implications of not conforming with the health & safety and environmental management system requirements.

7.4 Communication & Consultation

7.4.1 Internal Communication
XXX shall determine on what it will communicate, when to communicate, with whom to communicate, how to communicate and who communicates. The process sequence, linkage/interrelation, interactions, method of operation and control and process criteria of monitoring and measurement are carried out as stated in general requirement and are communicated across all levels of the organization through the HSE Management System. As a part of this HSE Plan, effective communication is established throughout organization via:

• Internal Memo
• Intranet
• Verbal instructions
• Display of HSE policy statements and objectives
• Circulars
• Monitoring and Measurement Reports

7.4.2 Health and Safety Meetings
Health and safety meetings will be established to review Health and Safety performance, arrangements and the implementation of the Health and Safety Plan (HSE Plan). Project Manager will chair health and safety meetings. Minutes of all health and safety meetings shall be minuted and retained. The frequency of meetings, minimum attendees shall be finalized as per the project requirement. All subcontractors employed must have a representative in attendance at all health and safety meetings.

• Monthly safety meeting shall be conducted in the site along with supervisor and engineers.
• Project Safety representative shall preside such meeting and can review the patrol observations.
• Discussion regarding accidents, new employee Induction training requirement shall be carried out
• Latest information related to site inspection shall be discussed.
• Plan for the next month work related to execution and its necessary precautions shall be discussed.
• The minutes of such meeting shall be recorded.

7.4.3 External Communication
Method for receiving, documenting and response to relevant communication from external interested parties of has been defined in the Procedure for Communication. The Top Management of XXX has decided to communicate externally about its significant environmental aspects and OH&S hazards to interested parties if they ask or enquire about it. It will be the responsibility of the Safety team on how to give a report to the interested parties on HSE matters. Change of decision to communicate would be discussed during MRM and method for the same will be finalized. Responsibilities and mode in different communication requirements are provided.

7.4.4 Toolbox talk
Daily toolbox talks shall be given at work location before starting work. Before toolbox talks, general discussion shall be made with site in-charge, HSE coordinator for all discipline about the days plan and type of work to be executed. For execution, types of permit required for the work, method of statement to execute safe work, Health and Safety hazard / Environmental aspect analysis and risk assessment to be discussed. After the discussion for particular work to be executed safely, for each location as on the type of work permit, tool box to be prepared by Site safety Officer and explain to the Project Engineer, line supervisor and foremen regarding safe work, hazard/Aspect identification, proper execution without violation. Line supervisor or foremen shall give the tool box talks to their workforce. Site safety officer shall attend the toolbox talks conducted by the Line supervisor/ foremen to the subcontractor and workers to check the knowledge of the employees at site regarding safety. Duration of the toolbox talks should be for 10 minutes, but particularly for hazardous operations it may require extended team talks. The evacuation assembly points shall be indicated in case of emergency such as fire, or toxic gas release etc. Emergency contact numbers shall be explained to all employees, so that in case of emergency safe actions can be taken without delay. All toolbox talks shall be signed and recorded. According to the hazards, the tool box talks shall be given for the following activities to the workforce,

• Electrical safety
• LOTO
• Manual handling
• Working at height
• Interface with other contractors
• Fuel filling
• Defensive driving technique
• Emergency Response plan
• Confine space awareness
• Use of breathing mask
• Lifting of heavy materials etc.
• Painting
• Sandblasting
• Carpentry
• Maison work

8 Operation

8.1 Operational planning and control

XXX ensures that operations and activities associated with identified hazards and risks and Significant Environmental aspects are controlled and related responsibilities and accountability are determined and defined. Hazardous activities and operations & Significant Environmental Aspects are identified, resultant risks and impacts are rated and adequacy of controls is determined. Controls include:
• Operational controls in the form of method statements, work instructions, safe systems of work and effective supervision;
• Controls related to purchased goods, equipment and services (i.e. obtaining material samples and approval prior to purchase, supplier evaluation, availability of product information, documents for safe transportation, etc.).
• Controls pertaining to contractors and other visitors to the workplace (i.e. access control procedure, safety induction, operating procedures, work supervision and monitoring).

1. Alcohol and Drugs
The effects of alcohol or drugs at work can create serious health and safety risks. Therefore, the following rules must be adhered to:

• Do not come to work under the influence of alcohol or drugs.
• Do not bring alcohol or non-prescribed drugs on to the company’s premises or work areas.
• Check with your doctor or pharmacist about the side effects of prescribed medications. Never drive or operate machinery, as alcohol and drugs will affect your responses.
• Ask your general practitioner for guidance and advice on sensible limits of alcohol consumption
• Notify your manager if you suspect alcohol or drug abuse: do not “protect” abusers by keeping silent
• Notify the Project Manager of any conditions, which necessitate medication, e.g. diabetes, med pens etc. Searches may be conducted of project premises and personal effects of employees when management considers such searches appropriate. Searches will be conducted by the site security and/or in cooperation with local law enforcement.
• Anyone found under the influence or in possession of alcohol or non-prescribed drugs or under the influence of any declared none prescribed substance, which may impair judgement, will be immediately removed from the site and shall not be employed again in connection with the work under the Contract.

2. Health and Safety Enforcement
Failure to manage health, safety matters effectively will result in enforcement action being taken against offenders and will include verbal and formal warnings and the issuances of Improvement and Prohibition Notices and may be subject to disciplinary action by XXX in line with Ministry authorized penalties. An Improvement Notice will require the receiving organization or individual to take the necessary action to remedy the contravention within the specified time period. Failure to address the requirements of an improvement Notice will result in the issuing of a Prohibition Notice, however Prohibition Notices will be issued where immediate or imminent risk to the health and safety of personnel is identified. On receipt of a Prohibition Notice the receiving organization or individual must stop work immediately. Work may not commence until remedial actions have been taken to prevent a recurrence and these have been signed off by the issuer. Serious or repeated breaches of the health and safety responsibilities or requirements, or other disregard for the health and safety of any person will be subject to disciplinary action by XXX in line with Ministry authorized penalties, however are not reasons for the removal from the site of any person employed by XXX.

3. Method Statements
Method statements are logical construction guides designed for use on site and will contain a detailed risk assessment covering the task or operation; a hazard analysis and methods for preventing injury, including engineering controls and personal protective equipment. Development of work methodology will also be considered at the planning stage of the construction of all the identified list of activities. The contractor shall submit a Method of Statement schedule no later than the start of construction. Work will not commence without an approved method statement where applicable. The contents of method statements are to be briefed out to those personnel responsible for the works and a copy kept on site at all times. Where subcontractors are involved in the works they are to submit method statements and include risk assessment in accordance with the above requirements.

4. Task Briefings
Task briefings are to be used to support method statements and be briefed by the work supervisor to the workforce before the start of any new task and must be given in the native language of the workers. Supervisors will ensure all the workers under his responsibility are made aware of the hazards and controls measures associated with the task or activity. All briefings must be recorded and signed by all attendees stating they understood the briefing and kept by the site supervisor until the task is complete. On completion of the task the task briefing record must be attached to the method statement. Supervisors will stop the activity and re-brief workers if safety controls are not being correctly implemented, there is a change in the work methodology or where new hazards have been identified. Task briefings will be regularly attended to carry out checks of the documentation and ensure the process is being correctly implemented.

5. First Aid Provisions
First Aid provisions and First Aiders must be provided as required under the current Labour Law No. (14) 2004 and QCS 2014, to a ratio of 1/25 up to 100 personnel on site. A minimum of one trained first aider and first aid box is to be provided for every 5 – 25 workers and be available at all work locations. Where the workforce exceeds 100 personnel a full-time Ministry of Public Health, registered male nurse must be appointed and a First Aid Centre must be constructed to the specifications, equipped, inspected and registered by the prior to use. First aiders are to be recognizable by displaying a first aid sticker on their safety helmet or have ‘first aider’ written on the rear of their hi-visibility vest. Eye wash stations will be provided in work, welfare and high-risk areas such as workshops, battery charging etc. A register of all persons receiving first aid treatment will be maintained and any treatment as a result of a work injury will be notified to the HSE Officer.

6. Medical Requirements
The recruitment process under current legislation requires a number of medical examinations pre and post arrivals, prior to being issued a work permit such as: (Listed in the Labor Diseases Risks, 2005) – The Periodic medical examination by Medical Association (Post arrival) The Medical Association registered Male Nurse will carry out ongoing Health Screening, the day to day medical requirement within his competency and the referral of patients to relevant medical authority such as the Company designated Medical Practitioner or Hospital. . In addition the Male Nurse is responsible under Article (105) Labour Law No. (14) Of the Year 2004 for:

• Carrying out Periodical Medical check-ups as stipulated in Resolution 19 (2005) – The Periodic Medical Examination for Workers Exposed to Occupational Diseases Risks, for all workers exposed to the dangers of the vocational diseases listed in the Labour Law No. (14) of The Year 2004, Table No (1), Occupational Diseases
• Refer all patients suspected of being afflicted of any vocational disease to the Company designated Medical Practitioner for professional assessment Notify the Human Resource Manager and Senior HSE Manager immediately of any positive results of occupational disease Maintain the First Aid Centre and provisions as per Hamad Medical Association requirements for site facilities Maintain medical records (‘Confidential but may be viewed by the individual upon request, forwarded to Head Office on completion of the project. Workers must not return to work before date indicated on a medical certificate

7. Temporary Works (Construction Phase)
Temporary works is an “engineered solution” used to support or protect either:

• An existing structure
• The permanent works during construction
• Support an item or plant or equipment
• The vertical sides or side-slopes of an excavation during construction, or
• To provide access

A design brief is to be prepared to serve as the starting point for subsequent decisions, design work, calculations and drawings. The brief is to include all data relevant to the design of temporary works. Any person involved in the design or coordination of temporary works is to have relevant up to date training and both the qualifications and experience appropriate to the complexity works. The Site Engineer is responsible for the implementation of the design in accordance with drawings and specifications and for the day to day progress. A method statement and risk assessment is required for support temporary works. Where a permit is required in accordance with the design no work must commence until the permit has been issued by the Site Engineer in charge. Temporary works must not be altered or dismantled without the permission of the Site Engineer in charge and work will only commence after review of the method statement and risk assessment.

8. Formwork (Construction Phase)
Formwork will be designed, erected, supported, braced and maintained so as to safely support any and all vertical and lateral loads that may be imposed upon it during placement of concrete. Designed detailed drawings showing the jack supports layout, formwork, shoring, working decks and scaffolding will be available onsite. A competent person shall design the form work and shoring system where applicable.

9. Fire
A Fire risk assessment will be undertaken and all necessary precautions against fire as required by local legislation and relevant standards. Emergency plans will provide the arrangements and action to take in the event of a fire. Adequate firefighting equipment shall be provided and regularly checked and maintained. Fire escape routes, exits and assembly areas will be provided and all such areas will be kept free from obstructions at all times. Wherever possible in permanent structures under construction the fire escape routes, exits and assembly areas used will be those designed for use in the occupied structure

10. Electricity
All permanent and temporary electrical installations are to be designed, installed, modified, maintained and repaired by a competent electrical person. Any electrical systems, circuits, installation equipment is to be safe for its intended purpose and suitable inspected and tested before it is put into service and thereafter every 12 months by a competent electrical person. Users of electrical equipment are to inspect them before and where a fault or damaged is found the equipment is not to be used but tagged and removed from service. All electrical equipment including portable equipment and installations should be maintained so as to prevent danger and include a portable appliance test (PAT) by someone with the necessary knowledge and experience to interpret the tests.

11. Confined Spaces
A confined space will:
Have poor access and egress and not meant for continuous human occupancy. Have unsuitable atmosphere for human respiration – lack or excess of oxygen, presence of toxic gases and vapours (these can be created by activities within an otherwise safe environment)

12. Working at Height
Working at height is to be avoided whenever possible. Where working at height cannot be avoided:

• Work at height must be properly planned, organized and supervised by a competent person
• Weather conditions are taken into account
• Those involved in the work are trained and competent
• The place where work at height is carried out is safe
• Equipment is appropriately inspected
• The risk from falling objects are adequately controlled The type of work and duration will determine what equipment is to be use when working at height. The following hierarchy is to be used when providing a safe place of work:
  • Edge protection with guard rails and toe boards General access scaffold Mobile scaffold towers
  • Mobile Elevating Work Platform (MEWP)
  • Man basket Fall protection systems
  • Ladders or step ladders

13. Ladders and Step Ladders
Wherever possible a work platform or other mean should be provided before ladder and stepladders are used. In general, ladders and stepladders should only be used:

• In one position for a maximum of 30 minutes. For light duty work
• Where three points of contact can be maintained
• Where the work does not require the person to overreach Ladders and stepladders are to meet a recognized international standard such as BS EN 131 Ladders. The use of site-made ladders is prohibited. Where there is a risk of electrocution the use of aluminium ladders are prohibited, only timber or glass reinforced ladders are to be used. Ladders are to be tied or footed at all times and extend 1m above any access or egress point. Ladders and stepladders are to be inspected before use and have an identification plate showing the asset number and date of last monthly inspection.

14. Floor and Wall Openings
All openings in floors, wall, platforms, walkways etc. are to be protected against a person or vehicle from falling. Floor and wall openings are to be protected using covers of adequate strength to withstand the expected load that will be imposed and securely fixed. A suitable sign is to be displayed to warn personnel of the dangers and the requirement not to remove covers unless other arrangements have been put in place to protect the opening. Penetrations in walls such as those provided for lift shafts, door openings etc. are to have fixed protective barriers around the penetration with a sign warning personnel of the danger of falling. Where personnel need to work adjacent to unprotected openings and penetrations they are to be protected from falling by other means (i.e. fall restraint system). Tools and equipment are to be kept clear and the work area directly beneath the activity is to be cordoned off. Openings and penetrations are to be inspected daily to ensure they remain protected.

15. Machinery and Equipment
Machinery such circular saws, drills, lathes, bench grinders etc. are only to be operated by trained competent personnel. All plant and equipment or machinery will be submitted once new machinery arrive at site. It is to be installed by a competent person and inspected before use by the operator. They are to be fitted with suitable guards and interlocks to prevent body parts from coming into contact with moving parts. Hand and Power Tools.

16. Hand Tools
Hand tools are to be used for their intended purpose; be the correct tool, size and type for the job and be inspected for damage and wear before use. Any damaged tools are not to be used and removed from use until repaired. Hand held tools such as chisels and saws are to be kept sharp, free from mushroom heads and placed in a safe place when not in use. The manufacture and use of site-made tools is prohibited.

17. Power Tools
Personnel using power tools are to be trained in their use. All power tools are to be inspected before use and every 3 months by a competent person. Any power tool found damaged is to be removed from service and returned to the store for repair. Power tools are to be suitable stored in a dry well-ventilated area when not in use.

18. Pneumatic Tools
Compressed air used for cleaning purposes is to have a reduced pressure not exceeding 30psi. The use of compressed air from cleaning or blowing dust from any part of the body is prohibited. Air lines are to have ‘whip checks’ fitted at all tool and hose connections to protect the user and those in the immediate vicinity if connections become separated. Air hoses with an internal diameter greater than 12.5mm (1/2 inch) a safety excess flow valve must be installed at the source of the air supply to reduce pressure in case of failure. Adequate arrangements must be in place to protect personnel from the risk from noise and vibration when using pneumatic tools.

19. Traffic Management – Safe Movement of Plant and Vehicles on Site
Man/machine interface is a key issue on construction sites. The main hazards associated with man/machine interface are:

• Personnel being struck by plant and vehicles
• Personnel being crushed by plant and vehicles

Collision between plant and vehicles Sites are to properly design the layout and traffic routes in order to manage the separation of personnel and plant and vehicles. Where possible one-way-systems, and drive through loading and unloading areas are to be provided. Movement of plant and vehicles are to be minimised through appropriate measures including:

• Controlling entry into sites by barriers and gates providing parking spaces clear of work areas
• Locating main loading and unloading areas away from construction areas
• Providing pedestrian only areas from which vehicles are completely excluded
• Installing safe designated pedestrian routes to work locations providing safe vehicle routes around site
• Install barriers and signs to warn and prevent personnel entering restricted zones
• Position banksmen or spotters in safe areas to warn other personnel not to enter into restricted zones
• Approach plant and vehicles from the front when there is a need, speak with a driver
• Speed restriction must be introduced and imposed and traffic calming measures such as speed bumps are to be used to control speed on site.
• Plant and vehicles are not to position themselves creating crush zone (i.e. when an excavator or a crane slews close to a fixed structure).
• A minimum safe clearance of 600mm is to be provided at all times.
• Designated bus stops in safe areas are to be provided to ensure the safety of personnel when they are getting on/off buses.
• Where reversing of plant and vehicles is unavoidable the following controls are to be implemented as a minimum:
  • Reversing alarms and lights are to be working at all times Mirrors are to be fitted and kept clean Operators and drivers are to have an unrestricted view when reversing Operators and drivers are to look in the direction of travel where possible (i.e. when reversing a pickup look out the rear window when reversing) When reversing up to excavations or loading areas use stop blocks/logs As a last resort use banksmen to control reversing vehicles

20 Permit to Work
Permit-to-work (PTW) is a formal recorded process and is used to control work that is identified as potentially high risk. A PTW will be issued but not limited to the following activities:

• Working at height
  Working in confined spaces Hot works (welding, flame cutting, grinding etc.) Work on high voltage electrical equipment or other works on electrical equipment that may give rise to danger such as working under live overhead power lines
• Work involving the use of hazardous substances
• Work involving ionising radiation
  Demolition work, Pressure testing of pipelines or systems During any excavation or breaking ground Removal of passive guardrails system Formworks Shuttering and De-shuttering works Loading and Unloading of Materials Concrete Pouring works
  A competent person is to be assigned responsibility and ensure an appropriate PTW system is introduced and suitable procedures are to be established and maintained

21. Noise and Vibration
Exposure to high noise and vibration levels whilst at work can cause harm to personnel. Where noise and vibration levels exceed a certain degree, controls must be introduced to mitigate the potential damage. The table below shows the exposure action level and exposure limit values for both noise and vibration.

22. Housekeeping
Sites are to be kept clean and tidy and free from slip, trip and fall hazards. All personnel are to be trained in the importance of good housekeeping and managers and supervisors must undertake regular monitoring and inspection of the workplace. Workplace are to be left clean and tidy at the end of each shift and where there is an accumulation of materials throughout the shift, at regular intervals as required to maintain a clean and safe site. Buildings under construction and nearing completion must ensure that all combustible and flammable materials are removed at the end of each shift.

23. Night Work
Before any work at night commences authority is to be sought from the Engineers Representative and suitable arrangements are to be in place. HSE coverage will be provided for night shift activities. Area and task lighting is to be provided for all work areas and activities and the minimum. Designated walking routes and work areas are to be adequately lit and personnel are to be excluded from work areas or be protected against being struck by plant or vehicles. All trenches and excavations barricaded to be provided with blinkers and reflective lightings especially those located along vehicle and pedestrian access routes.

24 Climatic Conditions Extremes of weather will include as a minimum:
• High temperatures and humidity
• High winds
• Dust storms

25 Personal Protective Equipment (PPE) and Work Clothing
Personal Protective Equipment
• Suitable and sufficient PPE will be provided to all employees in line with current legislation. PPE that is provided is to meet recognised international standards as outlined in QCS 2014, such as BS EN or ANSI. The following PPE is mandatory and is to be worn at all times on site (including visitors):
• Safety helmet Safety boots Hi-visibility vest
Work Clothing
All personnel are to wear clothing appropriate for the work being performed. The wearing of shorts or sleeveless shirts by the workforce is prohibited. Clothing contaminated with grease, oils, fuels and other hazardous substances is not to be worn.

26 Safety Signs and Signals
Safety signs are to be displayed where the risks to health and safety cannot be avoided by other means. Safety signs are to be pictorial wherever possible and where lettering is used it must be in English, Arabic and the native language of the workers on site. The colours and shapes of safety signs are to be consistent with BS 5499:2006 Code of Practice for Safety Signs including Fire Safety Signs,

27. Welfare Facilities
Suitable and sufficient site welfare facilities must be provided and available when work on site commences (i.e. mobilisation phase) and throughout the work. Everyone on site must have access to adequate toilet and washing facilities, a place for preparing and consuming refreshments and somewhere for storing and drying clothing and personal protective equipment. Welfare facilities are to be easily available to people working on the site. Toilets need to be easily accessible from where the work is being done. Washing facilities should be as close as possible to the toilets. Washing facilities also need to be close to canteens and rest rooms so that people can wash before eating.

28. Toilets
The numbers of toilets required will depend on the number of people working on the site and the different locations where work is taking place, (The ratio of 1:25 as a minimum). Wherever possible toilets should be flushed by water and connected to a mains drainage system. If this is not possible, toilets with a built-in water supply and drainage tank may be provided. If neither option is possible chemical toilets may be used as a last resort.

29. Washing Facilities
Washing facilities are to be provided next to toilets, changing rooms and rest areas, they are to include:

• A supply of hot and cold running water
• Soap or other means of cleaning
• Towels or other means of drying
• Sufficient ventilation and lighting
• Sinks large enough to wash face, hands and forearms
• Specialized facilities will be provided for certain activities when necessary.

30. Drinking Water
A suitable supply of cool drinking water is to be readily available. During the high summer season the necessary additives to replace lost minerals and salts will be provided. Where additives are provided the container must be clearly marked. Water is to be protected from contamination and its quality is to be tested on a half-year basis conducted by external independent laboratory samples will be taken in presence of Client or consultants representatives.
Filters on coolers are to be checked and changed as required. Drinking water tankers are only to be used for their intended purpose, they are not to be used to for dust suppression by filling them with other than drinking water. Employees are to be provided with cups or a personal water bottle, the use of empty drinks bottles is prohibited.

31. Rest Facilities
Rest facilities are to be clean and tidy and be adequately maintained. They are to have sufficient tables and chairs and provide cover from the elements (wind, dust, rain, heat). Rest areas are to be well lit and suitably ventilated by a sufficient quantity of fresh or purified air.

32. Smoking Areas
Smoking is prohibited in all areas, including but not limited to:

• Eating and rest areas
• Accommodation and kitchens
• Stores and storage areas
• Refuelling areas

At all work sites, Designated smoking areas are to be set up in a safe area clear of any flammable or combustible materials. Smoking areas will be cleaned on a daily basis and a suitable means of extinguishing cigarettes is to be provided.

33. Slips Trips and Fall
An injury resulting from a slip, trip or fall is the most common type of injury on construction sites. Procedures for managing slips, trips and falls that consider the ever-changing and dynamic nature of the worksite must be developed. The risks from slips trips and falls must be assessed and suitable controls implemented across all work areas and workplaces. Regular monitoring and inspection of the work areas (including offices and walking routes) is to be scheduled and carried out. All personnel are to be trained in the dangers of slips, trips and falls and instructed on the controls to be implemented and maintained.

34. Manual Handling
Wherever possible, manual handling is to be avoided by using mechanical means (i.e. crane, forklift, trolley etc.). Additionally lifting aids such as kerb lifters, manhole lifters, suction pads used for carrying and fitting glazing etc. must be provided as appropriate. Where manual handling cannot be avoided the risk of injury must be reduced as far as possible by undertaking an assessment and identifying suitable controls.

35 Lifting & Shifting Equipment

• Only authorized operators with valid driving licenses shall be permitted to operate lifting & shifting equipment
• Do not allow any person other than the operator to travel on the equipment
• All equipment shall carry the name plate showing the weight of the equipment along with its rated capacity.
• Operate the equipment at the most minimum speed depending on areas and load conditions.
• Avoid making quick starts, jerky stops or quick turns.
• Never use the reverse control for braking
• The operator shall keep feet and legs inside the operating station
• The operator shall not leave the equipment in running condition.
• A load backrest extension shall always be used to prevent danger to operate from the load.
• Tie around the objects like pipe to prevent rolling
• Operators shall regularly inspect their machines
• All drivers shall attend the Defensive Driving training program. It is mandatory.
• All Contractors Vehicles that require operation in Company Hazardous areas will be subjected to inspection by the permit issuer as per Company Fire & Safety Check list before entering the area.
• Drivers working hours are strictly defined with suitable rest periods.

36. Material Handling
The safety aspects during the material handling operations such as loading, unloading, transportation, stacking and stores arrangement must be duly considered. The material, which is greasy, wet, and slippery or dirty, shall be wiped dry before handling. While using lifting appliances, the workers must not stand directly under a suspended load and must keep away from wires or ropes under strain. Workers must have conversant with the safety in lifting & rigging operations as well as have trained banks man signals for such operations.

37. Planning
The storage and movement of materials shall be carefully planned and arranged to make optimum use of the machines so that efficient service can be provided. Selection and storage shall be made taking into consideration of drainage and protection requirements against the elements. Storage areas shall be planned to minimize maneuvering of trucks into or out confined areas. Access ways shall be of sufficient width to accommodate over width loads. Materials such as cement and other bulk items shall be stored on racks or pallets to ensure that material is not in contact with the ground surface.

38. Mechanical Handling
Appropriate lifting devices shall be utilized for lifting heavy items and bulk handling of materials. Drums shall be stacked on a pallet and similarly loose items should be secured inside a container before lifting or shifting with mechanical device. The materials inside a fragile container shall be protected with a substantially strong outer covering. Extreme precaution shall be applied while handling hazardous, explosive, toxic or flammable materials. The weight shall be verified prior to lifting the materials. The ground realities such as any spillage, prevalent danger or obstruction in the material handling area should be properly assessed. The load must be properly secured prior to raising or lowering it to prevent any accidental fall. The materials must not be stacked loosed on a platform, grating or pallet being hoisted.

39. Waste management
A detailed waste management plan shall be made based on the different phases of the project and the nature of the waste generated at each phases. The waste management shall be documented, reviewed and approved for use, in case of use of third party for collection and disposal, they shall have legal license and method of collection, transportation and disposal shall be approved prior to use.

40. Leakage / Spillage

• Make every effort to contain the spill immediately.
• Avoid contact and instruct others to avoid contact with spilled materials as well as inhalation of vapor, fumes, smoke and dust.
• Secure the spill area to prevent access until a spill response team can complete cleanup activities.
• Exposed personnel shall obtain medical treatment for any resulting injury.
• To remove contaminated clothing and flush / wash the affected the parts of an exposed person’s body to remove the chemicals and minimize the injury.
• Wear all necessary PPE and immediately begin clean up, using any means of available to perform the cleanup.
• Report the spill or leak immediately to the supervisor, plant manager and company HSE representative.
• Review the SDS and determine the appropriate clean up procedure.
• Before cleaning the spill the following terms to be considered,
• Appropriate spill control material and cleanup material are available.
• Appropriate PPE’s are available
• Personnel familiar with equipment and clean up procedures

41. PAINTS & COATINGS
In addition to the usual hazards associated with work activities, labor engaged in surface preparation and paint application can be exposed to the dangers of fire, explosion, toxic fumes, dust and insufficient air.
41.1 Spray Painting Safety

• Do not point the spray gun toward any part of your body or at anyone else.
• Store rags that have paint on them in closed metal containers labeled “oily rags.”
• Press the pressure relief valve on painting canisters and painting guns prior to disconnecting them.
• Do not store food or eat where spray painting is being performed.
• Close the lids of containers of paint and thinner tightly after each use or when not being used.
• Return containers of thinners, mineral spirits and other liquids labeled “Flammable” to the storage cabinet labeled “Flammable Storage,” when painting is finished.
• Always wash your hands with soap and water after using paints or other toxic solvents to remove paint from your skin.

41.2 Fire and Explosion Hazards from Solvents

• In paint systems normally the solvent vapor are flammable. In general other components are less dangerous. The danger of fire exists when solvents are in use.
• The lower and upper flammable (explosive) limits define the range of vapor/air concentrations that are potentially explosive. The lower explosive limit (LEL) is readily obtained in the area near open solvent containers and near the nozzle of a spray.
• Ventilation is required because all solvent vapors are heavier than air and tend to settle to the lower level in confined areas. Natural ventilation is rarely adequate. In general forced ventilation shall be applied, especially in small enclosures and always during spray painting.
• Even with forced ventilation vapor concentrations during spray painting will be high. All labor shall wear adequate personnel protective equipment as appropriate.
• Fire precautions shall be maintained. Smoking or the use of open flames is permitted only at designated areas.

41.3 Hazards Involved During Painting
41.3.1 Toxicity
Most of the solvent contained in paints or used for cleaning are toxic in varying degrees. The dangers can arise from inhalation, ingestion or skin adsorption. Examples are turpentine, toluene, thinner, naphtha and enamel. Turpentine is very irritating and mineral spirits are mildly irritating. Extremely toxic solvents include benzene and all chlorinated solvents and the like. These solvents should not be used unless specifically necessary.
41.3.2 Skin Irritations
Vapors from many solvents can cause mild to quite severe allergic skin irritations. Strong degreasing solvents remove natural skin oils and promote skin cracking. Adequate and readily available washing facilities shall be provided. Barrier creams may protect the skin against paint and solvents. The use of personnel protective equipment will help to prevent health problems.
41.3.3 Hazards from Flame Cleaning
Major danger of explosion and fire exists when flame cleaning is done in the presence of flammable materials such as paint solvents. Flammable materials shall be removed prior to start of flame cleaning operations. Flame cleaning in confined spaces shall only be done when adequate ventilation is provided to remove fumes.
41.3.4 Hazards from Solvent Cleaning
Solvents for wiping include mineral spirits, petroleum naphtha, turpentine and other products. Benzene, gasoline and carbon tetrachloride are dangerous and shall be selective used. Adequate ventilation shall be provided while solvent cleaning.
41.3.5 Hazards from Paint Preparation and Equipment Cleaning
The solvents for the majority of paint systems used are toxic and flammable. Paints based on water solvents are used in limited locations. Paints shall be mixed in areas with adequate ventilation and washing facilities shall be available so that paints and solvents splashed on the body or in the eyes can be washed immediately.

8.2 Management of change

Management programs, identified risk control measures and Action Plans are amended, if required. If necessary, planning is also carried out through Management review meetings. Regarding management of change (MOC) the organization shall identify the OH & S hazards and OH & S Risks associated with changes in the organization, HSE management system, or its activities, prior to the introduction of the changes. XXX also ensures that the results of these assessments are considered for determining the appropriate controls.

8.3 Procurement requirement for OHSMS

XXX takes into consideration the HSE management system to control the ‘procurement of products & services’ to control the HSE risks arising from
a) The contractors’ activities and operations that impact the organization;
b) The organizations’ activities and operations that impact the contractors’ workers;
c) The contractors’ activities and operations that impact other interested parties in the workplace.

8.3.1 General procurement

XXX has established, implemented and maintained a process to control the procurement of products and services in order to ensure their conformity to its HSE management system.

8.3.2 Contractors OHSMS requirements

XXX coordinates its procurement requirements with its contractors, in order to identify hazards and to assess and control the OH&S risks arising from the contractors’ activities and operations, XXX’s activities and operations that impact the contractors’ workers, contractors’ activities and operations that impact other interested parties in the workplace. XXX ensures that the requirements of its HSE management system are met by contractors and their workers. Procurement department includes occupational health and safety as a criteria during the selection of contractors.

8.3.3 Outsourcing OHSMS requirements

XXX controls outsourced functions and processes by ensuring that outsourced processes are consistent with legal requirements and other requirements and with achieving the intended outcomes of the HSE management system. The type and degree of HSE control are applied to these functions and processes are defined in the contract agreement.

8.4 Emergency preparedness

8.4.1 Mock Drills:

Are practical drills designed to test the capability of personnel or organization to perform a specific function (i.e., Fire, Spill response, communications, First Aid and Rescue). The HSE Coordinator, in co-ordination with other departments, shall identify all potential emergency situations or scenarios arising from the risk assessment associated with the company’s activities, operations and processes, including the means to eliminate, control and minimize the hazards and risk associated with it.

8.4.2 Emergency Drills

• The Safety Officer, in coordination with the MR and Project Manager, shall plan and emergency drills at least once every Year.
• Emergency drills shall cover all but not limited to different types of emergencies as follows:
  • Evacuation
  • Fire fighting
  • First aid.
• Designated fire exits and evacuation areas (or “assembly points”) within or near the company premises shall be clearly marked and made clear to all personnel. Selected and assigned personnel shall supervise the evacuation, including headcount.
• If planned results are not achieved, appropriate corrective actions shall be planned and carried out in accordance with “Non-conformance, Corrective & Preventive Action Procedure”.
• The Safety Officer shall prepare and maintain records of “Emergency Drill Report” duly signed by the MR.

8.4.3 Emergency Equipment Monitoring & Inspection

The MR shall ensure that appropriate emergency equipment is provided, deployed and easily accessible in strategic areas of the company premises, where a potential environmental emergency and associated risk could potentially occur.
Emergency equipment shall cover all but not limited to the following:

• Fire Extinguishers
• Fire Alarms
• Fire Hose
• Emergency Lights
• Spill kits (in the event of chemical/oil spills)
• First Aid Kit

The MR/HSE Officer and/or its assigned staff shall periodically check and monitor all emergency equipment. Frequency of inspection and maintenance shall be specified in the list. It shall be the responsibility of the HSE Officer and his designated staff to ensure that all emergency equipment are in good operational condition and easily accessible in the event of an incident and other emergency situation.

8.4.4 Emergency Situations
Emergency situation can arise due to:

1. Fire

Handling Fire Emergency:
The person who discovered the fire shall promptly report the matter to any ERT member and/or the Safety Officer through telephone, mobile phone or any other means of communication. In the event of fire, the following guidelines shall be as follows:

1. Call the ERT and report the location of fire.
2. Use the nearest fire extinguisher.
3. Wait for announcement.
4. Move out of the affected area.
5. Press the fire alarm.
6. Or shout “fire, fire, fire!”

Upon receipt of emergency call, the ERT shall respond immediately and shall act according to the following:

1. Use firefighting techniques.
2. Responds to emergencies as required.
3. Initiate orders and command activity with firefighting.
4. Call external Fire Department if the situation is out of control.
5. If situation is getting worse, evacuation shall be planned upon HSE’s recommendation and approval of the PLANT MANAGER.

The ERT and/or designated personnel (referred to as “fire fighters”) shall direct and lead all personnel/workers towards the designated evacuation area (or “assembly point”). Employees and visitors shall follow the following evacuation guidelines:

1. Proceed to the nearest exits or stairs.
2. Walk fast. Do not run.
3. Proceed to the designated evacuation area.
4. Do not go back to get personal items.
5. Wait for a further announcement.

The Safety Officer, in consultation with the Plant Manager shall make a recommendation if there is to be suspension of work, and shall take any necessary action if suspension is announced.

2 Handling Injury/illness of Personnel

a) In case of serious injured:

1. Shout for help.
2. Recover the injured person and administer first Aid as per injury treatment.
3. Do not attempt to move the injured person if you are not aware of handling back or neck injuries.
4. Call the ambulance and report the accident to the management as well as to control room.
5. If the injured person conscious ask if can walk, transport him to the nearest hospital.
6. If injured person is unconscious wait for the arrival of the rescue team

b) In case of illness:

1. Inform the supervisor.
2. The Supervisor or first aid nominated person must transfer the sick person to the hospital for proper medical treatment.
3. If vehicle not available call : AMBULANCE

3 Reporting & Meeting:

1. The Safety Officer, MR and other relevant personnel shall review and discuss any reported incident and shall plan corrective measures to avoid recurrence of the same environmental and OH&S emergency situation and incident.
2. Emergency procedures shall be reviewed and revised as necessary to reflect continual improvement on the company’s emergency preparedness and response plan
3. All matters discussed shall be communicated to all employees, contractors and other person working for or on behalf of the company through meetings and bulletin boards for general awareness.

4 Handling Chemical/Oil Spills
The guidelines below shall be used in HSE emergencies such as oil or chemical spills and leaks resulting from handling, accidents and explosions that pose immediate danger to employees and environment:

1. For minor spills, clean the spills or leaks with absorbent materials and put the contaminated materials in a hazardous waste bin.
2. For major spills, call the ERT and report immediately the matter to HSE Officer and the HSE manager.
3. Then identify the type of chemical or oil spilled in the area and determine the source of all spills or leaks.
4. Use appropriate protections in handling spilled chemicals or oils.
5. Stop the source of leaks or spills.
6. Contain the spill or leaks using the techniques that best fit the situation.
7. For oil leaks, place an empty container under the source of the leak.
8. Tie-up the pipe or hose where a chemical comes out.
9. Replaced the defective pipe or hose.
10. Put the leaking container in a recovery or inside another container.
11. Rotate or shift the container to a position that stops the leak.
12. Use appropriate absorbent materials to remove the spills or leaks.
13. Limit the spill or leak to as small an area as possible.
14. Contain the spill chemicals within a salvage drum.
15. Remove the contaminated clothing & dispose them accordingly, then shower.
16. Decontaminate any tools used in the removal and clear-up of hazardous materials.
17. ERT shall ensure that appropriate PPE (Personal Protective Equipment) is used when handling chemical or oil spills.

5 Preparedness

1. Test the plans and procedures for adequacy at least once in 6 months.
2. Ensure the effectiveness of the emergency training through exercises and Mock drills.
3. Regularly inspect the existing emergency facilities, supplies and equipment and rectify any deficiencies.
4. Ensure provisions for notification, initial assessment and communication during an emergency situation.
5. Response
   o Ensure a safe and efficient evacuation during emergencies.
   o Ensure to maintain right level of security during any emergencies.
   o Communicate to news media and general public in the event of any emergency, accident or other incident, only after seeking concurrence from Chairman.
   o The steps taken in response to a fire, hazardous material incident, and situations requiring medical and/or rescue response shall be documented in detail.
   

6 Duties and responsibilities

1. HSE Officer
   • He will be in-charge of handling any emergency under the overall guidance of the Project Manager.
   • Guiding the various controllers end and co-ordinates in carrying out their function effectively.
   • Depending on the seriousness of the emergency ensure outside help.
2. Project manager
   • Immediately on knowing about the emergency he will proceed to the scene.
   • Quickly assess the scale of emergency.
   • To give instructions to managers for control of operations in other sections/shutdown
   • Ensure safety of personnel at site. Evacuate all unwanted persons from the site through operators or supervisors

9 Performance evaluation

9.1 Monitoring, measurement, analysis and evaluation

9.1.1 General
Processes are monitored to verify such process parameters that have influence on the environment or personal safety and health. Monitoring and measuring are performed at appropriate stages of the Project implementation process. If required by customer, XXX follows the process monitoring and measuring procedures stated in relevant technological procedures, method statements or working directions. As the evidence of process conformity with the specified HSE requirements, the documented information with clear identification of a person responsible for product release are kept and maintained. The results of monitoring and measurement shall be analyzed and evaluated.

9.1.2 Customer Satisfaction and Legal Compliance Evaluation

9.1.2.1 Customer Satisfaction
XXX shall collects information on customer perception to see whether or not the customer’s expectations were met by assessing the customer satisfaction related to the project and the performance of the HSE requirements. Any method can be used to collect this information like customer surveys, customer feedback on delivered products and services, meetings with customers, compliments or letters received from customers etc.

9.1.2.2 Evaluation of compliance
XXXhas committed to compliance of applicable legal and other requirements it subscribes related to its environmental aspects and OH&S issues. XXXevaluates its compliance with its applicable legal and other requirements during MRM.

9.1.2.3 Analysis and Evaluation
Data analysis represents a process of the transformation of inputs (data and information) into outputs (analysis result, proposed actions) in terms of detecting the rate of conformance, development trends, objective implementation, action effectiveness, degree of customer satisfaction, performance and effectiveness of management systems, actions taken to address risks and opportunities, performance of external providers etc. The evaluation of compliance to HSE requirements on regular basis and being discussed during the management review meeting and is monitored as stated in procedure for Legal and other requirements. XXXshall ensure that the

• Frequency of the evaluation is determined
• Evaluation of compliance is done as per determined frequency and take action If needed
• Knowledge and understanding of its compliance status is maintained.

9.2 Internal audit

XXX shall conduct internal Audits at planned intervals to determine whether the HSE management system:

• Conforms to the planned arrangements to the requirements of ISO 45001:2018, ISO 14004:2015 and to the HSE management system requirements established by XXX as per this HSE Plan for the project.
• Whether or not the system has been effectively implemented and maintained.

An audit program shall be planned, taking into consideration the status and importance of the processes and areas to be audited, as well as the results of the previous audits. The audit criteria, scope, frequency and methods shall be defined. The selection of auditors and conduct of audits shall ensure objectivity and impartiality of the audit process. Auditor shall not audit their own work. XXX have established a documented procedure for Internal Audit, and to define the responsibilities and requirements for planning and conducting audits, establishing records and reporting results. It is ensured that relevant audit results are reported to workers, and, where they exist, workers’ representatives, and other relevant interested parties. The management responsible for the area being audited shall ensure that any necessary corrections and corrective actions are taken without undue delay to eliminate detected non conformities and their causes. Follow-up activities shall include the verification of the actions taken and the reporting of the verification results. The response time for submission of an action plan to address detected non conformities shall be identified.

9.3 Inspections and Audits

Statutory Inspections
Statutory inspections. will be in accordance with the requirements as per ABC guideline’s and requirements. A record of inspection checklists and inventory details will be maintained by MR. Any of the above equipment lifting gear that is found to be defective will be removed from service and marked or sprayed with Red tag to indicate that it is not to be used. All defective equipment will be removed from the worksite.

Monitoring
Management, supervisors, engineers and health and safety staff are to carry out regular monitoring of the workplace as they pass through. Supervisors have a key responsibility for the safety of workers under their control and are to continually assess and be constantly on the lookout for any hazard that might arise in the work areas. Supervisors should ensure that workers are carrying out pre-operational checks and are alert for any unsafe conditions and actions. All monitoring and measurement HSE equipment used for verification shall be controlled and calibrated to ensure that such devices are available to guarantee continuity of in-process measurement capabilities. Monitoring and measuring equipment must be:

• Calibrated or verified at specified intervals or prior to use, based on recognized standards.
• Adjusted or re-adjusted as necessary in accordance with manufacturer’s instructions.
• Identified to enable calibration status to be determined.
• Safeguarded from adjustment, which would invalidate measurement results.
• Protected from damage or deterioration during handling, maintenance or storage.

Inspections and Audits
Inspections, tours and audits will be carried out by all levels of management and supervision. An inspection and audit programme will be established by XXX in accordance with the final HSE Plan. Results of health and safety inspections, tours and compliance audits must be recorded in an agreed format and will be analyzed on a regular basis to identify any negative trends. Inspection verification shall be done by XXX’s HSE Co coordinator and team before equipment or power tools are used. HSE audit will be carried out internally (Site quality audit team) on a monthly basis, 6 monthly (XXX’s quality audit team). Copies of inspections and audits are to be issued to the Engineers Representative, where applicable.

9.4 Management review

The management review meetings take place in order to evaluate the business activities and HSE Management System as a whole. It shall be at planned intervals to ensure its continuing suitability, adequacy and effectiveness. During these meetings the effectiveness of the HSE management system is reviewed. The review shall include assessing opportunities for improvement and the need for changes to the HSE management system, including the policies and objectives. Data will be studied to see if objectives and plans are being achieved, and areas where action is needed will be identified and action taken accordingly.
Customer and interested parties feedbacks is studied and suggestions are made for improvements and guidance to maintain good relationships with them.
We at XXX, ensure that the frequency of the management review meeting is enough to ensure the effectiveness of the system. These meetings will be held on a six monthly basis.

The following are the inputs identified for the management review:

1. Status of actions from previous management reviews
2. Changes in external and internal issues that are relevant to management systems
3. Information on the performance and effectiveness of the HSE management systems including trends in :
4. feedback from relevant interested parties
5. The extent to which all the HSES objectives have been met
6. Non-conformities and corrective action
7. Monitoring and measurement results
8. Audit result
9. Performance of external providers
10. Results of workers participation and consultation
11. Legal changes
12. HSE performance
13. Serious incidents/accidents
14. Legal compliance
15. The adequacy of resources
16. The effectiveness of actions taken to address risks and opportunities
17. Opportunities for improvement

The outputs of the management review shall include decisions and actions related to:

1. Opportunities for improvement
2. Any need for changes to HSE management system
3. Resource needs
4. Reviewed and revised HSE policy and objectives
5. opportunities to improve integration of the HSE management system with other business processes;
6. Any implications for the strategic direction of the organization.

XXXshall maintain documented information as evidence for the management review process.

10 Improvement

10.1 General

XXX shall determine and select opportunities for improvement enabling it to achieve enhanced customer satisfaction or to meet any customer requirements.

10.2 Incident investigation, non-conformity and corrective action

All Incidents with OHS and environmental concerns are reported to HSE Officer by the section in charge immediately after the incident. HSE Officer, upon receiving the information, immediately visits the site of incident to collect all possible available information from incident site. After assessing the potential/actual severity of the incident, HSE Officer reports the same to Project Manager who constitutes an investigation team to investigate & analyze the incident as per the Procedure for Incident Reporting & Investigation. Incidents, investigation and actions taken are communicated to relevant workers and other relevant interested parties. The incident management procedure of ABC shall be incorporated into the final HSE plan for the project and ensure that the requirements are understood and implemented. The investigation team submits a report by including underlying OHS and environmental deficiencies & factors causing & contributing to the incidents need for corrective action, opportunities for preventive action and for continual improvement. Concerned section heads/process owners have to initiate corrective action as per the investigation report. XXX shall ensure that product which does not conform to customer or statutory requirements is identified and controlled to prevent its unintended use or delivery. The need for corrective action is determined on the basis of identified actual non-conformities. Corrective action requests are typically triggered by such events as a failed inspection, customer complaint and/or product return on quality issues, non-conforming delivery from a supplier, or a system audit finding. The corrective action Program in the XXX typically encompasses a Plan-Do-Check-Act cycle and involves the following activities.

• Investigating the Non conformity to determine the root cause
• Assessing the magnitude and impact of the problem
• Initiating measures for correction of the Non conformity
• Identifying and recording actions taken to prevent recurrence of the Non conformity
• Update risks and opportunities determined during planning, if necessary;
• Follow up action to review the effectiveness of any corrective action taken.

10.3 Continual improvement

XXXshall continually improve the suitability, adequacy and effectiveness of its management systems. Continual improvement is demonstrated by the effectiveness of its management systems through the use of its policies, objectives, and audit results, analysis of data, corrective actions and management review. Continual Improvements shall be identified in all areas of operation and every effort shall be taken to ensure that the improvements initiated are carried out on continual basis. Training shall be imparted to all concerned on the concept of continual improvement and the tools to be used to achieve the improvement where required. The effectiveness of Continual Improvement Plans shall be monitored and reviewed periodically and the same shall be discussed in MRM.

10.4 Safety Culture and Awards
A safety award scheme will be implemented to recognize employees who contribute above their normal duties as an employee in keeping the site, themselves and other personnel safe from injury or ill health. Categories of safety award and recognition may include the following:

• Safety leadership – anyone who shows leadership or takes the initiative to ensure the safety of themselves or others Safety initiatives/improvements/suggestions
• Near miss reporting
  Towards enhancing HSE culture and improving human behaviour XXXshall initiate campaigns e.g. Work-At-Height, Hand Safety, Beat the Heat etc. throughout the year to raised awareness among workforce.
  Campaign plan and safety award program will be aligned to the organisation’s strategic vision and planning.
  To acknowledge the contributions that employees make in fostering a culture of health and safety in the workplace a quarterly recognition award will be held on site.
  All essential criteria shall be met in order to be eligible for an award which include the following
• Demonstrated commitment to health and safety in the workplace. Commitment goes beyond the requirements of the employee(s) role, it is proactive and preventative. Works towards continuous improvement of health and safety in the workplace. For example activities/actions taken to prevent injuries or illnesses, prevention of unsafe conditions or practices. Promote a work and service environment that is respectful, collegial and supportive

1.0 Introduction

1. This document states the procedures required for creating and maintaining a secure environment for the storage and dissemination of information at Information Processing Facilities.
   • It is critical that all the staffs at Information processing facilities are fully aware of the Policy, procedures, guidelines and best practices and commit to protecting the information of the XXX. Common sense and high ethical standards are required to complement the Procedure.
   • The procedures outlined represent the minimum security levels required at the Information Processing Facilities and must be used along with the  detailed security plan and additional policies

1.1 Background

1. This procedures applies to XXX’s Information processing facilities and are inclusive of their hardware facilities, software installations, and communication networks as well as information.
2. CISO has, among other responsibilities, the mandate to establish this procedure for information security and internal controls as well as contingency planning and disaster recovery at Information Processing facilities.

1.2 Audience

The procedures are for distribution to XXX’s Information Processing Facilities through their respective Security Representative who will then be responsible for communicating the details to XXX’s employees as well as contractors or other entities whose position responsibilities include the creation, maintenance, or access of XXX’s information residing on any computer system or platform.

2.0  Information

Management of information requires a working set of procedures that provide guidance and direction with regards to security. The primary focus is on the confidentiality and integrity of the information required for delivering information throughout the Organization.

2.1 Information Confidentiality

1. The overriding premise is that all information hosted or created at XXX’s Information Processing Facilities is property of the XXX. As such, this information will be used solely for performance of position related duties. Any transfers or disclosures are governed by this rule.
2. The confidentiality of all information created or hosted by XXX’s Information Processing Facilities is the responsibility of all XXX’s employees. Disclosure is governed by legislation, regulatory protections, rules as well as policies and procedures of the XXX and of the owning XXX. The highest of ethical standards are required    to prevent the inappropriate transfer of sensitive or confidential information.
3. Release of information is strictly for job related functions. Confidentiality is compromised when knowingly or inadvertently, information crosses the boundaries of job related activities.
4. Users must be required to follow good security practices in the selection and use of passwords. Passwords provide a means of validating a user’s identity and thereby establish access rights to information processing facilities or services. All agency staff must be advised to:
   • keep passwords confidential,
   • avoid keeping a paper record of passwords, unless this can be stored securely,
   • change passwords whenever there is any indication of possible system or password compromise,
   • select quality passwords with a minimum length of eight characters which are:
     • easy to remember,
     • not based on anything somebody else could easily guess or obtain using person related information, e.g. names, telephone numbers and dates of birth etc.,
     • free of consecutive identical characters or all-numeric or all- alphabetical groups,
   • change passwords at regular intervals (passwords for privileged accounts should be changed more frequently than normal passwords),
   • avoid reusing or cycling old passwords,
   • change temporary passwords at the first log-on,
   • not include passwords in any automated log-on process, e.g. stored in a macro or function key, and

2.2 Information Content

1. All information content hosted by XXX’s Information Processing Facilities is owned by and is the primary responsibility of the Facility in charge responsible for collecting and maintaining the authenticity, integrity and accuracy of information. The objective of the owning XXX’s Information Processing Facilities is to protect the information from inadvertent or intentional damage as well as unauthorized disclosure or use according to the classification standards and procedural guidelines of the owning XXX.
2. The following procedures must be followed by all staff at XXX’s Information Processing Facilities:
   • All information content must reflect the actual state of affairs of the Information Processing Facilities. Changes in the status of personnel who have system access are entered in the system immediately and the appropriate authorization / change form sent to the hosting Security Administration.

2.3 Information Access

1.Information access is subject to Access Control Policy and to the appropriate approval processes of the XXX. The Facilities in charge is responsible for maintaining current and accurate access authorities and communicating these in an agreed upon manner to the security function at the XXX’s Information Processing Facilities hosting the information.

2. XXX has a designated a security representative whose role includes:

• communicating the information security Policy to all their respective a employees,
• Communicating the appropriate procedures to the responsible user, owner, or people directly responsible for hosting   activities at Information Processing Facilities.
• granting user access to system functions, and
• reporting all deviations to the Policy, procedure.

3. Procedures for the Security Administration function are:

• Confirm set up to the Director and the individual concerned via  email when the set-up is complete for the role of Security Representative.
• Confirm set up to the Security Representative and the individual concerned when the set-up is complete for the use roles assigned.
• A daily report will be run by the dept. to list terminations. Security Administration will lock the access privileges at the end of day on the effective date. This does not preclude the responsibility of Facility in charge to notify the HR of terminations using agreed upon formal notice or by the phone and/or email in the case of dismissals.
• The HR dept. will run a weekly report of transfers and follow up with the Facility in charge concerned if a change notification is not received.
• Users not using the system for 60 days will be automatically deactivated. Security Administration will notify the Facility Head and will require an email or new activation form from the user dept.’s security representative to reactivate the individual.

4. The Facility in charge has the responsibility to adhere to procedures and put   into effect all authorized changes received from the CISO in a timely manner.

2.4 Information Security

1. The facility in charge collects and maintains (owns) the information is responsible for interpreting all confidentiality restrictions as well as establishing information classification and approving information access. It will staff a Security Administration  function whose responsibility will be operational control and timely implementation of access privileges.
2. System limitations may prevent all of the following procedures to be implemented, however, when possible, these rules apply:
   • Passwords will be required to be a minimum of 8 characters long, containing at least one (1) numeric character.
   • Passwords will expire in a maximum of 90 days.
   • Passwords will be deactivated if not used for a period of 60 days.

3. Employees that access the systems have the responsibility to protect the confidentiality of information which they use in the course of their assigned duties.

2.5  Information Availability

Information availability is the responsibility of the employees. Access to information will be granted as needed to all employees to support their required processes, functions and timelines. Proven backup and recovery procedures for all information elements to cover the possible loss or corruption of system data are the responsibility of the hosting employees. Required availability will vary with normal cycles of use (i.e. information is used constantly throughout the day, but is only periodically accessed during the evening by a backup process, becomes archival after the backup is complete). The following asset availability definitions should include a statement detailing over what time period the definition is accurate for (i.e. Constant during business hours, archival after year-end, etc.):

The Facilities Security in charge will be responsible for:

1. publishing a Service Level Agreement for all users of the system including response time, hours of availability and all other services contracted,
2. ensuring all backups are current, secure and accessible,
3. ensuring information facilities and data can be recovered, and
4. ensuring adequate technical support for systems, data base access and operating systems.

3. Incident Management

1.Incident management responsibilities and procedures must be established by the CISO and its associates to ensure a quick, effective and orderly response to security incidents. Procedures must be established to cover all potential types of security incidents, including:

(A) information system failures and loss of service,
(B) denial of service,
(C) errors resulting from incomplete or inaccurate business information, and
(D) breaches of confidentiality.

2.In addition to normal contingency plans (designed to recover systems or services as quickly as possible), the procedures must also cover:
(A) analysis and identification of the cause of the incident,
(B) planning and implementation of remedies to prevent recurrence, if necessary,
(C) collection of audit trails and similar evidence,
(D) communication with those affected by or involved with recovery from the incident, and
(E) reporting the action to the security administration function at the hosting agency.

3.Audit trails and similar evidence must be collected and secured as appropriate, for:
(A) internal problem analysis,
(B) use as evidence in relation to a potential breach of contracts, policies, or regulatory requirements,
(C) use in the event of civil or criminal proceedings, e.g. under computer misuse or information protection, and
(D) use in negotiating for compensation from software and service suppliers.

4. Action to recover from security breaches and correct system failures should be carefully and formally controlled. The procedures must ensure that:
(A) only clearly identified and authorized staff are allowed access to live systems and information,
(B) all emergency actions taken are documented in detail,
(C) emergency action is reported to management and reviewed in an orderly manner, and
(D) the integrity of business systems and controls is confirmed with minimal delay.

4. Event Logging and Monitoring

1.Audit logs recording exceptions and other security-relevant events must be produced and kept for an agreed period to assist in future investigations and access control monitoring. Audit logs should include:

• user IDs,
• dates and times for log-on and log-off,
• terminal identity or location if possible,
• records of successful and rejected system access attempts, and
• records of successful and rejected data and other resource access attempts.

2. Certain audit logs may be required to be archived as part of the record retention procedures or because of requirements to collect evidence.

3. Procedures for monitoring use of information processing facilities must be established and the result of the monitoring activities reviewed regularly. Such procedures are necessary to ensure that users are only performing activities that have been explicitly authorized. The level of monitoring required for individual facilities should be determined by a risk assessment. Areas that should be considered include:

1. Authorized access, including detail such as:
   • the user ID,
   • the date and time of key events,
   • the types of events,
   • the files accessed, and
   • the program/utilities used.
2. All privileged operations, such as:
   • use of supervisor account,
   • system start-up and stop, and
   • I/O device attachment/detachment.
3. Unauthorized access attempts, such as:
   • failed attempts,
   • access procedure violations and notifications for network gateways and firewalls, and
   • alerts from proprietary intrusion detection systems.
4. System alerts or failures such as:
   • console alerts or messages,
   • system log exceptions, and
   • network management alarms.

5. Risk Management

Risk management encompasses risk assessment, risk mitigation as well as evaluation and assessment. The risk assessment process includes identification and evaluation of risks and risk impacts and recommendation of risk-reducing measures. Risk mitigation refers to prioritizing, implementing and maintaining the appropriate risk-reducing measures recommended from the risk assessment process. Through a continual evaluation process, the facility in charge is responsible for determining whether the remaining risk is at an acceptable level or whether additional security controls should be implemented to further reduce or eliminate the residual risk.

5.1 Risk Assessment

1. The Facility in charge will be responsible for determining the likelihood of an adverse event, the threats to system resources, the vulnerability of the system and the impact such an adverse event may have.
2. To determine the likelihood of an adverse event, consider:
   • Motivation
   • Nature of the vulnerability
   • Current controls
3. A threat needs, and cannot exist without a vulnerability. A vulnerability is a weakness that can be intentionally or accidentally triggered. Threats can be posed from a lot of sources, some of which are:
   • System Intruders (hackers)
   • Criminals
   • Terrorists
   • Espionage
   • Insiders which could be malicious or a result of poor training
4. In identifying the vulnerabilities, consideration must be given to:
   • Hardware
   • Software
   • Network
   • System Interfaces
   • Data and information
   • People who support and use the system.
   • Information sensitivity
5. The impact of an adverse event is the:
   • Loss of Integrity
   • Loss of Availability
   • Loss of Confidentiality

5.2 Risk Mitigation

Facility in charge is responsible for reducing risk to all information assets. The following are options provided in analyzing the alternatives.

1. Risk Assumption. To accept the potential risk and continue operating the IT system or to implement controls to lower the risk to an acceptable level.
2. Risk Avoidance. To avoid the risk by eliminating the risk cause and/or consequence (e.g., forgo certain functions of the system or shut down the system when risks are identified).
3. Risk Limitation. To limit the risk by implementing controls that minimizes the adverse impact of a threat exercising a vulnerability (e.g., use of supporting, preventive, detective controls).
4. Risk Planning. To manage risk by developing a risk mitigation plan that prioritizes, implements and maintains controls.
5. Research and Acknowledgment. To lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct the vulnerability.
6. Risk Transference. To transfer the risk by using other options to compensate for the loss, such as purchasing insurance.

6.0 Personnel/ User Issues

1. Personnel awareness of the information security Policy, procedures, guidelines and best practices is the responsibility of all employees. Adherence to the Policy, procedures, guidelines and best practices is the responsibility of Facility in charge on behalf of the employees.
2. Information security must be adopted at all levels as a “norm” of job performance. Information systems and data are vulnerable. With constant re-enforcement and monitoring, individuals will accept their responsibility to protect the information assets of the State and relate their performance in this area to standards of performance.
3. The IT staff must be alert and trained in offensive and defensive methods to protect the information assets. Adequate staffing and key position backup are essential to run and maintain a secure environment.

6.1 Staffing

Adequate staffing, training and backup are the responsibility of facility in charge. Facility in charge will be responsible for

1. ensuring qualifications meet position requirements,
2. identifying roles that will impact operations when not filled, i.e. if the incumbent leaves or cannot perform the function,
3. ensuring training is in place to keep key individuals current with the technology available in the marketplace (this is particularly important with regards to the Internet and data base controls), and
4. documenting contingency plans if critical functions are not available.

6.2 Awareness/ Training

1.The purpose of awareness presentations are simply to focus attention on security and are intended to allow individuals to recognize IT security concerns and respond accordingly. Awareness relies on reaching broad audiences, whereas training is more formal, having a goal of building knowledge and skills to facilitate job performance.

2.Effective IT security awareness presentations must be designed. Awareness presentations must be on-going, creative and motivational, with the objective of focusing attention so that the learning will be incorporated into conscious decision- making.

3.The CSIO will be responsible for:

• communicating the minimum standards for all related policies and procedures,
• providing recommendations for best practices in selected areas related to information security, and
• providing all necessary information for the development of an awareness program

4.Facility in charge will:

• create and present security awareness sessions for their staff members, and
• ensure all staff members have attended an awareness session.

5.All current employees as well as new employees or contractors when hired that have access to any information assets must be briefed by the Facility in charge as follows:

• the access requirements of their position or contract,
• their responsibilities for safeguarding sensitive information and assets,
• all information security policies, procedures, guidelines and best practices, and
• a written document outlining the contents of the briefing and the date, which should be signed by the individual briefed acknowledging receipt of its contents.

6.3 Personal Computer Usage

1.All users are given access to computers and other equipment at Information Processing Facilities for job related duties and this usage must remain in compliance with XXX’s policies as well as all laws governing usage and communication of information. Failure to comply will result in the denial of access privileges and may for employees lead to disciplinary action up to and including dismissal. For contractors, it may lead to the cancellation of the contractual agreement. Litigation may ensue.

2. In the effort to protect the integrity of the network and its systems, any proof of unauthorized or illegal use of any computer and/or its accounts will warrant the immediate access to these files, accounts and/or systems by the
security and information systems staff and appropriate action will be taken.

3.Information Security Policy for computer usage prohibits the use of its resources to:

• Send email using someone else’s identity (Email forgery).
• Take any action that knowingly will interfere with the normal operation of the network, its systems, peripherals and/or access to external networks.
• Install any system or software on the network without prior approval.
• Install any software systems or hardware that will knowingly install a virus, Trojan horse, worm or any other known or unknown destructive mechanism.
• Attempt IP spoofing.
• Attempt the unauthorized downloading, posting or dissemination of copyrighted materials.
• Attempt any unauthorized downloading of software from the Internet.
• Transmit personal comments or statements in a manner that may be mistaken as the position of the XXX.
• Access, create, transmit (send or receive), print or download material that is discriminatory, derogatory, defamatory, obscene, sexually explicit, offensive or harassing based on gender, race, religion, national origin, ancestry, age, disability, medical condition, sexual orientation or any other status protected by state laws.

4. Furthermore, it is the XXX’s position that all messages sent and received, including personal messages and all information stored on the electronic mail system, voicemail system or computer systems are XXX property regardless of the content. As such, it reserves the right to access, inspect and monitor the usage of all of its technology resources including any files or messages stored on those resources at any time, in its sole discretion, in order to determine compliance with its policies, for purposes of legal proceedings, to investigate misconduct, to locate information or for any other business purpose.

6.4 Email Usage

1. Electronic mail (email) is a highly efficient form of modern communication media. Used appropriately, email provides people with a means to communicate thereby facilitating business contact. However, this convenience also tempts users to experiment or take advantage of this media, resulting in email of unwelcome types (collectively known along with other unwelcome activity as Net Abuse). The improper use of this email technology may jeopardize systems integrity, security and service levels. Access to email is provided to users to assist them to perform their work and their use of email must not jeopardize operation of the system or the reputation and/or integrity of the XXX.

2. Email accounts are made available to all staff that require the service for the performance of job related functions. The following statements apply:

• All email and associated system resources are the property of the XXX. Email is subject to the restrictions on its use and the review process as per policy of Access control. Its use and content may be monitored.
• Users must comply with all applicable legislation, regulations, policies and standards. This includes complying with copyright and license provisions with respect to both programs and data.
• While email is provided as a business tool to users, its reasonable, incidental use for personal purposes is acceptable. This use must not, however, detrimentally affect employee productivity, disrupt the system and/or harm the XXX’s reputation.

3. Users may not:

• use email for commercial solicitation or for conducting or pursuing their own business interests or those of another organization,
• use email to distribute hoaxes, chain letters or advertisements and/or send rude, obscene, threatening or harassing messages,
• use email to distribute pornographic material or hate literature,
• use email to harass other staff members,
• use email to send executable programs or games,
• use email to send potentially offensive material, and
• propagate viruses knowingly or maliciously.

4. Users must not send, forward and/or reply to large distribution lists concerning non-XXX business. In addition, users must consider the impact on the network when creating and using large, work-related distribution lists.

5. Email is a record and therefore management of email must comply with existing legislation, regulations, policies and standards.

6. Alleged inappropriate use of the email technology will be reviewed by the facility in charge on a case by case basis and may lead to disciplinary action up to and including dismissal. In respect to contractors, it may lead to cancellation of the contractual arrangement. In any of the cases, it may lead to litigation.

6.5 Internet/ Intranet security

1.The World Wide Web (WWW) is a system for exchanging information over the Internet. An Intranet is a proprietary network that is specific for our entity.

2.At the most basic level, the Web can be divided in two principal components:Web servers, which are applications that make information available over the Internet (in essence publish information) and Web browsers (clients), which are used to access and display the information stored on the Web servers. The Web server is the most targeted and attacked host on most organizations’ network. As a result, it is essential to secure Web servers and the network infrastructure that
supports them.

3.The specific security threats to Web servers generally fall into one of the following categories:

• Malicious entities may exploit software bugs in the Web server, underlying operating system or active content to gain unauthorized access to the Web server. Examples of unauthorized access are gaining access to files or folders that were not meant to be publicly accessible or executing privileged commands and/or installing software on the Web server.
• Denial of Service attacks may be directed to the Web server denying valid users an ability to use the Web server for the duration of the attack.
• Sensitive information on the Web server may be distributed to unauthorized individuals.
• Sensitive information that is not encrypted when transmitted between the Web server and the browser may be intercepted.
• Information on the Web server may be changed for malicious purposes. Web site defacement is a commonly reported example of this threat.
• Malicious entities may gain unauthorized access to resources elsewhere in the organization’s computer network via a successful attack on the Web server.
• Malicious entities may attack external organizations from a compromised Web server, concealing their actual identities and perhaps making the organization from which the attack was launched liable for damages.
• The server may be used as a distribution point for illegal copies software attack tools, or pornography, perhaps making the organization liable for damages.

4.The Facility in charge is responsible for the Web server. Some examples of controls to protect from unauthorized access or modification are:

• install or enable only necessary services,
• install Web content on a dedicated hard drive or logical partition,
• limit uploads to directories that are not readable by the Web server,
• define a single directory for all external scripts or programs executed as part of Web content,
• disable the use of hard or symbolic links,
• define a complete Web content access matrix that identifies which folders and files within the Web server document directory are restricted and which are accessible (and by whom), and
• use host-based intrusion detection systems and/or file integrity checkers to detect intrusions and verify Web content.

5.Maintaining a secure Web server is the responsibility of the facility in charge and involves the following steps:

• configuring, protecting and analyzing log files,
• backing up critical information frequently,
• maintaining a protected authoritative copy of the organization’s Web content,
• establishing and following procedures for recovering from compromise,
• testing and applying patches in a timely manner, and
• testing security periodically.

6.A firewall environment must be employed to perform the following general functions:

• filter packets and protocols,
• perform inspection of connections,
• perform proxy operations or selected applications,
• monitor traffic allowed or denied by the firewall, and
• provide authentication to users using a form of authentication that does not rely on static, reusable passwords that can be sniffed.

7.The Facility in charge’s responsible for Internet security will:

1. Keep operational systems and applications software up to date. Because software systems are so complex, it is common for security related problems to be discovered only after the software has been in widespread use. Although most vendors try to address known security flaws in a timely manner, there is normally a gap from the time the problem is publicly known, the time the vendor requires to prepare corrections and the time you install the update. This gap gives potential intruders an opportunity to take advantage of this flow and mount an attack on computers and networks. To keep this time interval as short as possible, it is required to stay aware of:
   • announcements of security-related problems that may apply,
   • immediate actions to reduce exposure to the vulnerability, such as disabling the affected software and
   • permanent fixes from vendors.
2. Restrict only essential network services and operating system on the host server.
   • Ensure that only the required set of services and applications are installed on the host server. Either do not install unnecessary services or turn the services off and remove the corresponding files (and any other unnecessary files) from the host.
3. Configure computers for file backup.
4. Protect computers from viruses and programmed threats.
5. Allow only appropriate physical access to computers.
6. Design, implement and monitor an effective firewall system.

7.0 Physical and Environmental Security

1.The Facility in charge has the responsibility for documentation, execution, monitoring and testing of a physical security plan for both computer and telecommunication assets. This physical security plan would evaluate the risks from potential losses due to

• physical destruction or theft of physical assets,
• loss or destruction of information and program files,
• theft of information,
• theft of indirect assets, and
• delay or prevention of computer processing.

2.Included in the plan would be measures for reducing the possibility of a loss and must address:

• changes in the environment to reduce exposure,
• measures to reduce the effect of a threat,
• improved control procedures,
• early detection, and
• contingency plans.

7.1 Operations center

The following are guidelines of the action items for establishing, implementing and maintaining a physical security program at the hosting agency:

• conduct a risk analysis,
• determine local natural disaster probabilities,
• protect supporting utilities.
• ensure computer reliability,
• provide physical protection.
• implement procedural security,
• plan for contingencies,
• develop security awareness, and
• validate the program.

7.2 Operations Monitoring

1.Facility in charge can monitor security effectiveness by comparing performance to the metrics in a service level agreement and incidents that occur in violation of security policies and procedures.

2.Guidelines for hosting agencies in establishing a service level agreement are:

• hours of system availability,
• hours of application system support,
• hours of technical support,
• off hours support,
• average system response time, and
• other metrics as suitable for agency specific applications.

3. Facilities in charge should have a goal of achieving 99.9%+ of the metrics established in the service level agreement. Failure to achieve these targets could be an indication of security breaches.

4. In so far as incidents are concerned, both offensive and defensive actions to protect the security of physical assets should be considered routine. Examples of offensive actions include:

• routine changes of passwords,
• develop an escalation procedure of incidents,
• routine changes of locks or combinations to the facilities,
• have more than one person knowledgeable for critical functions,
• rotate shifts or people between functions,
• monitor all incursion attempts,
• install latest versions of firewall software,
• maintain 24×7 vendor contact list,
• routine backups,
• off-site storage of system information and programs,
• redundant components, lines for critical systems, and
• testing of recovery procedures.

5. Examples of defensive actions include:

• report and action all deviations to security policies and procedures,
• shut down any infected machine immediately,
• disconnect any problem areas from the network,
• revoke privileges of users violating policies,
• assign severity to an issue and escalate, and
• acquire knowledgeable resources.

7.3 Back- Up of Information

Back-up copies of essential business information and software must be taken regularly. Adequate backup facilities should be provided to ensure that all essential business information and software can be recovered following a disaster or media failure. Backup arrangements for individual systems should be regularly tested to ensure that they meet the requirements of business continuity plans. The following controls must be considered:

• A minimum level of back-up information, together with accurate and complete records of the back-up copies and documented restoration procedures, should be stored in a remote location at a sufficient distance to escape any damage from a disaster at the main site. At least three generations or cycles of back-up information should be retained for important business applications.
• Back-up information should be given an appropriate level of physical and environmental protection consistent with the XXX’s Back up policy. The controls applied to media at the main site should be extended to cover the back-up site.
• Back-up media should be regularly tested, where practicable, to ensure that hey can be relied upon for emergency use when necessary.
• Restoration procedures should be regularly checked and tested to ensure that they are effective and that they can be completed within the time allotted in the operational procedures for recovery.
• The retention period for essential business information and also any requirement for archive copies to be permanently retained should be determined.

7.4 Access Control

Logical and physical access controls are required to ensure the integrity of the information and physical assets and should be done at per the XXX’s Access control policy. The following guidelines for controlling logical access should be implemented by the facilities in charge.

• document and adhere to procedures for granting, modifying and revoking access,
• ensure segregation of duties for access
• install detection mechanisms for unauthorized access attempts,
• timeout a session after 15 minutes of inactivity, and
• revoke access after an inactivity period of 60 days.

Physical access control guidelines for all employees include:

1. all telecommunication and computer related equipment are to be in a secured, locked environment,
2. access codes for secure environments must be changed at least every 60 days or in the event of an individual departing that previously had access,
3. account for all keys issued for those facilities using this method and replace locking mechanism when a key is missing,
4. when the system permits, log all accesses and retain, and
5. secure all peripherals such as air conditioning, generators, etc.
6. segregation of duties must be implemented to prevent unauthorized access to systems or data

7.5 Network

1. Unsecured connections to network services can affect the whole organization. Users must only have direct access to the services that they have been specifically authorized to use. This control is particularly important for network connections to sensitive or critical business applications or to users in high-risk locations, e.g. public or external areas that are outside the organization’s security management and control.
2. The use of networks and network services covers:
   • the networks and network services which are allowed to be accessed,
   • authorization for determining who is allowed to access which networks and networked services, and
   • management controls to protect the access to network connections and network services.
3. The path from the user terminal to the computer service must be controlled. Networks are designed to allow maximum scope for a sharing of resources and flexibility of routing. These features may also provide opportunities for unauthorized access to business applications, or unauthorized use of information facilities. Incorporating controls that restrict the route between a user terminal and the computer services its user is authorized to access, e.g. creating an enforced path can reduce such risks. The objective of an enforced path is to prevent any users selecting routes outside the route between the user terminal and the services that the user is authorized to access. This usually requires the implementation of a number of controls at different points in the route. The principle is to limit the routing options at each point in the network, through predefined choices.
4. The following methods should be implemented to limit the path to a service:
   • allocating dedicated lines or telephone numbers,
   • automatically connecting ports to specified application systems or security gateways,
   • limiting menu and submenu options for individual users,
   • preventing unlimited network roaming,
   • enforcing the use of specified application systems and/or security gateways for external network users,
   • actively controlling allowed source to destination communications via security gateways, e.g. firewalls, and
   • restricting network access by setting up separate logical domains, e.g. virtual private networks, for user groups within the organization.
5. External connections provide a potential for unauthorized access to business information, e.g. access by dial-up methods. Therefore, access by remote users must be subject to authentication. There are different types of authentication method, some of these provide a greater level of protection than others, e.g. methods based on the use of cryptographic techniques can provide strong authentication. It is important to determine from a risk assessment the level of protection required. This is needed for the appropriate selection of an authentication method.
   • Authentication of remote users should be achieved using one of the following techniques:
   • a cryptographic based technique,
   • hardware tokens,
   • a challenge/response protocol,
   • dedicated private lines or a network user address checking, and
   • call-back.
6. Dial-back and controls, e.g. using dial-back modems, can provide protection against unauthorized and unwanted connections to an organization’s information processing facilities. This type of control authenticates users trying to establish a connection to an organization’s network from remote locations. When using this control an organization should not use network services which include call forwarding or, if they do, they should disable the use of such features to avoid weaknesses associated with call forwarding. It is also important that the call back process includes ensuring that an actual disconnection on the organization’s side occurs. Otherwise, the remote user could hold the line open pretending that call back verification has occurred. Call back and controls should be thoroughly tested for this possibility.
7. A facility for automatic connection to a remote computer could provide a way of gaining unauthorized access to a business application. Connections to remote computer systems must therefore be authenticated. This is especially important if the connection uses a network that is outside the control of the organization’s security management. Node authentication can serve as an alternative means of authenticating groups of remote users where they are connected to a secure, shared computer facility.
8. Access to diagnostic ports must be securely controlled. Many computers and communication systems are installed with a dial-up remote diagnostic facility for use by maintenance engineers. If unprotected, these diagnostic ports provide a means of unauthorized access. They should therefore be protected by an appropriate security mechanism, e.g. a key lock to ensure that they are only accessible by arrangement.
9. Networks are increasingly being extended beyond traditional organizational boundaries as business partnerships are formed that may require the interconnection or sharing of information processing and networking facilities. Such extensions will increase the risk of unauthorized access to already existing information systems that use the network, some of which might require protection from other network users because of their sensitivity or criticality. In such circumstances, controls must be introduced in networks to segregate groups of information services, users and information systems.
10. The security of large networks should be controlled by dividing them into separate logical network domains, e.g. an organization’s internal network domains and external network domains, each protected by a defined security perimeter. Such a perimeter should be implemented by installing a secure gateway between the two networks to be interconnected to control access and information flow between the two domains. This gateway should be configured to filter traffic between these domains and to block unauthorized access in accordance with the organization’s access control procedures. An example of this type of gateway is what is commonly referred to as a firewall. The criteria for segregation of networks into domains should be based on the access control procedures and access requirements and also take account of the relative cost and performance impact of incorporating suitable network routing or gateway technology.
11. The connection capability of users must be restricted in shared networks, in accordance with the access control procedures.
12. Such controls should be implemented through network gateways that filter traffic by means of pre-defined tables or rules. The restrictions applied should be based on the access procedures and requirements of the business applications and should be maintained and updated accordingly. Examples of applications to which restrictions should be applied are:
    • electronic mail,
    • one-way file transfer,
    • both-ways file transfer,
    • interactive access, and
    • network access linked to time of day or date.
13. Shared networks must have routing controls to ensure that computer connections and information flows do not breach the access control policy of business applications. This control is essential for networks shared with third party (non-organization) users.
14. Routing controls should be based on positive source and destination address checking mechanisms. Network address translation is also a very useful mechanism for isolating networks and preventing routes to propagate from the network of one organization into the network of another. They can be implemented in software or hardware. Implementers should be aware of the strength of any mechanisms deployed. A wide range of public or private network services is available, some of which offer value added services. Network services may have unique or complex security characteristics.
15. A clear description of the security attributes of all network services used by the organization must be provided.

7.6 Electronic Commerce Security

1. Electronic commerce can involve the use of electronic data interchange (EDI), electronic mail and on line transactions across public networks such as the Internet. Electronic commerce is vulnerable to a number of network threats which may result in fraudulent activity, contract dispute and disclosure or modification of information and must be protected. The following issues must be resolved:
   • Authentication. What level of confidence should the customer and trader require in each other’s claimed identity?
   • Authorization. Who is authorized to set prices, issue or sign key trading documents? How does the trading partner know this?
   • Contract and tendering processes. What are the requirements for confidentiality, integrity and proof of dispatch and receipt of key documents and the non-repudiation of contracts?
   • Pricing information. What level of trust can be put in the integrity of the advertised price list and the confidentiality of sensitive discount arrangements?
   • Order transactions. How is the confidentiality and integrity of order, payment and delivery address details and confirmation of receipt, provided?
   • Vetting. What degree of vetting is appropriate to check payment information supplied by the customer?
   • Settlement. What is the most appropriate form of payment to guard against fraud?
   • Ordering. What protection is required to maintain the confidentiality and integrity of order information and to avoid the loss or duplication of transactions?
   • Liability. Who carries the risk for any fraudulent transactions?
2. Electronic commerce arrangements between trading partners should be supported by a documented agreement which commits both parties to the agreed terms of trading, including details of authorization. Other agreements with information service and value-added network providers may be necessary.
3. Consideration should be given to the resilience to attack of the host used for electronic commerce and the security implications of any network interconnection required for its implementation.

7.7 Mobile Computing

1. This must be in place and appropriate controls must be adopted to protect against the risks of working with mobile computing facilities, in particular in unprotected environments. For example, it should include the requirements for:
   • physical protection,
   • access controls,
   • cryptographic techniques,
   • back-ups, and
   • virus protection.
2. It should also include rules and advice on connecting mobile facilities to networks and guidance on the use of these facilities in public places.
3. Care should be taken when using mobile computing facilities in public places, meeting rooms and other unprotected areas outside of the organization’s premises. Protection should be in place to avoid the unauthorized access to, or disclosure of the information stored and processed by these facilities, e.g., using cryptographic techniques.
4. It is important that when such facilities are used in public places care is taken to avoid the risk of overlooking by unauthorized persons.
5. Equipment should be available to enable the quick and easy back-up of information. These back-ups should be given adequate protection against, e.g., theft or loss of information.
6. Suitable protection should be given to the use of mobile facilities connected to networks.
7. Remote access to business information across public network using mobile computing facilities should only take place after successful identification and authentication and with suitable access control mechanisms in place
8. Mobile computing facilities should also be physically protected against theft especially when left, for example, in cars and other forms of transport, hotel rooms, conference centers and meeting places. Equipment carrying important, sensitive and/or critical business information should not be left unattended and, where possible, should be physically locked away, or special locks should be used to secure the equipment.

7.8 Remote Computing

1. Remote computing uses communications technology to enable staff to work remotely from a fixed location outside of XXX. Suitable protection of the remote computing site should be in place against, e.g., the theft of equipment and information, the unauthorized disclosure of information, unauthorized remote access to the organization’s internal systems or misuse of facilities. It is important that remote computing is both authorized and controlled by management and that suitable arrangements are in place for this way of working.
2. Facility in charge should only authorize remote computing activities if they are satisfied that appropriate security arrangements and controls are in place and that these comply with the XXX’s security procedures and policies. The following should be considered:
   • the existing physical security of the remote computing site, taking into account the physical security of the building and the local environment,
   • the communications security requirements, taking into account the need for remote access to the organization’s internal systems, the sensitivity of the information that will be accessed and passed over the communication link and the sensitivity of the internal system, and
   • the threat of unauthorized access to information or resources from other people using the accommodation.
3. The controls and arrangements to be considered include:
   • the provision of suitable equipment and storage for the remote computing activities,
   • a definition of the work permitted, the hours of work, the classification of information that may be held and the internal systems and services that the user is authorized to access,
   • the provision of suitable communication equipment, including methods for securing remote access,
   • physical security,
   • the provision of hardware and software support and maintenance,
   • the process for back-up and business continuity, and
   • audit and security monitoring.

7.9 External Facilities

1. The use of an external contractor to manage information processing or communication facilities may introduce potential security exposures, such as the possibility of compromise, damage or loss of data at the contractor’s site.
2. Prior to using external facilities, the risks must be identified, and appropriate controls agreed with the contractor and incorporated into the contract. Particular issues that should be addressed include:
   • identifying sensitive or critical applications better retained in-house,
   • obtaining the approval of business application owners,
   • implications for business continuity plans,
   • security standards to be specified and the process for measuring compliance,
   • allocation of specific responsibilities and procedures to effectively monitor all relevant security activities, and
   • responsibilities and procedures for reporting and handling security incidents.

7.10 Encryption

1. Encryption should be applied to protect the confidentiality of sensitive or critical information.
2. Based on a risk assessment, the required level of protection should be identified taking into account the type and quality of the encryption algorithm used and the length of cryptographic keys to be used.
3. Specialist advice should be sought to identify the appropriate level of protection, to select suitable products that will provide the required protection and the implementation of a secure system of key management. In addition, legal advice may need to be sought regarding the laws and regulations that might apply to the organization’s intended use of encryption.
4. The use of cryptographic controls for the protection of information must be developed and followed. Such procedures are necessary to maximize benefits and minimize the risks of using cryptographic techniques and to avoid inappropriate or incorrect use.
5. The following should be considered:
   • the management guidelines on the use of cryptographic controls across the organization,
   • including the general principles under which business information should be protected,
   • the approach to key management, including methods to deal with the recovery of encrypted information in the case of lost, compromised or damaged keys,
   • roles and responsibilities, e.g. who is responsible for: the implementation of the procedures; the key management,
   • how the appropriate level of cryptographic protection is to be determined, and
   • the standards to be adopted for the effective implementation throughout the organization (which solution is used for which business processes).

8.0 Business Continuity

1. Information Technology facilities and systems are vulnerable to a variety of disruptions, some of which are short term (measured in minutes and hours) and others lasting for a day or longer. The intent of Business Continuity Planning is to be alert and ready to sustain an organization’s processes during and following a significant unforeseen disruption in services caused by disasters and security failures.
2. Business continuity should begin by identifying events that can cause interruptions to business processes, e.g., equipment failure, flood and fire. This should be followed by a risk assessment to determine the impact of those interruptions (both in terms of magnitude and recovery time frame). Both of these activities should be carried out with full involvement from owners of business resources and processes. This assessment considers all business processes and is not limited to the information processing facilities.
3. A strategy plan, based on appropriate risk assessment, must be developed for the overall approach to business continuity.
4. CISO will develop contingency plans for each major application or general support system to meet the needs of critical IT operations in the event of a disruption extending beyond a given time period. The length of the time period may vary with the system or facility involved. The execution of such a capability will be documented in a formal contingency plan, be reviewed annually and updated as necessary by the hosting agency. It must account for differential daily backups and complete weekly backups to be conducted and sent to a designated off-site facility. As well, the plans should assign specific responsibilities to designated staff or positions to facilitate the recovery and/or continuity of essential IT functions. Designated personnel will be trained to execute contingency procedures. An annual test of the recovery procedures will be conducted.
5. Business continuity management should include controls to identify and reduce risks, limit the consequences of damaging incidents, and ensure the timely resumption of essential operations.

8.1 Contingency Plan

1. A contingency plan provides the documented organizational plan to mitigate risks of business interruption and minimize the impact of any disruption of service. It must maintain instructions for achieving a full or minimally acceptable set of business objectives in the absence of assets, through cost-effective strategies to provide replacements for assets as they become unavailable. The Plan must involve advance planning and preparations to respond to external circumstances as determined by a risk assessment and continue to provide a pre-determined acceptable level of business functionality. It must be defined, implemented, tested and maintained to ensure continuity of organizational services in the event of a disruption. Each contingency plan is unique and must be tailored to organization’s requirements; it must be flexible enough to allow additions, modifications and maintenance. The plan should minimize dependency on individuals for interpretation and implementation – in the event of emergency, key personnel may not be available. It must ensure completeness and establish critical decisions. Always make sure that the plan remains current. The following questions must be answered:
   • What risks the organization is facing in terms of their likelihood and their impact, including an identification and prioritization of critical business processes?
   • How long can the enterprise operate without this asset?
   • What are the impact interruptions are likely to have on the business (it is important that solutions are found that will handle smaller incidents, as well as serious incidents that could threaten the viability of the organization), and establishing the business objectives of information processing facilities?
   • What is the maximum acceptable delay before which temporary systems must be made available?
   • What is the minimum time in which temporary systems may be expected to become available?
   • At what minimally acceptable level of functionality can the enterprise operate?
   • How long can the enterprise operate at a minimally acceptable level of performance?
   • At what point can the enterprise begin to resume normal operations?
   • At what point must the enterprise begin to resume normal operations?
2. A Contingency Plan should contain the roles, responsibilities and procedures for restoring a system or facility following a major disruption. The following guidelines represent the stages to be followed in preparing and executing a Contingency Plan:
   • Documentation – A plan must be documented, tested and communicated. Included in the plan should be a mission, a scope of what is included and not included assumptions, requirements, staffing and responsibilities.
   • Notification/Activation – Internally within IT, the notification, timing and paths should be documented. There should only be one voice talking for the recovery team for communication and escalation outside the boundaries of IT. Immediately following damage assessment, the plan is activated.
   • Recovery – The sequence of recovery activities should be documented in procedures. These activities are to restore operations which may be in temporary locations or with incomplete data.
   • Reconstitution – Restoring facilities and systems to the “norm” will include testing and proof of operations viability.
   • What equipment / facilities are expected to be unavailable?
   • What is the timing of the disruption?
   • What records, files and materials may / may not be expected to be protected from destruction?
   • What resources are available or required following the event?
     • Applications / Processes
     • Functionality / Capacity
     • Equipment / Infrastructure
     • Staff /Skills
     • Connectivity / Network
     • Data Sources
     • Facilities / Services / Physical Premises
     • Transportation
     • Documentation / Reference material
     • Security Policies and Procedures
     • Specific Policies and Procedures
     • Authorization
3. Following is a list of considerations that, at a minimum, must be addressed in creating contingency plans:
   • What additional security measures are required to protect assets in the planning, execution and maintenance of procedures to assure business continuity?
   • What degree of functionality is still available at the main facility, if any?
   • Availability of staff to perform critical functions defined within the plan.
   • Ability of staff to be notified and report to the backup site(s) to execute contingency plans.
   • Backup files and recovery methods.
   • Off-site storage facilities and materials availability.
   • Disaster recovery plan.
   • Suitability of subsets of the overall plan, to be used to recover from minor interruptions.
   • Availability of an alternate facility.
   • Off-site availability of critical forms and supplies, either at an alternate facility or off-site storage.
   • Existence of a backup site for processing the organization’s work.
   • Availability of long distance and local communications lines.
   • Quality of surface transportation in from local to remote sites.
   • Ability of vendors to perform according to their general commitments to support the organization in a disaster.
   • Provisions for staff while at off-site location (food, water, telephones, beds, etc.) This list of considerations is not all inclusive and must be added to as appropriate.
4. General requirements of contingency plans must include:
   • Definitions of conditions under which the Business Recovery Strategy must be implemented.
   • Recovery point objective stages.
   • Recovery time objective stages.
   • Security preservation checklist.
   • Task Assignments.
   • Post-event Recovery Analysis.
   • Required resources, by priority.
   • Required recovery time / levels of availability of resources.
   • Documentation of normal and response procedures.

8.2 Disaster Recovery plan

1. A Disaster Recovery Plan is intended to maintain critical business processes in the event of the loss of any of the following areas for an extended period of time:

• desktop computers and portable systems,
• servers,
• Web sites,
• local area networks,
• wide area networks,
• distributed systems, and
• mainframe systems.

2. Teams should be formed to address each of the areas indicated consisting of a team lead and designate as well as key knowledge personnel required for that particular area. All contact information must be available for IT management, team members, all IT personnel and designated business unit management. When available, this information should include:

• work telephone number,
• pager number,
• home telephone number,
• cellular telephone number,
• work email address,
• home email address, and
• home address.

3. Upon receiving the information of a serious incident any member of management can invoke the Plan. Depending on the nature of the incident a command center will be established, and appropriate teams mobilized. Management and the team leads are responsible for contacting all required personnel. All roles would have designated in the event one or more individuals are unavailable.

4. Communications to the IT department is the responsibility of Management and the Team Lead. In respect to external communications, it is extremely important that there is a single point of disclosure in order to ensure accurate and timely updates. The following roles and individuals must be determined and documented:

• Upwards, within the affected part organization.
• Outwards to affected agencies.
• Outwards to the public.

5. Hard copies of the Plan must be:

• stored off site at a secure location,
• stored at the personal residence of the team leads,
• stored at the personal residence of all IT managers and directors, and
• stored on a secure internet site.

6. As soon as an emergency is detected:

• Identify the problem and,
  • Notify emergency services in cases of physical threats to personnel or facilities,
  • Notify the CISO and his alternate.
  • Notify the appropriate team leads. In the event of a mainframe disaster, notify all team leads.
  • Notify vendors and business partners.
• Evacuate the premises if there are concerns of personal safety. All personnel should:
  • be aware of evacuation routes and
  • have in possession or be aware of notification numbers.
• educe any exposure:
  • In the event of air conditioning failure (this usually involves powering down the systems at a temperature determined by the tolerances set by the manufacturer),
  • In the event of fire (this usually involves the automatic releasing of fire retardant, cutting of power, notification to emergency services and evacuation),
  • In the event of electrical failure (If a UPS and generator are available, usually the only action is to monitor fuel levels of the generator. If a UPS only is available, shut down procedures should begin and be terminated with at least 20% of rated capacity left),
  • In the event of flood, water or wind damage (this usually involves the normal powering down all systems if possible. If not, the immediate cut off of power is required, followed by notification to emergency services and evacuation),
  • In the event of malicious intrusion (this usually involves the immediate isolation of affected hardware from all networks and connectivity. Usually, the extent of exposure and damage is not immediately known so the immediate isolation of all network links is recommended and processing on affected facilities halted pending analysis by crisis teams).
• Initiate backup site process:
  • The Plan Coordinator establishes a command-and-control center (usually an onsite and offsite center have been previously identified and the necessary computer and communication links are readily available).
  • The Plan Coordinator ensures all team leaders are notified (usually it is the responsibility of the Team Lead to get in touch with all team members).
  • The Plan Coordinator notifies the off-site storage facility that a contingency event has occurred and to ship the necessary materials as determined in the damage assessment to the alternate site.
  • The Plan Coordinator notifies the alternate site that a contingency event has occurred and to prepare the facility for the organization’s arrival.
  • Both upward and outward communication on status is the responsibility of the Plan Coordinator (usually set times are pre-established such as: immediate after 1 hour, after 3 hours, etc. or at major milestones such as problem determination, resolution plan, when planned resumption of services is known and start-up of services is accomplished).
  • The Plan Coordinator is responsible for managing expectations.
• Initiate recovery at the alternate site:
  • Contingency plan is followed using documented recovery points and defined priorities.
  • The Plan Coordinator reviews responsibilities with all team members and establishes recovery logs.
  • Recovery goals and procedures are established and prioritized by the Plan Coordinator.

7. The Disaster Plan appendices should include:

• Personnel Contact List
• Vendor Contact List
• Equipment and Specifications.
• Service Level Agreements.
• Related Contracts.

8.3 Business Recover Strategy

1. A Business Recovery Strategy provides the documented organizational plan to restore full business functionality as quickly and as cost-effectively as possible. The Business Recovery Strategy is initiated as soon as the enterprise is deemed able to resume normal operations following a disaster.
2. The Business Recovery Strategy must involve advance planning and preparations to recover from external circumstances. Recovery strategies must be created, implemented, tested and maintained to ensure restoration of organizational services in the event of an interruption.
3. A “worst case scenario” must be the basis for developing the plan, where the worst-case scenario is the destruction of the main or primary facility. Because the plan is written based on this premise, less critical situations can be handled by using subsets of the plan, with minor (if any) alterations required. Recovery from, or mitigation of a scenario should not be considered an all-or-nothing proposition. Many stages may be required, each with its own success conditions, before a ‘final’ state of continuity or recovery is reached.
4. Specific goals of the Business Recovery Strategy must include:
   • Complete service functionality recovery objectives, in stages, by delay, duration and degree.
   • Details of processes already in place to recover from an incident.
   • Details of what degree of business functionality they may be expected to restore.
   • In what length of time existing process may be expected to restore service.
   • Requirements to bridge from existing processes to sufficient processes.
   • Lead time to secure additional resources.
5. The Business Recovery Strategy must include detailed, step-by-step instructions for how to replace / restore the following, in appropriate sequence:
   • Applications / Processes
   • Functionality / Capacity
   • Equipment / Infrastructure
   • Staff /Skills
   • Execution Duration / Delay
   • Connectivity / Network
   • Data Sources
   • Facilities / Services / Physical Premises
   • Transportation
   • Documentation / Reference material.

9.0 Data Center Management

1. Related specifically to security of information and data center management, the pace of change, the reality of the World Wide Web and the increasing numbers of internal and external portals demand constant monitoring with both offensive and defensive strategies.

9.1 Process

1. The process should specify the instructions for the detailed execution of each job including the following:
   • processing and handling of information,
   • scheduling requirements, including interdependencies with other systems, earliest job start and latest job completion times,
   • instructions for handling errors or other exceptional conditions, which might arise during job execution, including restrictions on the use of system utilities,
   • support and owner contacts in the event of unexpected operational or technical difficulties,
   • special output handling instructions, such as the use of special stationery or the management of confidential output, including procedures for secure disposal of output from failed jobs, and
   • system restart and recovery procedures for use in the event of system failure.
2. The process should also be prepared for system housekeeping activities associated with information processing and communication facilities, such as computer start-up and close-down procedures, back-up, equipment maintenance, computer room and mail handling management and safety.

9.2 Operational Change Control

1. Changes to information processing facilities and systems must be controlled. Inadequate control of changes to information processing facilities and systems is a common cause of system or security failures. Formal management responsibilities and procedures should be in place to ensure satisfactory control of all changes to equipment, software or procedures.
2. Operational programs should be subject to strict change control. When programs are changed an audit log containing all relevant information should be retained. Changes to the operational environment can impact applications. Wherever practicable, operational and application change control procedures should be integrated.
3. In particular, the following controls must be implemented:
   • identification and recording of significant changes,
   • assessment of the potential impact of such changes,
   • formal approval procedure for proposed changes,
   • communication of change details to all relevant persons, and
   • procedures identifying responsibilities for aborting and recovering from unsuccessful changes.

9.3 Segregation of Duties

1. Duties and areas of responsibility must be segregated in order to reduce opportunities for unauthorized modification or misuse of information or services.

2. Small agencies may find this method of control difficult to achieve, but the principle should be applied as far as is possible and practicable. Whenever it is difficult to segregate, other controls such as monitoring of activities, audit trails and management supervision must be implemented. It is important that security audit remains independent.

3. Care should be taken that no single person can perpetrate fraud in areas of single responsibility without being detected. The initiation of an event should be separated from its authorization.

4. The following controls must be implemented:

• It is important to segregate activities which require collusion in order to defraud, e.g. raising a purchase order and verifying that the goods have been received.
• If there is a danger of collusion, then controls need to be devised so that two or more people need to be involved, thereby lowering the possibility of conspiracy.
• Separation of duties of both physical and logical access controls must be implemented to separate the access and functions of:
  • information systems and infrastructure administration to include configuration;
  • security, audit, and accountability functions;
  • privileged users and power user functions.
  • data analysis and report generation functions.
  • general user functionality and associated access must be segregation between user and administrative functions and access must be maintained.

9.4 Separation of Development and Operational Facilities

1. Development and testing facilities must be separated from operational facilities. Rules for the transfer of software from development to operational status should be defined and documented.
2. Development and test activities can cause serious problems, e.g. unwanted modification of files or system environment or of system failure. The level of separation that is necessary, between operational, test and development environments, to prevent operational problems should be considered. A similar separation should also be implemented between development and test functions. In this case, there is a need to maintain a known and stable environment in which to perform meaningful testing and to prevent inappropriate developer access.
3. Where development and test staff have access to the operational system and its information, they may be able to introduce unauthorized and untested code or alter operational information. On some systems this capability could be misused to commit fraud or introduce untested or malicious code. Untested or malicious code can cause serious operational problems.
4. Developers and testers also pose a threat to the confidentiality of operational information. Development and testing activities may cause unintended changes to software and information if they share the same computing environment. Separating development, test and operational facilities is therefore desirable to reduce the risk of accidental change or unauthorized access to operational software and business information.
5. The following controls should be considered:
   • Development and operational software should, where possible, run on different computer processors, or in different domains or directories.
   • Development and testing activities should be separated the best way possible.
   • Compilers, editors and other system utilities should not be accessible from operational systems.
   • Different log-on procedures should be used for operational and test systems, to reduce the risk of error. Users should be encouraged to use different passwords for these systems and menus should display appropriate identification messages.
   • Development staff should only have access to operational passwords where controls are in place for issuing passwords for the support of operational systems. Controls should ensure that such passwords are changed after use.

9.5 Systems planning and acceptance.

To minimize the risk of systems failure:

1. Advance planning and preparation are required to ensure the availability of adequate capacity and resources.
2. Projections of future capacity requirements should be made, to reduce the risk of system overload.
3. The operational requirements of new systems should be established, documented and tested prior to their acceptance and use.

9.6 Capacity planning

1. Capacity demands must be monitored, and projections of future capacity requirements made to ensure that adequate processing power and storage are available. These projections should take account of new business and system requirements and current and projected trends in the organization’s information processing.
2. Mainframe computers require particular attention, because of the much greater cost and lead time for procurement of new capacity. Operations managers of mainframe services should monitor the utilization of key system resources, including processors, main storage, file storage, printers and other output devices and communications systems. They should identify trends in usage, particularly in relation to business applications or management information system tools.
3. These managers should use this information to identify and avoid potential bottlenecks that might present a threat to system security or user services and plan appropriate remedial action.
4. Acceptance criteria for new information systems, upgrades and new versions must be established and suitable tests of the system carried out prior to acceptance. Operations managers should ensure that the requirements and criteria for acceptance of new systems are clearly defined, agreed, documented and tested.
5. The following controls should be considered:
   • performance and computer capacity requirements,
   • error recovery and restart procedures and contingency plans,
   • preparation and testing of routine operating procedures to defined standards,
   • agreed set of security controls in place,
   • effective manual procedures,
   • business continuity arrangements as required,
   • evidence that installation of the new system will not adversely affect existing systems, particularly at peak processing times, such as month end,
   • evidence that consideration has been given to the effect the new system has on the overall security of the organization, and
   • training in the operation or use of new systems.
6. For major new developments, the operations function and users should be consulted at all stages in the development process to ensure the operational efficiency of the proposed system design. Appropriate tests should be carried out to confirm that all acceptance criteria are fully satisfied.

9.8 Operations and Fault logging

1. Operational staff must maintain a log of their activities. Logs should include as appropriate:
   • system starting and finishing times,
   • system errors and corrective action taken,
   • confirmation of the correct handling of data files and computer output, and
   • the name of the person making the log entry.
2. Faults must be reported, and corrective action taken. Faults reported by users regarding problems with information processing or communications systems should be logged. There should be clear rules for handling reported faults including:
   • review of fault logs to ensure that faults have been satisfactorily resolved, and
   • review of corrective measures to ensure that controls have not been compromised and that the action taken is fully authorized.

9.9 Management of Removable computer media

Appropriate Process must be established to protect documents, computer media (tapes, disks, cassettes, etc.), input/output data, and system documentation from damage, theft and unauthorized access. The following should be followed:

• If no longer required, the previous contents of any re-usable media that are to be removed from the organization should be erased.
• Authorization should be required for all media removed from the organization and a record of all such removals maintained.
• All media should be stored in a safe, secure environment, in accordance with manufacturers’ specifications.
• All process and authorization levels should be clearly documented.

9.10 Disposal of Media

Process for the secure disposal of media should be established to minimize this risk. The following controls should be considered:

1. Media containing sensitive information should be stored and disposed of securely and safely, e.g., by incineration or shredding or emptied of information for use by another application within the organization.
2. The following list identifies items that might require secure disposal:
   • paper documents,
   • voice or other recordings,
   • output reports,
   • one-time-use printer ribbons,
   • magnetic tapes,
   • removable disks or cassettes,
   • optical storage media (all forms and including all manufacturer software distribution media),
   • program listings,
   • test information, and
   • system documentation.
3. It may be easier to arrange for all media items to be collected and disposed of securely, rather than attempting to separate out the sensitive items.
4. Disposal of sensitive items should be logged where possible in order to maintain an audit trail.
5. Disposal of certain hardware must conform to the current EPA requirements or other relevant legislation in effect.

9.11 Exchanges of Information and Software

1. Exchanges of information and software between organizations should be controlled and should be compliant with any relevant legislation.
2. Exchanges should be carried out on the basis of agreements. Procedures and standards to protect information and media in transit must be established. The business and security implications associated with electronic data interchange, electronic commerce and electronic mail and the requirements for controls should be considered.
3. Agreements, some of which must be formal, must be established for the electronic or manual exchange of information and software between organizations. The security content of such an agreement should reflect the sensitivity of the business information involved. Agreements on security conditions should include:
   • responsibilities for controlling and notifying transmission, dispatch and receipt,
   • process for notifying sender, transmission, dispatch and receipt,
   • minimum technical standards for packaging and transmission,
   • courier identification standards,
   • responsibilities and liabilities in the event of loss of information,
   • information and software ownership and responsibilities for information protection, software copyright compliance and similar considerations,
   • technical standards for recording and reading information and software, and
   • any special controls that may be required to protect sensitive items, such as cryptographic.
4. Information can be vulnerable to unauthorized access, misuse or corruption during physical transport, for instance when sending media via the postal service or via courier. As such, media being transported must be protected from unauthorized access, misuse or corruption.

9.12 Publicly Available systems

1. Information on a publicly available system, e.g., information on a Web server accessible via the Internet, may need to comply with laws, rules and regulations in the jurisdiction in which the system is located or where trade is taking place. There must be a formal authorization process before information is made publicly available and the integrity of such information must be protected to prevent unauthorized modification.
2. Software, data and other information requiring a high level of integrity, made available on a publicly available system, should be protected by appropriate mechanisms, e.g. digital signatures. Electronic publishing systems, especially those that permit feedback and direct entering of information, should be carefully controlled so that:
   • information is obtained in compliance with any information protection legislation,
   • information input to and processed by the publishing system will be processed completely and accurately in a timely manner,
   • sensitive information will be protected during the collection process and when stored, and
   • access to the publishing system does not allow unintended access to networks to which it is connected.

9.13 Use of system utilities

1. Most computer installations have one or more system utility programs that might be capable of overriding system and application controls. Use of these system utility programs must be restricted and tightly controlled. The following controls should be considered:
   • use of authentication procedures for system utilities,
   • segregation of system utilities from applications software,
   • limitation of the use of system utilities to the minimum practical number of trusted authorized users,
   • authorization for ad hoc use of systems utilities,
   • limitation of the availability of system utilities, e.g. for the duration of an authorized change,
   • logging of all use of system utilities,
   • defining and documenting of authorization levels for system utilities, and
2. removal of all unnecessary software-based utilities and system software.

9.14 Monitoring system access and use

1. Systems should be monitored to detect deviation from access control policy and record system events to provide evidence in case of security incidents. System monitoring allows the effectiveness of controls adopted to be checked.
2. Audit logs recording exceptions and other security-relevant events must be produced and kept for a period defined by the agency and within the mandate of legislation to assist in future investigations and access control monitoring. Audit logs should also include:
   • user IDs,
   • dates and times for log-on and log-off,
   • terminal identity or location, if possible,
   • records of successful and rejected system access attempts, and
   • records of successful and rejected data and other resource access attempts.
3. Certain audit logs may be required to be archived as part of the record retention procedures or because of requirements to collect evidence.
4. Process for monitoring use of information processing facilities must be established and the result of the monitoring activities reviewed regularly. Such process are necessary to ensure that users are only performing activities that have been explicitly authorized. The level of monitoring required for individual facilities should be determined by a risk assessment. Areas that should be included are:
   • authorized access, including detail such as:
     • the user ID,
     • the date and time of key events,
     • the types of events,
     • the files accessed, and
     • the program/utilities used.
   • all privileged operations, such as:
     • use of supervisor account,
     • system start-up and stop, and
     • I/O device attachment/detachment.
   • unauthorized access attempts, such as:
     • failed attempts,
     • access procedure violations and notifications for network gateways and firewalls, and
     • alerts from proprietary intrusion detection systems.
   • system alerts or failures such as:
     • console alerts or messages,
     • system log exceptions, and
     • network management alarms.
5. The result of the monitoring activities should be reviewed regularly. The frequency of the review should depend on the risks involved. Risk factors that should be considered include:
   • the criticality of the application processes,
   • the value, sensitivity or criticality of the information involved,
   • the past experience of system infiltration and misuse and
   • the extent of system interconnection (particularly public networks).
6. A log review involves understanding the threats faced by the system and the manner in which these may arise. System logs often contain a large volume of information, much of which is extraneous to security monitoring. To help identify significant events for security monitoring purposes, the copying of appropriate message types automatically to a second log and/or the use of suitable system utilities or audit tools to perform file interrogation should be considered. When allocating the responsibility for log review a separation of roles should be considered between the person(s) undertaking the review and those whose activities are being monitored.
7. Particular attention should be given to the security of the logging facility because if tampered with it can provide a false sense of security. Controls should aim to protect against unauthorized changes and operational problems including:
   • the logging facility being de-activated,
   • alterations to the message types that are recorded,
   • log files being edited or deleted, and
   • log file media becoming exhausted and either failing to record events or overwriting itself.

9.15 Control of Operational Software

1. Control must be applied to the implementation of software on operational systems. To minimize the risk of corruption of operational systems, the following controls should be considered:
   • The updating of the operational program libraries should only be performed by the nominated librarian upon appropriate management authorization.
   • Operational systems should only hold executable code.
   • Executable code should not be implemented on an operational system until evidence of successful testing and user acceptance is obtained and the corresponding program source libraries have been updated.
   • An audit log should be maintained of all updates to operational program libraries.
   • Previous versions of software should be retained as a contingency measure.
2. Vendor supplied software used in operational systems should be maintained at a level supported by the supplier. Any decision to upgrade to a new release should take into account the security of the release, i.e. the introduction of new security functionality or the number and severity of security problems affecting this version. Software patches should be applied when they can help to remove or reduce security weaknesses.

9.16 Access control to source library

In order to reduce the potential for corruption of computer programs, strict control must be maintained over access to program source libraries.

1. Program source libraries should not be held in operational systems.
2. A program librarian should be nominated for each application.
3. IT support staff should not have unrestricted access to program source libraries.
4. Programs under development or maintenance should not be held in operational program source libraries.
5. The updating of program source libraries and the issuing of program sources to programmers should only be performed by the nominated librarian upon authorization from the IT support manager for the application.
6. Program listings should be held in a secure environment.
7. An audit log should be maintained of all accesses to program source libraries.
8. Old versions of source programs should be archived, with a clear indication of the precise dates and times when they were operational, together with all supporting software, job control, data definitions and procedures.
9. Maintenance and copying of program source libraries should be subject to strict change control procedures.

9.17 Change Control Process

1. The implementation of changes must be strictly controlled by the use of formal change control procedures to minimize the risk of system corruption. These formalized change controls must be enforced. They should ensure that security and control procedures are not compromised, that programmers are given access to only those units required for their work and that formal approvals are obtained. Changing application software can impact the operational environment. Whenever practical, application and operational change procedures should be integrated. These processes should include:
   • maintaining a record of agreed authorization levels,
   • ensuring changes are submitted by authorized personnel,
   • reviewing controls and procedures to ensure they will not be compromised by the changes submitted,
   • identifying all the software, databases and hardware that require change,
   • obtaining formal approval before work commences,
   • ensuring the changes are carried out to minimize any possible disruptions,
   • ensuring the system documentation is current,
   • maintaining version control on all updates,
   • maintaining an audit trail of all change requests,
   • ensuring that operational documentation and user procedures reflect the new environment, and (K) ensuring that the changes are implemented without business disruption.
2. Test environments should be separated from development and production environments.

9.18 Restrictions on changes to software

Modification to software packages must be discouraged and essential changes controlled. Only when deemed essential, should the packages be modified. The following points should be considered:

1. the possibility of controls and processes included in the base software being compromised,
2. the necessity of obtaining the vendor’s consent,
3. the possibility of the vendor including the changes into the base offering, and
4. the impact of incorporating these changes in future releases of the base software.

9.19 Intrusion Detection System (IDS)

1. Network IDS utilize traffic analysis to compare session data against a known database of popular application attack signatures. On detection, the network IDS can react by logging the session alerting the administrator, terminating the session and even reconfiguring the firewall or router to block selected traffic
2. Host IDS compare application / internal service log events against a known database of security violations and custom policies. If a breach of policy occurs, the host IDS can react by logging the action alerting the administrator and, in some cases, stopping the action prior to execution.
3. Application-Level IDS rely upon custom applications to log unauthorized or suspect activity and / or produce an alert. An example of an Application-Level IDS would be a Web application which maintains its own internal user / password system. Attempts to circumvent this system would not be noticed by a Network IDS or recorded by a Host IDS.

9.20 Controls on Malicious software

1. Detection and prevention controls to protect against malicious software and appropriate user awareness procedures must be implemented. Protection against malicious software should be based on security awareness appropriate system access and change management controls. The following procedures should be implemented:
   • compliance with software licenses and prohibiting the use of unauthorized software,
   • protection against risks associated with obtaining files and software either from or via external networks or on any other medium, indicating what protective measures should be taken,
   • installation and regular update of anti-virus detection and repair software to scan computers and media either as a precautionary control or on a routine basis,
   • regular reviews of the software and information content of systems supporting critical business processes—the presence of any unapproved files or unauthorized amendments should be formally investigated,
   • verification of files on electronic media of uncertain or unauthorized origin, or files received over un-trusted networks, for viruses before use,
   • verification of any electronic mail attachments and downloads for malicious software before use—this check may be carried out at different places, e.g., at electronic mail servers, desk top computers or when entering the network of the organization,
   • assignment of responsibilities to deal with the virus protection on systems, training in their use, reporting and recovering from virus attacks,
   • appropriate business continuity plans for recovering from virus attacks, including all necessary data and software back-up and recovery arrangements,
   • verification of all information relating to malicious software and ensure that warning bulletins are accurate and informative, and
   • verification that qualified sources, e.g., reputable journals, reliable Internet sites or anti-virus software suppliers are used to differentiate between hoaxes and real viruses.
2. Staff should be made aware of the problem of hoaxes and what to do on receipt of them. These controls are especially important for network file servers supporting large numbers of workstations.

9.21 Firewalls

1. Firewalls’ functionality must be documented and detail how they manage security policy as applied to network traffic and how they maintain internal security.
2. System documentation must detail the following:
   • Purpose / Business rationale for the system
   • Services offered, including business rationale
   • Rationale for the choice of platform, operating system, components and configuration.
   • Adjacent or integrated systems.
   • Modifications to the default system software configuration
   • Installed software
   • Installed software configuration
   • Installed hardware
   • Installed hardware configuration
   • Support contracts
   • Software licenses
   • Hardware lease details
   • Process for shutdown, restart and recovery
   • System maintenance schedule

9.22 External Facilities Management

1. The use of an external contractor to manage information processing facilities may introduce potential security exposures, such as the possibility of compromise, damage, or loss of data at the contractor’s site. Prior to using external facilities management services, the risks must be identified, and appropriate controls agreed with the contractor, and incorporated into the contract.
2. Particular issues that should be addressed include:
   • identifying sensitive or critical applications better retained in-house,
   • obtaining the approval of business application owners,
   • implications for business continuity plans,
   • security standards to be specified, and the process for measuring compliance,
   • allocation of specific responsibilities and procedures to effectively monitor all relevant security activities, and
   • responsibilities and procedures for reporting and handling security incidents.

10.0 Legal Requirements

All security related aspects of information processing may be subject to statutory or contractual security requirements. Each agency must be aware of their responsibilities as dictated by legislation and other legal commitments particularly as they apply to the information systems and practices required by the federal and state governments. All agencies should put in place the appropriate procedures to ensure compliance with legal considerations.

10.1 Software Copyright

Proprietary software products are usually supplied under a license agreement that limits the use of the products to specified machines and may limit copying to the creation of back-up copies only. The following controls should be implemented:

1. publishing software copyright compliance procedures which define the legal use of software and information products,
2. maintaining awareness of the software copyright and acquisition procedures and giving notice of the intent to take disciplinary action against staff who breach them,
3. maintaining appropriate asset registers,
4. maintaining proof and evidence of ownership of licenses, master disks, manuals, etc.,
5. implementing controls to ensure that any maximum number of users permitted is not exceeded,
6. carrying out checks that only authorized software and licensed products are installed,
7. providing procedures for maintaining appropriate license conditions, and
8. providing procedures for disposing or transferring software to others

10.2 Protection of Information

1. Important records of an organization must be protected from loss, destruction and falsification. Some records may need to be securely retained to meet statutory or regulatory requirements as well as to support essential business activities. The time period and information content for retention may be set by federal and state laws or regulations.
2. Records should be categorized into record types, such as accounting records, database records, transaction logs audit logs and operational procedures, each with details of retention periods and type of storage media, e.g. paper, microfiche, magnetic, optical. Any related cryptographic keys associated with encrypted archives or digital signatures, should be kept securely and made available to authorized persons when needed.
3. Consideration should be given to the possibility of degradation of media used for storage of records. Storage and handling procedures should be implemented in accordance with Manufacturer’s recommendations.
4. Wherever electronic storage media are chosen, procedures to ensure the ability to access information (both media and format readability) throughout the retention period should be included, to safeguard against loss due to future technology change.
5. The system of storage and handling should ensure clear identification of records and of their statutory or regulatory retention period. It should permit appropriate destruction of records after that period if they are not needed by the organization.
6. To meet these obligations, the following steps should be taken within an organization:
   • Guidelines should be issued on the retention, storage, handling and disposal of records and information.
   • A retention schedule should be drawn up identifying essential record types and the period of time for which they should be retained.
   • An inventory of sources of key information should be maintained.
   • Appropriate controls should be implemented to protect essential records and information from loss, destruction and falsification.

10.3 Privacy of Personal information

1. In many cases, legislation controls the processing and transmission of personal information (generally information on living individuals who can be identified from that information). Such controls impose responsibilities on those collecting, processing and disseminating personal information.
2. Controls must be applied to protect personal information in accordance with relevant legislation. Compliance with information protection legislation requires appropriate management structure and control. It is the responsibility of the owner of the information to ensure the information is protected and that there is awareness by all users of the information protection principles defined in the relevant legislation.