Information Technology Policy, Code of Practice & Procedure Manual

INFORMATION TECHNOLOGY
POLICY, CODE OF PRACTICE

& PROCEDURE MANUAL
CONTENTS
SECTION A :
INFORMATION TECHNOLOGY POLICY

1.
2.
3.
4.
SECTION B :
SIB/MIS/P/001
SIB/MIS/P/002
SIB/MIS/P/003
SIB/MIS/P/004
INFORMATION TECHNOLOGY CODE OF PRACTICE

1.
2.
SECTION C :
Policy Statement
Information Technology Facilities
Usage
Electronic Mail
IT Equipment Lifecycle Policy
Physical Security of Information SIB/MIS/COP/001

Employment, Education & Training SIB/MIS/COP/002
INFORMATION TECHNOLOGY PROCEDURE MANUAL

1.
2.
E-Mail Services
Computer Usage Procedure
SIB/MIS/PM/001
SIB/MIS/PM/002
POLICY
SSAAPPUURRAAIINNDDUUSSTTRRIIAALLBBEERRHHAADD
IINNFFOORRM
MAATTIIOONN TTEECCHHNNOOLLOOGGYY PPOOLLIICCYY
PPOOLLIICCYY SSTTAATTEEM
MEENNTT
DDDooocccuuum
m
meeennntttNNNooo..:.::
IIIsssssuuueeeNNNoo..:.::
RRReeevvv...NNNooo:::
DDDaaattteee :::
PPPaaagggeee :::
SSSIIIBBB///M
M
MIIISSS///IIITTTPPP///000000
111
111..0.00
000..0.00
111ssstt.t.M
Maaayyy222000000777
.M
111ooofff555
INTRODUCTION
1.1 GENERAL
1.1.1
Information System plays a major role in supporting the day-to-day activities of the
Company. The availability, reliability, confidentiality and data integrity of the Company
Information Systems are essential to success of company activities.
1.1.2
This manual outlines statements relating to the Information System Policies & Procedures
governing the employment of all employees in the Company. They relate to their use of
company-owned/ leased/ rented and onloan facilities, to all private systems, owned/
leased/ rented/ on-loan, when connected to the company network directly or indirectly to
all company-owned/ licensed data/ programs, be they on Company or on private systems,
and to all data/ programs provided to Company by external agencies or sponsors. It is
envisaged that by doing so, written policies and procedures will be interpreted equitably by
those in supervisory and management positions on regular basis within the Company.
1.1.3
The Company reserves the right to amend, delete, augment any policy or procedure or part
thereof as and when deemed necessary for any individual employee or group of
employees. The Senior Management and Managing Director shall approve all changes to
the policies and procedures.
1.1.4
The Information System Policies and Procedures in general may be reviewed at any time if
it needs to be reviewed. A task force shall be formed to review and make recommendation
on the revised policies or procedures. All revised policies and procedures shall require the
approval of the Senior Management and Managing Director Deviation from the approved
policies and procedures are to be notified to the Head of Department Management
Information System Department.
1.1.5
Head of Management Information System Department shall responsible for ensuring the
updating of this manual and communication any policy and procedure changes to
employees of the company. The head of subsidiaries or those assigned will be responsible
for disseminating the changes to employee. They shall notify the Head of Department
Management Information System whenever problems are encountered or when
improvements are to be made.
1.1.6
The Head of Department Management Information System of Sapura Industrial Berhad shall
be custodian of Information Technology Policies and Procedures.
1.1.7
This manual is assigned to all Head of Subsidiaries or any other personnel approved by
Senior Management of Sapura Industrial Berhad.
SIB/MIS/ITP/001
Page 1 of 5
IINNFFOORRM
MEENNTT
DDDooocccuuum
m
DDDaaattteee :::
PPPaaagggeee :::
SSSIIIBBB///M
M
111
111..0.00
000..0.00
111ssstt.t.M
Maaayyy222000000777
.M
222ooofff555
1.2 POLICY OBJECTIVE

The objectives of the Policies are to:
Ensure that all of the Company computing facilities, programs, data, network and
equipment are adequately protected against loss, misuse or abuse.
Ensure that all users are aware of and fully comply with this Policy Statement and all
associated policies and are aware of and work in accordance with the relevant Code of
Practice.
Ensure that all users are aware of and fully comply with the relevant Malaysian legislation.
Create across the Company the awareness that appropriate security measures must be
implemented as part of the effective operation and support of Information Security.
Ensure that all uses understand their own responsibilities for protecting the confidentiality
and integrity of the data they handle.
1.3 EXCEPTION OF POLICIES

1.3.1
No exception will be made to the policies and procedures without the written approval of
the Head of Department Management Information System of Sapura Industrial Berhad
(unless otherwise provided for in this manual) who is the custodian of Information
Technology Policies and Procedure. In the event you feel dissatisfied with the action or nonaction of those implementing the Policies and Procedures in the allowing or disallowing
any exception, a written explanation describing the deviation is to be forwarded to the
Head of Department Management Information System of Sapura Industrial Berhad.
1.4 DEFINITIONS
The following definitions shall apply in the manual unless expressly stated otherwise:
1.4.1
The Company shall mean Sapura Industrial Berhad Groups of Companies.
1.4.2
Policy shall mean the companys specific standpoint or general of company goal
1.4.3
Procedure shall mean the methodology or specific steps used in the implementation of
the policy.
1.4.4
Management shall mean Executive who have supervisory responsibilities and or

accountable for the work performance of their subordinates.
1.4.5
Supervisor shall mean immediate supervisor, Head of Department, Head of Section or

Head of Unit.
SIB/MIS/ITP/001
Page 2 of 5
IINNFFOORRM
MEENNTT
DDDooocccuuum
m
DDDaaattteee :::
PPPaaagggeee :::
1.4.6
SSSIIIBBB///M
M
111
111..0.00
000..0.00
111ssstt.t.M
Maaayyy222000000777
.M
333ooofff555
The masculine gender He shall include the feminine gender unless otherwise expressly
stated. Words in the singular will include the plural except the text clearly indicated
otherwise.
1.5 POLICY APPROVAL

This Policies and Procedures have been approved by the Managing Director, Chief Operating Officer
and Senior Management who has delegated the implementation of it to the Head of Management
Information System.
1.6 RESPONSIBILITIES FOR INFORMATION SYSTEMS SECURITY
1.6.1
The Managing Director is responsible for approving the Information System Policies and
Procedures and the associated policies and for ensuring that they are discharged to the
various subsidiaries, departments and staff through Heads of those units.
1.6.2
Head of Subsidiaries and Supervisor are required to implement the Policies with respect to
the systems that are operated by their Subsidiaries, Departments and Units. They are
responsible for ensuring that staff and anyone else authorized to use those systems are
aware of and comply with them and the associated Code of Practice. To assist them in this,
they are required to appoint a Custodian for each system operated by them, the duties of
which are set out in a Code of Practice associated with the Policies.
1.6.3
It is the responsibility of each individual to ensure his understanding of and compliance

with the Policies and the associated Code of Practice.
1.7 COMPLIANCE WITH LEGISLATION

1.7.1
The Company has an obligation to abide by Malaysian legislation. Of particular importance

in this respect is Computer Crimes Act 1997. The requirement for compliance devolves to all
users defined in (1.1.2) above, who may be held personally responsible for any breach of
the legislation.
1.8 RISK ASSESSMENT AND SECURITY REVIEW BY SUBSIDIARIES AND DEPARTMENT

1.8.1
Custodians must periodically carry out a risk assessment of the system that they are
currently responsible for, including the Information System security control currently in
place. This is to take into account changes to operating systems changing Company
requirement and priorities and any changes in the relevant legislation, hence revisiting
their security arrangements accordingly.
1.8.2
Head of Subsidiaries and Supervisor should establish effective Contingency Plans

appropriate to the outcome of any risk assessment. In addition, they are required to carry
out an annual assessment of the security arrangements for their Information Systems and
submit a report on this to MIS Department.
SIB/MIS/ITP/001
Page 3 of 5
IINNFFOORRM
MEENNTT
DDDooocccuuum
m
DDDaaattteee :::
PPPaaagggeee :::
SSSIIIBBB///M
M
111
111..0.00
000..0.00
111ssstt.t.M
Maaayyy222000000777
.M
444ooofff555
1.9 BREACHES OF SECURITY

1.9.1
The MIS Department will monitor network activity, reports from Malaysian Computer
Emergency Response Team (MyCERT) and other security agencies and take action/ make
recommendations consistent with maintaining the security of the Company Information
System.
1.9.2
Any Head of Subsidiaries suspecting that there has been, or likely to be breach of
Information System security should inform the Head of MIS Department immediately, who
will then advise the Company on what actions should be taken.
1.9.3
In the event of the suspected or actual breech of security, the Head of MIS Department may,
after consultation with the relevant Custodian or Head of Subsidiaries, make inaccessible/
remove any unsafe user/ login names, data and/or programs on the system from the
network.
1.9.4
Any breach of security of an Information System could lead to destruction or loss of security
of personal information. This would be an infringement of the Computer Crime Act 1977
and could lead to civil or criminal proceedings. It is vital, therefore that users of the
Companys Information Systems comply with the Policies.
1.9.5
The Managing Director or Chief Operating Officer has the authority to take whatever action
is deemed necessary to protect the Company against breaches of security.
1.10 POLICY AWARENESS AND DISCIPLINARY PROCEDURES

1.10.1 The new members of staff will have a copy and /or explanations given by the Human
Resource Department. Existing staff of the Company, authorized third parties and
contractors given access to the Company network will be advised of the existence of this
Policy Statement and the availability of the associated policies, codes of practice and
procedures that are published on the Company Intranet.
1.10.2 Failure of an individual member of the staff to comply with the Policies my lead the
investigation of the relevant disciplinary procedures and in certain circumstances, legal
action may be taken. Failure of the contractor to comply could lead to the cancellation of a
contract.
1.11 SUPPORTING POLICIES, CODES OF PRACTICE AND PROCEDURES
1.11.1 The Supporting Policies, Code of Practice and Procedures associated with this Policy
Statement are available on the Company Intranet. Staff and any third parties authorized to
access the Company Intranet to use the systems and facilities identified in 1.1.2 of this Policy
Statement, are required to familiarize themselves with these and to work in accordance
with them.
SIB/MIS/ITP/001
Page 4 of 5
IINNFFOORRM
MEENNTT
DDDooocccuuum
m
DDDaaattteee :::
PPPaaagggeee :::
SSSIIIBBB///M
M
111
111..0.00
000..0.00
111ssstt.t.M
Maaayyy222000000777
.M
555ooofff555
1.12 STATUS OF THE INFORMATION SYSTES SECURITY POLICIES

1.12.1 The Policies do not form part of a formal contract of employment with the Company, but it
is a condition of employment that employees will abide by the regulations and policies
made by the Company from time to time.
SIB/MIS/ITP/001
Page 5 of 5
IINNFFOORRM
FFAACCIILLIITTIIEESS UUSSAAGGEE
DDDooocccuuum
m
meeennntttNNNooo :::
IIIsssssuuueeeNNNoo... :::
RRReeevvvNNNooo... :::
DDDaaattteee :::
PPPaaagggeee :::
SSSIIIBBB///M
M
222
000111
000000
111ssstttM
M
Maaayyy222000000777
111ooofff444
1.0 PURPOSE
1.1 To establish a procedure of the Information Technology facilities usage of the Company
1.2 To clearly define the use of all network, computer systems, computer hardware, software and
internal access and computer codes in the Company.
2.0 SCOPE
The policy applies to all the Company employees (hereinafter referred to as users) whose access to
use IT facilities owned, leased, rented or on-loan by the Company.
3.0 DEFINITIONS
3.1
3.2
3.3
3.4
3.5
3.6
3.7
3.8
HR
MIS
CAPEX
PO
DO
LAN
IT
Company
Human Resources
Management Information System
Capital Expenditure
Purchasing Order
Delivery Order
Local Area Network
Information Technology
Sapura Industrial Berhad Group of Companies
4.0 PROCEDURES
4.1 The use of the Company computer hardware and software is for official purpose.
4.2 Workstations shall be located in a physically protected environment where access control
measures are in place and applied consistently.
4.3 The maintenance of hardware and software shall only be done by authorized contractors who
have the appropriate security clearances.
4.4. Procurement of Computer Equipment
4.4.1 In order to acquire computer equipment or software, procurement process needs to
follow standard guidelines of the Company Capital Expenditure (CAPEX) procedure.
MIS Department shall advise on the need and specification of purchase equipment.
4.4.2
Upon received, Purchaser must fill up the Computer Registration Form and submit
it to MIS Department within seven (7) days together with the copy of documents.
SIB/MIS/ITP/002
Page 1 of 4
IINNFFOORRM
DDDooocccuuum
m
DDDaaattteee :::
PPPaaagggeee :::
SSSIIIBBB///M
M
222
000111
000000
111ssstttM
M
Maaayyy222000000777
222ooofff444
4.5 Computer Security

4.5.1 Every computer must be protected by a password. The password must consist of at
least five (5) letters or/and numbers. It needs to be changed within three (3) months
interval or when necessary.
4.6 Unlicensed/Unauthorized Software (Anti-Piracy)
4.6.1 No unlicensed software, privately owned software, games, public domain software or
pornographic material shall be installed or loaded on official computer equipment.
4.7 Piracy
4.7.1 This involves the blatant copying of computer programs and the making of copies on
disks for distribution to others. Regardless of what is done with the copies, the action
of copying is against the law.
4.7.2 It is deemed an infringement even if copies are made for the copyist's own domestic
use, unless this is specifically allowed by the copyright owner under a "home use"
policy or the copies are legitimate back-up copies.
4.7.3 Whilst there may be a moral difference between people copying software to sell to
others and those copying for personal use, there is no legal distinction between the
two both are illegal.
4.8 Dealer Infringement
4.8.1 Dealers who load software packages on hardware that is then supplied to a client are
clearly infringing copyright. Providing reproductions of manuals to go with illicit
software is also an infringement.
4.9 End-user Infringement
This typically occurs in one of the following forms:4.9.1 Use of Infringing Copies
4.9.1.1
The end-user breaks the law whenever he or she uses a program that has
been illegally copied from a floppy, compact disk, hard disk (or whatever
other means) on to a computer.
4.9.1.2
Copyright is infringed not only by the person who initiated the copying but
by all subsequent people using copied programs. In addition, if an end-user
makes use of a legitimate copy of a program contrary to the terms of the
license, or in a situation where there is no implied license, copyright is
being infringed.
4.9.2 Use in a Local Area Network (LAN)
SIB/MIS/ITP/002
Page 2 of 4
IINNFFOORRM
DDDooocccuuum
m
DDDaaattteee :::
PPPaaagggeee :::
4.9.2.1
SSSIIIBBB///M
M
222
000111
000000
111ssstttM
M
Maaayyy222000000777
333ooofff444
Whenever software packages are sold for use on a network, the number of
users is designated. As soon as an extra user is provided access to this
software, an infringement is constituted.
4.9.3. Use of Unauthorized Screen Savers

4.9.3.1
Screensavers may not be loaded by computer users. The reasons for this
are numerous, but the main reason is that many of these are "downloaded"
from the Internet and could contain "new" viruses which the latest virus
protection software cannot detect.
4.9.3.2
Secondly, some are not compatible with certain types of software and
cause endless problems (usually the computer "hangs" or "freezes" and all
unsaved work is lost when the computer has to be re-started), which is
unnecessary and unacceptable.
4.9.3.3
All screen-savers are memory resident (they are automatically activated

after a pre-determined period of time when the computer is not being
used) and this tends to slow the processing time of the computer down.
4.10 Pornographic Material

Persons found with any form of pornographic or offensive material within their directories
or on the hard-drives of their computers, or it is found that they are distributing this
material by whatever means (e-mail, diskettes, placing it on the computer network etc.), will
be formally charged with misconduct and, depending on the severity of the matter, handed
over to the Malaysian Police Services for prosecution.
4.10. System Security
The used of system utility programs (e.g. monitoring/sniffing tools), that might be capable
of overriding system and application controls, is prohibited. Where an employee might
want to load such software for whatever reason, a written request for the loading of the
software must be submitted to the Head of the MIS Department, stating the reasons for the
loading of the software and the duration that it will be required. It is the responsibility of
each user to ensure that no unauthorized software is installed on the computer systems
allocated to them.
4.12.
The user shall be held liable for any unlicensed software that is found in their possession,
and as such will take full responsibility of the consequences that might follow by
contravening the Malaysian Copyright Act.
4.13
General Care of Computer Equipment

4.13.1 Potted plants, coffee mugs, water decanters etc. must not be placed on computers
as any form of liquid can potentially damage the equipment and will most certainly
leave unsightly stains on the external casing.
4.13.2 Computer equipment must also not be decorated with anything non removable,
e.g.: stickers, graffiti etc., as such things reduce the value of the equipment
significantly.
SIB/MIS/ITP/002
Page 3 of 4
IINNFFOORRM
DDDooocccuuum
m
DDDaaattteee :::
PPPaaagggeee :::
SSSIIIBBB///M
M
222
000111
000000
111ssstttM
M
Maaayyy222000000777
444ooofff444
4.13.3 Computer equipment should always be kept clean and dust free. Computer screens,
external casings, and keyboard keys can be cleaned with anti static cleaner and a
lint-free duster. Never use a dripping wet cloth to clean the equipment.
4.13.4 Practices such as eating, drinking and smoking should not be exercised whilst
working at a computer as cigarette ash and bits of food are invariably dropped or
spilt on the computers keyboard, resulting in damage.
4.14 Staff Leaving/ Staff Termination/ Resignation
4.14.1 When staff joining the Company, the subsidiary head arranges access to the
network on their behalf. It is therefore also the subsidiary heads responsibility to
ensure that when staff leaves the service that their user accounts are removed from
the network.
4.14.2 The subsidiary head or HR department must contact the MIS department and
provide the users particulars as well as instructions pertaining to the data that
resides in the users home directory on the network.
4.14.3 If this is not carried out, the ex-staff members user account will remain on the
network. Network security is therefore seriously breached as the ex-staff member
could easily gain access to data on the network and remove or manipulate it.
4.15 Asset Tracking & Recording
4.15.1 Upon delivery of the assets IT related hardware/software, purchasing department
shall submit copy of quotation/PO/DO/Invoice to MIS Department.
4.15.2 Purchasing/Account department inform the asset tagging, location & users name
for the asset.
4.15.3 Account department should inform for any transfer or dispose of assets.
SIB/MIS/ITP/002
Page 4 of 4
IINNFFOORRM
EELLEECCTTRROONNIICC M
MAAIILL
DDDooocccuuum
m
DDDaaattteee :::
PPPaaagggeee :::
SSSIIIBBB///M
M
333
000111
000000
111ssstttM
M
Maaayyy222000000777
111ooofff444
1.0 PURPOSE
1.1
The purpose of this "Electronic Mail Policy" is to establish guidelines and minimum requirements
governing the acceptable use of the Company electronic mail (e-mail) services.
2.0. SCOPE
2.1
This policy applies to all the Company employees (hereinafter referred to as "users") whose access
to or use of e-mail services is funded by the Company or is available through equipment owned/
leased/ rented and on-loan facilities by the Company.
3.0 DEFINATIONS
3.1
E-mail
Electronic Mail refers to the electronic transfer of information, in

the form of electronic messages, memorandum and attached
documents from a sending party to one or more receiving parties
via an intermediate telecommunications system. Stated differently,
e-mail is a means of sending messages between computers using a
computer network.
3.2
Company
Sapura Industrial Berhad Group of Companies.
3.3
Virus
A virus is a piece of computer code that attacks itself the program

or file, so it can spread from computer to computer, infecting as it
travels. Viruses can damage your software, hardware and files.
3.4 Encryption
A method of scrambling data using a cryptographic algorithm

based on a secret key that is known only to the originating system
and the destination system.
4.0 RESPONSIBILITIES
4.1
The Company reserves the right to amend this policy from time to time at its discretion. In case of
amendments and revisions, users will be informed appropriately.
4.2
The management of the Company has the right to access or monitor the e-mail user contents of
massages and attached document.
4.3
The Company reserves the right to revoke or limit the Users access to this e-mail account and
address at any time. Common reasons for e-mail access revocation include the failure to comply
with the Company policies, and termination of the employees service with the Company.
SIB/MIS/ITP/003
Page 1 of 4
IINNFFOORRM
MAAIILL
DDDooocccuuum
m
DDDaaattteee :::
PPPaaagggeee :::
SSSIIIBBB///M
M
333
000111
000000
111ssstttM
M
Maaayyy222000000777
222ooofff444
5.0 APPROPRIATE USE OF COMPANY E-MAIL RESOURCES

Use of e-mail facilities is subject to all the same laws, policies and codes of practice that apply to the use
of other means of communications and shall comply with the Company policy on Facilities Usage. Access
to the publication of information on the Web shall also subject to this policy.
5.1 Users may not use Company resources and facilities to transmit:
Commercial material unrelated to illegitimate business of the Company, including the

transmission of bulk e-mail advertising (spamming).
Bulk non-commercial-mail unrelated to the legitimate business activities of the Company

that is likely to cause offence or inconvenience to those receiving it. This includes the use email exploders (i.e. list servers) at the Company and elsewhere, where the e-mail sent is
unrelated to the stated purpose for which the relevant e-mail exploder was to be used
(spamming).
Unsolicited e-mail messages requesting other users, at the Company of elsewhere, to

continue forwarding such e-mail messages to others, where those e-mail messages have no
business information purpose (chain e-mails).
E-mails that purport to come from an individual other than the user actually sending the
massage or with forged addresses (spoofing).
Material that is sexist, racist, homophobic, xenophobic, pornographic, pedophilic or

similarly discriminatory and or offensive.
Material that advocates or condones, directly or indirectly, criminal activity or which may
otherwise damage the Companys activities in Malaysia or abroad.
Text or images to which a third party holds an intellectual property right, without the
express written permission of the copyright holder.
Material that is defamatory, libelous or threatening. Material that could be used in order to
breach computer security, or to facilitate unauthorized entry into computer systems.
Material that is likely to prejudice or seriously impede the course of justice in Malaysian
criminal or civil proceedings.
Material containing personal data about third parties, unless their permission has been
given explicitly.
5.2 Whilst the Company provides staff with access to e-mail systems for the conduct of Companyrelated business, incidental and occasional personal use of e-mails is permitted so long as such
use does not disrupt or distract the individual from the conduct of Company business (i.e. due to
SIB/MIS/ITP/003
Page 2 of 4
IINNFFOORRM
MAAIILL
DDDooocccuuum
m
DDDaaattteee :::
PPPaaagggeee :::
SSSIIIBBB///M
M
333
000111
000000
111ssstttM
M
Maaayyy222000000777
333ooofff444
volume, frequency or time expended) or restrict the use of those systems to other legitimate
users.
6.0 PENALTIES FOR IMPROPER USE OF E-MAIL FACILITIES
6.1 Failure to comply with this e-mail policy could result in access to the facility being withdrawn or,
in more serious cases, to disciplinary action being taken.
6.2 The Head of MIS Department shall be the final arbiter of whether e-mail messages are in breach
of this e-mail policy or not.
7.0 PRIVACY
7.1 Data users must assume that all e-mail by default is not secure and thus, they should not send
via e-mail any information that is confidential, private or sensitive in nature. The use of e-mail
encryption technologies such as PGP (Pretty Good Privacy) will improve the confidentiality of
the e-mail, although they are by no means perfect.
7.2 Users may not under any circumstances, monitor and intercept or browse other users e-mail
messages unless authorized to do so.
7.3 In all other circumstances, monitoring, interception and reading of other users e-mail by
network and computer operations personnel or system administrators may only occur with the
permission of the Head of MIS Department.
7.4 The Company reserves the right to access and disclose the contents of a users e-mail
massages, in accordance with its legal and audit obligations and for legitimate operational
purposes. The Company reserves the right to demand those encryption keys, where used, is
made available so that it is able to fulfill its right of access to a users e-mail messages in such
circumstances.
8.0 BEST PRACTICES
8.1 The Company considers e-mail as an important means of communication and recognizes the
importance of proper e-mail content and speedy replies in conveying a professional image and
delivering good customer services. Users should take same care in drafting an-email as they
would for any other communication. Therefore the Company wishes users to adhere to the
following guidelines:
8.1.1 Writing e-mails:
Write well-structure e-mails and use short, descriptive subject.
The Company style is informal. This means that sentences can be short and to the
point. The use of internet abbreviations and characters such as smiley however, is
not encouraged.
SIB/MIS/ITP/003
Page 3 of 4
IINNFFOORRM
MAAIILL
DDDooocccuuum
m
DDDaaattteee :::
PPPaaagggeee :::
8.1.2
SSSIIIBBB///M
M
333
000111
000000
111ssstttM
M
Maaayyy222000000777
444ooofff444
Signatures must include you name, job title and company name. and should follow
company branding guideline.
User must spell check all mails prior to transmission.
Do not send unnecessary attachments. Compress attachments larger than 1MB

before sending them.
Do not write e-mails in capitals.
Do not use cc. or bcc: fields unless the cc: or bcc: recipient is aware that you will be
copying a mail to him/ her and knows what action, if any to take.
If you forward mails, state clearly what action you expect the recipient to take.
Only send e-mails of which the content could be displayed on a public notice board.
If they cannot be displayed publicly in their current state, consider rephrasing the email, using other means of communication or protecting information by using a
password.
Only mark e-mails as important if they really are important.
Replying to e-mails:
E-mails should be answered within at least eight (8) working hours, but users must
endeavor to answer priority e-mails within four (4) hours.
Priority e-mails are emails from existing customers and business partner.
9.0 WRITTEN AGREEMENT REQUIRED

Users having access to state-provided e-mail services are advised that all such network activity is
the property of the group, and therefore, they should not consider any activity to be private. All
users of e-mail services are required to acknowledge acceptance of and intention to comply with
this "Electronic Mail Policy" by signing the Company E-Mail Request Form.
SIB/MIS/ITP/003
Page 4 of 4
CODE OF PRACTICE
CCOODDEE OOFF PPRRAACCTTIICCEE
PPHHYYSSIICCAALL SSEECCUURRIITTYY OOFF

IINNFFOORRM
MAATTIIOONN
DDDooocccuuum
m
IIIssssssuuueeeNNNooo... :::
DDDaaattteee :::
PPPaaagggeee :::
SSIIIBBB///M
M
MIIISSS///CCCOOOPPP///000000
11
00111
00000
11ssstt.t..M
M
Maaayyy222000000777
11 ooofff333
PURPOSE
To maintain the physical security of the hardware used to store and process information as it is to
ensure the security of information contained within the Company information systems.
2.0 SCOPE
2.1 Specific code of practice covering: physical security of Information System.
3.0
DEFINATIONS
3.1
4.0
PIN
Personal Identification Number
PROCEDURES
4.1
SECURITY OF PREMISES
4.1.1
Security of Premises
While it is difficult to make premises in accompany completely secure, buildings
and offices are now equipped with strong locks that provide a good level of
protection against opportunist intrudes so long as they are used intelligently and
correctly by those who have a right of access.
In order to reduce the risk of theft, the following rules should be adhered to:
4.1.1.1 Offices or rooms that house valuable equipment should not be left
unattended with the door unlocked or with window open.
4.1.1.2 Keep an eye open for anyone who appears to be loitering in the vicinity of
locked door, challenge him or her and report any suspicions to the
authorize personnel:
4.1.1.3 Where buildings/offices are secured by card controlled doors or keypads
looks, do not lend your card to anyone or give away details of PIN/ keypad
number;
SIB/MIS/COP/001
Page 1 of 3

IINNFFOORRM
MAATTIIOONN
DDDooocccuuum
m
DDDaaattteee :::
PPPaaagggeee :::
SSIIIBBB///M
M
11
00111
00000
11ssstt.t..M
M
Maaayyy222000000777
22 ooofff333
4.1.1.4 Valuable equipment or equipment storing valuable data should not be

located in a vulnerable location such as just beside the fire escape door or
beside the window that can see from the outside.
4.1.2
Security of People
In order to ensure your personal safety and that of your colleagues:
4.1.2.1 Challenge anyone who you suspect has no right to be on the premises in a
friendly way by offering to help them find the location they are looking for.
4.1.2.2 Avoid confrontation and conflict with anyone who reacts aggressively and
contact your authorize personnel/ security lodge immediately.
4.1.2.3 Do not take any action that may endanger you or other members of the
Company by causing a potential or actual thief.
4.1.3
Security of Equipment
In order to ensure that you computing equipment itself is secure:
4.1.3.1 All computers and other equipment with a value of more than RM300.00
must be clearly marked as company property, security tagged and recorder
on company inventory. This should be done as soon as possible after the
installation and set-up of the equipment.
4.1.3.2 All computers, others equipments including hardware and software
marked as company property must be insured.
4.1.3.3 Carry out a risk assessment in relation to the cost of the replacing the
equipment and the value of the data stored on it in order to determine
what additional security measures need to be taken, such as marking, cable
restraint, lockdown fixtures, alarms and arrange fitting as soon as possible;
4.1.3.4 Dispose of any computer packaging as quickly as discretely as possible in
order not to advertise the arrival of new equipment.
SIB/MIS/COP/001
Page 2 of 3

IINNFFOORRM
MAATTIIOONN
4.1.4
DDDooocccuuum
m
DDDaaattteee :::
PPPaaagggeee :::
SSIIIBBB///M
M
11
00111
00000
11ssstt.t..M
M
Maaayyy222000000777
33 ooofff333
Security of Data
4.1.4.1 Any media containing data that has been backed up should be held
securely i.e. in a locked container, drawer or cupboard and placed in
allocation commensurate with a departments procedures for ensuring
business continuity i.e. away from the area where that data is normally
processed.
Before disposing of computing equipment ensure that any data held on the hard
disk is destroyed by fully reformatting the hard disk, or using special tools to
overwrite the hard disks contents with random, useless data.
SIB/MIS/COP/001
Page 3 of 3
EEM
MPPLLOOYYM
MEENNTT,, EEDDUUCCAATTIIOONN
AANNDD TTRRAAIINNIINNGG
DDDooocccuuum
m
DDDaaattteee :::
PPPaaagggeee :::
SSIIIBBB///M
M
22
00111
00000
11ssstt.t..M
M
Maaayyy222000000777
11 ooofff222
PURPOSE
To address the new staff on information security at the recruitment stage.
2.0 SCOPE
2.1 Specific code of practice covering: on relevant security responsibilities.
3.0
DEFINATIONS
3.1
3.2
4.0
IS
IT
Information System
PROCEDURES
4.1
SECURITY IN JOB DESCRIPTIONS

Security roles and responsibilities as laid down in the Company IS Security Policies should
be included in the job descriptions, where appropriate. These should include any general
responsibilities for implementing the security policies as well as any specific responsibilities
for implementing the security policies as well as specific responsibilities for the protection
of particular assets, or for the execution of particular security processes of activities.
4.2
RECRUITMENT SCREENING
Applications for employment should be screened if the job involves access to the company
Information Systems for handling of commercially or otherwise sensitive information, as
identified by the relevant Custodian. The checks should include obtaining two (2) character
references, checking the accuracy of CVs confirmation of academic or professional
qualifications and carrying out identification check.
4.3
CONFIDENTIALITY AGREEMENT
When signing acceptance of conditions of employment, user of IT facilities will be required
to agree to respect the confidentiality of any information that they encounter in their work.
Confidentiality agreements should be reviewed when there are changes to the terms of
employment or when contracts are due to be renewed..
4.4
INFORMATION SECURITY EDUCATION AND TRAINING

SIB/MIS/COP/02
Page 1 of 2
EEM
MPPLLOOYYM
MEENNTT,, EEDDUUCCAATTIIOONN
AANNDD TTRRAAIINNIINNGG
DDDooocccuuum
m
DDDaaattteee :::
PPPaaagggeee :::
SSIIIBBB///M
M
22
00111
00000
11ssstt.t..M
M
Maaayyy222000000777
22 ooofff222
New users of IT facilities and staff should be instructed on the Company policies and codes
of practice relating to information security and given training on the procedures relating to
the security requirements of the particular work they are to undertake and on the correct
use of the Company IT facilities in general before access to IT services is granted They
should be made aware of the reporting procedures to be adopted in respect of different
types of incident (security breach, threat, weakness or malfunction) which might affect the
security of information they are handling, as set out in Information System Security Policies.
SIB/MIS/COP/02
Page 2 of 2
PROCEDURE MANUAL
PPRROOCCEEDDUURREE M
MAANNUUAALL
EE-- M
MAAIILL SSEERRVVIICCEESS
DDDooocccuuum
m
DDDaaattteee :::
PPPaaagggeee :::
SSSIIIBBB///M
M
M
M///000000
MIIISSS///PPPM
111
000111
000000
111ssstttM
M
Maaayyy 222000000777
111ooofff222
1.0 PURPOSE
1.1
To establish and maintain the procedure or guidelines and minimum requirements governing the
acceptable use of the Company electronic mail (e-mail) services.
2.0. SCOPE
2.1
This policy applies to all SIB Group employees whose access to or use of e-mail services is funded
by the Group or is available through equipment owned or leased by the Company.
3.0 DEFINATIONS
3.1
Company
Sapura Industrial Berhad Group of Companies
32
E-mail
Electronic Mail refers to the electronic transfer of information, in

the form of electronic messages, memorandum and attached
documents from a sending party to one or more receiving parties
via an intermediate telecommunications system. Stated differently,
e-mail is a means of sending messages between computers using a
computer network.
3.3 MIS
Management Information System
4.1
User and MIS Department
5.0 ATTACHMENTS
5.1
5.2
E-Mail Services Form

E-Mail Services Process Flow
6.0 PROCEDURES
6.1
All E-mail address requested to be initiated by raising of E-mail Services Form and the step as
follows:
i.
ii.
iii.
iv.
New E-mail Account fill-up by requester

Reactivated Disabled/ Blocked Account fill-up by Human Resources Department
representative.
Approved by Head of Subsidiaries/ General Manager
Submit to MIS Department trough Human Resource Department
SIB/MIS/PM/001
Page 1 of 2
MAANNUUAALL
EE-- M
MAAIILL SSEERRVVIICCEESS
DDDooocccuuum
m
DDDaaattteee :::
PPPaaagggeee :::
6.2
SSSIIIBBB///M
M
M
M///000000
MIIISSS///PPPM
111
000111
000000
111ssstttM
M
Maaayyy 222000000777
222ooofff222
All the E-mail Services Form shall clearly specify the requirement which my include the
followings:
i.
ii.
Desired e-mail ID (e.g. name@sapuraindustrial.com.my) , nick name are strongly avoided.

Justification and effective date.
6.3
The MIS Department shall determine the availability of e-mail accounts allocation and suitability
of desired e-mail ID.
6.4
E-mail account shall be created for the requester subject to availability of E-mail account and
notify the requester default password and the e-mail user shall be guided by MIS representative
to set an E-mail on Outlook Express and how to access E-mail trough Web Mail.
6.5
The representative of MIS Department shall inform the requester within five (5) working days
receipt of the application form if they require any additional information or ready to
commencement the e-mail account.
6.6
Copy of successful E-mail application form shall be sent to SIB Group Account/ Finance
Department for charges preparation.
6.7
Human Resources Department shall be notify MIS Department within five (5) working days on any
employee tendering their resignation or termination from his services or for temporary block
account/reactivated disabled due to his disciplinary action taken by the company.
SIB/MIS/PM/001
Page 2 of 2
SIB/ MIS / EMS/ 01-01
E-Mail Services Form

1. User Particulars
name
department :
designation
desired e-mail id
1.
company
2.
tel no./ext
(e.g: name@sapuraindustrial.com.my)
date of requested
2. Detail of Request
New Account
Effective Date:
Justification
Reactivate Disabled / Blocked Account
Justification
Effective Date:
Delet Exsiting Account

Justification
Effective Date:
Applicant Particulars
I have read, understood and acknowledge receipt of Acceptable E-mail policy below. I hereby agree to comply with the rules and regulations as stated
in the policy and understand the falure to comply will result in severe diascplinary action.
name
signature
date
signature
date
Approval by General Manager

name
MIS Use Only
date received:
e-mail account
created by
initial password
effective date:
SIB Account/ Finance Use

received date
approved by
charge to
date approved
3. Acceptable Internet & E-Mail Use Policy
Introduction
Sapura Industrial Berhad Group of Companies provides staff with Internet access and e-mail communication services as required for the performance
and fulfill of job responsibilities. These services are for purpose of increasing productivity and not for non-business activities.
Use Policy
Occasional and reasonable personnel use of SIB Group Internet & e-mail services is permitted, provided that this does not interfere with work performance
These services may be used outside of scheduled hours of work, provided that such use is consistent with professional conduct.
Users should have no expectation of privacy while using company-owned or company-leased equipment. Information passing through or stored on
company equipment can and will be monitored.
Violations of internet and e-mail use include, but are not limited to, accessing, downloading, uploading, saving, receiving or sending material that
includes sexually explicit content or other material using vulgar, sexist, racist, threatening, violent or defamatory language. Users should not use
SIB Group services to disclose corporate information without prior authorization. Gambling and illegal activities are prohibited on company resources.
Infringements of this policy will investigated on a case by-case basis.
Your signature indicate that you have read SIB Group internet and e-mail use policy. By signing this document means that you agree to
abide by the regulations set in this policy.
DOC NUM :
PFC/SIB/MIS/EMS/01-02
DATE ESTABLISH :01/04/07
REV : 0.0
PAGES : 1 of 1
PROCESS FLOW CHART
E-MAIL SERVICES FLOW CHART

INPUT
PROCESS FLOW
RECEIVED APPLICATION
FORM
WHO
OUTPUT
DESCRIPTION
ASST. SYS.
APPLICATION
Completed
Form
- Approved by GM of company
E-Mail Request Form
STOP
E-Mail Request Form
VERIFY
HEAD OF MIS
NO
YES
E-Mail Request Form
EVALUATE REQUISITION
E-Mail Request Form
PREPARE FOR E-MAIL

INSTALLATION
- Evaluation base on company

e-mail allocation.
MIS TECHNICIAN
E-mail Account
Created
- creat E-mail account base

on desired e-mail id
ASST. SYS.
APPLICATION
REQUESTER RECEIVED
E-MAIL ACC.
TEST RUN
REQUESTER
NO
REQUESTER
OK
END
INFORM SIB
ACC. DEPT.
ASST. SYS.
APPLICATION
- copy form send to SIB Acct.for

charges.
DOC NUM : PFC/SIB/MIS/

DATE ESTABLISH : 01/04/07
REV : 0
PAGES : 1 of 1
PROCESS FLOW CHART
E-MAIL TERMINATION
INPUT
E-Mail Termination Form
PROCESS FLOW
RECEIVED APPLICATION
FORM HR
WHO
OUTPUT
DESCRIPTION
ASST. SYS.
APPLICATION
Completed
Form
STOP
VERIFY
HEAD OF MIS
NO
YES
EVALUATE REQUISITION
PREPARE FOR E-MAIL

TERMINATION
INFORM
ACC. DEPT.
ASST. SYS.
APPLICATION
MIS TECHNICIAN
ASST. SYS.
APPLICATION
E-MAIL ACC.
TERMINATION
END
- copy form send to SIB Acct.
E-mail Account - E-mail account terminated base

Terminated
on HR application.
MAANNUUAALL
CCOOM
MPPUUTTEERR UUSSAAGGEE PPRROOCCEEDDUURREE
DDDooocccuuum
m
DDDaaattteee :::
PPPaaagggeee :::
SSSIIIBBB///M
M
M
M///000000
MIIISSS///PPPM
222
000111
000000
111ssstttM
M
Maaayyy222000000777
111ooofff111
1.0 PURPOSE
1.1
To ensure new employee have access to Information Technology resources and services should
dedicated to legitimate group business and is governed by rules of conduct.
2.0. SCOPE
2.1
Every time are made to newly appointed staff.
3.0 DEFINATIONS
3.1
Nil
4.1
The Human Resource Department Managers of subsidiaries or its appointed nominee.
5.0 ATTACHMENTS
5.1
5.2
Information Technology User Declaration Agreement.

Process Flow Information Technology User Declaration Agreement.
6.0 PROCEDURES
6.1
The Human Resource Manager or its appointee and the immediate superior shall responsible for
filling the Information Technology User Declaration Agreement as part of Employee Orientation
Checklist has to submit to Human Resource Department within five (5) working days of
completion.
6.2
Human Resources Department Manager or its appointee shall be explaining the contents of
Information Technology User Declaration Agreement to the newly appointed staff.
6.3
The completed declaration agreement shall keep safely in his personal file.
SIB/MIS/PM/002
Page 1 of 1
SIB/MIS/CUP/02-01
SAPURA INDUSTRIAL GROUP OF COMPANIES

INFORMATION TECHNOLOGY USER DECLARATION AGREEMENT
Access to information technology resources and services has been granted to me, as a privilege, for
performing job duties and responsibilities for my Directorate. I have read and agree to abide by the policies
and procedures which govern my use of these services:
COMPUTER, E-MAIL AND INTERNET ACCEPTABLE Usage Statement USE POLICY
I will refrain from monopolizing systems, overloading networks with excessive data, or wasting computer
time, connect time, disk space, printer paper, or other information technology resources. I will report to SIB
management any observations of attempted security violations or illegal activities. I will report to SIB
management if I receive or obtain information to which I am not entitled.
By signing this agreement, I certify that I understand and accept responsibility for adhering to the policies,
procedures, and additional Sapura Industrial Berhad Group terms and conditions listed above. I also
acknowledge my understanding that any misuse on my part may result in disciplinary action including, but
not limited to, termination of my access privileges.
Employee Name (Print): __________________________

Signature:
_______________________
Date:
_______________
Head of Section/Subsidiary:
Name:
______________________________
Signature:
__________________________
Date:
__________________
DOC NUM :
PFC/SIB/MIS/ITDA/0
DATE ESTABLISH :01/05/07
REV : 0.0
PAGES : 1 of 1
PROCESS FLOW CHART
DECLARATION AGREEMENT FLOW CHART
INPUT
Declaration Agreement Form
E-Mail Request Form
PROCESS FLOW
RECEIVED IT DECLARATION
AGREEMENT FORM
APPROVAL
WHO
OUTPUT
HR DEPT.
Completed
Form
HEAD OF
SUBSIDIARIES /
DESCRIPTION
GENERAL
MANAGER
FILLING
END
HR DEPT.
- Document keep in the Employee

Personnel File

Information Technology Policy, Code of Practice & Procedure Manual

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Information Technology Policy, Code of Practice & Procedure Manual

Hochgeladen von

Copyright:

Verfügbare Formate

INFORMATION TECHNOLOGY

POLICY, CODE OF PRACTICE

INFORMATION TECHNOLOGY POLICY

INFORMATION TECHNOLOGY CODE OF PRACTICE

Physical Security of Information SIB/MIS/COP/001

INFORMATION TECHNOLOGY PROCEDURE MANUAL

1.2 POLICY OBJECTIVE

1.3 EXCEPTION OF POLICIES

The Company shall mean Sapura Industrial Berhad Groups of Companies.

Management shall mean Executive who have supervisory responsibilities and or

Supervisor shall mean immediate supervisor, Head of Department, Head of Section or

1.5 POLICY APPROVAL

It is the responsibility of each individual to ensure his understanding of and compliance

1.7 COMPLIANCE WITH LEGISLATION

The Company has an obligation to abide by Malaysian legislation. Of particular importance

1.8 RISK ASSESSMENT AND SECURITY REVIEW BY SUBSIDIARIES AND DEPARTMENT

Head of Subsidiaries and Supervisor should establish effective Contingency Plans

1.9 BREACHES OF SECURITY

1.10 POLICY AWARENESS AND DISCIPLINARY PROCEDURES

1.12 STATUS OF THE INFORMATION SYSTES SECURITY POLICIES

4.5 Computer Security

4.9.2 Use in a Local Area Network (LAN)

4.9.3. Use of Unauthorized Screen Savers

All screen-savers are memory resident (they are automatically activated

4.10 Pornographic Material

General Care of Computer Equipment

Electronic Mail refers to the electronic transfer of information, in

Sapura Industrial Berhad Group of Companies.

A virus is a piece of computer code that attacks itself the program

A method of scrambling data using a cryptographic algorithm

5.0 APPROPRIATE USE OF COMPANY E-MAIL RESOURCES

Commercial material unrelated to illegitimate business of the Company, including the

Bulk non-commercial-mail unrelated to the legitimate business activities of the Company

Unsolicited e-mail messages requesting other users, at the Company of elsewhere, to

Material that is sexist, racist, homophobic, xenophobic, pornographic, pedophilic or

Write well-structure e-mails and use short, descriptive subject.

Do not send unnecessary attachments. Compress attachments larger than 1MB

Do not write e-mails in capitals.

Only mark e-mails as important if they really are important.

9.0 WRITTEN AGREEMENT REQUIRED

CCOODDEE OOFF PPRRAACCTTIICCEE

PPHHYYSSIICCAALL SSEECCUURRIITTYY OOFF

Personal Identification Number

CCOODDEE OOFF PPRRAACCTTIICCEE

PPHHYYSSIICCAALL SSEECCUURRIITTYY OOFF

4.1.1.4 Valuable equipment or equipment storing valuable data should not be

CCOODDEE OOFF PPRRAACCTTIICCEE

PPHHYYSSIICCAALL SSEECCUURRIITTYY OOFF

CCOODDEE OOFF PPRRAACCTTIICCEE

SECURITY IN JOB DESCRIPTIONS

INFORMATION SECURITY EDUCATION AND TRAINING

CCOODDEE OOFF PPRRAACCTTIICCEE

Sapura Industrial Berhad Group of Companies

Electronic Mail refers to the electronic transfer of information, in

Management Information System

User and MIS Department

E-Mail Services Form

New E-mail Account fill-up by requester

Desired e-mail ID (e.g. name@sapuraindustrial.com.my) , nick name are strongly avoided.

SIB/ MIS / EMS/ 01-01

E-Mail Services Form

Delet Exsiting Account

Approval by General Manager