1. Bhadale group of companies
TODO:
1. Extract for Article of Inc.from SOP.
2. Company ERP requirements based on SOP
3. Partner selection based on Services products identified.
4. International legal, tax, Company compliance all go into SOP
5. Use earlier IT Innovator guides to get service alignments, markets etc
Corporate Standard operating procedures
Can be used to load all docs in MS Sharepoint server
Please note this doc has Policies and SOP mixed, please make separate docs as per SEI process
A Standard Operating Procedure (SOP) is a set of written instructions that document a routine or repetitive activity followed by an organization. The
development and use of SOPs are an integral part of a successful quality system as it provides individuals with the information to perform a job properly,
and facilitates consistency in the quality and integrity of a product or end-result. The term “SOP” may not always be appropriate and terms such as
protocols, instructions, worksheets, and laboratory operating procedures may also be used. For this document “SOP” will be used.
3.0 SOP GENERAL FORMAT
SOPs should be organized to ensure ease and efficiency in use and to be specific to the organization which develops it. There is no one “correct” format;
and internal formatting will vary with each organization and with the type of SOP being written. Where possible break the information into a series of
logical steps to avoid a long list. The level of detail provided in the SOP may differ based on, e.g., whether the process is critical, the frequency of that
procedure being followed, the number of people who will use the SOP, and where training is not routinely available. A generalized format is discussed next.
3.1 Title Page
The first page or cover page of each SOP should contain the following information: a title that clearly identifies the activity or procedure, an SOP
identification (ID) number, date of issue and/or revision, the name of the applicable agency, division, and/or branch to which this SOP applies, and the
signatures and signature dates of those individuals who prepared and approved the SOP. Electronic signatures are acceptable for SOPs maintained on a
computerized database.
3.2 Table of Contents
A Table of Contents may be needed for quick reference, especially if the SOP is long, for locating information and to denote changes or revisions made
only to certain sections of an SOP.
3.3 Text
2. Well-written SOPs should first briefly describe the purpose of the work or process, including any regulatory information or standards that are appropriate to
the SOP process, and the scope to indicate what is covered. Define any specialized or unusual terms either in a separate definition section or in the
appropriate discussion section. Denote what sequential procedures should be followed, divided into significant sections; e.g., possible interferences,
equipment needed, personnel qualifications, and safety considerations (preferably listed in bold to capture the attention of the user). Finally, describe next
all appropriate QA and quality control (QC) activities for that procedure, and list any cited or significant references.
As noted above, SOPs should be clearly worded so as to be readily understandable by a person knowledgeable with the general concept of the procedure,
and the procedures should be written in a format that clearly describes the steps in order. Use of diagrams and flow charts help to break up long sections of
text and to briefly summarize a series of steps for the reader.
Attach any appropriate information, e.g., an SOP may reference other SOPs. In such a case, the following should be included:
1. Cite the other SOP and attach a copy, or reference where it may be easily located.
2. If the referenced SOP is not to be followed exactly, the required modification should be specified in the SOP at the section where the other SOP is cited.
[From IT Policies and Procedures Manual.pdf]
Purpose: To provide a policy framework to the CMMI processes Level 3 to be adopted; these polices will
apply across all programs and services; hence these are corporate level entities. Also the proposed
Bhadale IT project dev common framework for all the programs that have various needs should use
these wherever possible. These should be generic and able to accommodate the program features and
technologies. Agile, PMO & other guidelines not to be very detailed as these are at Level 3 or at a mid
range maturity level firm not depending on external auditors. All required docs, diagrams etc to be done
in-house with less external support.
Information Technology Policy and Procedure Manual
Table of Contents
Information Technology Policy and Procedure Manual ..................................................................... 1
Introduction ........................................................................................................................................ 3
Technology Hardware Purchasing Policy ........................................................................................... 4
Purpose of the Policy ....................................................................................................................... 4
Procedures....................................................................................................................................... 4
Policy for Getting Software ................................................................................................................. 9
3. Purpose of the Policy ....................................................................................................................... 9
Procedures....................................................................................................................................... 9
Policy for Use of Software ................................................................................................................ 11
Purpose of the Policy ..................................................................................................................... 11
Procedures..................................................................................................................................... 11
Bring Your Own Device Policy ......................................................................................................... 14
Purpose of the Policy ..................................................................................................................... 14
Procedures..................................................................................................................................... 14
Information Technology Security Policy .......................................................................................... 18
Purpose of the Policy ..................................................................................................................... 18
Procedures..................................................................................................................................... 18
Information Technology Administration Policy ................................................................................ 21
Purpose of the Policy ..................................................................................................................... 21
Procedures..................................................................................................................................... 21
Website Policy .................................................................................................................................. 23
Purpose of the Policy ..................................................................................................................... 23
Procedures..................................................................................................................................... 23
Electronic Transactions Policy .......................................................................................................... 25
Purpose of the Policy ..................................................................................................................... 25
Procedures..................................................................................................................................... 25
IT Service Agreements Policy ........................................................................................................... 27
Purpose of the Policy ..................................................................................................................... 27
Procedures..................................................................................................................................... 27
Emergency Management of Information Technology ....................................................................... 29
Purpose of the Policy ..................................................................................................................... 29
Procedures..................................................................................................................................... 29
4. Introduction
The {Municipality Name} IT Policy and Procedure Manual provides the policies and procedures for selection and use of IT within the institution which
must be followed by all staff. It also provides guidelines {Municipality Name} will use to administer these policies, with the correct procedure to follow.
{Municipality Name} will keep all IT policies current and relevant. Therefore, from time to time it will be necessary to modify and amend some sections of
the policies and procedures, or to add new procedures.
Any suggestions, recommendations or feedback on the policies and procedures specified in this manual are welcome.
These policies and procedures apply to all employees.
Technology Hardware Purchasing Policy
Policy Number: {insert unique number}
Policy Date: {insert date of policy}
Guidance: This policy should be read and carried out by all staff. Edit this policy so it suits your needs.
Computer hardware refers to the physical parts of a computer and related devices. Internal hardware devices include motherboards, hard drives, and RAM.
External hardware devices include monitors, keyboards, mice, printers, and scanners.
Purpose of the Policy
This policy provides guidelines for the purchase of hardware for the institution to ensure that all hardware technology for the institution is appropriate,
value for money and where applicable integrates with other technology for the institution. The objective of this policy is to ensure that there is minimum
diversity of hardware within the institution.
Procedures
Purchase of Hardware
Guidance: The purchase of all desktops, servers, portable computers, computer peripherals and mobile devices must adhere to this policy. Edit this
statement to cover the relevant technology needed.
Purchasing desktop computer systems
The desktop computer systems purchased must run a {insert relevant operating system here e.g. Windows} and integrate with existing hardware { insert
names of existing technology such as the institution server}.
The desktop computer systems must be purchased as standard desktop system bundle and must be {insert manufacturer type here, such as HP, Dell, Acer
etc.}.
The desktop computer system bundle must include:
Desktop tower
Desktop screen of {insert screen size here}
Keyboard and mouse You may like to consider stating if these are to be wireless
{insert name of operating system, e.g. Windows 7, and software e.g. Office 2013 here}
5. {insert other items here, such as speakers, microphone, webcam, printers etc.}
The minimum capacity of the desktop must be:
{insertspeed of computer size (GHz -gigahertz)here}
{insert memory (RAM) size here}
{insert number of USB ports here}
{insert other specifications for desktop here, such as DVD drive, microphone port, etc.}
Any change from the above requirements must be authorised by {insert relevant job title here}
All purchases of desktops must be supported by{insert guarantee and/or warranty requirements here} and be compatible with the institution‟s server system.
All purchases for desktops must be in line with the purchasing policy in the Financial policies and procedures manual.
Purchasing portable computer systems
The purchase of portable computer systems includes {insert names of portable devices here, such as notebooks, laptops, tablets etc.}
Portable computer systems purchased must run a {insert relevant operating system here e.g. Windows} and integrate with existing hardware { insert names
of existing technology such as the institution server}.
The portable computer systems purchased must be {insert manufacturer type here, such as HP, Dell, Acer, etc.}.
The minimum capacity of the portable computer system must be:
{insert speed of computer size (GHz-gigahertz)here}
{insert memory (RAM) size here}
{insert number of USB ports here}
{insert other specifications for portable device here, such as DVD drive, microphone port, webcam, speakers, etc.}
The portable computer system must include the following software provided:
{insert names of software e.g. Office 2013, Adobe, Reader,Internet Explorer here}
{insert names of software e.g. Office 2013, Adobe, Reader, Internet Explorer here}
6. {insert names of software e.g. Office 2013, Adobe, Reader, Internet Explorer here}
Any change from the above requirements must be authorised by {insert relevant job title here}
All purchases of all portable computer systems must be supported by{insert guarantee and/or warranty requirements here} and be compatible with the
institution‟s server system.
All purchases for portable computer systems must be in line with the purchasing policy in the Financial policies and procedures manual.
Purchasing server systems
Server systems can only be purchased by {insert relevant job title here, recommended IT specialist}.
Server systems purchased must be compatible with all other computer hardware in the institution.
All purchases of server systems must be supported by {insert guarantee and/or warranty requirements here} and be compatible with the institution‟s other
server systems.
Any change from the above requirements must be authorised by {insert relevant job title here}
All purchases for server systems must be in line with the purchasing policy in the Financial policies and procedures manual.
Purchasing computer peripherals
Computer system peripherals include {insert names of add-on devices such as printers, scanners, external hard drives etc. here}
Computer peripherals can only be purchased where they are not included in any hardware purchase or are considered to be an additional requirement to
existing peripherals.
Computer peripherals purchased must be compatible with all other computer hardware and software in the institution.
The purchase of computer peripherals can only be authorised by {insert relevant job title here, recommended IT specialist or department manager}.
All purchases of computer peripherals must be supported by{insert guarantee and/or warranty requirements here} and be compatible with the institution‟s
other hardware and software systems.
Any change from the above requirements must be authorised by {insert relevant job title here}
All purchases for computer peripherals must be in line with the purchasing policy in the Financial policies and procedures manual.
Purchasing mobile telephones
A mobile phone will only be purchased once the eligibility criteria is met. Refer to the Mobile Phone Usage policy in this document.
The purchase of a mobile phone must be from {insert names authorised suppliers here, such as Telstra etc.} to ensure the institution takes advantage of
volume pricing based discounts provided by {insert names authorised suppliers here, such as Telstra etc.}. Such discounts should include the purchase of
the phone, the phone call and internet charges etc.
The mobile phone must be compatible with the institution‟s current hardware and software systems.
The mobile phone purchased must be {insert manufacturer type here, such as IPhone, Blackberry, Samsung, etc.}.
The request for accessories (a hands-free kit etc.) must be included as part of the initial request for a phone.
The purchase of a mobile phone must be approved by {insert relevant job title here} prior to purchase.
Any change from the above requirements must be authorised by {insert relevant job title here}
All purchases of all mobile phones must be supported by{insert guarantee and/or warranty requirements here}.
All purchases for mobile phones must be in line with the purchasing policy in the Financial policies and procedures manual.
Additional Policies for Purchasing Hardware
7. Guidance: add, link or remove the policies listed below as required.
Purchasing Policy
Mobile phone policy
Policy for Getting Software
Policy Number: {insert unique number}
Policy Date: {insert date of policy}
Guidance: This policy should be read and carried out by all staff. Edit this policy so it suits your needs.
Purpose of the Policy
This policy provides guidelines for the purchase of software for the institution to ensure that all software used by the institution is appropriate, value for
money and where applicable integrates with other technology for the institution. This policy applies to software obtained as part of hardware bundle or pre-
loaded software.
Procedures
Request for Software
All software, including {insert relevant other types of non-commercial software such as open source, freeware, etc. here} must be approved by {insert
relevant job title here} prior to the use or download of such software.
Purchase of software
The purchase of all software must adhere to this policy.
All purchased software must be purchased by {insert relevant job title here}
All purchased software must be purchased from {insert relevant suppliers names or the words „reputable software sellers‟ here}
All purchases of software must be supported by{insert guarantee and/or warranty requirements here} and be compatible with the institution‟s server and/or
hardware system.
Any changes from the above requirements must be authorised by {insert relevant job title here}
All purchases for software must be in line with the purchasing policy in the Financial policies and procedures manual.
Obtaining open source or freeware software
Open source or freeware software can be obtained without payment and usually downloaded directly from the internet.
In the event that open source or freeware software is required, approval from {insert relevant job title here} must be obtained prior to the download or use
of such software.
All open source or freeware must be compatible with the institution‟s hardware and software systems.
Any change from the above requirements must be authorised by {insert relevant job title here}
Additional Policies for Obtaining Software
Guidance: add, link or remove the policies listed below as required.
Purchasing Policy
Use of Software policy
8. Policy for Use of Software
Policy Number: {insert unique number}
Policy Date: {insert date of policy}
Guidance: This policy should be read and carried out by all staff. Edit this policy so it suits your needs.
Purpose of the Policy
This policy provides guidelines for the use of software for all employees within the institution to ensure that all software use is appropriate. Under this
policy, the use of all open source and freeware software will be conducted under the same procedures outlined for commercial software.
Procedures
Software Licensing
All computer software copyrights and terms of all software licences will be followed by all employees of the institution.
Where licensing states limited usage (i.e. number of computers or users etc.), then it is the responsibility of {insert relevant job title here} to ensure these
terms are followed.
{insert relevant job title here} is responsible for completing a software audit of all hardware twice a year to ensure that software copyrights and licence
agreements are adhered to.
Software Installation
All software must be appropriately registered with the supplier where this is a requirement.
{Municipality Name} is to be the registered owner of all software.
Only software obtained in accordance with the getting software policy is to be installed on the institution‟s computers.
All software installation is to be carried out by {insert relevant job title here}
A software upgrade shall not be installed on a computer that does not already have a copy of the original version of the software loaded on it.
Software Usage
Only software purchased in accordance with the getting software policy is to be used within the institution.
Prior to the use of any software, the employee must receive instructions on any licensing agreements relating to the software, including any restrictions on
use of the software.
All employees must receive training for all new software. This includes new employees to be trained to use existing software appropriately. This will be the
responsibility of {insert relevant job title here}
Employees are prohibited from bringing software from home and loading it onto the institution‟s computer hardware.
Unless express approval from {insert relevant job title here} is obtained, software cannot be taken home and loaded on a employees‟ home computer
Where an employee is required to use software at home, an evaluation of providing the employee with a portable computer should be undertaken in the first
instance. Where it is found that software can be used on the employee‟s home computer, authorisation from {insert relevant job title here} is required to
purchase separate software if licensing or copyright restrictions apply. Where software is purchased in this circumstance, it remains the property of the
institution and must be recorded on the software register by {insert relevant job title here}
Unauthorised software is prohibited from being used in the institution. This includes the use of software owned by an employee and used within the
institution.
9. The unauthorised duplicating, acquiring or use of software copies is prohibited. Any employee who makes, acquires, or uses unauthorised copies of
software will be referred to {insert relevant job title here} for {insert consequence here, such as further consultation, reprimand action etc.}. The illegal
duplication of software or other copyrighted works is not condoned within this institution and {insert relevant job title here} is authorised to undertake
disciplinary action where such event occurs.
Breach of Policy
Where there is a breach of this policy by an employee, that employee will be referred to {insert relevant job title here} for {insert consequence here, such as
further consultation, reprimand action etc.}
Where an employee is aware of a breach of the use of software in accordance with this policy, they are obliged to notify {insert relevant job title here}
immediately. In the event that the breach is not reported and it is determined that an employee failed to report the breach, then that employee will be
referred to {insert relevant job title here} for {insert consequence here, such as further consultation, reprimand action etc.}
Additional Policies for Use of Software
Guidance: add, link or remove the policies listed below as required.
Technology Hardware Policy
Obtaining Software policy
Bring Your Own Device Policy
Policy Number: {insert unique number}
Policy Date: {insert date of policy}
Guidance: Edit this policy so it suits your needs.
At {Municipality Name} we acknowledge the importance of mobile technologies in improving institution communication and productivity. In addition to
the increased use of mobile devices, staff members have requested the option of connecting their own mobile devices to {Municipality Name}'s network
and equipment. We encourage you to read this document in full and to act upon the recommendations. This policy should be read and carried out by all
staff.
Purpose of the Policy
This policy provides guidelines for the use of personally owned notebooks, smart phones, tablets and {insert other types of mobile devices} for institution
purposes. All staff who use or access {Municipality Name}'s technology equipment and/or services are bound by the conditions of this Policy.
Procedures
Current mobile devices approved for institution use
The following personally owned mobile devices are approved to be used for institution purposes:
{insert type of approved mobile devices such as notebooks, smart phones, tablets, iPhone, removable media etc.}
{insert type of approved mobile devices such as notebooks, smart phones, tablets, iPhone, removable media etc.}
10. {insert type of approved mobile devices such as smart phones, tablets, iPhone etc.}
{insert type of approved mobile devices such as notebooks, smart phones, tablets, iPhone, removable media etc.}.
Registration of personal mobile devices for institution use
Guidance: You will need to consider if the institution is to have any control over the applications that are used for institution purposes and/or used on the
personal devices.
Employees when using personal devices for institution use will register the device with {insert relevant job title or department here}.
{insert relevant job title or department here} will record the device and all applications used by the device.
Personal mobile devices can only be used for the following institution purposes:
{insert each type of approved use such as email access, institution internet access, institution telephone calls etc.}
{insert each type of approved use such as email access, institution internet access, institution telephone calls etc.}
{insert each type of approved use such as email access, institution internet access, institution telephone calls etc.}.
Each employee who utilises personal mobile devices agrees:
Notto download or transfer institution or personal sensitive information to the device. Sensitive information includes {insert types of institution or
personal information that you consider sensitive to the institution, for example intellectual property, other employee details etc.}
Not to use the registered mobile device as the sole repository for {Municipality Name}'s information. All institution information stored on mobile
devices should be backed up
To make every reasonable effort to ensure that {Municipality Name}'s information is not compromised through the use of mobile equipment in a public
place. Screens displaying sensitive or critical information should not be seen by unauthorised persons and all registered devices should be password
protected
To maintain the device with {insert maintenance requirements of mobile devices such as current operating software, currentsecurity software etc.}
Not to share the device with other individuals to protect the institution data access through the device
11. To abide by {Municipality Name}'s internet policy for appropriate use and access of internet sites etc.
To notify {Municipality Name} immediately in the event of loss or theft of the registered device
Not to connect USB memory sticks from anuntrusted or unknown source to {Municipality Name}'s equipment.
All employees who have a registered personal mobile device for institution use acknowledge that the institution:
Owns all intellectual property created on the device
Can access all data held on the device, including personal data
Will regularly back-up data held on the device
Will delete all data held on the device in the event of loss or theft of the device
Has first right to buy the device where the employee wants to sell thedevice
Will delete all data held on the device upon termination of the employee. The terminated employee can request personal databe reinstated from back up
data
Has the right to deregister the device for institution use at any time.
Keeping mobile devices secure
The following must be observed when handling mobile computing devices (such as notebooks and iPads):
Mobile computer devices must never be left unattended in a public place, or in an unlocked house, or in a motor vehicle, even if it is locked. Wherever
possible they should be kept on the person or securely locked away
Cable locking devices should also be considered for use with laptop computers in public places, e.g. in a seminar or conference, even when the laptop is
attended
Mobile devices should be carried as hand luggage when travelling by aircraft.
Exemptions
This policy is mandatory unless {insert relevant job title or department here} grants an exemption. Any requests for exemptions from any of these
directives, should be referred to the {insert relevant job title or department here}.
Breach of this policy
12. Any breach of this policy will be referred to {insert relevant job title} who will review the breach and determine adequate consequences, which can include
{ insert consequences here such as confiscation of the device and or termination of employment.}
Indemnity
{Municipality Name} bears no responsibility whatsoever for any legal action threatened or started due to conduct and activities of staff in accessing or
using these resources or facilities. All staff indemnify {Municipality Name} against any and all damages, costs and expenses suffered by {Municipality
Name} arising out of any unlawful or improper conduct and activity, and in respect of any action, settlement or compromise, or any statutory infringement.
Legal prosecution following a breach of these conditions may result independently from any action by {Municipality Name}.
Additional Policies for Institution Mobile Phone Use
Guidance: add, link or remove the policies listed below as required.
Technology Hardware Purchasing Policy
Use of Software policy
Purchasing Policy
Information Technology Security Policy
Policy Number: {insert unique number}
Policy Date: {insert date of policy}
Guidance: This policy should be read and carried out by all staff. Edit this policy so it suits your needs.
Purpose of the Policy
This policy provides guidelines for the protection and use of information technology assets and resources within the institution to ensure integrity,
confidentiality and availability of data and assets.
Procedures
Physical Security
For all servers, mainframes and other network assets, the area must be secured with adequate ventilation and appropriate access through {insert relevant
security measure here, such as keypad, lock etc.}
It will be the responsibility of {insert relevant job title here} to ensure that this requirement is followed at all times. Any employee becoming aware of a
breach to this security requirement is obliged to notify {insert relevant job title here} immediately.
All security and safety of all portable technology, {insert relevant types here, such as laptop, notepads, iPad etc.} will be the responsibility of the employee
who has been issued with the {insert relevant types here, such as laptop, notepads, iPads, mobile phones etc.}. Each employee is required to use {insert
relevant types here, such as locks, passwords, etc.} and to ensure the asset is kept safely at all times to protect the security of the asset issued to them.
In the event of loss or damage, {insert relevant job title here} will assess the security measures undertaken to determine if the employee will be required
to reimburse the institution for the loss or damage.
All {insert relevant types here, such as laptop, notepads, iPads etc.} when kept at the office desk is to be secured by {insert relevant security measure here,
such as keypad, lock etc.} provided by {insert relevant job title here}
Information Security
13. All {insert relevant data to be backed up here – either general such as sensitive, valuable, or critical institution data or provide a checklist of all data to be
backed up } is to be backed-up.
It is the responsibility of {insert relevant job title here} to ensure that data back-ups are conducted {insert frequency of back-ups here} and the backed up
data is kept {insert where back up data is to be kept e.g. cloud, offsite venue, employees home etc. here}
All technology that has internet access must have anti-virus software installed. It is the responsibility of {insert relevant job title here} to install all anti-
virus software and ensure that this software remains up to date on all technology used by the institution.
All information used within the institution is to adhere to the privacy laws and the institution‟s confidentiality requirements. Any employee breaching this
will be {insert relevant consequence here}
Technology Access
Every employee will be issued with a unique identification code to access the institution technology and will be required to set a password for access every
{insert frequency here}
Each password is to be {insert rules relating to password creation here, such as number of alpha and numeric etc.} and is not to be shared with any
employee within the institution.
{insert relevant job title here} is responsible for the issuing of the identification code and initial password for all employees.
Where an employee forgets the password or is „locked out‟ after {insert a number here e.g. three attempts}, then {insert relevant job title here} is authorised
to reissue a new initial password that will be required to be changed when the employee logs in using the new initial password.
The following table provides the authorisation of access:
Technology – Hardware/ Software Persons authorised for access
{insert name or type of technology
here}
{insert authorised persons or job
titles here}
{insert name or type of technology
here}
{insert authorised persons or job
titles here}
{insert name or type of technology
here}
{insert authorised persons or job
titles here}
{insert name or type of technology
here}
{insert authorised persons or job
titles here}
Employees are only authorised to use institution computers for personal use {insert when this is allowable and what they can personally use it for here, such
as internet usage etc.}
For internet and social media usage, refer to the Human Resources Manual.
It is the responsibility of {insert relevant job title here} to keep all procedures for this policy up to date.
Additional Policies for Information Technology Security
Guidance: add, link or remove the policies listed below as required.
Emergency Management of Information Technology Policy
Information Technology Administration Policy
14. Information Technology Administration Policy
Policy Number: {insert unique number}
Policy Date: {insert date of policy}
Guidance: This policy should be read and carried out by all staff. Edit this policy so it suits your needs.
Purpose of the Policy
This policy provides guidelines for the administration of information technology assets and resources within the institution.
Procedures
All software installed and the licence information must be registered on the {insert where these records are to be kept}. It is the responsibility of {insert
relevant job title here} to ensure that this registered is maintained. The register must record the following information:
Whatsoftware is installed on every machine
What licence agreements are in place for each software package
Renewal dates if applicable.
{insert relevant job title here} is responsible for the maintenance and management of all service agreements for the institution technology. Any service
requirements must first be approved by {insert relevant job title here}.
{insert relevant job title here} is responsible for maintaining adequate technology spare parts and other requirements including {insert specific technology
requirements here, such as toners, printing paper etc.}
A technology audit is to be conducted {insert frequency here e.g. annually} by {insert relevant job title here} to ensure that all information technology
policies are being adhered to.
Any unspecified technology administration requirements should be directed to {insert relevant job title here}
Additional Policies for Information Technology Administration
Guidance: add, link or remove the policies listed below as required.
IT Service Agreements Policy
Purchasing Policy
Website Policy
Policy Number: {insert unique number}
Policy Date: {insert date of policy}
Guidance: This policy should be read and carried out by all staff. Edit this policy so it suits your needs.
Purpose of the Policy
15. This policy provides guidelines for the maintenance of all relevant technology issues related to the institution website.
Procedures
Website Register
The website register must record the following details:
• List of domain names registered to the institution
• Dates of renewal for domain names
• List of hosting service providers
• Expiry dates of hosting
{insert any other records to be kept in relation to your institution website here}.
The keeping the register up to date will be the responsibility of {insert relevant job title here}.
{insert relevant job title here} will be responsible for any renewal of items listed in the register.
Website Content
All content on the institution website is to be accurate, appropriate and current. This will be the responsibility of {insert relevant job title here}
All content on the website must follow {insert relevant institution requirements here where applicable, such as a institution or content plan etc.}
The content of the website is to be reviewed {insert frequency here}
The following persons are authorised to make changes to the institution website:
{insert relevant job title here}
{insert relevant job title here}
{insert relevant job title here}
Basic branding guidelines must be followed on websites to ensure a consistent and cohesive image for the institution.
All data collected from the website is to adhere to the Privacy Act
Additional Policies for Website Policy
Guidance: add, link or remove the policies listed below as required.
Information Technology Security Policy
Emergency Management of Information Technology policy
Electronic Transactions Policy
Policy Number: {insert unique number}
Policy Date: {insert date of policy}
Guidance: This policy should be read and carried out by all staff. Edit this policy so it suits your needs.
Purpose of the Policy
16. This policy provides guidelines for all electronic transactions undertaken on behalf of the institution.
The objective of this policy is to ensure that use of electronic funds transfers and receipts are started, carried out, and approved in a secure manner.
Procedures
Electronic Funds Transfer (EFT)
It is the policy of {Municipality Name} that all payments and receipts should be made by EFT where appropriate.
All EFT payments and receipts must adhere to all finance policies in the Financial policies and procedures manual.
All EFT arrangements, including receipts and payments must be submitted to {insert relevant department of the institution here, e.g. finance department}.
EFT payments must have the appropriate authorisation for payment in line with the financial transactions policy in the Financial policies and procedures
manual.
EFT payments must be appropriately recorded in line with finance policy in the Financial policies and procedures manual.
EFT payments once authorised, will be entered into the {insert title of payment system here e.g. NAB online system} by {insert relevant job title here}
EFT payments can only be released for payment once pending payments have been authorised by {insert relevant job title here}
For good control over EFT payments, ensure that the persons authorising the payments and making the payment are not the same person.
All EFT receipts must be reconciled to customer records {insert frequency here e.g. once a week etc.}
Where EFT receipt cannot be allocated to customer account, it is responsibility of {insert relevant job title here} to investigate. In the event that the
customer account cannot be identified within {insert length of time here, such as one month} the receipted funds must be {insert action here such as
allocated to suspense account or returned to source etc.}. {insert relevant job title here} must authorise this transaction.
It is the responsibility of {insert relevant job title here} to annually review EFT authorisations for initial entry, alterations, or deletion of EFT records,
including supplier payment records and customer receipt records.
Electronic Purchases
All electronic purchases by any authorised employee must adhere to the purchasing policy in the Financial policies and procedures manual.
Where an electronic purchase is being considered, the person authorising this transaction must ensure that the internet sales site is secure and safe and be
able to demonstrate that this has been reviewed.
All electronic purchases must be undertaken using institution credit cards only and therefore adhere to the institution credit card policy in the Financial
policies and procedures manual.
Additional Policies for Electronic Transactions Policy
Guidance: add, link or remove the policies listed below as required.
Information Technology Security Policy
Finance Policies
IT Service Agreements Policy
Policy Number: {insert unique number}
Policy Date: {insert date of policy}
Guidance: This policy should be read and carried out by all staff. Edit this policy so it suits your needs.
Purpose of the Policy
This policy provides guidelines for all IT service agreements entered into on behalf of the institution.
17. Procedures
The following IT service agreements can be entered into on behalf of the institution:
Guidance: Insert the acceptable IT services for your institution – the following dot points will assist.
Provision of general IT services
Provision of network hardware and software
Repairs and maintenance of IT equipment
Provision of institution software
Provision of mobile phones and relevant plans
Website design, maintenance etc.
{insert type of IT service here}.
All IT service agreements must be reviewed by {insert who should review, recommended lawyer or solicitor} before the agreement is entered into. Once
the agreement has been reviewed and recommendation for execution received, then the agreement must be approved by {insert relevant job title here}
All IT service agreements, obligations and renewals must be recorded {insert where the agreements are to be recorded here}
Where an IT service agreement renewal is required, in the event that the agreement is substantially unchanged from the previous agreement, then this
agreement renewal can be authorised by {insert relevant job title here}.
Where an IT service agreement renewal is required, in the event that the agreement has substantially changed from the previous agreement, {insert who
should review, recommended lawyer or solicitor} before the renewal is entered into. Once the agreement has been reviewed and recommendation for
execution received, then the agreement must be approved by {insert relevant job title here}
In the event that there is a dispute to the provision of IT services covered by an IT service agreement, it must be referred to {insert relevant job title here}
who will be responsible for the settlement of such dispute.
Additional Policies for IT Services Policy
Guidance: add, link or remove the policies listed below as required.
Technology Hardware Purchasing Policy
Emergency Management of Information Technology
Policy Number: {insert unique number}
18. Policy Date: {insert date of policy}
Guidance: This policy should be read and carried out by all staff. Edit this policy so it suits your needs.
Purpose of the Policy
This policy provides guidelines for emergency management of all information technology within the institution.
Procedures
IT Hardware Failure
Where there is failure of any of the institution‟s hardware, this must be referred to {insert relevant job title here} immediately.
It is the responsibility of {insert relevant job title here} to {insert relevant actions that should be undertaken here} in the event of IT hardware failure.
It is the responsibility of {insert relevant job title here} to undertake tests on planned emergency procedures {insert frequency here, recommended
quarterly} to ensure that all planned emergency procedures are appropriate and minimise disruption to institution operations.
Point of Sale Disruptions
In the event that point of sale (POS) system is disrupted, the following actions must be immediately undertaken:
Guidance: Insert the actions required for your institution – the following dot points will assist.
POS provider to be notified
{insert relevant job title here} must be notified immediately
All POS transactions to be taken using the manual machine located below the counter
For all manual POS transactions, customer signatures must be verified
{insert other relevant emergency actions here}
{insert other relevant emergency actions here}.
Virus or other security breach
In the event that the institution‟s information technology is compromised by software virus or {insert other relevant possible security breaches here} such
breaches are to be reported to {insert relevant job title here} immediately.
{insert relevant job title here} is responsible for ensuring that any security breach is dealt with within {insert relevant timeframe here} to minimise
disruption to institution operations.
Website Disruption
In the event that institution website is disrupted, the following actions must be immediately undertaken:
Guidance: Insert the actions required for your institution – the following dot points will assist.
Website host to be notified
19. {insert relevant job title here} must be notified immediately
{insert other relevant emergency actions here}
{insert other relevant emergency actions here}.
/// Source: SEI-CMM process-pro. pdf
20. c
Common Components - 1
Process and Procedure components
• Identifier
• Name
• Purpose
• Owner
• Entry & Exit Conditions
21. • Input & Output required
• Roles & Activities (steps)
• Methods & Tools
• Measurement(s)
• Review(s)
• Training & References
Common Components - 2
Identifier
• Unique identifier; shows where the process fits within a hierarchy of
processes (e.g. SQA 1.2.1)
• Procedures may not necessarily have an identifier
• Not the same as the Configuration Identifier
Name
• The name of the process or procedure being performed
• Starts with a verb (e.g. Perform Document Peer Review)
Purpose
• Describes what is accomplished & when it is to be accomplished
Common Components - 3
Owner
• Describes what organization or work center “owns” and is responsible
for the process and its description
Entry & Exit Conditions
• Not the same as Input & Output – conditions are a “state”
• Conditions that must be met before starting or exiting
• Entry conditions can also be thought of as “trigger events”
Input & Output
• Items needed to perform the process/procedure (input)
• Items that are created (artifacts) as part of the process/procedure
(output)
• Input can be modified and become an output
Common Components - 4
Roles & Activities (steps)
• Activities define what steps are being performed
22. • Roles define who is performing the step
• Procedures are usually defined for a single role
• Process activities are defined at a high-level and decomposed into
lower levels (e.g. each step may be a sub-process)
Methods & Tools
• Lists what tools (e.g. MS Word, Test Director, etc.) is used
Common Components - 5
Measurement(s)
• What measurement(s) are performed as part of this process or
procedure (e.g. number of defects found, review time, etc.)
Review(s)
• Lists what reviews are accomplished as part of the process or
procedure (e.g. Branch Chief Review, QA Rep Review, etc.)
Common Components - 6
Training
• What training is needed in order to perform the process or procedure
References
• Lists reference material (e.g. checklists, AFIs, user manuals, etc.)
Necessary
Documentation Methods - 1
Different methods can be used
• Graphical
— Flowcharts
— Cross-functional diagrams
— Integrated Definition for Functional Modeling (IDEF) diagrams
• Narrative description
— Entry-Task-Verification/Validation-eXit (ETVX)
Documentation Methods – 2
• Flowcharts show activities,
decisions, etc
• Standard symbols used
23. Documentation Methods – 3
• Cross-Functional Diagram (a.k.a “swim lane” diagram)
• Shows roles and functions performed
• Uses standard symbols
Documentation Methods – 4
• IDEF Diagrams
• International standard
• Standard symbols used
• Shows input (material,
requirements, equipment,
etc.), Control
mechanisms, Agents
(humans, machines, &
software), and output
(products, services, etc.)
• Decomposed into lowerlevel
Activities
Documentation Methods – 5
• ETVX originated by IBM in 1980’s
• Indicates the entry criteria (state), the tasks to be performed, the validation/verification criteria, and exit conditions (state)
/// Source : Key Practices of the Capability Maturity Model
30. CMMI
Level
PA Key Process Area Comment
2 Level 2 - Managed At maturity level 2, the projects of the organization have ensured that requirements are managed and
that processes are planned, performed, measured, and controlled. The process discipline reflected by
maturity level 2 helps to ensure that existing practices are retained during times of stress. When these
practices are in place, projects are performed and managed according to their documented plans.
2 REQM Requirements
Management
The purpose of Requirements Management is to manage the requirements of the project's products and
product components and to identify inconsistencies between those requirements and the project's plans
and work products.
2 PP Project Planning The purpose of Project Planning is to establish and maintain plans that define project activities.
2 PMC Project Monitoring
and Control
The purpose of Project Monitoring and Control is to provide an understanding of the project's progress
so that appropriate corrective actions can be taken when the project's performance deviates significantly
from the plan.
2 SAM Supplier
Agreement
Management
The purpose of Supplier Agreement Management is to manage the acquisition of products from
suppliers for which there exists a formal agreement.
2 MA Measurement and
Analysis
The purpose of Measurement and Analysis is to develop and sustain a measurement capability that is
used to support management information needs.
2 PPQA Process and
Product Quality
Assurance
The purpose of Process and Product Quality Assurance is to provide staff and management with
objective insight into processes and associated work products.
2 CM Configuration
Management
The purpose of Configuration Management is to establish and maintain the integrity of work products
using configuration identification, configuration control, configuration status accounting, and
configuration audits.
31. CMMI
Level
PA Key Process Area Comment
3 Level 3 - Defined At maturity level 3, processes are well characterized and understood, and are described in standards,
procedures, tools, and methods. The organization's set of standard processes, is established and
improved over time. These standard processes are used to establish consistency across the organization.
Projects establish their defined processes by tailoring the organization's set of standard processes
according to tailoring guidelines.
3 RD Requirements
Development
The purpose of Requirements Development (RD) is to elicit, analyze, and establish customer, product,
and product component requirements.
3 TS Technical Solution The purpose of Technical Solution is to design, develop, and implement solutions to requirements.
Solutions, designs, and implementations encompass products, product components, and product-related
life-cycle processes either singly or in combinations as appropriate.
3 PI Product Integration The purpose of Product Integration is to assemble the product from the product components, ensure that
the product, as integrated, functions properly, and deliver the product.
3 VER Verification The purpose of Verification is to ensure that selected work products meet their specified requirements.
3 VAL Validation The purpose of Validation is to demonstrate that a product or product component fulfils its intended use
when placed in its intended environment.
3 RSKM Risk Management The purpose of Risk Management is to identify potential problems before they occur, so that risk-handling
activities may be planned and invoked as needed across the life of the product or project to mitigate
adverse impacts on achieving objectives.
3 DAR Decision Analysis
and Resolution
The purpose of Decision Analysis and Resolution is to analyze possible decisions using a formal evaluation
process that evaluates identified alternatives against established criteria. The Decision Analysis and
Resolution process area supports all the process areas by providing a formal evaluation process that
ensures that alternatives are compared and the best one is selected to accomplish the goals of the process
areas.
32. CMMI
Level
PA Key Process Area Comment
3 IPM Integrated Project
Management
The purpose of Integrated Project Management is to establish and manage the project and the involvement
of the relevant stakeholders according to an integrated and defined process that is tailored from the
organization's set of standard processes.
3 OPF Organizational
Process Focus
The purpose of Organizational Process Focus is to plan and implement organizational process
improvement based on a thorough understanding of the current strengths and weaknesses of the
organization's processes and process assets.
3 OPD Organizational
Process Definition
The purpose of Organizational Process Definition is to establish and maintain a usable set of
organizational process assets.
3 OT Organizational
Training
The purpose of Organizational Training is to develop the skills and knowledge of people so they can
perform their roles effectively and efficiently.
// https://en.wikipedia.org/wiki/Process_area_(CMMI)
Maturity Levels: CMMI for Development
There are Five maturity levels. However, maturity level ratings are awarded for levels 2 through 5. The process areas below and their maturity levels
are listed for the CMMI for Development model:
Maturity Level 2 - Managed
CM - Configuration Management
MA - Measurement and Analysis
PMC - Project Monitoring and Control
PP - Project Planning
PPQA - Process and Product Quality Assurance
REQM - Requirements Management
SAM - Supplier Agreement Management
Maturity Level 3 - Defined
33. DAR - Decision Analysis and Resolution
IPM - Integrated Project Management
OPD - Organizational Process Definition
OPF - Organizational Process Focus
OT - Organizational Training
PI - Product Integration
RD - Requirements Development
RSKM - Risk Management
TS - Technical Solution
VAL - Validation
VER - Verification
/// Sample SOP template
Xxxxxx Department
Xxxxxx Division/Function
SOP #
Revision #
Implementation Date
Page # 33 of xx Last Reviewed/Update Date
SOP Owner Approval
Standard Operating Procedure
1. Purpose
Describe the process for <official name of SOP>.
Describe relevant background information.
2. Scope
Identify the intended audience and /or activities where the SOP may be relevant.
3. Prerequisites
34. Outline information required before proceeding with the listed procedure; for example, worksheets, documents, IFAS reports, etc.
4. Responsibilities
Identify the personnel that have a primary role in the SOP and describe how their responsibilities relate to this SOP. If necessary, include
contact information.
5. Procedure
Provide the steps required to perform this procedure (who, what, when, where, why, how). Include a process flowchart.
6. References
List resources that may be useful when performing the procedure; for example, Admin policies, Municipal Code, government standards and
other SOPs.
7. Definitions
Identify and define frequently used terms or acronyms. Provide additional and/or relevant information needed to understand this SOP.
//c
A common layout of a SOP contains the following sections:
Purpose
References
Materials
Procedure
Forms and Documentation