Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Next »

Version

1.0

Owner

Head of Engineering

Last Updated On

Last Updated by

Bruno Belizario

Approved by

Purpose

To ensure the correct and secure operation of information processing systems and facilities.

Scope

All ecoPortal information systems that are business critical and/or process, store, or transmit company data. This Policy applies to all employees of ecoPortal and other third-party entities with access to ecoPortal networks and system resources.

Operations Security

Documented Operating Procedures

Both technical and administrative operating procedures shall be documented as needed and made available to all users who need them.

Change Management

Changes to the organization, business processes, information processing facilities, production software and infrastructure, and systems that affect information security in the production environment and financial systems shall be tested, reviewed, and approved prior to production deployment. All significant changes to in-scope systems and networks must be documented.

Change management processes shall include:

  • Processes for planning and testing of changes, including remediation measures

  • Documented managerial approval and authorization before proceeding with changes that may have a significant impact on information security, operations, or the production platform

  • Advance communication/warning of changes, including schedules and a description of reasonably anticipated effects, provided to all relevant internal and external stakeholders

  • Documentation of all emergency changes and subsequent review

  • A process for remediating unsuccessful changes

Capacity Management

The use of processing resources and system storage shall be monitored and adjusted to ensure that system availability and performance meets ecoPortal requirements.

Human resource skills, availability, and capacity shall be reviewed and considered as a component of capacity planning and as part of the annual risk assessment process.

Scaling resources for additional processing or storage capacity, without changes to the system, can be done outside of the standard change management and code deployment process.

  • No labels