bimo_t_moignage_idc_2012_10_23.pdf
TRANSCRIPT
IDC IT Security Roadshow 2012
Managing IT & Business Processes Securely
@BIMO
BIMO at a glance
Founded: 1981
Founders: the Meskini and Ebbo families
Legal form: Société anonyme (public limited company)
Slogan: "Exigez la qualité Bimo car seul Bimo sait faire des Bimo" (Insist on Bimo quality, because only Bimo knows how to make Bimo)
Head office: Casablanca (Morocco)
Management: Saïd MOUDAFÎ (Chairman and CEO)
Shareholders: Kraft Foods (100 %)
Business: Biscuit manufacturing
Products: Tagger, Merendina, Tango, Tonik, Golden, Okey, Prince...
Parent company: Kraft Foods
Headcount: 1600
Website: www.bimo.ma
Revenue: MAD 840 million (2011)
History
• Founded in 1981 by Driss Meskini and René Ebbo, Bimo quickly established itself as the leader of the biscuit industry in Morocco, joining the ONA Group and Danone in 1999.
• Over the years, Bimo built its success on innovation and quality and expanded its industrial base, going from one production unit in 1994 to 2 modern plants currently in production in Aïn Sebaâ.
• Kraft Foods, the food industry giant, became a 50 % shareholder after buying Danone's biscuit division.
• In September 2012, Kraft Foods bought SNI's shares and became Bimo's sole shareholder.
APPLICATION SERVICES (services offered to users)
• Other applications: HRM, CMMS, EDI, …
• ERP backup, test & development
• E-mail
• Files: My Documents
• ERP: Adonix
• Directory / access management / security / antivirus / patches
• HelpDesk
• SMTP relay
• Network monitoring
• Backup
• IS servers
IS Health Check: Systems environment
• Prepare a network diagram (LAN + WAN + servers) with the IP addresses of units and networks.
• List the file servers, note the application hosted on each one and assess its impact (High/Medium/Low).
• Make an inventory of all IS assets, including mobile phones, computers, CD-ROMs, etc. Every user who receives an asset under his/her responsibility should sign off a form (e.g. "I received this and this from the company, with serial numbers… I am fully aware of company policy with regard to information system asset handling, usage and protection").
• A procedure must be written for the annual inventory check. The inventory check is to be signed off by the IS Manager and the Chief Accountant or Financial Controller. Evidence of the annual review should be present and signed off as mentioned.
• Write plans for further infrastructure development (e.g. setting up a second computer room, links, etc.) and state the objective of each development.
• The network infrastructure documentation is part of the Disaster Recovery Manual.
• The configurations of all important server components and network devices (routers, switches, firewalls) are printed out and filed in the Disaster Recovery Manual.
IS Health Check: Physical security of servers
• Ensure that servers are kept in restricted areas, with a minimum clearance of 30 mm from the actual floor.
• Ensure that there is an automatic power shut-off when fire or water is detected in the room.
• Ensure that water detection sensors are installed on the floor.
• Ensure that smoke detectors are installed on the ceiling.
• Ensure that an independent air conditioning unit is installed for the computer room.
• Ensure that an automatic alert is sent by phone to IS staff from the computer room.
• Ensure that UPSes providing a minimum of 30 minutes of power are in place for all critical application/file servers, in case a power supply problem occurs.
• It is preferred that the computer room is built with 2-hour fire-rated walls.
• The door to the computer room is always closed.
• Prepare and approve the list of people who have access to the computer room. Set up card access to the computer room and log the accesses from the card system.
IS Health Check: System access procedures
• Prepare an access request for every user of the network, e-mail, etc. This can be one sheet per user listing the services needed, signed by the user's manager and the IS Manager.
• Keep the same file with one sheet per user for the ERP system (access request forms), with the access rights needed listed, signed by the manager and the IS Manager.
• Keep the same file with one sheet per user for each other application (access request forms), with the access rights needed listed, signed by the manager and the IS Manager.
• Write a procedure for a monthly dormant-user check (users who have not used the system for a long time); lock down users who have not used their logins for 90 days or more.
• Prepare a procedure and get management signatures: HR should send a notification to the IS Manager for every position change or termination.
• Prepare a sign-off form for everyone leaving the company, covering both the return of physical assets and the closing of accounts. The procedure should be approved by HR and management, including the IS Manager: a user must not be able to leave the company before this sign-off form is completed.
IS Health Check: OS security parameter settings
• Ensure that all settings are as follows:
– All accounts must have a password and obey the password rules.
– Force a periodic change of passwords on all systems every 45 days.
– Limit the number of grace logins to 3.
– Resetting locked user accounts must be manual.
– Ensure that all temporary employees' accounts are created with an expiration date.
– ABSOLUTELY no shared system accounts may be in use: one unique account per physical person.
– The Guest account must be disabled; however, it may remain in the system.
– Ensure that all default passwords (e.g. power-on passwords) are changed immediately after the system is handed over to the user.
– The initial password assigned to users on all systems must be set to expire automatically upon first sign-on.
– No automated user logons are allowed.
– User IDs and passwords must not be displayed on or near the workstation areas, where they can be found easily.
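The dormant-user rule from the system access procedures (lock logins unused for 90 days or more) and the OS parameter settings above (45-day password age, 3 grace logins, manual reset of locked accounts, expiry dates on temporary accounts, no shared accounts, Guest disabled, initial password expiring at first sign-on) are the kind of thing an IS Manager can check mechanically each month. The following Python script is an added example, not code from the presentation or from BIMO: it runs those rules over a constructed account export and a constructed policy dump. The field names (`last_login`, `password_set`, `owners`, `must_change`, the `POLICY_RULES` keys) are assumptions about what a directory or ERP export provides, not any product's real setting names.

```python
"""Account-hygiene audit implementing the checklist rules above (constructed example)."""
from datetime import date

DORMANT_DAYS = 90          # lock logins unused for 90 days or more (monthly dormant-user check)
MAX_PASSWORD_AGE = 45      # force a password change every 45 days
MAX_GRACE_LOGINS = 3       # at most 3 grace logins before the account locks

# Expected policy values. Key names are assumptions, not a real product's setting names.
POLICY_RULES = {
    "max_password_age_days": lambda v: v <= MAX_PASSWORD_AGE,
    "lockout_threshold": lambda v: 1 <= v <= MAX_GRACE_LOGINS,
    "lockout_auto_unlock_minutes": lambda v: v == 0,   # 0 = locked accounts are reset manually only
    "guest_enabled": lambda v: v is False,
    "autologon_enabled": lambda v: v is False,
}

# Constructed policy dumps: one as often found, one matching the checklist.
WEAK_SETTINGS = {"max_password_age_days": 90, "lockout_threshold": 10,
                 "lockout_auto_unlock_minutes": 30, "guest_enabled": True,
                 "autologon_enabled": False}
HARDENED_SETTINGS = {"max_password_age_days": 45, "lockout_threshold": 3,
                     "lockout_auto_unlock_minutes": 0, "guest_enabled": False,
                     "autologon_enabled": False}


def check_policy(settings):
    """Return the policy keys that are missing or outside the checklist's required values."""
    return [key for key, ok in POLICY_RULES.items()
            if key not in settings or not ok(settings[key])]


# Constructed account export. `owners` lists the physical persons using the login.
AUDIT_DATE = date(2012, 10, 23)
SAMPLE_ACCOUNTS = [
    {"user": "amina.b", "owners": ["amina.b"], "enabled": True, "temporary": False, "expires": None,
     "last_login": date(2012, 10, 20), "password_set": date(2012, 10, 1), "must_change": False},
    {"user": "karim.e", "owners": ["karim.e"], "enabled": True, "temporary": False, "expires": None,
     "last_login": date(2012, 6, 1), "password_set": date(2012, 6, 1), "must_change": False},
    {"user": "stagiaire1", "owners": ["stagiaire1"], "enabled": True, "temporary": True, "expires": None,
     "last_login": None, "password_set": date(2012, 10, 15), "must_change": False},
    {"user": "atelier", "owners": ["u1", "u2", "u3"], "enabled": True, "temporary": False, "expires": None,
     "last_login": date(2012, 10, 22), "password_set": date(2012, 10, 1), "must_change": False},
    {"user": "Guest", "owners": [], "enabled": True, "temporary": False, "expires": None,
     "last_login": date(2012, 10, 1), "password_set": date(2012, 10, 1), "must_change": False},
]


def audit_accounts(accounts, today):
    """Map each non-compliant enabled account to the list of checklist rules it breaks."""
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue            # disabled accounts are already out of scope
        issues = []
        last = acct["last_login"]
        if last is None:
            # never used: the initial password must be set to expire at first sign-on
            if not acct["must_change"]:
                issues.append("initial password not set to expire at first sign-on")
        elif (today - last).days >= DORMANT_DAYS:
            issues.append(f"dormant for {(today - last).days} days: lock account")
        if (today - acct["password_set"]).days > MAX_PASSWORD_AGE:
            issues.append("password older than 45 days: force change")
        if acct["temporary"] and acct["expires"] is None:
            issues.append("temporary account without expiration date")
        if len(acct["owners"]) > 1:
            issues.append("shared account: one account per physical person")
        if acct["user"].lower() == "guest":
            issues.append("guest account must be disabled")
        if issues:
            findings[acct["user"]] = issues
    return findings


if __name__ == "__main__":
    print("policy gaps:", check_policy(WEAK_SETTINGS))
    for user, issues in audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE).items():
        print(user, "->", "; ".join(issues))
```

Running it against the constructed data flags four of the five accounts and four of the five weak settings; the audit output is what the monthly dormant-user procedure would have the IS Manager sign off, with the lock actions then applied by hand (the checklist requires manual resets, so the script reports and does not modify accounts).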
IS Health Check: System backup
• Ensure that adequate daily backup procedures are in place and are executed by the system administrator for all servers.
• Ensure that an adequate 4 daily, 5 weekly and 12 monthly backup tape cycle is in place to meet statutory requirements, and ensure that the backed-up tapes are verified (either read after the backup, or a duplicate of the backup tapes made for reading later if constrained by the backup window).
• Ensure that the backup log is reviewed and signed off daily following each successful/unsuccessful backup.
• Ensure that the backup tapes are stored at a secured off-site location.
• Ensure that written procedures are in place for backup tape retrieval in emergency situations.
• Local IS management is responsible for verifying that the off-site backup tapes can be retrieved within the disaster recovery requirement timeframe. Ensure this is reviewed on a yearly basis with the storage company.
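The 4 daily / 5 weekly / 12 monthly cycle and the daily log review can be made concrete with a small rotation table. The Python below is an added example, not code from the presentation: `tape_for` decides which labelled tape to mount on a given day, and `check_backup_log` reviews a constructed backup log for the breaches the checklist names (failed run, tape not verified, log not signed off, wrong tape mounted). The assignment rule (Monday to Thursday on D1–D4, Fridays on W1–W5 cycling every five weeks, the last Friday of the month on the M01–M12 set, no weekend runs) is an assumption; the slide gives only the tape counts.

```python
"""Tape rotation and backup-log review for the 4 daily / 5 weekly / 12 monthly cycle (constructed example)."""
import calendar
from datetime import date

DAILY_TAPES = 4     # D1..D4: Monday to Thursday, reused every week
WEEKLY_TAPES = 5    # W1..W5: Fridays, reused every five weeks
# M01..M12: the last Friday of each month, reused the following year


def tape_for(day):
    """Return the tape label to mount on `day` (a date or ISO string), or None on weekends.

    Assumption: backups run Monday to Friday and the last Friday of the month is the monthly set.
    """
    if isinstance(day, str):
        day = date.fromisoformat(day)
    wd = day.weekday()                      # Monday == 0
    if wd < DAILY_TAPES:                    # Monday..Thursday
        return f"D{wd + 1}"
    if wd == 4:                             # Friday
        days_in_month = calendar.monthrange(day.year, day.month)[1]
        if day.day + 7 > days_in_month:     # no later Friday this month: monthly tape
            return f"M{day.month:02d}"
        return f"W{day.isocalendar()[1] % WEEKLY_TAPES + 1}"
    return None


# Constructed backup log, one entry per scheduled run (the roadshow week, October 2012).
SAMPLE_LOG = [
    {"date": date(2012, 10, 22), "tape": "D1", "status": "success", "verified": True, "signed_off_by": "IS Manager"},
    {"date": date(2012, 10, 23), "tape": "D2", "status": "success", "verified": False, "signed_off_by": "IS Manager"},
    {"date": date(2012, 10, 24), "tape": "D3", "status": "failed", "verified": False, "signed_off_by": None},
    {"date": date(2012, 10, 26), "tape": "W3", "status": "success", "verified": True, "signed_off_by": "IS Manager"},
]


def check_backup_log(entries):
    """Return one finding per checklist breach: wrong tape, failed run, unverified tape, missing sign-off."""
    findings = []
    for e in entries:
        when = e["date"].isoformat()
        expected = tape_for(e["date"])
        if e["tape"] != expected:
            findings.append(f"{when}: wrong tape {e['tape']} mounted, rotation expects {expected}")
        if e["status"] != "success":
            findings.append(f"{when}: backup {e['status']}: investigate and rerun")
        if not e["verified"]:
            findings.append(f"{when}: tape {e['tape']} not verified (read-after-backup or duplicate)")
        if not e["signed_off_by"]:
            findings.append(f"{when}: backup log not signed off")
    return findings


if __name__ == "__main__":
    for day in ("2012-10-22", "2012-10-23", "2012-10-26", "2012-10-27"):
        print(day, "->", tape_for(day))
    for finding in check_backup_log(SAMPLE_LOG):
        print(finding)
```

In the constructed log, 26 October 2012 is the last Friday of the month, so the rotation expects the October monthly tape and the review flags the weekly tape that was mounted instead; the monthly set is the one that normally goes off-site, which is why a wrong mount on that day matters for the retrieval timeframe.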
IS Health Check: Disaster recovery
• A copy of the DRP must be stored together with the off-site tapes for use in emergency situations. In addition, a copy of the DRP must be distributed to and kept safe by each of the key DR contact personnel. The distribution list is to be revised and updated on a yearly basis.
• A full DR test must be conducted yearly to recover all critical system servers. Identify any changes to the procedures and instructions and update the DRP immediately following the test. Ensure that all Intel servers and applications within each country's network are identified, and document all courses of action for each server in the DRP.
IS Health Check: Systems upgrade/maintenance
• All upgrade/maintenance work must be logged by the IS Manager: the log must include the reason for the change, approval by the appropriate application users and IS Management, the test results obtained before the change was made, the date of the change, and who performed it.
IS Health Check: Capacity planning
• Ensure that procedures are in place to monitor system usage (e.g. disk storage utilization rate vs. transaction growth rate) and CPU performance, etc., to enable early planning of capacity upgrades.
IS Health Check: Software licenses
• Where software is purchased (be it applications, development or systems software), ensure that all software licenses are obtained prior to installation. The IS Manager must be able to demonstrate proof of licenses for all software installed, as well as track their installation locations and components.
• A yearly review of all software licenses against the total number of users must be performed in order to act on any discrepancy identified.
IS Health Check: Hardware asset tracking
• The IS Manager must establish a central computer hardware asset register to track all computer equipment and its components. In particular, a yearly review must be conducted to ensure that all records of assets and their locations are up to date.
IS Health Check: Contractors engagement
• Where third-party contractors are used for programming, technical support or maintenance, ensure that contracts have been established and include the scope and duration of the work, the basis of billing, a confidentiality clause and a guaranteed call-out time.
• All contracts must be approved by the legal department as well as the General Manager.
• IS managers also need to monitor the work progress to ensure that the work is being carried out and accurately billed.