IDC IT Security Roadshow 2012 Managing IT & Business Processes Securely @BIMO


Page 1: bimo_t_moignage_idc_2012_10_23.pdf

IDC IT Security Roadshow 2012
Managing IT & Business Processes Securely
@BIMO

Page 2: bimo_t_moignage_idc_2012_10_23.pdf

BIMO at a glance

Founded: 1981
Founders: the Meskini and Ebbo families
Legal form: Société anonyme (public limited company)
Slogan: "Exigez la qualité Bimo car seul Bimo sait faire des Bimo" (Demand Bimo quality, because only Bimo knows how to make Bimo)
Head office: Casablanca (Morocco)
Management: Saïd MOUDAFÎ (Chairman and CEO, PDG)
Shareholders: Kraft Foods (100 %)
Business: Biscuit manufacturing
Products: Tagger, Merendina, Tango, Tonik, Golden, Okey, Prince...
Parent company: Kraft Foods
Headcount: 1600
Website: www.bimo.ma
Revenue: MAD 840 million (2011)

History

• Founded in 1981 by Driss Meskini and René Ebbo, Bimo quickly became the leader of the biscuit industry in Morocco, joining the ONA Group and Danone in 1999.
• Over the years, Bimo built its success on innovation and quality and expanded its industrial base, growing from one production unit in 1994 to two modern plants currently in production at Aïn Sebaâ.
• Kraft Foods, the food-industry giant, became a 50 % shareholder after buying Danone's biscuit business.
• In September 2012, Kraft Foods bought out SNI's shares and became Bimo's sole shareholder.

Page 3: bimo_t_moignage_idc_2012_10_23.pdf

Application services / services offered to users (slide diagram)

• Other applications: HRM (GRH), CMMS (GMAO), EDI, …
• ERP backup, test & development
• E-mail
• Files: My Documents
• ERP: Adonix
• Directory / access management / security / antivirus / patches
• HelpDesk
• SMTP relay
• Network monitoring
• Backup
• IS servers

Page 4: bimo_t_moignage_idc_2012_10_23.pdf

IS Health Check

Systems environment

• Prepare a network diagram (LAN + WAN + servers) with the IP addresses of units and networks.
• List file servers, note the application, assess impact (High/Medium/Low).
• Make an inventory of all IS assets including mobile phones, computers, CD-ROMs etc. Every user who receives an asset into his/her responsibility should sign off a form (e.g. "I received this and this from the company with serial numbers…. I am fully aware of company policy with regard to information system assets handling, usage and protection.").
• A procedure must be written for the annual inventory check. The inventory check is to be signed off by the IS Manager and the Chief Accountant or Financial Controller. Evidence of the annual review should be present and signed off as mentioned.
• Write plans for further infrastructure development (e.g. set up a second computer room, links etc.), stating the objective of each development.
• The network infrastructure is part of the Disaster Recovery Manual.
• Configurations of all important server components and network devices (routers, switches, firewalls) are printed out and filed in the Disaster Recovery Manual.

Page 5: bimo_t_moignage_idc_2012_10_23.pdf

IS Health Check

Physical security of servers

• Ensure that servers are kept in restricted areas, with a minimum clearance of 30 mm from the actual floor.
• Ensure that power is shut off automatically when fire or water is detected in the room.
• Ensure that water detection sensors are installed on the floor.
• Ensure that smoke detectors are installed on the ceiling.
• Ensure that an independent air conditioning unit is installed for the computer room.
• Ensure that an automatic alert is sent by phone to IS staff from the computer room.
• Ensure that UPSes providing a minimum of 30 minutes of power are in place for all critical application/file servers in case a power supply problem occurs.
• It is preferred to have the computer room built with 2-hour fire-rated walls.
• The door to the computer room is always closed.
• Prepare and approve a list of people who have access to the computer room. Fix the card access to the computer room. Log the access from the card system.

Page 6: bimo_t_moignage_idc_2012_10_23.pdf

IS Health Check

System access procedures

• Prepare an access request for every user of network/e-mail etc. This can be one sheet per user listing the needed services, signed by the manager and the IS Manager.
• Keep the same file with a sheet per user for the ERP system (access request forms) with the needed access rights listed, signed by the manager and the IS Manager.
• Keep the same file with a sheet per user for each other application (access request forms) with the needed access rights listed, signed by the manager and the IS Manager.
• Write a procedure for a monthly dormant user check-up (who didn't use the system for a long time); lock down users that didn't use their logins for 90 days or more.
• Prepare a procedure and get management signatures: HR should send a notification to the IS Manager at every position change or termination from the company.
• Prepare a sign-off form for everyone leaving the company, covering both the return of physical assets and the closing of accounts. The procedure should be approved by HR and management including the IS Manager: the user must not be able to leave the company before this sign-off form is completed.

Page 7: bimo_t_moignage_idc_2012_10_23.pdf

IS Health Check

OS security parameter settings

• Ensure that all settings are as follows:
  – All accounts must have a password and obey the password rules.
  – Force a periodic change of passwords for all systems every 45 days.
  – Limit the number of grace logins to 3.
  – Reset of locked user accounts must be manual.
  – Ensure that all temporary employees' accounts are created with an expiration date.
  – ABSOLUTELY no shared system accounts must be in use: one unique account per physical person.
  – The guest account must be disabled; however, it may remain in the system.
  – Ensure all default passwords (e.g. power-on passwords) are changed immediately after handing over the system to the user.
  – The initial password assigned to users on all systems must be set to 'automatic expire' upon first sign-on.
  – No automated user logons are allowed.
  – User IDs and passwords must not be displayed on or near the workstation areas where they can be found easily.
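The account rules on slides 6 and 7 (90-day dormancy, 45-day password age, 3 grace logins, expiring temporary accounts, no shared or enabled guest accounts, first-logon password expiry) can be checked mechanically against an account export. The Python below is an added example, not part of the BIMO deck; the Account fields and the sample rows are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Thresholds taken from the checklist (slides 6 and 7).
DORMANT_DAYS = 90        # lock logins unused for 90 days or more
MAX_PASSWORD_AGE = 45    # force a password change every 45 days
GRACE_LOGINS = 3         # at most 3 grace logins before lock-out

@dataclass
class Account:
    """One row of a constructed account export; the field names are hypothetical."""
    name: str
    enabled: bool
    days_since_logon: Optional[int]    # None = never logged on
    password_age_days: Optional[int]   # None = no password set
    is_temporary: bool = False
    has_expiry: bool = False
    is_shared: bool = False
    is_guest: bool = False
    failed_logins: int = 0
    locked: bool = False
    expire_at_first_logon: bool = False

def audit(a: Account) -> list:
    """Return the checklist rules this account violates (empty list = compliant)."""
    usable = a.enabled and not a.locked          # password/dormancy rules apply to usable logins only
    never_logged_on = a.days_since_logon is None
    checks = [
        (a.is_guest and a.enabled, "guest account enabled"),
        (a.is_shared, "shared account in use"),
        (a.is_temporary and not a.has_expiry, "temporary account without expiration date"),
        (a.failed_logins > GRACE_LOGINS and not a.locked, f"more than {GRACE_LOGINS} failed logins but not locked"),
        (usable and a.password_age_days is None, "no password set"),
        (usable and a.password_age_days is not None and a.password_age_days > MAX_PASSWORD_AGE, f"password older than {MAX_PASSWORD_AGE} days"),
        (usable and never_logged_on and not a.expire_at_first_logon, "initial password not set to expire at first logon"),
        (usable and not never_logged_on and a.days_since_logon >= DORMANT_DAYS, f"dormant for {DORMANT_DAYS}+ days, should be locked"),
    ]
    return [msg for cond, msg in checks if cond]

# Constructed sample export, not real BIMO data.
SAMPLE = [
    Account("amina", True, 3, 20),                       # compliant
    Account("karim", True, 120, 30),                     # dormant login still open
    Account("intern_q3", True, 10, 50, is_temporary=True),
    Account("new_hire", True, None, 1),                  # never logged on
    Account("Guest", False, None, None, is_guest=True),  # disabled guest is the required state
    Account("shared_ops", True, 1, 10, is_shared=True, failed_logins=5),
]
```

Running `audit` over each row of an export and reviewing the non-empty results monthly is the dormant-user check-up the slide asks for.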

Page 8: bimo_t_moignage_idc_2012_10_23.pdf

IS Health Check

System backup

• Ensure that there are adequate daily backup procedures in place and being executed by the system administrator for all servers.
• Ensure that an adequate 4 daily, 5 weekly and 12 monthly backup tape cycle is in place to meet statutory requirements, and ensure that the backed-up tapes are verified (either read after backup, or a duplicate of the backup tapes kept for reading later if constrained by backup time).
• Ensure that the backup log is reviewed and signed off daily following the successful/unsuccessful backup.
• Ensure that the backup tape is stored at a secured off-site location.
• Ensure that there are written procedures in place for backup tape retrieval in an emergency situation.
• Local IS management is responsible for verifying that the off-site backup tapes can be retrieved within the disaster recovery requirement timeframe. Ensure this is reviewed on a yearly basis with the storage company.
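One way to turn the 4 daily / 5 weekly / 12 monthly tape cycle into a concrete rotation and a restore catalogue, as an added Python example that is not from the slide deck. The slide gives only the tape counts, so the Monday-to-Friday schedule, the slot assignment and the label format are assumptions.

```python
import calendar
from datetime import date, timedelta

# Assumed rotation (the slide gives only the tape counts): backups run Monday
# to Friday. Mon-Thu go to 4 daily tapes reused every week, Friday goes to one
# of 5 weekly tapes reused every 5 weeks, and the last business day of the
# month goes to that month's tape, reused after 12 months.
DAYS = "MON TUE WED THU FRI".split()
MONTHS = "JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC".split()

def last_business_day(year: int, month: int) -> date:
    """Last Monday-Friday date of the month (public holidays ignored)."""
    d = date(year, month, calendar.monthrange(year, month)[1])
    while d.weekday() >= 5:          # 5 = Saturday, 6 = Sunday
        d -= timedelta(days=1)
    return d

def tape_for(d: date):
    """Label of the tape that day d's backup is written to, or None."""
    if d.weekday() >= 5:
        return None                  # no backup at the weekend
    if d == last_business_day(d.year, d.month):
        return f"MONTHLY-{MONTHS[d.month - 1]}"
    if d.weekday() == 4:             # Friday: weekly slot cycles over 5 weeks
        return f"WEEKLY-{(d.toordinal() // 7) % 5 + 1}"
    return f"DAILY-{DAYS[d.weekday()]}"

def recoverable(as_of: date, history_days: int = 400) -> dict:
    """Most recent date held on each tape as of as_of. Earlier writes to the
    same label have been overwritten, so this is the restore catalogue."""
    latest = {}
    d = as_of - timedelta(days=history_days)
    while d <= as_of:
        label = tape_for(d)
        if label:
            latest[label] = d
        d += timedelta(days=1)
    return latest

def cycle_size(as_of: date) -> int:
    """Distinct tapes the rotation needs; 4 daily + 5 weekly + 12 monthly = 21."""
    return len(recoverable(as_of))

if __name__ == "__main__":
    for label, when in sorted(recoverable(date(2012, 10, 23)).items()):
        print(f"{label:12} last written {when:%Y-%m-%d}")
```

The catalogue makes the retention visible: with this rotation a restore can reach back 4 working days, 5 Fridays and 12 month-ends, and anything older has been overwritten.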

Page 9: bimo_t_moignage_idc_2012_10_23.pdf

IS Health Check

Disaster recovery

• A copy of the DRP must be stored together with the off-site tapes for use in an emergency situation. In addition, a copy of the DRP must be distributed to and kept safe by each of the key DR contact personnel. The distribution list is to be revised and updated on a yearly basis.
• A full DR test must be conducted yearly to recover all critical system servers. Identify any changes to the procedures and instructions and update the DRP immediately following the test. Ensure that all Intel servers and applications within each country's network are identified, and document the course of action for each server in the DRP.

Page 10: bimo_t_moignage_idc_2012_10_23.pdf

IS Health Check

Systems upgrade/maintenance

• All upgrade/maintenance work must be logged by the IS Manager: the log must include the reason for the change, approval by the appropriate application users and IS Management, the test results prior to the change being made, the change date, and who performed it.

Capacity planning

• Ensure that procedures are in place to monitor system usage (e.g. disk storage utilization rate vs. transaction growth rate) and CPU performance, etc., to enable early planning of capacity upgrades.

Page 11: bimo_t_moignage_idc_2012_10_23.pdf

IS Health Check

Software licenses

• Where software is purchased (be it applications, development or systems software), ensure that all software licenses are obtained prior to installation. The IS Manager must be able to demonstrate proof of licenses for all software installed, as well as track their installation locations and components.
• A yearly review of all software licenses against the total number of users must be performed in order to act on any discrepancy identified.

Hardware asset tracking

• The IS Manager must establish a central computer hardware asset register to track all computer equipment and its components. In particular, a yearly review must be conducted to ensure that all records of assets and their locations are up to date.

Page 12: bimo_t_moignage_idc_2012_10_23.pdf

IS Health Check

Contractors engagement

• Where third-party contractors are used for programming, technical support or maintenance, ensure that contracts have been established and include the scope and duration of work, the basis of billing, a confidentiality clause, and a guaranteed call-out time.
• All contracts must be approved by the legal department as well as the General Manager.
• IS managers also need to monitor the work progress to ensure that the work is being carried out and accurately billed.