
IDC IT Security Roadshow 2012
Managing IT & Business Processes Securely
@BIMO

History

BIMO summary

Founded: 1981
Founders: Meskini and Ebbo families
Legal form: Société anonyme (joint-stock company)
Slogan: Demand Bimo quality, because only Bimo knows how to make Bimo
Head office: Casablanca (Morocco)
Management: Saïd MOUDAF (Chairman and CEO)
Shareholders: Kraft Foods (100 %)
Business: Biscuit manufacturing
Products: Tagger, Merendina, Tango, Tonik, Golden, Okey, Prince...
Parent company: Kraft Foods
Headcount: 1600
Website: www.bimo.ma
Revenue: 840 million MAD (2011)

Founded in 1981 by Driss Meskini and René Ebbo, Bimo quickly became the leader of the biscuit industry in Morocco, joining the ONA Group and Danone in 1999. Over the years, Bimo built its success on innovation and quality and expanded its industrial facilities, growing from one production unit in 1994 to 2 modern plants currently in production at Aïn Sebaâ. Kraft Foods, the food industry giant, became a 50 % shareholder after acquiring Danone's biscuit division. In September 2012, Kraft Foods bought SNI's shares and became Bimo's sole shareholder.

Services offered to users

Application services

Directory / Access management
Backup
Monitoring
Network
SMTP relay
IS servers / Security / Antivirus / Patches
E-mail
Files: My Documents
ERP: Adonix
HelpDesk
Other applications: HR management (GRH), CMMS (GMAO), EDI
ERP: backup, test & development

IS Health Check: Systems environment

Prepare a network diagram covering LAN, WAN and servers, with the IP addresses of units and networks.
List file servers, note the application each hosts, and assess impact (High/Medium/Low).
Make an inventory of all IS assets, including mobile phones, computers, CD-ROMs etc. Every user who receives an asset into his/her responsibility should sign off a form (e.g. "I received this and this from the company, with serial numbers. I am fully aware of company policy with regard to information system assets handling, usage and protection.").
A procedure must be written for the annual inventory check. The inventory check is to be signed off by the IS Manager and the Chief Accountant or Financial Controller. Evidence of the annual review should be present and signed off as mentioned.
Write plans for further infrastructure development (e.g. set up a second computer room, links etc.), stating the objective of each development.
The network infrastructure is part of the Disaster Recovery Manual.
Configurations of all important server components and network devices (routers, switches, firewalls) are printed out and filed in the Disaster Recovery Manual.

IS Health Check: Physical security of servers

Ensure that servers are kept in restricted areas, with a minimum clearance of 30 mm from the actual floor.
Ensure that there is an automatic power shutdown when fire or water is detected in the room.
Ensure that water detection sensors are installed on the floor.
Ensure that smoke detectors are installed on the ceiling.
Ensure that an independent air conditioning unit is installed for the computer room.
Ensure that an automatic alert is sent by phone to IS staff from the computer room.
Ensure that UPSes with a minimum of 30 minutes of power supply are in place for all critical application/file servers in case a power supply problem occurs.
It is preferred to have the computer room built with 2-hour fire-rated walls.
The door to the computer room is always closed.
Prepare and approve a list of people who have access to the computer room. Set up card access to the computer room. Log the access from the card system.

IS Health Check: System access procedures

Prepare an access request for every user of network/e-mail etc. This can be one sheet per user listing the needed services, signed by the manager and the IS Manager.
Keep the same file with a sheet per user for the ERP system (access request forms) listing the needed access rights, signed by the manager and the IS Manager.
Keep the same file with a sheet per user for each other application (access request forms) listing the needed access rights, signed by the manager and the IS Manager.
Write a procedure for a monthly dormant user check (users who have not used the system for a long time); lock users who have not used their logins for 90 days or more.
Prepare a procedure and get management signatures: HR should send a notification to the IS Manager for every position change or termination.
Prepare a sign-off form for everyone leaving the company, covering both the return of physical assets and the closing of accounts. The procedure should be approved by HR and management, including the IS Manager: a user must not be able to leave the company before this sign-off form is completed.

IS Health Check: OS security parameter settings

Ensure that all settings are as follows:

All accounts must have a password and obey the password rules.
Force periodic change of passwords on all systems every 45 days.
Limit the number of grace logins to 3.
Reset of locked user accounts must be manual.
Ensure that all temporary employees' accounts are created with an expiration date.
ABSOLUTELY no shared system accounts may be in use: one unique account per physical person.
The guest account must be disabled, although it may remain in the system.
Ensure that all default passwords (e.g. power-on passwords) are changed immediately after handing the system over to the user.
The initial password assigned to users on all systems must be set to expire automatically at first sign-on.
No automated user logons are allowed.
User IDs and passwords must not be displayed on or near workstation areas where they can easily be found.
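The monthly dormant-user check from the System Access Procedures slide and the account parameter rules above, as an added example that is not part of the original deck: it audits a constructed user-directory export against the 90-day dormancy, 45-day password age, temporary-account expiry, shared-account and guest-account rules. The record fields, the sample accounts and the check date are assumptions.

```python
from datetime import date

DORMANT_DAYS = 90           # checklist: lock logins unused for 90 days or more
MAX_PASSWORD_AGE_DAYS = 45  # checklist: force a password change every 45 days
CHECK_DATE = date(2012, 9, 25)  # constructed date of this audit run

def account(name, created, last_logon, password_set, **flags):
    """One record of a constructed user-directory export (hypothetical field names)."""
    rec = {"name": name, "created": created, "last_logon": last_logon,
           "password_set": password_set, "enabled": True, "temporary": False,
           "expires": None, "shared": False, "must_change": False}
    rec.update(flags)
    return rec

ACCOUNTS = [  # constructed sample data; None means the event never happened
    account("a.meskini", date(2010, 3, 1), date(2012, 9, 20), date(2012, 9, 1)),
    account("intern07", date(2012, 7, 2), date(2012, 7, 3), date(2012, 7, 2), temporary=True),
    account("warehouse", date(2009, 1, 5), date(2012, 9, 24), date(2012, 5, 14), shared=True),
    account("guest", date(2009, 1, 5), None, None),
    account("newhire", date(2012, 9, 24), None, date(2012, 9, 24), must_change=True),
]

def parameter_findings(acct, today):
    """Checklist violations in one account's parameter settings."""
    findings = []
    if acct["password_set"] is None:
        findings.append("no password set")
    elif not acct["must_change"]:  # initial password expiring at first sign-on is not aged
        age = (today - acct["password_set"]).days
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append(f"password age {age}d > {MAX_PASSWORD_AGE_DAYS}d")
    if acct["temporary"] and acct["expires"] is None:
        findings.append("temporary account without expiration date")
    if acct["shared"]:
        findings.append("shared account: one account per physical person")
    if acct["name"] == "guest" and acct["enabled"]:
        findings.append("guest account enabled")
    return findings

def dormant_accounts(accounts, today):
    """Monthly dormant-user check: enabled logins unused for DORMANT_DAYS or more.
    A login that never happened is measured from the account's creation date."""
    return [a["name"] for a in accounts if a["enabled"]
            and (today - (a["last_logon"] or a["created"])).days >= DORMANT_DAYS]

def audit(accounts, today):  # accounts with findings; dormant ones also get the lock action
    report = {a["name"]: parameter_findings(a, today) for a in accounts}
    for name in dormant_accounts(accounts, today):
        report[name].append(f"unused for {DORMANT_DAYS}+ days: lock account")
    return {name: f for name, f in report.items() if f}
```

Running audit(ACCOUNTS, CHECK_DATE) flags intern07, warehouse and guest; the new hire with a first-sign-on password and the active regular user produce no findings.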

IS Health Check: System backup

Ensure that adequate daily backup procedures are in place and are executed by the system administrator for all servers.
Ensure that an adequate 4 daily, 5 weekly, and 12 monthly backup tape cycle is in place to meet statutory requirements, and ensure that the backed-up tapes are verified (either read after backup, or duplicated for reading later if constrained by backup time).
Ensure that the backup log is reviewed and signed off daily following each successful/unsuccessful backup.
Ensure that the backup tapes are stored at a secured off-site location.
Ensure that written procedures are in place for backup tape retrieval in emergency situations.
Local IS management is responsible for verifying that the off-site backup tapes can be retrieved within the disaster recovery requirement timeframe. Review this yearly with the storage company.
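The 4 daily / 5 weekly / 12 monthly tape cycle worked through as an added example, not part of the original deck: it shows which tape a given day's backup lands on and how long that tape keeps its data before the cycle overwrites it. The grandfather-father-son mapping (Monday to Thursday on D1-D4, Fridays on W1-W5 by ISO week, the last Friday of each month on that month's tape, no backup at weekends) and the reuse periods are assumptions about how the cycle is run.

```python
from datetime import date, timedelta

# Assumed grandfather-father-son reading of "4 daily, 5 weekly, 12 monthly":
# D1-D4 are overwritten every week, W1-W5 every five weeks, M01-M12 every year.
REUSE_AFTER_DAYS = {"D": 7, "W": 35, "M": 365}

def as_date(value):
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)

def last_friday(year, month):
    """Date of the last Friday in the given month (the monthly tape's slot)."""
    first_of_next = date(year + 1, 1, 1) if month == 12 else date(year, month + 1, 1)
    day = first_of_next - timedelta(days=1)
    while day.weekday() != 4:  # Monday=0 ... Friday=4
        day -= timedelta(days=1)
    return day

def tape_for(day):
    """Tape label the backup of `day` is written to, or None when no backup runs."""
    day = as_date(day)
    weekday = day.weekday()
    if weekday <= 3:                      # Monday-Thursday: daily set
        return f"D{weekday + 1}"
    if weekday == 4:                      # Friday: weekly set, or monthly on the last Friday
        if day == last_friday(day.year, day.month):
            return f"M{day.month:02d}"
        return f"W{(day.isocalendar()[1] - 1) % 5 + 1}"
    return None                           # assumed: no backup on Saturday/Sunday

def reuse_after_days(label):
    """How many days a tape keeps its data before the cycle overwrites it."""
    return REUSE_AFTER_DAYS[label[0]]

def schedule(start, days):
    """(date, label) for every backup in the window of `days` days from `start`."""
    start = as_date(start)
    plan = []
    for offset in range(days):
        day = start + timedelta(days=offset)
        label = tape_for(day)
        if label:
            plan.append((day, label))
    return plan
```

The retention values are what a restore request can rely on: a file deleted more than five weeks ago is only recoverable from a monthly tape, which is what the off-site retrieval procedure above must be able to bring back within the DR timeframe.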

IS Health Check: Disaster recovery

A copy of the DRP must be stored together with the off-site tapes for use in emergency situations. In addition, a copy of the DRP must be distributed to and kept safe by each of the key DR contact personnel. The distribution list is to be revised and updated yearly.
A full DR test must be conducted yearly to recover all critical system servers. Identify any changes to procedures and instructions and update the DRP immediately following the test.
Ensure that all Intel servers and applications within each country's network are identified, and document all courses of action for each server in the DRP.

IS Health Check: Systems upgrade/maintenance

All upgrade / maintenance work must be logged by the IS Manager: the log must include the reason for the change, approval by the appropriate application users and IS Management, test results prior to the change being made, the change date, and who performed it.

Capacity planning

Ensure that procedures are in place to monitor system usage (e.g. disk storage utilization rate vs. transaction growth rate) and CPU performance, etc., to enable early planning of capacity upgrades.

IS Health Check: Software licenses

Where software is purchased (be it applications, development or systems software), ensure that all software licenses are obtained prior to installation. The IS Manager must be able to demonstrate proof of licenses for all software installed, as well as track their installation locations and components.
A yearly review of all software licenses against the total number of users must be performed in order to act on any discrepancy identified.

Hardware asset tracking

The IS Manager must establish a central computer hardware asset register to track all computer equipment and its components. In particular, a yearly review must be conducted to ensure that all records of assets and their locations are up to date.

IS Health Check: Contractors engagement

Where third-party contractors are used for programming, technical support or maintenance, ensure that contracts have been established and include the scope and duration of work, basis of billing, a confidentiality clause, and guaranteed call-out time.
All contracts must be approved by the legal department as well as the General Manager.
Also, IS managers need to monitor work progress to ensure that the work is being carried out and accurately billed.