WSB Policy: IT Operations & Maintenance


Purpose

The World Scout Bureau (WSB) is highly dependent on technology to perform its activities on a daily basis. As a result, the WSB has adopted a formal approach to operating and maintaining its Information Technology (IT) systems and resources.

Dedicated resources are required to support IT systems in production and ensure effective operations and troubleshooting when necessary. These include:

  1. Sufficient system capacity (processing power, network access and bandwidth, data storage, etc.).
  2. Monitoring procedures to proactively detect system issues or disruptions.
  3. Procedures to answer users’ service requests, as well as system problems, incidents or disruptions, in a timely manner.
  4. Contracts with third party IT service organisation(s) where it makes economic sense and allows for efficiencies to address the WSB’s needs, compared to using internal resources.
  5. Fully trained IT staff.

The objective of this policy is to define the roles, responsibilities and critical elements for the efficient operations and support of IT systems at the WSB.

 

Scope

This policy represents the WSB’s official position and works in conjunction with all other relevant policies which may be developed at a local level. This policy applies to:

  1. All WSB Offices globally.
  2. All WSB Responsible & Relevant IT support staff.
  3. All IT systems or applications managed by WSB that store, process or transmit information, including network and computer hardware, software and applications.

Definitions

The terms used throughout this policy are defined in Appendix A.

 

Policy

Guiding Principles – IT Helpdesk & User Support

The IT Help Desk will act as the central point of contact for all IT technical requests. The IT Help Desk will use the following guidelines to prioritise its response to requests:

Priority: Urgent
Response Time[1]: Within 10 mins
Criteria: Requests for issues having a significant and immediate impact on the WSB’s operations. For example:
  • An issue affecting all or a large number of users.
  • An issue preventing users from accessing critical applications or data or impacting critical functions (e.g. access to network shares, email, or academic courses).
  • An information security incident or vulnerability with a critical/high severity/risk.
  • An issue affecting the ability of a class to be delivered or a meeting to take place.
  • Other as directed (removal of access rights for an unscheduled terminated user for example).

Priority: High
Response Time[1]: Within 2 hours
Criteria: Requests for issues having an important impact on the WSB’s operations. For example:
  • An application error affecting a small group of users.
  • An issue impacting important functions in a system.
  • An information security incident or vulnerability with a medium/high severity/risk.
  • Other as directed.

Priority: Normal
Response Time[1]: Within 4 hours
Criteria: Requests for issues having a limited or non-immediate impact on the Institution’s operations. For example:
  • An issue affecting one person only.
  • An issue impacting a non-critical function in a system (reporting for example).
  • A security incident or vulnerability with a low/medium severity/risk.
  • A question on how to use a non-critical functionality.

Priority: Low
Response Time[1]: Within 36 hours
Criteria: Issues that have no material or immediate impact on the Institution’s operations. For example:
  • A “cosmetic” request, to improve a system functionality “look and feel” or a minor non-functional change to a system.

The assigned IT Staff will respond to all requests submitted to the IT Help Desk within a 48 period where possible. If a request cannot be processed within that timeframe, the IT Staff should inform the user who submitted the request.

 

Guiding Principles – IT Problem & Incident Management

  1. Where possible, the WSB will take preventative measures to prevent problems from occurring and minimise the impact of incidents that do occur by addressing identified problems as quickly as possible. Examples of preventative measures include the implementation of high availability and redundant systems and back-up solutions.
  2. Problems and incidents with a priority of urgent or high must be reported within two hours of detection to contain the issue, and if possible, prevent any further impact.
  3. WSB Relevant IT personnel will conduct investigations into problems and incidents with priorities of urgent or high to determine the root cause of the issues, to remediate the issues and return to a normal situation in a timely manner.
  4. WSB Relevant IT personnel will communicate with internal and external stakeholders impacted by the problem or incident including staff, contractors, consultants, interns and volunteers and/or law enforcement personnel (if needed in the event of a security breach).
  5. IT Personnel should endeavour to respond to all Service Requests in accordance with the table listed above.

 

Guiding Principles – IT Asset Management

  1. The use of non-standard equipment, applications or technology services must be approved by the WSB Responsible IT personnel.
  2. A list of IT assets will be prepared and maintained at all times. Where possible, it is strongly recommended to use an electronic Asset Management system (e.g. Asset Tiger).
  3. All IT hardware resources (e.g. notebooks, desktops, monitors, etc) must be tagged with an asset code.
  4. The following equipment should be included in the list:
    • Computer and network hardware (desktops, notebooks, servers, external monitors and network devices)
    • Mobile computing devices (smartphones, tablets, and external hard drives)
    • Computing storage media (tapes and backups)
    • Software (applications, software sources and licenses)
    • Notebook accessories (e.g. dongles, cables, etc.)
    • Video conferencing equipment and digital cameras
  5. All stakeholders must protect IT assets against the threats of: unauthorised access, theft, loss, or destruction.
  6. Mobile computing devices (as defined above) must never be left unattended without physical security protection in place, such as: security cable attached to the equipment, locked in a secure cabinet, in a locked office, storage area, or vault.
  7. In addition to preparing and maintaining a list of IT assets per section iii, the WSB will document the following information for each IT asset:
    • Asset description and usage.
    • WSB DRP operations.
    • If the asset processes or stores sensitive information (personal or confidential data).
    • Status of the IT asset (storage, in use, decommissioned) and location (where possible).
    • Name of the asset primary user (where applicable).
    • Name of the asset manager / administrator (where applicable).
  8. The list of IT assets will be updated whenever an asset’s status, location or ownership is changed.
  9. Before disposing of or recycling IT assets, the WSB will ensure all sensitive information is securely and safely removed in accordance with industry standards on information disposal and record the following information:
    • Disposal date and time.
    • Method used to remove sensitive data.
    • Status and location of the IT asset after recycling (i.e. asset destroyed, asset sold or given to another organisation/entity, etc.).
    • Name of the person(s) who removed sensitive data and recycled the IT asset.

 Guiding Principles – Systems Replacement / Upgrades.

  1. For IT systems that will no longer be supported by a vendor (including operating systems and application versions), the WSB will upgrade or replace the system at least one year prior to the end of the vendor’s support, where possible.
  2. The WSB will replace IT systems and / or equipment that no longer provide an acceptable level of performance as follows:
    • Desktops and laptops should be replaced every 3 years
    • Servers and Networking components should be replaced every 5 years.
    • Smartphones should be replaced every 3 years
    • Commercial applications must be upgraded to the latest version available periodically.
  3. The operating system of the Servers & Networking, Desktops, Notebooks, Mobile computing components should be upgraded to the latest O/S version whenever a stable version is available.

 

Guiding Principles – Notebooks & Desktop Deployment.

  1. All WSB employees will be issued with either a notebook or desktop system
  2. Prior to issuing the notebook, the following actions will need to be undertaken by the WSB Responsible IT person:
    • Unpack, inspect and tag the notebook/desktop
    • Power on the system and complete the initial vendor specific notebook/desktop set up process including:
      • Creating an Admin level account and separate Admin / Power User / Standard User account
      • Install and configure network printer drivers.
    • Install Standard software, including but not limited to:
      • MS Office 365
      • Dropbox
      • Zoom
      • Slack
      • And any other related software needed for job specific roles.
    • Prepare the IT Asset Handover form complete with the notebook make, model, serial number, asset tag and include any additional peripherals or accessories.
  3. Update the Asset Register once the handover form has been duly signed and returned.
  4. Provide support and guidance on using the notebook and/or usage of the standard applications.

 

Guiding Principles – IT Infrastructure & Networks.

  1. The WSB will ensure its IT infrastructure availability and performance is continuously monitored.
  2. This will include:
    • Setting up monitoring tools on critical components of the network and systems.
    • Configuring the monitoring tools to ensure that:
      • The appropriate level of information is detected.
      • Events detected are communicated immediately to the WSB Responsible IT personnel.
    • Follow this section of this policy to react to any network infrastructure availability or performance issue.
    • The configuration of systems backups and the recovery processes will follow the IT Continuity, Backup and Recovery Policy. 
    • The IT Team will be involved in defining the IT technical requirements (i.e. IT and security) for new WSB projects, including new technology, new or renovated buildings, etc.
    • Planned maintenance will occur during the scheduled maintenance window, according to the IT Maintenance Windows Schedule in Appendix B.

 

Guiding Principles – Vulnerability & Patch Management

  1. The following activities will be carried out to assist the WSB in the identification of vulnerabilities to systems and applications:
      • Scanning of web applications that are publicly accessible at a minimum every year.
      • Scanning of web applications that are not publicly accessible at a minimum every two years.
      • Network vulnerability scanning at a minimum every year.
      • Penetration testing, including a detailed review of the system security configuration, at a minimum every five years.
  2. Identified vulnerabilities must be addressed in a timely manner. Specifically, all critical and high vulnerabilities must be addressed in full within a 30-day maximum period of time, where possible.
  3. Systems security updates and patches will be applied in a timely manner after they have been published by the vendor. Critical security patches must be applied no later than a month after they have been made available, where possible.
  4. Patch management, and remediation of identified vulnerabilities, will occur during the scheduled maintenance window, according to the IT Maintenance Windows Schedule in Appendix B.

 

Guiding Principles – Application Management

  1. Only authorised software and licensed products must be used and installed.
  2. The development of new applications must follow the Project Management Policy (where applicable).
  3. The purchase of software or commercial off the shelf (“COTS”) applications must follow the Purchasing Policy.
  4. All changes to applications must follow the IT Change Management Policy.
  5. User access to an application must follow the IT Access Control and User Access Management Policy.
  6. Planned maintenance will occur during the scheduled maintenance window, according to the IT Maintenance Windows Schedule in Appendix B.

 

Roles & Responsibilities

Stakeholders

Responsibilities

Senior Management Team

Review, Approve and formally support this policy

Users

  • Contact the IT Service Desk for any problem, issue or need related to the technology. When a problem, issue or need cannot be addressed by the IT Service Desk, they contact their supervisor or representative.
  • Contact their supervisor or manager for any request related to access rights and privileges or needs for IT equipment.
  • Comply with instructions issued by the IT Coordinators on behalf of the WSB.
  • Report all misuse and breaches of this policy to their line manager.

IT Department (Senior Manager, Digital & IT Services, IT Coordinators)

  • Ensure normal operations of the network infrastructure (Network hardware and services).
  • Ensure normal operations of the data-centre and data-rooms.
  • Ensure the normal operations and maintenance of the WSB applications.
  • Assist in the registration of domain names (for websites).
  • Define the standards and make recommendations on approved development coding standard and libraries.
  • Ensure security scanning of web applications is performed regularly, and vulnerabilities are addressed in a timely manner.
  • Communicate with the application owners, the application developers, the IT infrastructure team, and the hosting service company (where applicable), to ensure that formal procedures for the development, implementation and changes to applications are followed.
  • Develop and maintain this policy.
  • Review and approve any exceptions to the requirements of this policy.
  • Take proactive steps to reinforce compliance of all stakeholders with this policy.
  • Communicate with the WSB, directly or through WSB representatives, in informal or formal instances, to understand the Institution’s needs and expectations, explain the capabilities of the existing technology in production, report on any issues, incidents or disruptions impacting the WSB and how they are addressed, and facilitate the response to any requests from the WSB.
  • Support the WSB’s representatives in expressing their needs, evaluating and proposing the most efficient solutions, and training users.
  • Manage IT projects, IT Service delivery, IT operations, IT incidents and IT security.
  • Ensure any disruption to the technology is addressed in a timely manner.
  • Report to the Senior Management Team any and all issues, changes, deviations, exceptions, breaches and general problems related to the IT DRP and BCP.

Information Application Owners

  • Define the business needs for the application, including for new applications and changes to existing applications.
  • Define the level of access for each type of user profile in a formally documented users’ authorisation matrix.
  • Review and approve (or modify or reject) user requests related to the application they are responsible for.

Application Administrators

  • Implement requests that are approved by the application owner or the IT application team, where applicable.
  • Monitor the status of the applications they are responsible for.
  • Maintain the performance level of applications, working as required with the IT application team, or the IT infrastructure team.

 

Policy Distribution & Awareness

This policy and its supporting policies, standards and guidelines will be published on the WSB Dropbox.

Soft copies of the policy and its supporting policies, standards and guidelines will be available on the WSB Staff Support Center.

The IT Personnel and/or the Senior Manager, Digital & IT Services may make periodic policy announcements by email.

WSB line managers will ensure that all existing and new staff, contractors, consultants, interns, volunteers and third-party commercial service providers who report to them are made aware of and have access to the policy and its supporting policies, standards and guidelines.

Individuals requiring clarification on any aspect of the policy and its supporting policies, standards and guidelines and/or advice on general I.T. security matters may email their queries to the Senior Manager, Digital & IT Services or the local IT Personnel.

 

Exceptions to this Policy

Exceptions to the guiding principles in this policy must be documented and formally approved by the Global Director, Communications, with evidence of support from the appropriate Senior Management Team.

Policy exceptions must describe:

  • The nature of the exception.
  • A reasonable explanation for why the policy exception is required.
  • Any risks created by the policy exception.
  • Evidence of approval.

 

Policy Enforcement

The WSB reserves the right to take such action as it deems appropriate against individuals who breach the conditions of this policy. WSB staff, contractors, consultants, interns and volunteers who breach this policy may be subject to disciplinary action, including suspension and dismissal as provided for in the WSB disciplinary procedure.

Breaches of this policy by a third-party commercial service provider may lead to the withdrawal of WSB information technology resources to that third-party commercial service provider and/or the cancellation of any contract(s) between the WSB and the third-party commercial service provider.

The WSB reserves the right to refer any use of its IT resources for illegal activities to the relevant Authorities.

 

Review & Update

This policy will be reviewed and updated annually or more frequently if necessary, to ensure any changes to the WSB’s organisation structure and business practices are properly reflected in the policy.

 

Appendix A: Definitions

Information: Any data in an electronic format that is capable of being processed or has already been processed.

Information Technology (I.T.) resources: Includes all computer facilities and devices, networks and data communications infrastructure, telecommunications systems and equipment, internet/intranet and email facilities, software, information systems and applications, account usernames and passwords, and information and data that are owned or leased by the WSB.

IT Personnel: These are the individuals responsible for the day-to-day management of a WSB network domain. Also includes WSB personnel who have been authorised to create and manage user accounts and passwords on a WSB network domain.

IT Problems: Conditions or situations (known or unknown) that can result in an incident.

IT Incidents: Unplanned events which cause an interruption to, or a reduction in, the quality of the IT operations or services.

Line manager: The individual a user reports directly to.

Security Vulnerabilities: IT problems that present specific risks to cyber security. Vulnerabilities that have a high probability of being exploited and that will highly impact the Institution (risk of operation disruption, data breach, etc.) are often labelled as “Critical” or “High”.

Users: Any authorised individual who uses the WSB’s IT resources.

 

 

Appendix B: IT Maintenance Window Schedule

  1. Regular Planned Maintenance and Minor Updates will be scheduled to occur between Monday and Wednesday nights. Maintenance may start as early as 6:00 PM and may run as late as 6:00 AM. If possible, disruptive activities will be delayed until after 10:00 PM.
  2. Emergency Maintenance and remediation of identified vulnerabilities will occur as soon as possible and will be scheduled to reduce impact on operations when possible. Affected users will be notified in advance when possible.
  3. Maintenance related to a Project, such as scheduled go-live dates, may occur outside of the regular maintenance window (section 1). Project-related maintenance windows will be scheduled with and approved by the system owners. Affected users will be notified a minimum of one week in advance of the scheduled date.
  4. Maintenance in a test environment is considered to be of minimal impact to users and maintenance can be scheduled as needed. Only the affected team or project resources need to be notified.

 

[1] The response time corresponds to the time to process the request, including analysing and classifying the request, attributing a ticket to the IT specialist, and dispatching of the IT specialist. This time does not indicate when the ticket must be resolved.
