Disclaimer: AlBabtain Group management considers the information contained in this document to be confidential by nature and proprietary to AlBabtain Group. The distribution of this document should be controlled and it should be made available only to persons authorized by the CIO. No content of this document shall be copied, deconstructed or reproduced, except with prior written approval from the Group IT management.
Information Technology has greatly reformed the modern world and is considered essential and significant. Information may exist in any form (electronic, paper or intellectual), generally in hardcopy or softcopy format. Like any other important business asset, information assets are of utmost value to our organization, “AlBabtain Group”, and they need to be appropriately protected.
AlBabtain Group, as part of its strategy, needs to maintain adequate and effective controls to ensure its data, information, operating systems, applications, databases and devices are adequately protected from any risks (inherent or residual), accidental threats, malicious threats and unauthorized access. These policies determine the minimum “base-level” of technology and security controls in our business environment to establish and achieve Group strategic objectives.
Policies and procedures contained in this manual are intended to serve as a technology and security guideline for the AlBabtain Group (management, staff, local/overseas branches and its subsidiaries, or any people affiliated with third parties). In addition, they are intended to follow local regulations in each territory (if any) in relation to IT systems and controls compliance.
This document (the “IT Manual” or “Manual”) sets out the Information Technology (“IT”) and Information Security (“IS”) procedures operated by the AlBabtain Group IT department in order to ensure its compliance with the applicable international and local IT and IS controls and standards, following best practices such as ITIL, ISO27001 and CoBIT. It is intended to ensure appropriate usage of Information Technology resources and that all employees, assets, intellectual property, computer systems, data and equipment are adequately protected from all threats, whether internal or external, intentional or accidental, on a cost-effective basis. This should be achieved with minimum inconvenience to operations or authorized users.
The implementation of this policy is important to maintain and demonstrate AlBabtain Group’s integrity, security and confidentiality in its data and dealings with its stakeholders, partners and third parties.
AlBabtain Group management considers the information contained in this manual to be of a confidential nature. The distribution of the manual should be controlled and it should be made available only to persons authorized by the AlBabtain Group Board, Chief Executive Officer “CEO”, Chief Information Officer “CIO”, Group Chief Financial Officer “CFO” or their deputies. No content of this manual shall be copied or otherwise reproduced except with prior written approval from the Group CIO.
The policies are supported by standards and procedures, which detail the technology specific requirements and implementation process for complying with the policies. The policies would be applied in accordance with the Standards, Procedures and Guidelines.
The policies are reviewed and evaluated by the Head of Information Security and/or the Head of IT once a year to ensure their effectiveness in controlling risks due to changes in the business and technology environment of the Group. The approval of the Group CEO/CIO will be taken again for their enforcement. Once every 3 years, the CEO/CIO will formally review the policies. The review will evaluate the effectiveness of the policies and approve appropriate changes to them. By exception, the CIO can delegate this task to another senior staff member in the Technology team.
Exceptions to the AlBabtain Group IT Manual and its content will be permitted only with the written permission of the CEO, CFO or CIO. All exceptions should be requested in writing and the associated risks should be documented. If an exception is granted, the requesting division/department acknowledges and accepts the risk associated with the exception.
All violations of IT/IS policies and/or standards are subject to disciplinary action. The specific disciplinary action depends upon the nature of the violation and the impact of the violation on AlBabtain Group’s reputation, informational assets, financial loss, etc. This action could range from a verbal warning up to discharge from the organization and/or criminal prosecution.
The primary purpose of the “Service Desk” management process is to optimize services on behalf of the business and oversee IT functions, which include incident control and life cycle service management (i.e. service requests and escalations). This process will also provide support for AlBabtain Group IT operations and produce the required set of reports to assess the effectiveness and efficiency of the IT operations.
The Change Management Process is the process that controls the IT infrastructure changes through standardized, repeatable methods and procedures. The Change Management process can ensure standardized methods, processes and procedures facilitating efficient and prompt handling of all changes and maintain the proper balance between the need for changes and the potential impact of changes. The primary goal of the Change Management process is to manage the initiation, review, approval, implementation and documentation of all proposed changes to the IT infrastructure.
The purpose of Release Management is to protect the live environment by ensuring the efficient deployment of changes, by correctly planning, designing, building and testing hardware and software components, and by releasing them in forms that are compatible, licensed and authorized. Release Management works within Change Management to ensure the integrity of the live environment is protected, ensuring compatibility of all hardware and software where they are to be used together, and that the correct components are released.
Configuration Management tracks all of the individual Configuration Items (CI) in an IT system and provides the information required to manage IT and the quality of cost-effective services. It delivers this by identifying, controlling, auditing and providing access to structured, controlled, accurate and up-to-date database information about controlled items, their status, lifecycles and relationships.
The purpose of the Service Level Management process is to determine the IT services and level required for supporting and enabling the business to ensure that committed service levels are being met. The goal for the Service Level Management process is to maintain and improve IT Service quality through a constant cycle of agreeing, monitoring, reporting and improving the current levels of services in line with the business and cost justification.
Capacity Management ensures that the capacity of IT services and the IT infrastructure is able to handle, store and manage in a cost effective and timely manner. Another aspect of the Capacity Management responsibility is to identify appropriate new technology, and propose its adoption where this will be cost-beneficial to the AlBabtain Group. The capacity of a system is its maximum performance or output. Understanding the performance and storage requirements of the IT services and knowing the capacity of the systems in the Group will enable assessment of whether the resources required to provide the required IT services are available or not.
The goal for “ITSCM” is to support the overall Business Continuity Management process by ensuring that the required IT technical and services facilities (including computer systems, networks, applications, telecommunications, technical support and Service Desk) can be recovered within required, and agreed, business timescales at a pre-defined point.
IT service availability is the proportion of time that a customer is able to access a particular service. Availability is measured from the customer’s point of view and is recorded in the SLA. Availability Management defines plans, evaluates and improves all aspects of the availability targets, which include the people, process and technology factors of availability, thus optimizing IT services.
The main purpose of the Problem Management process is the long-term rectification of errors in the IT services. Problem Management minimizes or prevents the impact of problems on the organization. It detects problems and provides solutions to them (workarounds and known errors) and, in addition, prevents recurrence of incidents related to these errors.
IT assets refer to tangible or intangible assets that are held for use in serving the business through use of applications, network and other programs that reside on them and are expected to be used for more than three years.
This policy defines the requirements for asset classification and controls. This includes both logical assets, such as intellectual property and data, and physical assets, such as hardware and equipment. This policy applies to all employees and non-employees associated with AlBabtain Group.
The Systems Development Life Cycle (SDLC) is a process used to develop an information system, including requirements, validation, training, and user ownership. An SDLC should result in a high-quality system that meets or exceeds customer expectations, is delivered within time and cost estimates, and works effectively and efficiently in the current and planned Information Technology infrastructure.
This policy covers standards relating to systems development and maintenance. The objective of this policy is to ensure that security is considered and built into information systems in order to maintain control over system development and maintenance processes. This policy applies to AlBabtain Group’s employees and non-employees who are involved in the design, development, implementation and maintenance of AlBabtain Group’s information systems.
The purpose of this policy is to reduce the risk of errors occurring during systems processing by the careful control of system operations. This policy applies to all employees of AlBabtain Group, especially those in an operational function relating to information systems.
The risks associated with outsourcing of IT services, software development and business processes must be assessed and managed to an acceptable level, and adequate controls should be built to ensure that the outsourced vendor meets the business requirements of AlBabtain Group. All outsourcing contracts should detail security requirements and the vendor should be able to demonstrate compliance with such requirements.
The procurement process for IT hardware, software and IT services should ensure that procurement is carried out on the best possible terms of business benefits, quality and cost, in a transparent manner that makes economic and efficient use of the AlBabtain Group’s resources. Information security requirements in hardware, software and services being procured should be identified and included in the specifications during procurement. Major procurements should be evaluated to determine the resultant extent of business benefits achieved from procurement.
This policy defines the various IT Security roles and responsibilities that are found throughout AlBabtain Group, as well as the access of Third Party vendors, outsourcing contractors and external auditors, pertaining to the protection of information assets of AlBabtain Group. This policy applies to all employees and non-employees associated with AlBabtain Group. In addition, these policies will describe the related business and technology zones such as, but not limited to:
The electronic mail application should be protected against risks of malicious code, spam and unauthorized access, and should also be managed to ensure high availability. An e-mail account ID will be provided to users with a business requirement after authorization.
Mobile devices, such as smartphones and tablet computers or any future mobile device technology that holds business data/information, are important tools for the AlBabtain Group and their use is supported to achieve business goals. However, mobile devices also represent a significant risk to information security and data security: if the appropriate security applications and procedures are not applied, they can become a channel for unauthorized access to the organization’s data and IT infrastructure. This can subsequently lead to data leakage and system infection. AlBabtain Group has a requirement to protect its information assets in order to safeguard its employees and customers, intellectual property and reputation.
All data and software that are essential to the continued operations of AlBabtain Group should be backed up and periodically tested for recovery. The security controls over the backup data and media should be strictly enforced.
The Internet service is provided to AlBabtain Group staff to facilitate their daily job and business tasks. Controlling and monitoring the usage of this facility is necessary to make sure it is utilized through the proper channel. A standard should be defined to include safe usage of the Internet service.
All servers, desktops, laptops, tablets and access points to the AlBabtain Group network must be protected against malicious code with anti-virus software, and processes must ensure early detection, efficient containment and destruction of malicious code within the network of AlBabtain Group.
All critical applications should be protected by a firewall from both external users and internal users of AlBabtain Group. All firewalls should be configured and managed to limit access to data only to authorized users.
AlBabtain Group Data Centers or Server rooms should have adequate physical, environmental and logical protection for the IT assets accommodated within, and secure processes must be followed for server deployment, administration and monitoring within the Data Centers.
The design, operation, use and management of information systems may be subject to any regulatory body. Appropriate policies should be defined and followed to ensure such compliance. The objective of ensuring compliance is to avoid any breaches. It also ensures that the technology implemented in AlBabtain Group is compliant with a standard/best practice by conducting periodic reviews and audits.
This document is intended for the internal use of AlBabtain Group and its subsidiaries only. Unauthorized usage or possession of this document in any form is strictly prohibited. The recipient should ensure that this document is not de-constructed, reproduced or circulated without prior approval from the document owner.