
Gwynn Store IT Policies and Procedures Manual

1. Acceptable Use Policy


A set of rules applied by the business to govern the use of its networks, websites
and other services. The policy restricts the ways in which the network, website or system
may be used and sets guidelines on how it should be used.

Gwynn Store Policy #:1


Effective Date: 2018 Revised: October 2018

1.1 System Accessibility Policy


1.1.1 Policy Statement
Access to the Merchandising Management System is controlled using user IDs and
passwords. All user IDs and passwords are to be uniquely assigned to named individuals;
consequently, individuals are accountable for all actions on the Merchandising
Management System.

Reason for Policy:


Access to the Merchandising Management System is controlled using user IDs
and passwords. All user IDs and passwords are to be uniquely assigned to named
individuals; consequently, individuals are accountable for all actions on the
Merchandising Management System.

Policy Statement:
Information becomes vulnerable through the people who access the system. Thus,
it is practical to have access-control measures based on roles in the system.
The Gwynn Store System shall ensure that every person who accesses the system holds
valid credentials issued by authorized personnel. Once the credentials are acquired,
employees shall keep them safe and shall not share them. The Gwynn Store System shall
audit every employee who uses the system so that the responsible person can be traced
in case a system error occurs.
This policy lets the Gwynn Store System prevent unauthorized persons from accessing the
organization’s information and systems.


Scope:
The policy applies to all endpoints, mobile devices or applications through which a user
can access the system, and to all personnel affiliated with the firm.

Policy Terms:
Access Role – refers to the role of the employee in the organization. The user
interface that the employee can access depends on the role he/she holds.
Audit – refers to the list of users who access the system.
Credentials – refers to the confidential data used to access the system.

Enforcement:
This policy will enforce the implementation of rules and regulations concerning
access to the system. Only authorized personnel shall access the system. Every
employee shall be given credentials to access the system depending on their role.
Violation of this policy may result in disciplinary action or dismissal/termination
depending on how much the action damaged the organization.

Related Information:
System Accessibility Policy
Internet and Email Usage Policy
Personal Use Policy
Ethical Responsibility


1.1.2 Policy Procedure

It is the policy of Gwynn to ensure that:
1. Personal Information shall be protected from unauthorized disclosure.
2. Confidentiality of Personal Information shall be a high priority.
3. Integrity of Personal Information shall be maintained.
4. Unauthorized use of personal information shall be prohibited.
5. Personal Information will be used by the firm once the personal information
owner has given approval or consent.
6. The Software System used by the firm shall provide encryption and
decryption for personal information.

Sensitive Personal Information refers to the following:

1. Basic Information such as: Name, Age, Birthday, Address, Contact Number,
Email Address;
2. An individual’s marital status, color, religion; and
3. Information issued by government agencies peculiar to an individual, which includes,
but is not limited to, social security numbers, previous or current health records,
licenses or their denial, suspension or revocation, and tax returns.

Acquiring Personal Information

1. The Personal Information Controller shall provide terms and conditions when
acquiring Personal Data as proof that the Data Subject agreed to give
their confidential information;
2. The Data Subject shall agree to the terms and conditions before their
personal information is acquired.

Using Personal Information

1. Data subjects shall have control over their personal information.
2. If the business firm needs to use personal information, the Personal
Information Controller shall request consent from the Data Subject to use their
personal information;


3. A requisition can be sent via email, message or phone call;
4. The Requisition Letter should include the following: the information that the firm
will use and the purpose of using the information;
5. The purpose of the requisition shall be clearly stated;
6. Use of Personal Data is strictly limited to the information stated in the request
letter and shall not exceed the agreement. Any breach of this policy shall be
treated as unauthorized use of personal data;
7. Unauthorized use of personal data shall be sanctioned with the respective
punishment depending on the weight of the offense;
8. The Personal Information Holder bears responsibility for and the consequences of
misuse of Personal Information.

Disposal of Personal Information

1. The customer has the authority to have their personal information disposed of.
2. A requisition for disposal shall be granted after the customer files the request
letter.
3. An employee is not authorized to request disposal of personal information.
4. Personal Information of former employees shall be disposed of after their
departure from the firm.


Gwynn Store Policy #:2


Effective Date: 2018 Revised: October 2018

1.2 Internet and Email Usage Policy


1.2.1 Policy Statement
There can be instances where employees disregard their work and are
overly distracted by browsing. This policy states that internet browsing shall be conducted
in support of the store’s business needs. Any personal browsing must be minimal and on
personal time. All Internet browsing is subject to monitoring to protect the interests of the
business premises.

Reason for Policy:


There can be instances where employees disregard their work and are
overly distracted by browsing. This policy states that internet browsing shall be conducted
in support of the store’s business needs. Any personal browsing must be minimal, on
personal time and for business purposes only. All Internet browsing is subject to
monitoring to protect the interests of the business premises.

Policy Statement:
This Internet Usage Policy applies to all employees of Gwynn General
Merchandise who have access to computers and the Internet to be used in the
performance of their work. Use of the Internet by employees of Gwynn General
Merchandise is permitted and encouraged where such use supports the goals and
objectives of the business. However, access to the Internet through Gwynn General
Merchandise is a privilege and all employees must adhere to the policies concerning
Computer, Email and Internet usage.

Scope:
The policy applies to all endpoints, employees and the owner.

Policy Terms:
Internet – refers to the network which allows the user to connect worldwide.


Email – refers to messages received over the internet. It allows the user to format
their content. It is mostly used for business transactions such as ordering, delivery, etc.
Browsing – refers to the act of searching through a browser.

Enforcement:
Violation of these policies could result in disciplinary and/or legal action leading up
to and including termination of employment. Employees may also be held personally
liable for damages caused by any violations of this policy. All employees are required to
acknowledge receipt and confirm that they have understood and agree to abide by the
rules hereunder.

Related Information:
System Accessibility Policy
Internet and Email Usage Policy
Personal Use Policy
Ethical Responsibility


1.2.2 Policy Procedure


Resource Usage

Access to the Internet will be approved and provided only if reasonable business
needs are identified. Internet services will be granted based on an employee’s current
job responsibilities.

Allowed Usage
Internet usage is granted for the sole purpose of supporting business activities
necessary to carry out job functions. All users must follow the corporate principles
regarding resource usage and exercise good judgment in using the Internet. Questions
can be addressed to the IT Department.

Acceptable use of the Internet for performing job functions might include:

• Communication between employees and non-employees for business purposes;
• IT technical support downloading software upgrades and patches;
• Review of possible vendor web sites for product information;
• Reference to regulatory or technical information;
• Research.

Prohibited Usage
Information stored in the wallet, or any consequential loss of personal property.

Acquisition, storage, and dissemination of data which is illegal, pornographic, or
which negatively depicts race, sex or creed is specifically prohibited.

The company also prohibits the conduct of a business enterprise, political
activity, engaging in any form of intelligence collection from our facilities, engaging in
fraudulent activities, or knowingly disseminating false or otherwise libelous materials.

Other activities that are strictly prohibited include, but are not limited to:
• Accessing firm’s information that is not within the scope of one’s work. This
includes unauthorized reading of customer account information, unauthorized
access of personnel file information, and accessing information that is not
needed for the proper execution of job functions.
• Misusing, disclosing without proper authorization, or altering customer or
personnel information. This includes making unauthorized changes to a
personnel file or sharing electronic customer or personnel data with
unauthorized personnel.
• Deliberate pointing or hyper-linking of company Web sites to other
Internet/WWW sites whose content may be inconsistent with or in violation of
the aims or policies of the company.
• Any conduct that would constitute or encourage a criminal offense, lead to
civil liability, or otherwise violate any regulations, local, state, national or
international law including without limitation US export control laws and
regulations.
• Use, transmission, duplication, or voluntary receipt of material that infringes
on the copyrights, trademarks, trade secrets, or patent rights of any person or
organization. Assume that all materials on the Internet are copyrighted and/or
patented unless specific notices state otherwise.
• Transmission of any proprietary, confidential, or otherwise sensitive
information without the proper controls.
• Creation, posting, transmission, or voluntary receipt of any unlawful,
offensive, libelous, threatening, or harassing material, including but not limited to
comments based on race, national origin, sex, sexual orientation, age,
disability, religion, or political beliefs.
• Any form of gambling.

Unless specifically authorized, the following activities are also strictly
prohibited:
• Unauthorized downloading of any shareware programs or files for use without
authorization in advance from the IT Department and the user’s manager.
• Any ordering (shopping) of items or services on the Internet.
• Playing of any games.
• Forwarding of chain letters.
• Participation in any on-line contest or promotion.
• Acceptance of promotional gifts.

E-mail Confidentiality
Users should be aware that clear text E-mail is not a confidential means of
communication. The company cannot guarantee that electronic communications will be
private. Employees should be aware that electronic communications can, depending on
the technology, be forwarded, intercepted, printed, and stored by others. Users should
also be aware that once an E-mail is transmitted it may be altered. Deleting an E-mail
from an individual workstation will not eliminate it from the various systems across
which it has been transmitted.


Gwynn Store Policy #:3


Effective Date: 2018 Revised: October 2018

1.3 Personal Use Policy


1.3.1 Policy Statement
There can be instances where employees use the business’s equipment and devices
for personal use, which poses a risk to that equipment and those devices. This policy
states that personal use of the business’s devices and equipment must be minimal and
must have consent. All devices and equipment are subject to monitoring to minimize the
risk to the equipment and devices.

Reason for Policy:


There can be instances where employees use the business’s equipment and devices
for personal use, which poses a risk to that equipment and those devices. This policy
states that personal use of the business’s devices and equipment must be minimal and
must have consent. All devices and equipment are subject to monitoring to minimize the
risk to the equipment and devices.

Policy Statement:
Every business involves the use of some sort of equipment which employees need
to do their job, and this equipment is generally provided by the business. While some
personal use of business equipment is realistically to be expected, problems can arise
when the personal use is excessive.

Scope:
The policy applies to all endpoints, employees and the owner.

Policy Terms:
Device – refers to technology equipment that makes manual work automated.
Internet – refers to the network which allows the user to connect worldwide.
Email – refers to messages received over the internet. It allows the user to format
their content. It is mostly used for business transactions such as ordering, delivery, etc.


Enforcement:
Violation of these policies could result in disciplinary and/or legal action leading up
to and including termination of employment. Employees may also be held personally
liable for damages caused by any violations of this policy. All employees are required to
acknowledge receipt and confirm that they have understood and agree to abide by the
rules hereunder.

Related Information:
Acceptable Use Policy


1.3.2 Policy Procedure


Using company computer resources to access the Internet for personal purposes,
without approval from the user’s manager, may be considered cause for disciplinary
action up to and including termination.

Computer, email and internet usage includes:


1. Employees are expected to use the Internet responsibly and productively.
Internet access is limited to job-related activities only and personal use is not
permitted.
2. Job-related activities include research and educational tasks that may be found
via the Internet that would help in an employee's role.
3. All Internet data that is composed, transmitted and/or received by Gwynn
General Merchandise computer systems is considered to belong to Gwynn
General Merchandise and is recognized as part of its official data. It is therefore
subject to disclosure for legal reasons or to other appropriate third parties.
4. The equipment, services and technology used to access the Internet are the
property of Gwynn General Merchandise and the company reserves the right
to monitor Internet traffic and monitor and access data that is composed, sent
or received through its online connections.
5. Emails sent via the company email system should not contain content that is
deemed to be offensive. This includes, though is not restricted to, the use of
vulgar or harassing language/images.
6. All sites and downloads may be monitored and/or blocked by Gwynn General
Merchandise if they are deemed to be harmful and/or not productive to
business.
7. The installation of software such as instant messaging technology is strictly
prohibited.


Unacceptable use of the internet by employees includes:

1. Sending or posting discriminatory, harassing, or threatening messages or
images on the Internet or via Gwynn General Merchandise email service.
2. Using computers to perpetrate any form of fraud, and/or software, film or music
piracy.
3. Stealing, using, or disclosing someone else's password without authorization.
4. Downloading, copying or pirating software and electronic files that are
copyrighted or without authorization.
5. Sharing confidential material, trade secrets, or proprietary information outside
of the organization.
6. Hacking into unauthorized websites.
7. Sending or posting information that is defamatory to the company, its
products/services, colleagues and/or customers.
8. Introducing malicious software onto the company network and/or jeopardizing
the security of the organization's electronic communications systems.
9. Sending or posting chain letters, solicitations, or advertisements not related to
business purposes or activities.
10. Passing off personal views as representing those of the organization.


Gwynn Store Policy #:4


Effective Date: 2018 Revised: October 2018

1.4 Ethical Responsibility Policy


1.4.1 Policy Statement

The Ethical Responsibility Policy is intended to set an equivalent consequence for every
violation committed by any company employee. It lists the company properties that need
to be protected and secured from individuals with bad motives. This policy will maintain
the security of the company’s assets because every violation carries a corresponding
consequence for the violator.

Reason for Policy:


Violation of a certain policy is inevitable, especially if it is committed unintentionally
or accidentally, but it must still have corresponding consequences to maintain the
company’s integrity. This policy will impose the equivalents for every violation.

Scope:
The policy applies to all employees of the Gwynn Store who serve the company’s
clients and customers, in order to keep the company’s assets and properties securely
protected as well as consistent and intact.

Policy Terms:
Violation – any unethical act of a person.
Termination – the forced removal of an employee due to violation of the company’s
implemented rules and regulations.
Unethical – the act of not doing the right thing, which could cause harm to other people.
Asset – any company property, from manpower up to infrastructure.

Enforcement:
Violation of this policy may result in instant termination and, in the worst case, lifetime
imprisonment once the unethical employee has brought enormous damage to the
company resulting in a loss of assets and property.

Related Information:
Security Awareness Policy
Surveillance Policy


1.4.2 Policy Procedure

1. Company’s Asset and Properties Rule


1.1. Any company asset must be maintained by authorized personnel only.
1.2. Any company employee needs to ask for permission first before taking any of
the company’s important files from the system.
1.3. Any company employee needs to ask for permission first before taking any of
the company’s assets and properties.
1.4. Any employee who brings an outsider into the company will receive a
punishment for his/her unethical act.
1.5. Any employee who exports products illegally or without asking permission
from the authority will also receive a consequence for his/her unethical act.
1.6. Any employee who serves customers impolitely will be a candidate for
termination, since making customers satisfied with the service they are given is the
company’s main ethical value. Quality of service must be ensured as it is the key
to the company’s improvement and betterment, because customer relationships are
one of its main cores.
2. General Implementation of Punishments
2.1. Whoever violates the rules will receive an equivalent consequence regardless of
their position in the company.
2.2. The violator will receive a warning for the first violation of their unethical act.
2.3. For the second time, the violator will be given three days of suspension.
2.4. For the third time, the violator will be given one week of suspension from
company service.
2.5. For the fourth time of their unethical act, they will be given a month of suspension.
2.6. And for the last time, the company will have no choice but to terminate the
employee who continuously violates the rules provided by the company.
2.7. Their punishments will depend on the level of violation.
2.8. Aside from warnings up to termination, an unethical employee may also be
sentenced to imprisonment if they have caused serious damage to the company and
loss of assets and property.

3. Monitoring of Employee’s Act


3.1. Through surveillance cameras, the authority may monitor the daily acts of its
employees.
3.2. Evidence must be provided by a third person who witnessed the violation
done by another employee.
3.3. Evidence could be documents, recorded videos, and other media files that could
prove the validity of the unethical act.
3.4. Any employee who has reported false accusations may also be a candidate
for termination, as the company maintains the harmonious relationship of its
employees.


2. Security Awareness
Security and privacy awareness and training are an important aspect of protecting
the Confidentiality, Integrity, and Availability (CIA) of sensitive information. Employees
are the first line of defense and must be made aware of the security risks associated with
the work performed at Gwynn Store.

Gwynn Store Policy #:5


Effective Date: 2018 Revised: October 2018

2.1 Security Awareness and Training Policy


2.1.1 Policy Statement
According to ISO/IEC 27000, an information security awareness program should
ensure that all workers achieve and maintain at least a basic level of understanding of
information security matters, such as general obligations under various information
security policies, standards, procedures, guidelines, laws, regulations, contractual terms
plus generally held standards of ethics and acceptable behavior. This policy will require
employees to have proper training regarding security awareness, train them to handle
proprietary information appropriately to avoid legal issues, and make them resilient in
case an incident occurs.

Reason for Policy:


The awareness training is administered by the Information Security Officer. All of the
university’s community must attend the training. The content of the training must be
updated and the training held annually. The officer must ensure that every member has
attended the training; the chief directs the implementation of the enterprise information
security program.

Scope:
This policy applies to all Gwynn Store employees and contractors and anyone else
needing access to Gwynn Store information and its systems.


Policy Terms:
Training – teaching a person a particular skill or behavior.
Information Security Officer – responsible for establishing and maintaining the vision,
strategies and program to ensure information assets and technologies are protected.
Annually – once a year, every year.

Enforcement:
Violation of this policy may result in loss of system usage privileges and disciplinary
action, up to and including termination or expulsion.

Related Information:
Security Awareness and Training Policy


2.1.2 Policy Procedure


All employees, contractors, and anyone accessing [Company] information systems
must understand how to protect the CIA of information and information systems.
Gwynn Store will ensure that all employees and contractors are given security and privacy
awareness training during the new hire process and before accessing any Gwynn Store
systems.
This training reflects common security and privacy awareness specific to the firm’s
environment including, but not limited to the following:
a) physical access,
b) restricted areas,
c) potential incidents,
d) how to report incidents,
e) laptop best practices, and
f) how to spot a phishing scam.
In addition to the initial security training provided in the new hire orientation, all
employees must take a security and privacy awareness course and pass the posttest
within 30 days of hire. This course and test are provided and tracked by the Learning
Management System (LMS).
Gwynn Store will provide ongoing training through the Security and Privacy
Awareness and Training (SPAT) Team activities. The SPAT provides information on a
monthly basis on selected topics. An initial SPAT Chat presentation is conducted at the
beginning of the month to give information, demonstrations, and general Q&A for all
attendees. The SPAT also provides information via posters in designated areas
throughout the facility and weekly articles posted on the internal intranet page.
Gwynn Store will also conduct annual refresher training for all employees and anytime
there are significant changes to the environment. This will be administered via the LMS
and tracked for completeness and passing grade to show adequate understanding of the
material.
This policy will be reviewed on an annual basis or whenever there are significant
changes to the environment.


All employees with a job description related to accessing the system are required to
attend the trainings and seminars. If an employee will not or did not attend, they
must comply with the following:
a) Excuse Letter containing the title of the seminar or training they are not going to
attend and the reason.
b) Apology Letter containing the reason for not attending.
The employee’s request will be granted depending on their manager’s decision. If the
given letter is not accepted, the employee must attend the seminar and training or
disciplinary action will be imposed.
Disciplinary Actions:
a) First Offense
a. Employee shall give an Excuse or Apology Letter to the manager
b. If the reason is found to be invalid, the employee will have a first offense record
b) Second Offense
a. Employee shall give an Excuse or Apology Letter to the manager
b. If the reason is found to be invalid, the employee will have a second offense record
c. Employee shall produce research on the seminar and training they failed
to attend.
d. Employee shall present the research to the manager.
e. Counseling with the manager
c) Third Offense
a. Employee shall give an Excuse or Apology Letter to the manager
b. If the reason is found to be invalid, the employee will have a third offense record
c. Employee shall produce research on the seminar and training they failed
to attend.
d. Employee shall present the research to the manager.
e. Counseling with the manager, which may involve dismissal depending on the
manager’s judgement.
Employees may be exempt only if:
a) The employee provides documents supporting the excuse or apology letter given.
b) Life-and-death situations such as:
a. Environmental calamity
b. Accidents
c. Disease, with a health document presented
d. Family or relative’s emergency, which will depend on the judgement of the
manager.
c) The employee has already attended the same seminar and training. In this case, the
employee shall present a certificate on a topic similar to that of the seminar and training.


3. Information Security
Information is a vitally important asset in a Firm. Thus, it is the Firm’s responsibility to
make sure that information is kept safe and used appropriately. Failure to protect
information may result in breaches of confidentiality, failures of integrity, or interruptions
to the availability of that information, causing the Firm financial and reputational
damage.

Therefore, the Firm has adopted an Information Security Policy that complies with
stringent legal requirements and provides the necessary assurance that data held and
processed by the Firm is treated with the highest appropriate standards to keep it
secure.

The Information Security Policy consists of the System Accessibility Policy, the Personal
Data Privacy Policy and the External Devices Policy.

The main objective of this Information Security Policy is to ensure the
confidentiality, integrity and availability of information within the organization.

Gwynn Store Policy #:6


Effective Date: 2018 Revised: October 2018

3.1 Information Access Policy


3.1.1 Policy Statement
Any personal data is protected by the Data Privacy Act. The information in the
system includes personal data, so access must be minimized and monitored. This is
for the safety of the information contained in the system.

Reason for Policy:


This policy defines the degree of access rights to the system’s database granted to
accredited employees.

Scope:
The business’s policy applies to any endpoint, mobile device or application that
requires submission of information through the system, as well as to all users of the
system.

Policy Terms:
Asset - the property of a deceased person subject by law to the payment of his or
her debts and legacies
Firm - a business unit or enterprise
Breach - infraction or violation of a law, obligation, tie, or standard
Confidentiality - limited to persons authorized to use information, documents, etc.,
so classified
Data Privacy Act - comprehensive and strict privacy legislation “to protect the
fundamental human right of privacy, of communication while ensuring free flow of
information to promote innovation and growth.” (Republic Act No. 10173, Ch. 1, Sec. 2).
Database - a usually large collection of data organized especially for rapid search
and retrieval (as by a computer)
System - collects and stores data

Enforcement:
Violation of this policy may result in disciplinary action, up to and including
dismissal or termination, as well as personal civil and/or criminal liability.

Related Information:
Information Access Policy
Authorization for Information Modification Policy
Personal Data Privacy Policy
Password Policy


3.1.2 Policy Procedure


1. Confidential information received from customers will be highly secured
with the help of encryption.
2. The decryption key will only be given to authorized users such as the administrator or
any assigned personnel.
3. Once a customer has given their personal information, the purpose for which such
information is being collected must first be approved by them. This is for
compliance with Republic Act 10173, the Data Privacy Act.
3.1. Access to the information is always controlled and managed.
3.2. The breached information must be sensitive personal information.
3.3. The company has to employ one or more encryption methods such as file
encryption, application architecture, column-level database encryption, and
full-disk virtual machine encryption.


Gwynn Store Policy #:7


Effective Date: 2018 Revised: October 2018

3.2 Authorization for Information Modification Policy

3.2.1 Policy Statement


Modification of any information in the system must not be done by just anyone. Any
information in the system, especially the personal information of the members and the
employees of the company, is protected by the Data Privacy Act. Any modification of
information in the system must be treated with confidentiality, and proper authorization
must be obtained before modifying.

Reason for Policy:


This policy restricts the company from modifying the personal information of
consumers, customers, and employees without their authorization.

Scope:
The business’s policy applies to any endpoint, mobile device or application that
requires submission of information through the system, as well as to all users of the
system.

Policy Terms:
Modification - the making of a limited change in something

Access - permission, liberty, or ability to enter, approach, or pass to and from a place or
to approach or communicate with a person or thing

Enforcement:
Violation of this policy may result in disciplinary action, up to and including
termination or dismissal, as well as personal civil and/or criminal liability.


Related Information:
Information Access Policy
Authorization for Information Modification Policy
Personal Data Privacy Policy
Password Policy


3.2.2 Policy Procedure

1. All modifications wished to be done must be discussed with the authority who
decides in the business:
a. if the modification is minor, such as voiding products with on-counter receipts,
the manager should be called on;
b. if the modification is major, such as changing transactions and modifying the user
interface, it should be discussed with and approved by the deciding committee, group,
or individuals in the company.

2. Any change in the company that would affect wide operation of the system, such as
changing the business model, should be fully planned after the initial approval.

3. All planned changes must be discussed or checked for readiness for implementation
and must wait for final approval.

4. The roles and responsibilities of the managers should include overseeing all of the
modifications that are going to be done in the system.


Gwynn Store Policy #:8
Effective Date: 2018 Revised: October 2018

3.3 Personal Data Privacy

3.3.1 Policy Statement

This policy implements the Data Privacy Act, RA 10173. As sensitive data is entered
throughout the use of the system, the application of proper data privacy is necessary in
securing supplier details, customer details, and employee details.

Reason for Policy:

The Philippines is considered the social networking capital of the world. Filipinos share
their activity, location, lifestyle and even confidential information on the internet through
social media, making them susceptible to cyber-attacks such as identity theft and financial
theft. Leakage of personal information may also result in physical crime.
Because of the increasing problem of crimes committed using personal information, the
Government of the Philippines implemented RA 10173, the Data Privacy Act of
2012. The Act ensures that the Personal Information of citizens is protected by the public
and private departments and institutions of the Philippines.

Scope:
The policy applies to all endpoints, mobile devices or applications through which a user
acquires personal information.

Policy Terms:
Personal Information/Data – refers to the basic information of a person (such as:
name, birth date, address, salary)

Enforcement:
Any breach of these policies will be deemed an infringement and dealt with
accordingly, which could result in suspension of access privileges or, in severe cases,
involvement of legal authorities.


Related Information:
Information Access Policy
Authorization for Information Modification Policy
Personal Data Privacy Policy
Password Policy


3.3.2 Policy Procedure

It is the policy of Gwynn to ensure that:
1. Personal Information shall be protected from unauthorized disclosure.
2. Confidentiality of Personal Information shall be a high priority.
3. Integrity of Personal Information shall be maintained.
4. Unauthorized use of personal information shall be prohibited.
5. Personal Information will be used by the firm once the personal information
owner gives approval or consent.
6. The Software System used by the firm shall provide encryption and
decryption for personal information.

Sensitive Personal Information refers to the following:

1. Basic information such as: Name, Age, Birthday, Address, Contact Number,
Email Address;
2. An individual’s marital status, color, religion; and
3. Information issued by government agencies peculiar to an individual, which includes,
but is not limited to, social security numbers, previous or current health records,
licenses or their denial, suspension or revocation, and tax returns.

Acquiring Personal Information

1. The Personal Information Controller shall provide terms and conditions when
acquiring Personal Data, as proof that the Data Subject agreed to give
their confidential information;
2. The Data Subject shall agree to the terms and conditions before their
personal information is acquired.

Using Personal Information

1. The Data Subject shall have control over their personal information.
2. If the business firm needs to use personal information, the Personal
Information Controller shall request consent from the Data Subject to use their
personal information;
3. The requisition can be sent through email, message or phone call;
4. The requisition letter should include the following: the information that the firm will
use, and the purpose of using the information;
5. The purpose of the requisition shall be clearly stated;
6. Use of Personal Data is strictly limited to the information stated in the request
letter and shall not exceed the agreement. Any breach of this policy shall be treated as
unauthorized use of personal data;
7. Unauthorized use of personal data shall be punished according to the
respective penalty depending on the weight of the offense;
8. The Personal Information Holder bears responsibility for, and the consequences of,
misuse of Personal Information.

Disposal of Personal Information

1. The customer has the authority to dispose of their personal information.
2. A requisition for disposal shall be granted after the customer files the request
letter.
3. An employee is not authorized to request disposal of personal information.

Personal Information from a former employee shall be disposed of after their departure
from the firm.


Gwynn Store Policy #:9
Effective Date: 2018 Revised: October 2018

3.4 Password Policy

3.4.1 Policy Statement

The username and password are the two main items of user confidential information that
must be fully protected by both the user and the administrator to avoid unauthorized
access to accounts by a malicious user such as a hacker. The user needs to keep their
password confidential. Most especially, the system and database administrator must also
guarantee the safety of the user password through different encryptions. This policy will
surely.

Reason for Policy:

The password is one of the user’s identifications; without it, the user cannot proceed
into the system and provide transactions to customers. This policy is implemented to
ensure that system accessibility is secured and not vulnerable to any attack.

Scope:
The policy applies to all employees of the Gwynn Store and to the System and Database
Administrators, who are responsible for keeping passwords secured and limited to the
authorized personnel and the user themselves.

Policy Terms:
System Administrator – the one who manages the configurations of the system.
Database Administrator – responsible for keeping data securely protected in the back end
of the system.
System User – any company employee who uses the system.
Password – an identification of a system user.

Enforcement:
Any violation of this policy may result in loss of data and of the company’s confidential
information. Whoever is responsible for the violation may face termination, and the
System and Database Administrator may face imprisonment once they have broken the
company’s trust by giving confidential data such as passwords to non-employees or
outsiders.

Related Information:
Information Access Policy
Authorization for Information Modification Policy
Personal Data Privacy Policy
Password Policy


3.4.2 Policy Procedure

1. System User
1.1. The user must maintain password confidentiality.
1.2. The user must immediately change their password once the account has been
created by the administrator.
1.3. The user must provide a password with a combination of characters and numbers,
but not symbols.
1.4. The user must change their password periodically to reduce the opportunity for
hacking.
1.5. The user must immediately approach the system administrator once their password
has been changed by another system user.
1.6. The user must keep the password away from strangers and even from their
relatives and families, as it is limited to them only.
2. System and Database Administrator
2.1. The system administrator must provide accounts to company users with passwords
limited only to them.
2.2. The system administrator must be able to track the user’s logon location if an
employee’s password has been hacked by an outsider.
2.3. The database administrator must encrypt passwords once an account is created.
2.4. The database administrator must ensure high security when it comes to user
accounts.
2.5. Decryption techniques must be limited to authorized database administrators only.
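The procedure above requires stored passwords to be protected (2.3), with any reversal limited to authorized administrators (2.5), a forced change after account creation (1.2), a letters-and-digits composition rule (1.3) and periodic change (1.4). The following is an added example, not code from the manual or from the Gwynn Store system, showing how a practitioner would implement those items in Python. It stores a salted one-way PBKDF2 hash rather than a reversible encryption, which satisfies 2.3 and 2.5 by leaving nothing to decrypt; the minimum length, the 90-day rotation interval, the iteration count and the account-store layout are assumptions the manual does not state.

```python
import hashlib
import hmac
import os
import re

# Values the manual does not state; both are hypothetical choices for this example.
MIN_LENGTH = 8                            # minimum password length
MAX_PASSWORD_AGE_SECONDS = 90 * 86400     # rotation interval for procedure 1.4
PBKDF2_ITERATIONS = 100_000               # illustrative work factor


def check_password_rules(password):
    """Procedure 1.3: letters and digits only, with at least one of each.
    Returns a list of violations; an empty list means the password is acceptable."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("shorter than %d characters" % MIN_LENGTH)
    if not re.fullmatch(r"[A-Za-z0-9]+", password):
        violations.append("contains symbols or spaces")
    if not re.search(r"[A-Za-z]", password):
        violations.append("has no letters")
    if not re.search(r"[0-9]", password):
        violations.append("has no digits")
    return violations


def _derive(password, salt):
    """Salted one-way derivation (PBKDF2-HMAC-SHA256). The stored value cannot be
    decrypted, so there is no decryption key to guard (procedures 2.3 and 2.5)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def create_account(store, username, initial_password, now_s):
    """Procedure 2.1: the administrator creates the account. The record is flagged
    must_change so the user has to replace the initial password at first logon (1.2).
    now_s is the current time in seconds since the epoch."""
    salt = os.urandom(16)
    store[username] = {
        "salt": salt,
        "hash": _derive(initial_password, salt),
        "must_change": True,
        "changed_at": now_s,
    }
    return store[username]


def verify_login(store, username, password, now_s):
    """Check a logon attempt. Returns ok, must_change (1.2) and expired (1.4) flags.
    Unknown users still pay for one derivation so the response time does not reveal
    whether the account exists."""
    record = store.get(username)
    if record is None:
        _derive(password, b"\x00" * 16)
        return {"ok": False, "must_change": False, "expired": False}
    ok = hmac.compare_digest(_derive(password, record["salt"]), record["hash"])
    expired = (now_s - record["changed_at"]) > MAX_PASSWORD_AGE_SECONDS
    return {"ok": ok, "must_change": ok and record["must_change"], "expired": ok and expired}


def change_password(store, username, old_password, new_password, now_s):
    """Procedures 1.2 and 1.4: the user replaces their password. The new password
    must pass check_password_rules. Returns a list of violations (empty on success)."""
    if not verify_login(store, username, old_password, now_s)["ok"]:
        return ["current password incorrect"]
    violations = check_password_rules(new_password)
    if violations:
        return violations
    salt = os.urandom(16)   # fresh salt on every change
    store[username].update(salt=salt, hash=_derive(new_password, salt),
                           must_change=False, changed_at=now_s)
    return []
```

The account store is an in-memory dict here; in a real deployment the same records would live in the database, and the logon path would also record the logon location required by 2.2.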


4. Disaster Response/Business Continuity Plan

When business is disrupted, it will cost the firm lost revenue and expenses for the
damage, which results in reduced profits. The [insert title] is implemented to provide a
systematic approach to prepare for and to follow in the event of an emergency or
disaster, and the process of recovery.

Emergencies, disasters, accidents and injuries can occur at any time and without
warning. Being prepared physically and mentally to handle emergencies is an individual
as well as an organizational responsibility.

The purpose of this Policy is to minimize the critical decisions to be made in a
time of crisis, and to facilitate the timely recovery of the Gwynn Store business
functions.

Gwynn Store Policy #:10
Effective Date: 2018 Revised: October 2018

4.1 Disaster Awareness and Preparedness Policy

4.1.1 Policy Statement
Brownouts during typhoons are one of the common disasters that can affect the
business; this policy ensures the continuity of operations and transactions if any
disaster or unexpected interruption occurs. The policy complies with A.10.5 of ISO
27001, which covers back-up regulations.

Reason for Policy:

Disaster preparedness should be recognized as one of the primary activities of the
members of the company; this is the most effective way of reducing the impact of a
disaster or a calamity.

Scope:
It applies to all types of disaster preparedness activities. This policy tells what
should be done before, during and after a disaster. Problems encountered by the system
that are not caused by a disaster are out of this scope.

Policy Terms:
Impact – how disaster can damage the business process of the system.

Enforcement:
Failure to follow this policy may lead to serious damage to the system (for example,
failing to back up) and may cause panic among employees.

Related Information:
Disaster Awareness and Preparedness Policy


4.1.2 Policy Procedure

1. System Data Recovery
1.1. Once a typhoon has struck the company’s electric wiring, new transactions that
have been added should be automatically retrieved once the electric power
is back.
1.2. Data will be highly secured and protected from any malicious
software that attempts to destroy it.
1.3. Authorized users can then recover the files that have been exported or
imported after the calamity struck.
1.4. Authorized users should be well oriented on how the data will be recovered
or retrieved.

2. After the Calamity
2.1. Any employee should be able to communicate with the people who have
been affected by the sudden catastrophe, such as customers, and be
able to explain to them the subsequent actions after the calamity.
2.2. The employee should guarantee customers the return of money for any
transaction made before the calamity struck.
2.3. The employee should immediately call for medical assistance if their
co-employees or customers were hit by the calamity.
2.4. The medical expenses of all affected employees and customers should be
carried by the company.
2.5. Any loss of a customer’s assets will also be carried by the company.
2.6. Any transactions made on the day the calamity struck the store
should have a real-time backup at other branches, since the system is generic.


5. Change Management
The policy is designed to provide a managed and orderly method in which
changes to the information technology environment are requested, tested and approved
prior to installation or implementation. The purpose of this is to ensure that all elements
are in place, that there is no negative impact on the system, and that the parties are
informed of the modification.

Because technology does not stop developing, the system is still a work in progress in
terms of securing it and making it more efficient. As time goes by, many practices and
techniques are developed. Changes are inevitable and will be frequent. The changes could
affect the company and the system, so the changes that are made must be managed to
maintain the organization of all.

Gwynn Store Policy #:11
Effective Date: 2018 Revised: October 2018

5.1 Change Authorization Policy

5.1.1 Policy Statement
This policy identifies changes within the business that affect the production
services by making a service unavailable, posing a security risk, changing a security
profile, causing an outage of a service, or changing the experience of an end user. These
changes must first be approved by the Change Advisory Board and must be known by the
stakeholders before implementation.

Reason for Policy:

The change management policy is designed to deliver a managed and orderly way in
which changes to the IT environment are requested, tested and approved prior to
installation or implementation. The intention is not to question the justification of a
change, but to ensure that all elements are in place, that there is no undesirable impact
on the infrastructure, that all required parties are informed in advance, and that the
timetable for implementation is synchronized with all other activities.

Scope:
The policy applies to all changes to the firm’s infrastructure, tools, other policies,
management and processes, transactions, and services provided.

Policy Terms:
Training – teaching a person a particular skill or behavior
Information Security Officer - responsible for establishing and maintaining vision
strategies and program to ensure information assets and technologies are protected.
Annually – once a year, every year

Enforcement:
Making modifications without following the steps in this policy may result in loss of
system usage privileges and disciplinary action, up to and including termination or
expulsion. This can be prevented by obtaining proper permission from the owner.

Related Information:
Change Authorization Policy
Modification of Transaction Policy


5.1.2 Policy Procedure

1. Change priority level
This is needed to set the routine priority for the end user.
Emergency – A change that, if not implemented immediately, will leave the
business open to substantial risk (for example, applying a security patch).
Urgent – A change that is significant for the business and must be implemented
promptly to avert an important adverse impact on the ability to conduct
business.
Routine – A change that will be implemented to gain the advantage of the altered
service.
Low – A change that is not pressing but would be beneficial.
2. Roles and Responsibilities
The roles and responsibilities of each user must be followed. The system administrator is
the only role in the system that can configure anything in the system. The owner must
be the one who can view all the analytics that account for the profit gained and for
the stability of the business. The manager should be the one who is contacted about
future conflicts such as voiding items on a receipt, etc., above any other non-managerial
employees.
Only the people assigned to the said roles are allowed to use and access
the system and the parts allotted to each.
3. Change to be done
The changes to be done must be planned, evaluated, reviewed, approved,
disseminated, implemented, documented, and given a post-change review.
Planning – plan the change to be done
Evaluation – evaluate the change planned to be done
Review – review the change plan with peers or the business board
Approval – get approval for the reviewed change from management or other appropriate
parties or the business board
Dissemination – communicate the approved changes to the appropriate audience
Implementation – implement the approved change
Document – document any change and any review and approval information

Post-change review – review the changes done for future improvements


4. On the process of changing
The change will only take place if the following are already done:
- The business process of the client in that specific branch must be
shut down to prevent parallel data entry and also to give way to the backup.
- The system must be backed up (externally, at another location).
- The change to be done has followed the steps of number 3 of this
policy procedure.
5. The change process must only be done on the same day after the system was backed
up.
6. All changes that reach the approval stage (see this policy’s policy procedure number
3) must be accumulated and batched until the day of backing up.
7. The documentation (reference: this policy’s policy procedure number 3) must state
clearly:
- When did the change take place?
- What was changed in the system?
- Why was the change done?


Gwynn Store Policy #:12
Effective Date: 2018 Revised: October 2018

5.2 Modification of Transaction Policy

5.2.1 Policy Statement
Because of the importance of the transactions in the system, any plan to change or
add transactions must be approved by the owner to establish the legitimacy of the
modification.

Reason for Policy:

This policy identifies changes within the business that affect the production
services by making a service unavailable, posing a security risk, changing a security
profile, causing an outage of a service, or changing the experience of an end user. These
changes must first be approved by the Change Advisory Board and must be known by
the stakeholders before implementation.

Scope:
The policy applies to all endpoints, employees or the owner through which a user can
access the computer. It also covers modifications in the system, major or minor.

Policy Terms:
Transaction: an instance of buying or selling something; a business deal
Modification: the act of modifying something; a change made
Stakeholders: a person with an interest or concern in something, especially a
business
Credentials: a qualification, achievement, personal quality, or aspect of a person’s
background, typically when used to indicate that they are suitable for something
Access: means of approaching or entering a place
Module: a software component or part of a program that contains one or more
routines.


Enforcement:
The employees have their roles and must have credentials to log in to the system
according to their role. Every user must only access their part of the system. Access
to another user’s module is prohibited without authorization. Employees who deliberately
violate this policy will be subject to disciplinary action up to and including termination. Not
following the steps on modification without proper permission from the owner will
result in disciplinary action or loss of access to the system, up to and including
termination. Not following the guidelines on modification could lead to the big risk of
loss of data in the system.

Related Information:
Change Authorization Policy
Modification of Transaction Policy


5.2.2 Policy Procedure

1. Minor or major modifications to transactions, such as a change of the mode of
payment used in the system and the like, are expected to be discussed with the
owner and system administrator first before modification.
2. Transactions that have been made and need modification will be shown in the
history of modified transactions in the system.
3. An authorized user will assist the one who made the transaction with the
modification, to avoid unauthorized changes being made.
4. The owner of the company will be notified if changes are made to
transactions. The owner will receive a message from the authorized user
who did the modification.
5. The customer who asked for the modification will also be recorded in the system
for the purpose of saving their credentials for the system reports.
6. Any change made to the selected transaction should be approved
by both the customer and the cashier to avoid the wrong generation of
transaction receipts.
7. On the process of major modification
The change will only take place if the following are already done:
- The business process of the client in that specific branch must be
shut down to prevent parallel data entry and also to give way to the backup.
- The system must be backed up (externally, at another location).
- The change to be done has followed the steps of number 3 of this
policy procedure.
8. The major modification process must only be done on the same day after the
system was backed up.
9. All major modifications that reach the approval stage (see this policy’s policy
procedure number 3) must be accumulated and batched until the day
of backing up.

10. The documentation (reference: this policy’s policy procedure number 3) must
state clearly:
- When did the modification take place?
- What was modified in the system?
- Why was the modification done?
11. A major modification can be classified as a modification that could affect the system
widely, such as changing the credit card mode of payment into Visa or debit
card only.


6. Bring Your Own Device (BYOD)

Most people use mobile devices in their everyday life, which helps them do work
faster and more efficiently. The BYOD policy allows the employees of the firm to use their
personal devices, such as mobile phones and laptops, on the store premises. This policy
helps the firm lessen the expenses of the store, since people have their own mobile
devices.

This policy contains the guidelines on the scenarios in which employees are allowed
to use their devices and those in which they are not. It also ensures that the personal
devices of employees cannot be used to cause damage to the firm’s reputation.

Gwynn Store Policy #:13
Effective Date: 2018 Revised: October 2018

6.1 Device Responsibility Policy

6.1.1 Policy Statement
This policy sets out the professional obligations of personnel in terms of the usage
of personal device(s) inside the business’ premises. It is intended to cover all the devices
permitted and accepted and the number of these devices each member of personnel may
use.

Reason for Policy:

This policy will let all the individuals involved be well informed of all the devices
that are valid to be connected to the business and what shall be done with such devices.

Scope:
The business’ policy applies to all endpoints, from all the personnel involved
to any variety of device that necessitates association with the business’ equipment and
services.

Policy Terms:
Devices - a piece of equipment or a mechanism designed to serve a special
purpose or perform a special function
Equipment - the implements used in an operation or activity

Enforcement:
Violation of this policy may result in disciplinary action, up to and including
termination or dismissal, as well as personal civil and/or criminal liability.

Related Information:
Device Responsibility Policy
External Device Use Policy


6.1.2 Policy Procedure

Personal devices can be used within the store premises. During work hours, employees
shall ensure that they are using their devices for work-related purposes only. Any
personal-related activity during work hours will result in a breach of this policy.

The devices permitted for use are the following:

1. Smartphone devices, for checking emails and messages or visiting the firm’s
mobile application or the firm’s system.
2. Laptops, for checking emails and messages or visiting the system.

Any device that can be used for work-related purposes is acceptable.

While using personal devices, the employees are:

1. Restricted from using the camera of their smartphone to photograph documents or
business transactions inside the store.
2. Restricted from using the sound recorder of their smartphone to record business
transactions in the store.
3. Restricted from using the video application of their smartphone to record business
transactions in the store.
4. Restricted from using any video recording equipment or devices inside the store, such
as a Digital Camera, DSLR, or Spy Camera Pen.
5. Restricted from using any photographic devices inside the store.
6. Restricted from using sound recorder devices inside the store.
7. Restricted from plugging in personal external storage devices such as flash drives,
external hard drives, etc. Refer to the External Device Use Policy in terms of using storage
devices.


Gwynn Store Policy #:14
Effective Date: 2018 Revised: October 2018

6.2 External Device Use Policy

6.2.1 Policy Statement
In some cases, employees have their own devices that can save data from the
business property. This policy will enforce the implementation of rules and regulations
on the use of external devices to acquire information from the system without
authorization. The policy will restrict the employee from plugging in storage media that
would allow them to seize a copy of the organization’s documents, such as flash drives,
external hard drives, and data cables.
This will ensure that the software system used by the firm is kept free from worms
and viruses and cannot be used as a medium for theft of the firm’s confidential
information.

Reason for Policy:

External devices are truly helpful for storing files. But like other devices, they can also
cause harm to the firm’s business. There have been cases where a storage device caused a
malfunction of the system when plugged in; the investigation then found that the storage
device contained viruses which deleted the software system’s data. The firm spent millions
of dollars to fix the damage caused by the plugged-in storage device that contained the
virus.
Plugging in external storage devices can also lead to unauthorized copying of
sensitive documents. Employees can easily access the system; thus, obtaining a copy of a
confidential document is easy. These insiders may have a personal agenda in the firm and
may cause damage to the firm’s reputation through the sensitive documents they copied
without authorization.

Scope:
This policy applies to all storage media devices that can store files, may contain
harmful files such as viruses, and may be used as a medium for acquiring confidential
information and documents of the business organization without authorization.

Policy Terms:
Storage Medium – refers to the devices that can store files such as flash drives,
external hard drives, and data cable.
Viruses, Worms, Trojan Virus – refers to computer viruses that can cause
malfunction to the system.

Enforcement:
Any breach of these policies will be deemed an infringement and dealt with
accordingly, which could result in suspension of access privileges, disciplinary action or,
in severe cases, involvement of legal authorities.

Related Information:
Device Responsibility Policy
External Device Use Policy


6.2.2 Policy Procedure

The firm ensures that the following are abided by:

1. Personal external storage devices are prohibited from being plugged into any computer
where the firm’s software system is installed;
2. External storage devices covered include:
a. Flash Drive
b. External Hard Drive
c. Data Cable
d. Other storage devices;
3. If an employee or any personnel plugs in an external device, it must
immediately be reported to the management.
4. The firm’s system shall detect the plugged-in flash drive and must immediately record
and report the incident to the management.
5. Any damage to the firm caused by the plugged-in external device shall incur
penalties such as termination and criminal liability depending on the investigation.
6. Obtaining a copy of the firm’s confidential documents without authorization may result
in a criminal case and may involve legal authorities.
7. If the system is damaged, the current system will stop transactions and
the latest backup will be used by the store. Refer to Change Management for
modification of the system and the Backup Policy for the backup processes.
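Item 4 requires the system to detect a plugged-in storage device and record and report the incident. The following is an added example, not code from the manual or from the Gwynn Store system, of how a practitioner would implement that detection on a Linux point-of-sale host in Python: it reads kernel log lines, correlates the "New USB device found" and "Product:" lines with the "USB Mass Storage device detected" line for the same host and USB port, and produces one incident record per attached storage device for the management report. The log lines, host names, ports and vendor/product IDs are constructed sample values, and the list of authorized device IDs is an assumption (the policy prohibits personal devices, so a firm-owned backup drive would be the only entry).

```python
import re

# Constructed sample lines in Linux kernel syslog format (not real store logs);
# host names, USB ports and idVendor/idProduct values are sample values.
SAMPLE_LOG = [
    "Oct 12 09:14:02 pos-01 kernel: usb 1-2: new high-speed USB device number 5 using xhci_hcd",
    "Oct 12 09:14:02 pos-01 kernel: usb 1-2: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00",
    "Oct 12 09:14:02 pos-01 kernel: usb 1-2: Product: Cruzer Blade",
    "Oct 12 09:14:02 pos-01 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected",
    "Oct 12 09:14:03 pos-01 kernel: sd 6:0:0:0: [sdb] 30031872 512-byte logical blocks: (15.4 GB/14.3 GiB)",
    "Oct 12 09:20:11 pos-01 kernel: usb 1-3: New USB device found, idVendor=046d, idProduct=c077, bcdDevice=72.00",
    "Oct 12 09:20:11 pos-01 kernel: usb 1-3: Product: USB Optical Mouse",
    "Oct 12 10:02:45 pos-02 kernel: usb 2-1: New USB device found, idVendor=0bc2, idProduct=2322, bcdDevice= 1.00",
    "Oct 12 10:02:45 pos-02 kernel: usb 2-1: Product: Expansion Desk",
    "Oct 12 10:02:45 pos-02 kernel: usb-storage 2-1:1.0: USB Mass Storage device detected",
]

# Common syslog prefix: timestamp, host, "kernel:".
_PREFIX = r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) kernel: "
NEW_DEVICE = re.compile(_PREFIX + r"usb (?P<port>[\d.-]+): New USB device found, "
                        r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
PRODUCT = re.compile(_PREFIX + r"usb (?P<port>[\d.-]+): Product: (?P<name>.+)$")
MASS_STORAGE = re.compile(_PREFIX + r"usb-storage (?P<port>[\d.-]+):[\d.]+: "
                          r"USB Mass Storage device detected")


def detect_mass_storage(lines, authorized_ids=frozenset()):
    """Walk kernel log lines in order and return one incident dict per USB
    mass-storage attach. Identification lines are keyed by (host, port) so a
    mouse on another port (which never reaches usb-storage) raises nothing."""
    pending = {}      # (host, port) -> vendor/product info seen so far
    incidents = []
    for line in lines:
        m = NEW_DEVICE.match(line)
        if m:
            pending[(m["host"], m["port"])] = {"vid": m["vid"], "pid": m["pid"], "name": None}
            continue
        m = PRODUCT.match(line)
        if m and (m["host"], m["port"]) in pending:
            pending[(m["host"], m["port"])]["name"] = m["name"].strip()
            continue
        m = MASS_STORAGE.match(line)
        if m:
            info = pending.pop((m["host"], m["port"]), {"vid": None, "pid": None, "name": None})
            device_id = "%s:%s" % (info["vid"], info["pid"])
            incidents.append({
                "timestamp": m["ts"],
                "host": m["host"],
                "port": m["port"],
                "device_id": device_id,
                "product": info["name"],
                "authorized": device_id in authorized_ids,
            })
    return incidents


def format_incident(incident):
    """One-line record for the management report required by item 4."""
    status = "AUTHORIZED" if incident["authorized"] else "UNAUTHORIZED"
    return "%s %s usb %s: %s mass-storage device %s (%s)" % (
        incident["timestamp"], incident["host"], incident["port"], status,
        incident["device_id"], incident["product"] or "unknown product")


def report_unauthorized(lines, authorized_ids=frozenset()):
    """Formatted records for every attached storage device not on the authorized list."""
    return [format_incident(i) for i in detect_mass_storage(lines, authorized_ids)
            if not i["authorized"]]


if __name__ == "__main__":
    # Hypothetical authorized entry: the firm's own backup drive.
    for record in report_unauthorized(SAMPLE_LOG, authorized_ids=frozenset({"0bc2:2322"})):
        print(record)
```

In a deployment the same routine would be fed from the journal or syslog in real time and its output forwarded to management, which is the recording-and-reporting step the procedure calls for; matching on idVendor/idProduct rather than the product string is what makes the authorized list hard to spoof by renaming a device.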


7. Vendor Access
Third parties may play an important role in the support of software and
operations. They may remotely view, copy, and modify data, and monitor system
performance. Setting limits and controls on what can be seen, copied, modified, and
controlled by third parties will reduce the risk of loss of revenue, liability, loss of
trust, and embarrassment for Gwynn Store.

This policy establishes vendor access procedures that address information
resources and support services, vendor responsibilities, and protection of confidential
information.

Gwynn Store Policy #:15
Effective Date: 2018 Revised: October 2018

7.1 Vendor Responsibility Policy

7.1.1 Policy Statement
The vendor should be aware of the things that are happening on the
system, such as the owner using 3rd party apps and other things as far as the system is
concerned. In that way, a malfunction or a failure of the system can be fixed and can be
looked into by the vendors. As per ISO 12.6, technical vulnerability management should
be implemented in an effective, systematic, and repeatable way with measurements
taken to confirm its effectiveness, which in this case is implemented by the vendor.

Reason for Policy:

This policy will enforce the implementation of rules and regulations on the use of
the system by the firm’s vendors. The policy will restrict the retailer from accessing
the Gwynn Store System without authorization.

Scope:
The Gwynn Store Vendor Access Policy applies to all personnel or organizations
outside the firm that can access the Gwynn Store Management System.


Policy Terms:
Third party access – refers to the personnel or organization outside the firm that
access the system.
Vendor – Person or Firm who exchanges goods or services for money.

Enforcement:
Violation of this Policy may result in disciplinary action which may include
termination for employees, termination of business relationships for contractors or
consultants, dismissal for interns and volunteers, or suspension or expulsion for students.
Additionally, individuals are subject to loss of Gwynn Information Resources access
privileges and civil and criminal prosecution.

Related Information:
Vendor Responsibility Policy


7.1.2 Policy Procedure

Vendor responsibilities are the following:

1. Access the system only with the credentials issued by the Gwynn Store Manager. Refer
to the System Accessibility Policy on how to acquire and use Gwynn Store System
credentials.


8. Media Destruction, Retention and Backups

This policy provides procedures for the destruction, retention and backup of critical
electronic data, and manages the associated risks by providing contingency plans to be
used.

Gwynn Store Policy #:16


Effective Date: 2018 Revised: October 2018

8.1 Media Destruction Policy

8.1.1 Policy Statement
Republic Act No. 10173, the Data Privacy Act of 2012, commits the State to protecting
personal information in information and communications systems. This policy governs the
disposal of personal data throughout the system. It ensures that, once the information
has been deleted, the Personal Information of the Data Subject cannot be used in any
transaction, study or other activity of the firm.

Reason for Policy:
When a file is deleted, the system does not completely remove it from the disk: only the
directory entry is removed and the blocks are marked free, so the contents remain until
they are overwritten and can be retrieved with specialized software (deleted file
recovery). Media containing business-sensitive data must therefore be safeguarded from
the time it is removed from service until the time it is sanitized or destroyed. To
facilitate secure sanitization of electronic media, employees may bring digital media to
IT for secure disposal; proper procedures must be followed for regulatory and compliance
reasons.
In accordance with RA 10173, the Data Privacy Act of 2012, Personal Information must be
destroyed when the Data Subject so requests, depending on the circumstances of the case.

Scope:
This policy applies to all of the firm's officers, directors, employees, affiliates and
contractors that may collect, process, or have access to Data. It is the responsibility
of all of the above to familiarize themselves with this Policy and ensure adequate
compliance with it. The policy covers all data processed or controlled, in whatever
medium such data is contained.

Policy Terms:
Destruction – refers to the destroying of data so that it cannot be recovered.
Retention – refers to the span of time for which data is kept under the firm's control.
Backups – refers to keeping more than one copy of a record, file or system.

Enforcement:
Violators shall receive appropriate penalties, and any breach of this policy shall be
referred to the owner or whoever is authorized to handle the incident. Violation of this
policy may result in loss of the firm's system data and important information, and in
termination of employment, depending on the decision of the owner.

Related Information:
Media Destruction Policy
Back-up Policy


8.1.2 Policy Procedure

Prior to transferring media over to IT for destruction, users must ensure:
1. Management has approved the removal and destruction of the media.
2. All information has been wiped completely. Data that has only been deleted remains on
the media in some form and can be recovered.

The following classification levels must be considered before the destruction of media:

1. Level 1 is for Confidential Data: the most sensitive information, such as personal
information.
2. Level 2 is for Public Data: public and general information, requiring lower security.
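The following is an added example, not part of the Gwynn Store manual, showing what "wiped completely" means at the file level for Level 1 (Confidential) versus Level 2 (Public) media: a Python routine that overwrites a file's contents in place and flushes each pass to the device before unlinking, applied according to the classification level. The level names "confidential" and "public", the two-pass random-then-zero pattern and the sample customer record are this example's own assumptions.

```python
"""Added example (not from the Gwynn Store manual): overwrite-then-unlink
file sanitization applied by classification level.
Assumptions (mine): the level names "confidential" and "public", the two-pass
random-then-zero pattern, and the constructed sample record below."""
import os
import secrets
import tempfile

CHUNK = 64 * 1024


def overwrite_file(path: str, passes: int = 2) -> int:
    """Overwrite every byte of `path` in place `passes` times, fsyncing after
    each pass: random bytes on all but the last pass, zeros on the last.
    Returns the total number of bytes written."""
    size = os.path.getsize(path)
    written = 0
    # "r+b" keeps the same inode and file size, so the blocks that hold the
    # original data are the ones overwritten; "wb" would truncate first and
    # could be allocated fresh blocks, leaving the old ones intact.
    with open(path, "r+b") as fh:
        for p in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(secrets.token_bytes(n) if p < passes - 1 else b"\x00" * n)
                remaining -= n
                written += n
            fh.flush()
            os.fsync(fh.fileno())  # push this pass to the device before the next
    return written


def destroy(path: str, level: str) -> str:
    """Dispose of a file according to its classification level; returns the
    method used. Level 1 (confidential) is overwritten before unlinking.
    Level 2 (public) is just unlinked: recovering public data is not a risk."""
    if level == "confidential":
        overwrite_file(path)
        method = "overwrite+unlink"
    elif level == "public":
        method = "unlink"
    else:
        raise ValueError(f"unknown classification level: {level!r}")
    os.remove(path)
    return method


def demo() -> dict:
    """Write a constructed Level 1 record to a temp file, sanitize it, and
    return what happened so the result can be checked."""
    fd, path = tempfile.mkstemp()
    record = b"customer=Juan Dela Cruz;card=4111111111111111\n" * 100  # constructed
    with os.fdopen(fd, "wb") as fh:
        fh.write(record)
    size = os.path.getsize(path)
    written = overwrite_file(path, passes=2)   # first pass random, second zeros
    with open(path, "rb") as fh:
        after = fh.read()                      # what a recovery tool would now see
    method = destroy(path, "confidential")     # policy path: overwrite again, unlink
    return {"size": size, "written": written, "zeroed": after == b"\x00" * size,
            "method": method, "exists": os.path.exists(path)}


if __name__ == "__main__":
    print(demo())
```

Overwriting in place is only meaningful on media where a logical write lands on the same physical sectors, which is the case for conventional magnetic disks. On SSDs with wear levelling, copy-on-write or journaling filesystems, snapshots, RAID and cloud storage, the old blocks may survive an overwrite; for such media use the drive's built-in secure erase or cryptographic erase, or physical destruction, and treat the overwrite above as a supplement to the destruction carried out by IT, not a substitute for it.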


Gwynn Store Policy #:17


Effective Date: 2018 Revised: October 2018

8.2 Back-up Policy

8.2.1 Policy Statement
The data in the system must be maintained. As time goes by, a great deal of data is
stored and accumulated by the system. The data should be backed up for records,
inventory, and the history of transactions. The validity of backed-up data and its
expiration are covered by this policy.

Reason for Policy:
The policy was made for the management of back-ups of the system. Managing the
back-ups keeps the system efficient and at the same time ensures that the system has
the files and data it needs, keeping the data in the system up to date.

Scope:
The policy covers all data processed or controlled, in whatever medium such data is
contained, including personal data, transactions and processes in the system.

Policy Terms:
Back-up – a stored copy of something in the system.
Data – information stored in the system.

Enforcement:
Not following the back-up procedures in this policy would harm the data that the system
must contain and retain. Back-up copies must not be disclosed to anyone who is not
responsible for them, not part of the business, or not among the decision-making
individuals. Back-up data must be stored properly and kept secure. Any violation of this
policy may lead to disciplinary action, loss of access to the system, termination, and
criminal charges.


Related Information:
Media Destruction Policy
Back-up Policy


8.2.2 Policy Procedure

1. The back-up operation must be discussed with and approved by the decision-making
committee, group or individual of the company before it is carried out.
2. The back-up operation must be planned, evaluated, reviewed, approved,
disseminated, implemented and documented.

Plan – the operation must be planned so that everything is organized. The plan must
include the following:
a) Permission to perform the back-up operation for the system
b) The reason the back-up must be done
c) When the back-up will take place
d) Everyone and everything involved in the back-up operation. Every item must be
specified.

Evaluate – the back-up plan must be evaluated.

Review – the parts of the system or data that will be backed up must be reviewed.

Approve – the plan must be approved before it is implemented.

Disseminate – the back-up plan must be disseminated so that all those involved know it.

Implement – the back-up operation must be carried out on the day it was planned for.

Document – the operation performed must be documented for bookkeeping and for future
data referencing.

3. Backed-up data is valid for 5 years from the very day it was saved.
4. The business process of the specific branch must be shut down during the back-up to
prevent parallel data entry.
5. The back-up operation should be done weekly, after business hours.
6. When backed-up data reaches its expiry, it is archived, and it must be deleted 5
years after the day it was archived.


9. Incident Response
Incident response is an organized approach to addressing and managing the
aftermath of a security breach or cyber-attack, also known as an IT incident, computer
incident or security incident. The goal is to handle the situation in a way that limits damage
and reduces recovery time and costs.

Any incident that is not properly contained and handled can -- and usually will --
escalate into a bigger problem that can ultimately lead to a damaging data breach or
system collapse. Responding to an incident quickly will help an organization minimize
losses, mitigate exploited vulnerabilities, restore services and processes, and reduce the
risks that future incidents pose.

This Incident Response Plan is documented to provide a well-defined, organized
approach for handling any potential threat to computers and data, as well as taking
appropriate action when the source of an intrusion or incident at a third party is traced
back to the Gwynn Store's private network.

Gwynn Store Policy #:18


Effective Date: 2018 Revised: October 2018

9.1 Surveillance Policy

9.1.1 Policy Statement
So that incidents that may occur can be dealt with, this policy provides for the
monitoring of employees and customers within the business premises. It governs the use
of video recording and surveillance equipment for ensuring the safety of persons and
property on the business premises, including such equipment and its recordings when
used for deterrence and for the investigation and potential prosecution of criminal
behavior.

Reason for Policy:
This policy helps the business inform all its members of the incidents that have
happened or might happen and of the proper action to take when those incidents occur.

Scope:
The policy applies to any endpoint, mobile device or application through which
information is submitted to the system, as well as to all users of the system.

Policy Terms:
Camera Surveillance - surveillance by means of a camera that monitors or records visual
images of activities on the premises or in any other place.

Computer surveillance - surveillance by means of software or other equipment that
monitors or records the information input or output, or other use of a computer
(including but not limited to the sending and receipt of e-mails and the accessing of
Internet websites).

Tracking surveillance - surveillance by means of an electronic device whose primary
purpose is to monitor or record geographical location or movement (such as a Global
Positioning System tracking device).

Surveillance Information - information obtained, recorded, monitored or observed as a
consequence of surveillance of an employee.

Surveillance Record - a record or report of surveillance information.

Enforcement:
Violation of this policy may result in disciplinary action, up to and including
termination or dismissal, as well as personal civil and/or criminal liability.

Gwynn Merchandising may:

a) rely on information gathered by surveillance activities in making employee
management decisions, including any disciplinary action to be taken;
b) restrict access to internet facilities and/or sites of any kind;
c) prevent the sending and/or receiving of emails;
d) disclose any data it collects through monitoring and auditing activities to support
Gwynn Merchandising policy or law enforcement;
e) take any other disciplinary action, which may include termination of employment.

Related Information:
Surveillance Policy
Information Security Incident Response Policy


9.1.2 Policy Procedure

1. For employees, from the beginning of their employment, Gwynn Merchandising carries
out ongoing, intermittent surveillance of their use of Gwynn Merchandising computer
systems, phone systems and mobile communication or computing devices (including by
way of real-time monitoring and recording), including emails, internet use and files
(including files stored on the work computer or on mobile communication or computing
devices).
2. The surveillance is carried out by all means available to Gwynn Merchandising,
which may include, without limitation:
a.) auditing, logging, monitoring or accessing email accounts, emails and instant
messaging;
b.) accessing files;
c.) accessing the work computer and mobile communication or computing devices;
d.) accessing records of internet usage (including sites and pages visited, files
downloaded, video and audio files accessed and data input);
e.) camera surveillance;
f.) tracking surveillance.

3. Because of the other duties of the administrative staff, video may not be monitored
continuously. Devices used to view live and recorded video will have secure access and
be located out of open view of the public and staff. Visitors, students and staff should
be aware that an administrator is not watching most cameras most of the time, and they
should not expect to be under continuous surveillance when they are in range of a
camera.

4. All personnel with access rights will be provided with video and data protection
training. Training is provided for each new member of staff, and periodic workshops on
video and data protection compliance issues are carried out at least once every two
years for all employees with access rights. After the training, each employee signs a
confidentiality undertaking.
5. All transfers of video content and disclosures outside the administration are
documented and are subject to a rigorous assessment of the necessity of the transfer
and of the compatibility of its purpose with the initial security and access control
purpose of the processing.

6. Images or video content are retained for a maximum of 30 days. Thereafter, all images
are deleted or overwritten. If any images, video or records need to be kept for further
investigation or as evidence in a security incident, they may be retrieved and retained
for that purpose before the routine deletion takes place.
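Two retention rules in this manual can be applied mechanically: backed-up data is valid for 5 years from the day it was saved, is then archived, and is deleted 5 years after the day it was archived (8.2.2, items 3 and 6); surveillance images are kept for at most 30 days and then deleted or overwritten unless needed for an investigation (9.1.2, item 6). The following Python retention sweep is an added example, not part of the manual, that applies both rules to a constructed inventory and honors an incident hold list so that evidence is never deleted by the routine sweep. The item names, the hold list, the date used as "today" and the rule that an item's archive date is the day its active period ended are assumptions of the example.

```python
"""Added example (not from the Gwynn Store manual): a retention sweep that
applies the manual's back-up and surveillance retention rules to a constructed
inventory and honors an incident hold list.
Assumptions (mine): item names, the hold list, the "today" date, and that an
item's archive date is the day its 5-year active period ended."""
from dataclasses import dataclass
from datetime import date, timedelta


def add_years(d: date, n: int) -> date:
    """d shifted by n calendar years; 29 February falls back to 28 February."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)


@dataclass(frozen=True)
class Item:
    name: str
    kind: str      # "backup" or "video"
    created: date  # day the back-up was saved / the footage was recorded


def backup_state(created: date, today: date) -> str:
    """8.2.2 items 3 and 6: valid 5 years from the day saved, then archived,
    then deleted 5 years after the archive date (10 years after creation)."""
    if today < add_years(created, 5):
        return "active"
    if today < add_years(created, 10):
        return "archive"
    return "delete"


def video_state(created: date, today: date) -> str:
    """9.1.2 item 6: surveillance images are kept for at most 30 days."""
    return "active" if today - created < timedelta(days=30) else "delete"


def sweep(items, today: date, holds: frozenset) -> dict:
    """Decide what to do with each item. Anything on the incident hold list is
    reported as "hold" instead of "delete" so that evidence is never removed
    by the routine sweep; lifting the hold is a separate, documented decision."""
    decisions = {}
    for it in items:
        if it.kind == "backup":
            state = backup_state(it.created, today)
        elif it.kind == "video":
            state = video_state(it.created, today)
        else:
            raise ValueError(f"unknown item kind: {it.kind!r}")
        if state == "delete" and it.name in holds:
            state = "hold"
        decisions[it.name] = state
    return decisions


def demo(today: date = date(2024, 10, 15)) -> dict:
    """Run the sweep over a constructed inventory (not real Gwynn Store data)."""
    inventory = [
        Item("weekly-2024-10-05.bak", "backup", date(2024, 10, 5)),  # within 5 years
        Item("weekly-2017-03-04.bak", "backup", date(2017, 3, 4)),   # expired: archive
        Item("weekly-2014-02-01.bak", "backup", date(2014, 2, 1)),   # archived 5+ years ago
        Item("cam1-2024-10-01.mp4", "video", date(2024, 10, 1)),     # 14 days old
        Item("cam1-2024-08-20.mp4", "video", date(2024, 8, 20)),     # past 30 days
        Item("cam2-2024-08-25.mp4", "video", date(2024, 8, 25)),     # past 30 days, on hold
    ]
    holds = frozenset({"cam2-2024-08-25.mp4"})  # footage kept for an open incident
    return sweep(inventory, today, holds)


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{decision:8} {name}")
```

A production sweep would act on these decisions (move to archive storage, delete), log each action together with the approval reference that 8.2.2 requires, and be exercised by restoring from an archived back-up, since a back-up that cannot be restored satisfies the retention rule but not its purpose.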


Gwynn Store Policy #:19


Effective Date: 2018 Revised: October 2018

9.2 Information Security Incident Response Policy

9.2.1 Policy Statement
This policy informs the members of the business of the incidents that have happened or
might happen in the business and of what to do when an incident happens, so that they
are prepared and respond to incidents properly.

Reason for Policy:
Republic Act No. 10121, the Philippine Disaster Risk Reduction and Management Act of
2010, strengthens the Philippine disaster risk reduction and management system and
requires every establishment to have its own disaster and incident plan. This policy
helps the business inform all its members of the incidents that have happened or might
happen and of the proper action to take when those incidents occur.

Scope:
The policy applies to any endpoint, mobile device or application through which
information is submitted to the system, as well as to all users of the system.

Policy Terms:
Information security incident - a suspected, attempted, successful, or imminent threat
of unauthorized access, use, disclosure, breach, modification, or destruction of
information, or interference with information technology operations.

Enforcement:
Violation of this policy may result in disciplinary action, up to and including
termination or dismissal, as well as personal civil and/or criminal liability. Failure
to report an information security incident may subject the user to disciplinary action
including, but not limited to, suspension of the user's access to electronic information
resources. Users should also be aware of other possible consequences under Gwynn
Merchandising policy, particularly those related to computer crime.

Related Information:
Surveillance Policy
Information Security Incident Response Policy


9.2.2 Policy Procedure

1. Detecting Information Security Incidents: the business's staff must ensure that the
business assets are appropriately protected. The steps needed to accomplish this
include:
a) Compliance and monitoring
b) Proactive threat discovery, e.g. system and network monitoring for current and
new threats
c) Intrusion detection and prevention
d) Vulnerability prevention

2. On becoming aware of an Information Security Incident, employees must complete an
Information Security Incident Reporting form and submit it to the Information Security
Incident Manager. Where completion and/or electronic submission of the form is not
possible, alternative contacts will be provided within the business.
3. Breaches of physical security must be reported to the business's security services.
Examples of these types of breaches include:
a) Unauthorized access to sensitive areas/buildings
b) Secure or sensitive storage areas found unsecured
4. All reasonable endeavors shall be made to ensure that appropriate technical and
organizational measures are taken to ensure the security and integrity of the business's
data. All measures implemented will take into account the sensitivity and volume of the
data involved, the actual or potential risks posed by the incident, and the operational
needs of the business.
5. Information is a critical asset for any incident response plan. Because of that, a
cloud-based endpoint security solution typically provides the most comprehensive tools
for mitigating attacks quickly, including access to key data through:

a) Unfiltered data capture, which provides response teams with insight into endpoint
behavior, not just previously discovered attack patterns and behaviors.
b) External threat intelligence, which helps rapidly identify threats you have not seen
yet but other companies have. Once again, if you know what you are dealing with, you can
respond more quickly.
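Step 1 above lists system and network monitoring and intrusion detection but not what a detection looks like, and step 2 requires a reporting form. The following Python detector is an added example, not part of the manual: it runs over constructed authentication log lines, flags a source that fails to log in five or more times within ten minutes, notes whether a successful login followed from the same source, and emits a record with the fields an Information Security Incident Reporting form would need. The log line format, the threshold and window, and the report field names are assumptions of the example; the manual specifies none of them.

```python
"""Added example (not from the Gwynn Store manual): detection of repeated
failed logins in authentication logs, producing a record with the fields an
incident reporting form needs.
Assumptions (mine): the log line format, a threshold of 5 failures within 10
minutes from one source, and the report field names."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<result>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log lines; not real Gwynn Store data.
SAMPLE_LOG = """\
2024-10-14 18:01:02 LOGIN_OK user=cashier01 src=10.0.0.12
2024-10-14 18:02:10 LOGIN_FAIL user=manager src=203.0.113.7
2024-10-14 18:02:15 LOGIN_FAIL user=manager src=203.0.113.7
2024-10-14 18:02:20 LOGIN_FAIL user=admin src=203.0.113.7
2024-10-14 18:02:25 LOGIN_FAIL user=admin src=203.0.113.7
2024-10-14 18:02:31 LOGIN_FAIL user=root src=203.0.113.7
2024-10-14 18:03:00 LOGIN_OK user=admin src=203.0.113.7
2024-10-14 18:40:00 LOGIN_FAIL user=cashier02 src=10.0.0.15
2024-10-14 18:41:00 LOGIN_OK user=cashier02 src=10.0.0.15
"""

THRESHOLD = 5                    # failures from one source ...
WINDOW = timedelta(minutes=10)   # ... within this many minutes


def parse(log_text: str):
    """Yield (timestamp, result, user, src) for each well-formed line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed lines are skipped rather than miscounted
        yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
               m["result"], m["user"], m["src"])


def detect_bruteforce(log_text: str) -> list:
    """Return one report per source that reaches THRESHOLD failed logins inside
    WINDOW. A success from the same source after the failures is a stronger
    signal that a credential was guessed, so it raises the severity."""
    fails = defaultdict(list)
    successes = defaultdict(list)
    for ts, result, user, src in parse(log_text):
        (fails if result == "LOGIN_FAIL" else successes)[src].append((ts, user))

    reports = []
    for src, events in fails.items():
        events.sort()  # logs may not be strictly ordered
        for i, (start, _) in enumerate(events):
            window = [e for e in events[i:] if e[0] - start <= WINDOW]
            if len(window) < THRESHOLD:
                continue
            last = window[-1][0]
            later_ok = [u for ts, u in successes.get(src, []) if ts >= last]
            reports.append({
                "category": "unauthorized access attempt",
                "source": src,
                "first_seen": start.isoformat(sep=" "),
                "last_seen": last.isoformat(sep=" "),
                "failed_logins": len(window),
                "accounts_targeted": sorted({u for _, u in window}),
                "success_after_failures": bool(later_ok),
                "severity": "high" if later_ok else "medium",
            })
            break  # one report per source is enough for the reporting form
    return reports


if __name__ == "__main__":
    for report in detect_bruteforce(SAMPLE_LOG):
        print(report)
```

On the constructed log the detector reports one source: five failures against three accounts in 21 seconds, followed by a successful login as admin, which the report marks as high severity. The single failure from 10.0.0.15 followed by a success is ordinary user error and is not reported; the threshold and window are the knobs to tune against the store's real login volume so that the Incident Manager is not flooded with noise.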


Table of Contents
1. Acceptable Use Policy ...................................................................................................... 1
1.1 System Accessibility Policy ............................................................................................................ 1
1.1.1 Policy Statement................................................................................................................. 1
1.1.2 Policy Procedure: ..................................................................................................................... 3
1.2 Internet and Email Usage Policy ............................................................................................... 5
1.2.1 Policy Statement....................................................................................................................... 5
1.2.2 Policy Procedure ...................................................................................................................... 7
1.3 Personal Use Policy ...................................................................................................................... 10
1.3.1 Policy Statement..................................................................................................................... 10
1.3.2 Policy Procedure .................................................................................................................... 12
1.4 Ethical Responsibility Policy ................................................................................................... 14
1.4.1 Policy Statement..................................................................................................................... 14
1.4.2 Policy Procedure .................................................................................................................... 16
2. Security Awareness .........................................................................................................18
2.1 Security Awareness and Training Policy.................................................................................... 18
2.1.1 Policy Statement..................................................................................................................... 18
2.1.2 Policy Procedure .................................................................................................................... 20
3. Information Security ........................................................................................................23
3.1 Information Access Policy ............................................................................................................ 23
3.1.1 Policy Statement..................................................................................................................... 23
3.1.2 Policy Procedure .............................................................................................................. 25
3.2 Authorization for Information Modification Policy ................................................................ 26
3.2.2 Policy Statement..................................................................................................................... 26
3.2.2 Policy Procedure .................................................................................................................... 28
3.3 Personal Data Privacy ............................................................................................................. 29
3.3.1 Policy Statement..................................................................................................................... 29
3.3.2 Policy Procedure .................................................................................................................... 31
3.4 Password Policy ....................................................................................................................... 33
3.4.1 Policy Statement..................................................................................................................... 33
3.4.2 Policy Procedure .................................................................................................................... 35
4. Disaster Response/Business Continuity Plan ...............................................................36
4.1 Disaster Awareness and Preparedness Policy ......................................................................... 36

4.1.1 Policy Statement..................................................................................................................... 36


4.1.2 Policy Procedure .................................................................................................................... 38
5. Change Management .......................................................................................................39
5.1 Change Authorization Policy ........................................................................................................ 39
5.1.1 Policy Statement..................................................................................................................... 39
5.1.2 Policy Procedure .................................................................................................................... 41
5.2 Modification of Transaction Policy .............................................................................................. 43
5.2.1 Policy Statement..................................................................................................................... 43
5.2.2 Policy Statement..................................................................................................................... 45
6. Bring Your Own Device (BYOD) ......................................................................................47
6.1 Device Responsibility Policy ........................................................................................................ 47
6.1.1 Policy Statement..................................................................................................................... 47
6.1.2 Policy Procedure .................................................................................................................... 49
6.2 External Device Use Policy .......................................................................................................... 50
6.2.1 Policy Statement..................................................................................................................... 50
7. Vendor Access .................................................................................................................53
7.1 Vendor Responsibility Policy ....................................................................................................... 53
7.1.1 Policy Statement..................................................................................................................... 53
7.1.2 Policy Procedure .................................................................................................... 55
8. Media Destruction, Retention and Backups ...................................................................56
8.1 Media Destruction Policy .............................................................................................................. 56
8.1.1 Policy Statement..................................................................................................................... 56
8.1.2 Policy Procedure .................................................................................................................... 58
8.2 Back-up Policy ............................................................................................................................... 59
8.2.1 Policy Statement..................................................................................................................... 59
8.2.2 Policy Procedure .................................................................................................................... 61
9. Incident Response ...........................................................................................................62
9.1 Surveillance Policy ........................................................................................................................ 62
9.1.1 Policy Statement..................................................................................................................... 62
9.1.2 Policy Procedure .................................................................................................................... 65
9.2 Information Security Incident Response Policy ........................................................................ 67
9.2.1 Policy Statement..................................................................................................................... 67
9.2.2 Policy Procedure .................................................................................................................... 69
