C Tpat Audit Guidelines For IT Part

The document contains guidelines for information technology (IT) audits and security for C-TPAT (Customs-Trade Partnership Against Terrorism). It outlines policies for password protection, regular internal audits of IT systems, monitoring for improper access, disciplinary actions, and record keeping. Specific policies addressed include password changes, limiting unauthorized access to networks and data, and monitoring user activity.

Uploaded by Sukanta Mutsuddy

C TPAT Audit Guidelines for IT Part:

• A logon password must be set up to control employee access to the network and sensitive information systems.
• Conduct periodic and regular internal audits of the IT systems.
• Employees are required to change passwords on a scheduled basis.
• A system must be in place to identify the abuse of IT, including improper access for tampering with or altering business data systems.
• All system violators are subject to appropriate disciplinary action for abuse.
• All system violators should be handled according to the C TPAT audit guideline, reported to management and recorded.
• All records should be kept for at least 10 months.
• All illegal actions must be reported to management and to the police of the country.
• User IDs, email IDs and Internet addresses must be cancelled when any worker, staff member or manager resigns, drops out or is terminated.
• Computer password change record: passwords should be changed at least every 90 days.
• Individual password per user: passwords should be assigned individually.
• CD backup register (CD backup record).
• CD sending record file.
• Internal IT security audit report.
• IT training record register.
• Weekly invalid password check record.
• Unauthorized file access check record.
• CCTV camera and PC maintenance/repair record.
• Monthly IT development meeting records.
• Visitor in/out register for the IT room.
• Disciplinary action record against IT abuse.
• List of PC users.
• Authorized person list of PC users.
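The "weekly invalid password check record" and "unauthorized file access check record" listed above are easiest to produce from the logon history the later sections ask to keep. The following is an added example written for this page, not code from the original document or from any product it names: it reviews one constructed week of log lines and reports, per user, the number of invalid logons, which users have reached the document's three-consecutive-failure lockout point, and which file accesses were refused. The line format (timestamp, event name, key=value fields) and the sample entries are assumptions made for the illustration.

```python
"""Weekly invalid-logon and unauthorized-file-access review.

Added example, not part of the original document.  The log lines are
constructed for the example; the line format (timestamp, event name,
key=value fields) is an assumption, not any real product's format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 3   # consecutive failures after which the User ID should be locked

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<event>[A-Z_]+) (?P<fields>.*)$"
)

# Constructed sample: one week of events plus one event from the following week.
SAMPLE_LOG = """
2024-03-04 08:12:45 LOGON_FAILURE user=jdoe host=PC-07
2024-03-04 08:13:02 LOGON_FAILURE user=jdoe host=PC-07
2024-03-04 08:13:20 LOGON_SUCCESS user=jdoe host=PC-07
2024-03-05 22:41:10 LOGON_FAILURE user=admin host=PC-19
2024-03-05 22:41:30 LOGON_FAILURE user=admin host=PC-19
2024-03-05 22:41:55 LOGON_FAILURE user=admin host=PC-19
2024-03-06 09:05:00 FILE_ACCESS_DENIED user=rkhan host=PC-03 path=//srv01/finance/payroll.xlsx
2024-03-07 10:00:00 LOGON_SUCCESS user=rkhan host=PC-03
2024-03-12 07:59:59 LOGON_FAILURE user=jdoe host=PC-07
""".strip()


def parse_line(line: str):
    """Split one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), "event": m["event"]}
    for kv in m["fields"].split():
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def weekly_review(log_text: str, week_start: str) -> dict:
    """Summarise one week (starting on the ISO date given) of logon failures
    and denied file accesses per user."""
    start = datetime.fromisoformat(week_start)
    end = start + timedelta(days=7)
    failures = defaultdict(int)      # invalid logons per user in the week
    streak = defaultdict(int)        # current run of consecutive failures
    to_lock = set()                  # users who reached the lockout threshold
    denied = defaultdict(list)       # paths each user was refused

    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not (start <= rec["ts"] < end):
            continue
        user = rec.get("user", "?")
        if rec["event"] == "LOGON_FAILURE":
            failures[user] += 1
            streak[user] += 1
            if streak[user] >= LOCKOUT_THRESHOLD:
                to_lock.add(user)
        elif rec["event"] == "LOGON_SUCCESS":
            streak[user] = 0          # a good logon ends the run of failures
        elif rec["event"] == "FILE_ACCESS_DENIED":
            denied[user].append(rec.get("path", "?"))

    return {
        "week_start": start.date().isoformat(),
        "invalid_logons": dict(failures),
        "should_be_locked": sorted(to_lock),
        "unauthorized_file_access": dict(denied),
    }


if __name__ == "__main__":
    for key, value in weekly_review(SAMPLE_LOG, "2024-03-04").items():
        print(key, value)
```

Run against the sample week, the review lists two invalid logons for jdoe (cleared by a later success), three for admin (which should already have produced a lockout), and one refused file access for rkhan; the 12 March failure falls into the next week's report. Running the same function every week and filing its output is what the checklist's "weekly invalid password check record" amounts to.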

C TPAT Audit Checklist – More about Passwords

• The password definition parameters ensure that the minimum password length is specified according to the company's IT security policy (at least 6 characters, a combination of uppercase or lowercase letters and numbers).
• The maximum validity period of a password is not beyond the number of days permitted in the company's IT security policy (maximum 30-day cycle).
• The parameter controlling the maximum number of invalid logon attempts is specified properly in the system according to the IT security policy (3 consecutive attempts).
• Password history maintenance is enabled in the system so that the same password can be used again only after at least 4 password changes.
• Password entries must be masked.
• The allowable terminal inactivity time for users should be set in accordance with the company's policy.
• An operating time schedule for users is to be defined where necessary.
• Sensitive passwords have to be preserved in a sealed envelope, with movement records, for use in case of emergency.
• An audit trail should be available to review user profiles for maintenance purposes.

Information Security Standard

The objective of this part is to specify the Information Security Policies and Standards to be adopted by all departments of PROJECT STITCH that use Information Technology for service delivery and data processing. It covers the basic and general information security controls applicable to all functional groups of a business, to ensure that information assets are protected against risk.

C TPAT Information Security

Access Control for information systems

User ID Maintenance

• Each user must have a unique User ID and a valid password.
• The User ID will be locked after 3 unsuccessful log-in attempts.
• There must be a control to ensure that the User ID and the password are not the same.
• The User ID Maintenance Form with access privileges is duly approved by the appropriate authority.
• Access privileges are changed or locked within 24 hours when a user's status changes or the user leaves the office.
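The password parameters stated in the checklist above and in this User ID Maintenance section (at least 6 characters combining letters and numbers, a 30-day maximum validity period, no reuse of the last 4 passwords, a password that differs from the User ID, and lockout after 3 unsuccessful log-in attempts) can be expressed as code and tested against an account record. The following is an added example written for this page, not code from the original document or from any product it names; the `Account` class, the function names and the sample user IDs, passwords and dates are assumptions made for the illustration, and the plain-text password comparison is only for readability (a real system compares against a stored hash).

```python
"""Password-parameter checks for the C-TPAT items on this page.

Added example, not part of the original document.  The numeric values are
the ones the checklist states; class, function and sample names are
assumptions.  Passwords are compared in plain text only to keep the
illustration short; a real system compares against a stored hash.
"""
from dataclasses import dataclass, field
from datetime import date

MIN_LENGTH = 6          # "at least 6 characters"
MAX_AGE_DAYS = 30       # "maximum 30 days cycle"
HISTORY_DEPTH = 4       # same password only after at least 4 changes
MAX_FAILED_LOGONS = 3   # User ID locked after 3 unsuccessful attempts


def as_date(value) -> date:
    """Accept a date object or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def check_password(user_id: str, candidate: str, previous: list) -> list:
    """Return the policy violations for a proposed password (empty list = compliant).

    `previous` holds earlier passwords, oldest first, including the current
    one; only the last HISTORY_DEPTH entries block reuse.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    has_letter = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    if not (has_letter and has_digit):
        problems.append("must combine letters and numbers")
    if candidate.lower() == user_id.lower():
        problems.append("password must not be the same as the User ID")
    if candidate in previous[-HISTORY_DEPTH:]:
        problems.append("reuses one of the last %d passwords" % HISTORY_DEPTH)
    return problems


def password_expired(last_changed, today) -> bool:
    """True once the password is older than the maximum validity period."""
    return (as_date(today) - as_date(last_changed)).days > MAX_AGE_DAYS


@dataclass
class Account:
    """Minimal account record holding the state the policy needs."""
    user_id: str
    password: str
    last_changed: date
    history: list = field(default_factory=list)   # earlier passwords, oldest first
    failed_logons: int = 0
    locked: bool = False

    def __post_init__(self):
        self.last_changed = as_date(self.last_changed)

    def logon(self, attempt: str, today) -> str:
        """Apply the lockout and expiry rules; returns ok, denied, locked or expired."""
        if self.locked:
            return "locked"
        if attempt != self.password:
            self.failed_logons += 1
            if self.failed_logons >= MAX_FAILED_LOGONS:
                self.locked = True
                return "locked"
            return "denied"
        self.failed_logons = 0            # a good logon resets the counter
        return "expired" if password_expired(self.last_changed, today) else "ok"

    def change_password(self, new_password: str, today) -> list:
        """Validate a new password; it is applied only when there are no violations."""
        problems = check_password(self.user_id, new_password,
                                  self.history + [self.password])
        if not problems:
            self.history.append(self.password)
            self.password = new_password
            self.last_changed = as_date(today)
        return problems


if __name__ == "__main__":
    acct = Account("jdoe", "Start1x", "2024-01-01")
    print(acct.logon("Start1x", "2024-02-15"))               # expired: 45 days old
    print(acct.change_password("Start1x", "2024-02-15"))     # reuse of the current password blocked
    print(acct.change_password("Newer456", "2024-02-15"))    # [] : accepted
```

The history check deliberately counts the current password among the last four, so the "after at least 4 times" rule means four different passwords must be set before an old one returns; the lockout counter is reset only by a successful logon, so two failures followed by a success do not accumulate towards the limit.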

Security Seals:

• A valid and authorized User ID and password are mandatory to access any system in the company.
• A detailed profile should be kept for every corresponding User ID.
• Every logon attempt should be kept in the history for future reference.

Access Controls for Outside Service Providers

There are rules for access by outside service providers. Only a very limited number of outsiders, and only the few listed service providers, may have that permission. Authorized persons should review the access records on a periodic basis to ensure that only authorized service provider personnel have access to the appropriate data. The review periods should be as below:

• Monthly review,
• Half-yearly review,
• Yearly review,
• At the end of the contract or before renewal of any contract with the service provider.

Review should be done by:

• IT Administrator and authorized IT personnel
• Corresponding department head and users.

Network Security

• The network design and its security are implemented under a documented plan.
• Physical security for the network equipment should be ensured. Specifically, access should be restricted and controlled, and the equipment should be housed in a secure environment.
• Sensitive information should be kept in a restricted area of the networking environment.
• Unauthorized access and electronic tampering are to be controlled strictly.
• Security of the network should be under dual administrative control.
• Firewalls are in place on the network for any external connectivity.
• Redundant communication links are used for the WAN.

Firewall Policy:

The LAN of PROJECT STITCH is behind a well-reputed and trusted system LAN firewall, Check Point. It is a licensed system firewall; its policy receives updates about all known threats automatically from the vendor and helps keep the network pilfer-proof at every moment.

Firewall

• Security Check:
  o The system firewall should be kept up to date regularly.
  o An authorized person should check the rules of the system LAN firewall regularly/periodically to diminish risk.
  o Rules should be well documented, and each and every change in the rules should be recorded immediately in the log book.

• Manipulators (who may change the firewall):
  1. An authorized network administrator or expert of the Organization.
  2. No outsider or supplier is allowed.

• Review Period:
  1. Weekly
  2. Monthly review
  3. Half-yearly review
  4. Yearly review
  5. As the need arises or in response to any threats.

Other Firewall Policy:

All the servers, workstations, laptops or notebooks, etc. use original operating systems; all of them are protected with the latest system firewall policy provided by the operating system supplier.

• Secure Policy:
  1. The Organization should use original operating systems and software.
  2. All system firewalls that come with the operating system should be enabled.
  3. All operating systems should be kept up to date so that the system firewall policy can work suitably.
  4. Except for the network administrator, no system user should be able

C-TPAT Security Questionnaire Access Controls:

• Does the garment factory have procedures in place to limit access to keys, key cards and computer systems to only those persons who have a job-related need for such access? Are terminated employees immediately denied access to keys, computer systems, etc.?
• Are information systems password protected, and are relevant employees provided with individually assigned IT system accounts?
• Are passwords subject to regular forced changes, as part of the C-TPAT security questionnaire?
• Is there an established procedure to conduct periodic unannounced information access control security checks to ensure that all information access control security procedures are being performed properly?

CCTV:

• Are closed circuit television cameras (CCTV) utilized to monitor the activity inside/outside the factory?
• List of CCTV cameras with location.

Physical Security Policy for Desktop and Laptop or Notebook Computers

• Desktop and laptop or notebook computers should be connected to a UPS to protect against damage to data and hardware.
• When leaving a desktop or laptop or notebook computer unattended, system users shall apply the "Lock Workstation" feature (Ctrl+Alt+Delete, Enter) where systems allow.
• A password-protected screen saver should be used to protect desktop and laptop or notebook computers from unauthorized system access.
• The automatic screen saver should be activated after a period of inactivity. This period should not be more than five (5) minutes.
• Laptop or notebook computers that store confidential or sensitive information must have encryption technology. Desktop and laptop or notebook computers and monitors shall be turned off at the end of each workday.
• Laptop or notebook computers actively connected to the network or information systems must not be left unattended.
• Laptop or notebook computers, computer media and any other forms of removable storage (e.g. diskettes, CD-ROMs, zip disks, PDAs, flash drives) shall be stored in a secured location or locked cabinet when not in use.
• Other information storage media containing confidential data, such as paper files, tapes, etc., shall be stored in a secured location or locked cabinet when not in use.
• Individual system users shall not install or download software applications and/or executable files to any desktop or laptop or notebook computer without prior authorization.
• Desktop and laptop or notebook computer system users shall not write, compile, copy, knowingly propagate, execute, or attempt to introduce any computer code designed to self-replicate, damage, or otherwise hinder the performance of any computer system (e.g. virus, worm, Trojan, etc.).
• Any kind of virus should be reported immediately.
• Viruses shall not be deleted without expert assistance.
• System user identification (name) and authentication (password) shall be required to access all desktop and laptop or notebook computers whenever they are turned on or restarted.
• Standard virus detection software must be installed on all desktop and laptop or notebook computers, mobile and remote devices, and shall be configured to check files when read and to routinely scan the system for viruses.
• Desktop and laptop or notebook computers shall be configured to log all significant security-relevant events (e.g. password guessing, unauthorized system access attempts, or modifications to applications or system software).
• On holiday occasions computers should be removed from floors and kept away from windows.

Physical Security Policy for Other Systems and Devices

This includes:

• Printers,
• Scanners,
• Fax machines,
• Video conferencing,
• CC cameras,
• Controlling & monitoring devices,
• Time attendance & door access systems, etc.

The security measures to be followed for these systems and devices are as below:

• All the devices should be locked and secured by password, PIN number or some kind of physical attachment.
• Devices that are connected through the LAN should be placed under access control through DNS access control rules or other means.
• Devices that use the WAN should be behind the system LAN firewall. For these kinds of devices there should be special rules in the system LAN firewall that are carefully set and suitably monitored from time to time.
• The output of these devices should go only to authenticated employees of the Organization.
• There should be periodic monitoring and documentation of whether the outputs of these devices are going to suitable hands or not.

C TPAT Audit Checklist:

• Do the users change their passwords regularly?
• Do the users try to gain illegal access to the computer system?
• Do all UPS units give power backup well?
• Do the necessary applications on all computers run well?
• Do the users keep data backups on the server?
• Can the users access or share unauthorized data on the server?
• Can the users frequently access or share other users' authorized data on the server?
• Are the computers locked automatically after 5 minutes when the computer stays idle?
• Is the email ID deleted when a user resigns from the factory?
• Is the computer user ID deleted from the server when a user resigns from the company?
• Is any monitor damaged?
• Is the computer power system sparking?
• Is the user's computer system wired with a standard structured network system?
• Is the user's computer connected to the central network?
• Is the user's computer integrated with the domain network?
• Is the user browsing the Internet improperly?
• Can the users print their documents efficiently?
• Is anybody trying to log in illegally?
• Is the computer locked if any user attempts an invalid login more than 3 times?
• Is the password policy of the client/server complex?
• Are the users trained in IT security?
• Is the CCTV working well?
• Is the PABX working well?
• Is the network server controlled by the IT officer?
• Is the antivirus updated every week on all user computers?
• Is the mail server controlled by the IT Manager?
• Does anybody get an Internet/email connection without permission?
• Do the email users change their email passwords?
• Are the users connected to the network with different passwords?
• Can anybody change the server administrative password without the IT officer/IT manager?
• Are all computers controlled by the IT officer in the factory?
• Are all security policies applied to all users?
• All users should follow the above C TPAT audit checklist.
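The leaver-related items in this checklist (email ID and computer user ID deleted when a user resigns) and the rule in the User ID Maintenance section that access privileges are changed or locked within 24 hours can be audited by reconciling the HR leaver list against an export of the domain and email accounts. The following is an added example written for this page, not code from the original document or from any product it names: it reports every leaver who still has an enabled account, marks the finding as overdue when the 24-hour window has passed, and flags the stronger signal of a logon recorded after the leaving date. Both CSV extracts, their column names and the sample rows are constructed assumptions made for the illustration.

```python
"""Leaver reconciliation: are resigned/terminated users' accounts closed?

Added example, not part of the original document.  Both CSV extracts are
constructed sample data and their column names are assumptions.
"""
import csv
import io
from datetime import datetime, timedelta

GRACE = timedelta(hours=24)        # access changed or locked within 24 hours
TS_FORMAT = "%Y-%m-%d %H:%M"

# Constructed HR extract of people who have left.
HR_LEAVERS_CSV = """user_id,name,left_at,reason
jdoe,J. Doe,2024-03-01 17:00,resigned
rkhan,R. Khan,2024-03-02 12:00,terminated
amin,A. Min,2024-03-05 09:00,dropped out
"""

# Constructed account export (domain account, email account, last logon).
ACCOUNTS_CSV = """user_id,domain_enabled,email_enabled,last_logon
jdoe,yes,yes,2024-03-04 08:13
rkhan,no,no,2024-02-28 16:40
amin,yes,no,2024-03-05 08:50
sali,yes,yes,2024-03-06 09:00
"""


def parse_ts(value: str) -> datetime:
    """Parse the 'YYYY-MM-DD HH:MM' timestamps used in both extracts."""
    return datetime.strptime(value, TS_FORMAT)


def reconcile(hr_csv: str, accounts_csv: str, now: str) -> list:
    """Return one finding per leaver who still has an enabled domain or email account."""
    checked_at = parse_ts(now)
    accounts = {row["user_id"]: row
                for row in csv.DictReader(io.StringIO(accounts_csv))}
    findings = []
    for leaver in csv.DictReader(io.StringIO(hr_csv)):
        acct = accounts.get(leaver["user_id"])
        if acct is None:
            continue                       # account already removed: nothing to report
        left_at = parse_ts(leaver["left_at"])
        still_open = [col for col in ("domain_enabled", "email_enabled")
                      if acct[col] == "yes"]
        if not still_open:
            continue                       # both accounts closed: compliant
        findings.append({
            "user_id": leaver["user_id"],
            "reason": leaver["reason"],
            "open": still_open,
            # past the 24-hour window the open account is an audit exception
            "overdue": checked_at > left_at + GRACE,
            # a logon after the leaving date is the stronger signal
            "logon_after_leaving": parse_ts(acct["last_logon"]) > left_at,
        })
    return findings


if __name__ == "__main__":
    for finding in reconcile(HR_LEAVERS_CSV, ACCOUNTS_CSV, "2024-03-05 10:00"):
        print(finding)
```

Run at 10:00 on 5 March against the sample data, the report names jdoe (both accounts still enabled four days after resigning, with a logon on 4 March) and amin (left an hour ago, domain account still open but still inside the 24-hour window); rkhan is silent because both accounts are already disabled. The second case turns into an overdue finding on the next day's run, which is why the reconciliation is worth scheduling daily rather than only at audit time.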
