From 4d03a878a91e5e54187ff1947c7b996049cfab7c Mon Sep 17 00:00:00 2001 From: Dennis Eichhorn Date: Thu, 30 Jun 2022 15:30:33 +0200 Subject: [PATCH 1/7] Update Backup and Datarecovery.md --- .../IT/Backup and Datarecovery.md | 53 +++++++++++++++++++ 1 file changed, 53 insertions(+) diff --git a/Policies & Guidelines/IT/Backup and Datarecovery.md b/Policies & Guidelines/IT/Backup and Datarecovery.md index e69de29..21093b8 100644 --- a/Policies & Guidelines/IT/Backup and Datarecovery.md +++ b/Policies & Guidelines/IT/Backup and Datarecovery.md 
@@ -0,0 +1,53 @@ +# Data and Datarecovery + +The loss of data can have detrimental effects on the activities of the organization. Additionally, there are mandatory rules and regulations regarding data storage, which must be upheld. There are many possible reasons for data loss. Some could be: + +* Faulty data storage device +* Accedential deletion or modification of files/data +* Malicious deletion or modification of files/data +* Force majeure +* Malware + +## Goal + +A complete mitigation of the risks is almost impossible. However, measures must be implemented which mitigate the risks as low as reasonably possible. Data backup should allow the organization to resume its activities as quickly as possible (ideally within 1-2 hours) without substential loss of data. + +## Implementation + +The organization performs 3 types of backups: + +* Backup to external data storage (NAS RAID 5 System): Daily +* Backup to an external service provider: Daily +* Manual backup (cloning): Quarterly + +In addition to the above mentioned backup methods the server file system also uses RAID 5 providing additional redundancy in case of data storage failure. With raid 5 it's possible for 1 drive to fail without interupting the file storage. + +Another data redundancy is implemented for the most valuable aspect of the organization, the source code. All source code is additionally stored at github.com which can be accessed globally and organization members may continue to work on the source code by pulling the latest version of the source code from this service provider. + +### External data storage + +A backup of the entire data is done to external data carriers (NAS RAID 5 System) in the server room. The backup software used is Borg. The software allows among other to encrypt the backup data and upload it to a remote server. The backup runs fully automated and time-controlled through cron jobs. This type of backup is conducted outside of the hours with the highest activity (2:00 am). 
The data recovery is possible at any time. + +This type of backup is done incrementally, meaning only changes are stored. + +### External service provider + +In addition to the local backup a remote backup protects against local disasters such as a fire which could also destroy the local backup systems. The backup software used is Borg. The backup runs fully automated and time-controlled through cron jobs. This type of backup is conducted outside of the hours with the highest activity (2:00 am). The data recovery is possible at any time with some added delay due to download latency from the remote server. + +This type of backup is done incrementally, meaning only changes are stored. + +### Manual backup + +Once a quarter a full data backup (clone) is created and stored on an external hard drive. The purpose of these backups are to provide long term backups which are not replaced/overwritten. Additionally, these backups provide some fall back solution for sleeper malware or malware which encrypts backup files. Only 4 quarters at a maximum are allowed to be stored on the same hard drive. The backup is stored in a separate building than the main backup or in a bank vault. + +## Responsibility + +The responsibility for the data backup lies with the head of IT. Other IT employees may only take over these tasks if the head of IT consideres these employees sufficiently trained in this area. The responsible employees must control the data integrity of the backups once a quarter. + +## Data storage + +The data should be stored in such a way that only authorized personnel has access to the backup files. Authorized in this case means IT department and management. The data backups should be marked or labelled so that it is easily possible to identify the contents of the backup (i.e. Backup 2022-01.01 2:00:01). + +## Reconstruction + +The data reconstruction is documented in a reconstruction tutorial in the IT processes. 
During the reconstruction it may be necessary to put a higher priority on files and data which are more important for the ongoing organization activities (e.g. customer data, source code data). From 31bf2503c6c921c9e1857e0cbe5f7a2e2f7c166b Mon Sep 17 00:00:00 2001 From: Dennis Eichhorn Date: Thu, 30 Jun 2022 15:30:50 +0200 Subject: [PATCH 2/7] Update Backup and Datarecovery.md --- Policies & Guidelines/IT/Backup and Datarecovery.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Policies & Guidelines/IT/Backup and Datarecovery.md b/Policies & Guidelines/IT/Backup and Datarecovery.md index 21093b8..e2de7cb 100644 --- a/Policies & Guidelines/IT/Backup and Datarecovery.md +++ b/Policies & Guidelines/IT/Backup and Datarecovery.md @@ -1,4 +1,4 @@ -# Data and Datarecovery +# Backup and Datarecovery The loss of data can have detrimental effects on the activities of the organization. Additionally, there are mandatory rules and regulations regarding data storage, which must be upheld. There are many possible reasons for data loss. Some could be: From ae8054cc168b07a47e4e937e53d1dcab4c4165a1 Mon Sep 17 00:00:00 2001 From: Dennis Eichhorn Date: Thu, 30 Jun 2022 15:31:20 +0200 Subject: [PATCH 3/7] Create Documentation Overview.md --- .../Documentation Overview.md | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 Policies & Guidelines/Documentation Overview.md diff --git a/Policies & Guidelines/Documentation Overview.md b/Policies & Guidelines/Documentation Overview.md new file mode 100644 index 0000000..e1d885a --- /dev/null +++ b/Policies & Guidelines/Documentation Overview.md 
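Review bot: The backup policy hunk never states whether the Borg repositories are actually encrypted or where the repository key and passphrase are kept; it only says the software "allows among other to encrypt the backup data". If encryption is enabled, recovery after a server loss depends on a key held outside that server, so add a sentence naming the custodian and the storage location (for example alongside the quarterly clone in the vault), and fix "among other" to "among other things". Two further gaps: the daily Borg backups have no stated retention (how many daily archives are kept before pruning), and the quarterly clone is the only copy described as surviving "malware which encrypts backup files", which means that scenario accepts up to three months of loss and conflicts with "without substential loss of data" in the Goal section. Either document that accepted loss or protect the remote repository so that the server's own credentials cannot delete or overwrite existing archives (Borg offers an append-only repository mode for this). "The responsible employees must control the data integrity of the backups once a quarter" should say what the check consists of; a periodic test restore of a sample proves recoverability, whereas an integrity check alone does not. Spelling: "Accedential", "substential", "interupting", "consideres"; "raid 5" should be "RAID 5"; and the label example "(i.e. Backup 2022-01.01 2:00:01)" should read "e.g." with a consistent date format such as 2022-01-01.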
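Review bot: The renamed heading still reads "Datarecovery" as one word; "Backup and Data Recovery" is the English form, and the file name "Backup and Datarecovery.md" carries the same spelling.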
@@ -0,0 +1,25 @@ +# Documentation Overview + +1. Process: +1.1. Describes what needs to be done +1.2. Describes who needs to do it +1.3. Describes how it needs to be done +1.4. Describes why it needs to be done / which risks exist / how does it affect the risk +1.5. Describes the overall goal +1.6. Defines goals / KPIs + +2. Process-Flowchart +2.1. Describes visually the order of actions in a process + +3. Process-Risk-Control-Matrix (RCM) +3.1. Describs risks from a process +3.2. Describes controls/measures for risks + +4. Tutorials +4.1. Describes in detail/step-by-step how actions **can** be performed + +5. Policies & Guidelines +5.1. Describes rules and responsibilities + +6. Forms +6.1. Forms to be used for certain organization activities From d543b877205508c9188b3b90595b7583ae794ec0 Mon Sep 17 00:00:00 2001 From: Dennis Eichhorn Date: Thu, 30 Jun 2022 15:31:46 +0200 Subject: [PATCH 4/7] Create Travel & business expenses.md --- .../Travel & business expenses.md | 63 +++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 Policies & Guidelines/Travel & business expenses.md diff --git a/Policies & Guidelines/Travel & business expenses.md b/Policies & Guidelines/Travel & business expenses.md new file mode 100644 index 0000000..c0c298a --- /dev/null +++ b/Policies & Guidelines/Travel & business expenses.md 
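Review bot: The nested numbering ("1.1.", "1.2.", ...) will not render as a list in Markdown: there is no space after the first "1." and the lines are neither indented nor separated by blank lines, so each group collapses into one paragraph. Use indented sub-bullets or indented numbered items under each top-level entry instead. Also "Describs" under item 3.1 should be "Describes", and "how does it affect the risk" in 1.4 reads better as "how it affects the risk".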
@@ -0,0 +1,63 @@ +# Travel & business expenses + +## Booking + +Every employee except the head of a department or the management is responsible for booking their own travels. Head of departments and management may deligate the booking to the secretariat. + +## Costs + +Costs must be below the cost break down below. If costs are more expensive for example due to: + +* Trade fairs +* Events which require to stay in the same hotel as customers +* More expensive travel destinations (e.g. more expensive cities) + +The following costs are only general guidelines and maximum amounts. Please note that even costs below this limits can be challenged if they are deemed inappropriate by the finance department. + +## Hotels + +| Type | Employee | Head of department | Management | +| ------------------ | ----------------- | -------------------- | --------------- | +| Germany | < 100 EUR | < 250 EUR | < 350 EUR | +| International | < 120 EUR | < 300 EUR | < 450 EUR | + +## Travelling + +| Type | Employee | Head of department | Management | +| ------------------ | ----------------- | -------------------- | ---------------- | +| Flight < 300 km | not allowed | Economy | Premium Economy | +| Flight >= 300 km | Economy | Premium Economy | Business | +| Flight >= 3.000 km | Premium Economy | Business | Business | +| Train | 2nd class | 1st class | 1st class | +| Private car | not allowed | 0.30 EUR per km | 0.30 EUR per km | +| Company car | approved by HOD | allowed | allowed | +| Taxi | only within city | only within city | only within city | + +## Per diems + +The per diems are paid according to the German regulation regarding per diems (Verpflegungsmehraufwendungen). 
+ +For Germany they are: + +| Type | Employee | Head of department | Management | +| ----------------- | ----------- | -------------------- | ----------- | +| > 8 and < 24 h | 14.00 EUR | 14.00 EUR | 14.00 EUR | +| 24 h (full day) | 28.00 EUR | 28.00 EUR | 28.00 EUR | + +The German [Bundesfinanyministerium](https://www.bundesfinanzministerium.de/Content/DE/Downloads/BMF_Schreiben/Steuerarten/Lohnsteuer/2021-09-27-steuerliche-behandlung-reisekosten-reisekostenverguetungen-2022.pdf?__blob=publicationFile&v=2) provides a list with per diems per country. + +## Presents + +| Type | Employee | Head of department | Management | +| ---------------------| --------------- | -------------------- | ----------- | +| No special occasion | not allowed | not allowed | not allowed | +| Special occasion | approval by HOD | 35.00 w/o approval > 35.00 approval by management | <= 1,000.00 EUR | + +## Entertainment + +Entertainment expenses are calculated per day and are only paid if they are realized together with customers or other business partners. + +| Type | Employee | Head of department | Management | +| ---------------------------- | ----------- | -------------------- | ----------- | +| per business partner per day | 50.00 EUR | 120.00 EUR | 200.00 EUR | + From 65e472af58a8460e55478ae29dd36c802f364c17 Mon Sep 17 00:00:00 2001 From: Dennis Eichhorn Date: Thu, 30 Jun 2022 15:32:05 +0200 Subject: [PATCH 5/7] Create Car pool.md --- Policies & Guidelines/Car pool.md | 43 +++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 Policies & Guidelines/Car pool.md diff --git a/Policies & Guidelines/Car pool.md b/Policies & Guidelines/Car pool.md new file mode 100644 index 0000000..1cacf50 --- /dev/null +++ b/Policies & Guidelines/Car pool.md 
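Review bot: The sentence "If costs are more expensive for example due to:" followed by the three bullets is never completed, so the reader cannot tell whether higher costs in those cases are allowed automatically or need approval, and from whom; finish it with the rule, for example that they require prior approval by the head of department. In the Presents table the cell "35.00 w/o approval > 35.00 approval by management" has no currency and no separator between its two rules; write it as "<= 35.00 EUR without approval; > 35.00 EUR approval by management". Number formats are mixed: "3.000 km" uses the German thousands separator while "1,000.00 EUR" uses the English one. Spelling: "deligate" should be "delegate", "this limits" should be "these limits", and the link text "Bundesfinanyministerium" should be "Bundesfinanzministerium" (the URL itself is spelled correctly).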
@@ -0,0 +1,43 @@ +# Car pool + +## Eligable positions + +| Position | Amount (gross) | +| -------------------- | ----------------- | +| Management | < 80,000.00 EUR | +| Head of Department | < 65,000.00 EUR | +| Travelling sales rep | < 50,000.00 EUR | + +## Other conditions + +* Car manufacturers: Audi, Volkswagen, Seat, Skoda +* Base configuration: Business package (incl. navigation), summer + winter tires + +## Service + +The employee is responsible for the service of their car. This includes but is not limited to: + +* Maintenance +* Tire changing +* TÜV +* Emission test (AU) + +### Cleaning + +Cleaning is paid by the company with up to 30 EUR per month. + +## Fuel + +Every company car has its own card for refueling. Employees must only use this card only for refuling this company car. + +## Drivers + +Only employees or the spouse of an employee is allowed to drive the company car. The driver of a company car must have a valid drivers license. This drivers license must be shown to the fleet management once a year. If a driver loses the driver license the car must be returned to the fleet manager. + +## Traffic violations + +All drivers are responsible for their traffic violations. This includes also being held responsible for all traffic fees, criminal charges etc. committed by the driver and the company car. + +## Return + +The car must be returned in good condition by the end of the lease term or if the employement at the organization ends. Gross negligence including repairs for unreported damages must be paid by the employee. From ff09d6165b7e08aea7b415ade7cd9ba50e5991ab Mon Sep 17 00:00:00 2001 From: Dennis Eichhorn Date: Thu, 30 Jun 2022 15:32:56 +0200 Subject: [PATCH 6/7] Create IT Equipment & Software.md --- .../IT/IT Equipment & Software.md | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 Policies & Guidelines/IT/IT Equipment & Software.md 
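Review bot: The "Amount (gross)" column in the Eligable positions table does not say what the amount refers to (gross list price of the car, annual leasing cost, or a salary threshold); name it. The Fuel section restricts the card to the assigned car but gives no procedure for a lost or stolen card, which is where misuse actually occurs; add who must be informed and that the card is blocked immediately. Wording: "Employees must only use this card only for refuling" has a doubled "only" and should read "refueling"; "Only employees or the spouse of an employee is allowed" should be "are allowed"; "drivers license"/"driver license" should be "driver's license" (three occurrences); "traffic fees" should be "traffic fines"; "employement" should be "employment"; and "Eligable" in the heading should be "Eligible".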
diff --git a/Policies & Guidelines/IT/IT Equipment & Software.md b/Policies & Guidelines/IT/IT Equipment & Software.md new file mode 100644 index 0000000..e51e94c --- /dev/null +++ b/Policies & Guidelines/IT/IT Equipment & Software.md @@ -0,0 +1,30 @@ +# IT Equipment & Software + +## Equipment + +| Type | Employee | Head of department | Management | +| ----------------------------------- | ----------------------------------------------- | -------------------- | -------------- | +| Smartphone | Iphone 13 (only sales reps) | Iphone 13 | Iphone 13 | +| Laptop (incl. docking station) | < 2,000 EUR | < 2,500 EUR | < 2,500 EUR | +| PC | < 2,000 EUR (if no laptop) | < 2,500 EUR | < 2,500 EUR | +| Monitor(s) | < 500 EUR per Monitor (if < 2 monitors at desk) | < 1,500 EUR | < 1,500 EUR | +| IT equipment (e.g. mouse, keyboard) | < 300 EUR | < 500 EUR | < 500 EUR | +| Printer & Scanner | < 500 EUR (only sekretariat) | < 500 EUR | < 500 EUR | + +## Software + +| Position | Office / Adobe PDF / Outlook / Typora / WinRar | Teams / Skype / Team Viewer | Firefox / Edge / Chrome / Opera | Sublime Text / Visual Studio Code / CMake / g++ / composer / npm / git / php | Borg | Datev / Crefo / Coface | Adobe Illustrator / Adobe Photoshop | Sanction Monitor | +| ----------------- | ------ | - | ------------------------------- | - | - | - | - | - | +| Management | x | x | x | x | | | | | +| CTO | x | x | x | x | | | | | +| CSO | x | x | x | x | | | | | +| CFO | x | x | x | x | | | | | +| Support & Service | x | x | x | x | | | | | +| Developer | x | x | x | x | | | | | +| Purchasing | x | x | x | | | | | x | +| Sales | x | x | x | | | | | x | +| IT | x | x | x | x | x | | | x | +| Finance | x | x | x | | | x | | x | +| HR | x | x | x | | | x | | x | +| Marketing | x | x | x | | | | x | | +| Sekretariat | x | x | x | | | | | x | From fd99ee89a8ae28a650aa7f8a01b41bde03cf33bd Mon Sep 17 00:00:00 2001 
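Review bot: The Software table lists which roles get which applications, but the hunk never says whether software outside the matrix is prohibited, who approves exceptions, or who installs software (that is, whether users have local administrator rights); without that sentence the matrix is an inventory rather than a policy. Borg being marked only for the IT row is consistent with the backup policy in the first patch; by contrast "Sanction Monitor" is marked for Purchasing, Sales, IT, Finance, HR and Sekretariat but not for Management, which is worth confirming. Spelling: "Iphone" should be "iPhone", "sekretariat"/"Sekretariat" is the German form of "secretariat", "WinRar" is "WinRAR" and "Team Viewer" is "TeamViewer".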
From: Dennis Eichhorn Date: Thu, 30 Jun 2022 15:34:31 +0200 Subject: [PATCH 7/7] Update Documentation Overview.md --- .../Documentation Overview.md | 36 +++++++++---------- 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/Policies & Guidelines/Documentation Overview.md b/Policies & Guidelines/Documentation Overview.md index e1d885a..ec49368 100644 --- a/Policies & Guidelines/Documentation Overview.md +++ b/Policies & Guidelines/Documentation Overview.md @@ -1,25 +1,25 @@ # Documentation Overview -1. Process: -1.1. Describes what needs to be done -1.2. Describes who needs to do it -1.3. Describes how it needs to be done -1.4. Describes why it needs to be done / which risks exist / how does it affect the risk -1.5. Describes the overall goal -1.6. Defines goals / KPIs +* Process: + * Describes what needs to be done + * Describes who needs to do it + * Describes how it needs to be done + * Describes why it needs to be done / which risks exist / how does it affect the risk + * Describes the overall goal + * Defines goals / KPIs -2. Process-Flowchart -2.1. Describes visually the order of actions in a process +* Process-Flowchart + * Describes visually the order of actions in a process -3. Process-Risk-Control-Matrix (RCM) -3.1. Describs risks from a process -3.2. Describes controls/measures for risks +* Process-Risk-Control-Matrix (RCM) + * Describs risks from a process + * Describes controls/measures for risks -4. Tutorials -4.1. Describes in detail/step-by-step how actions **can** be performed +* Tutorials + * Describes in detail/step-by-step how actions **can** be performed -5. Policies & Guidelines -5.1. Describes rules and responsibilities +* Policies & Guidelines + * Describes rules and responsibilities -6. Forms -6.1. Forms to be used for certain organization activities +* Forms + * Forms to be used for certain organization activities
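Review bot: The switch to nested bullets fixes the rendering problem of the numbered "1.1." lines, but "Describs" under Process-Risk-Control-Matrix is carried over unchanged and should be "Describes", and "how does it affect the risk" should be "how it affects the risk". The commit subject "Update Documentation Overview.md" could state what changed (numbered list replaced with nested bullets) so the history stays readable.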