
GE GDC PROGRAM

PROGRAM GOVERNANCE FRAMEWORK


HANDBOOK OF REQUIREMENTS
Version 1

GE PROPRIETARY & CONFIDENTIAL RELEASE V1.6.1 1 of 185

GE PROPRIETARY & CONFIDENTIAL


This document, with its contents, terms and notations, is the sole property of GE and is being published to GE GDC partners to enable them to understand GE's requirements and implement mature practices that enable proactive governance and provide for a low-risk operating environment.
The information contained in this document is GE PROPRIETARY & CONFIDENTIAL and is not to be used for any purpose other than the purposes for which this document is furnished by the General Electric Company, nor is this document (in whole or in part) to be reproduced or furnished to other third parties or other agencies without the explicit written approval of the GE GDC Program Office.

VIEWERSHIP RESTRICTIONS
This document is restricted to GE's Certified GDCs, GE Employees and GE Certified External Auditors on the GE GDC Program. Use of this document in any shape or form by all other parties requires explicit approval from the GE GDC Program Office.


REVISION HISTORY

Revision Date | Version/Revision No. | Types of Changes | Author
Dec 2009 | Draft | Program Maturity Model Handbook Draft | Uma Mohan
Mar 22, 2010 | Draft | Integrated inputs from Bithal | Bithal Bhardwaj, Uma Mohan
Mar 24, 2010 | Draft | Updates to Sections based on Reviews | Bithal Bhardwaj, Uma Mohan
Apr 8, 2010 | Draft V 1 | Updates to Sections based on Reviews | Bithal Bhardwaj, Uma Mohan
April 9, 2010 | Draft V 2 | Updates to Governance Maturity Model Section, Network & Systems Security, Data Security | Bithal Bhardwaj, Uma Mohan
April 12, 2010 | Draft V 3 | Updates to linkages diagrams, practice classifications, Minimum Audit Requirements for Resource Sharing practice, Contractual Management | Bithal Bhardwaj, Uma Mohan
May 3, 2010 | Draft V 3.01 | Corrections & Inclusions of Operations Management Practices | Bithal Bhardwaj, Uma Mohan
May 5, 2010 | Draft V 3.02 | Correction in SSD, NSS and DS sections | Bithal Bhardwaj, Uma Mohan
May 13, 2010 | Draft V 3.03 | Corrections to sub-requirements based on GDC inputs | Bithal Bhardwaj, Uma Mohan
May 17, 2010 | RELEASE V 1.0 | FIRST FORMAL RELEASE | Uma Mohan
January 2011 | DRAFT V 4 | Changes to handbook for 2011 incorporated | Bithal, Ting Ting, Nachiket, Uma Mohan
January 31, 2011 | RELEASE V 1.5 | VERSION RELEASED | Uma Mohan
February 15, 2011 | RELEASE 1.6 | Version release with changes | Uma Mohan
March 3, 2011 | RELEASE 1.6.1 | Incorporated weekly SSO ID reconciliation and GE email for GDC resources requirements | Uma Mohan


TABLE OF CONTENTS

1.0 Introduction ... 5
1.1 Program Governance Vision ... 5
1.2 Objectives of the Handbook ... 5
1.3 How to use this Handbook ... 6
1.4 Abbreviations, Acronyms & Terms ... 6
1.5 Roles & Responsibilities ... 8
2.0 Governance Maturity Model ... 10
3.0 Organization Process Management ... 20
3.1 Organization Governance Structure (ELEMENTARY) ... 21
3.2 Organization Policy & Process Definition (ELEMENTARY) ... 26
3.3 Organization Awareness & Training (ELEMENTARY) ... 31
3.4 Organization Process Performance Measurement (MATURE) ... 34
3.5 Internal Audits & Assessments (ELEMENTARY) ... 38
3.6 Incident Management (ELEMENTARY) ... 42
3.7 Risk Management (ELEMENTARY) ... 46
3.8 Organization Innovation & Technology Deployment (ADVANCED) ... 50
4.0 Resource Management ... 55
4.1 Non-Solicitation (ELEMENTARY) ... 56
4.2 Background Check (ELEMENTARY) ... 60
4.3 GDC Resource On-Boarding/Off-Boarding (ELEMENTARY) ... 64
4.4 SSO Id Governance (ELEMENTARY) ... 70
4.5 Sub-contractor Management (ELEMENTARY) ... 75
4.6 GE Site Contractor Management (ELEMENTARY) ... 79
4.7 Work VISA Management (ELEMENTARY) ... 83
4.8 Resource Retention Management (ELEMENTARY) ... 86
5.0 Physical Security & Safety ... 89
5.1 Environment, Health & Safety (ELEMENTARY) ... 90
5.2 Physical Security (ELEMENTARY) ... 94
6.0 Delivery Management ... 102
6.1 Secure Software Delivery (ELEMENTARY) ... 102
7.0 Network & Systems Security ... 107
7.1 Vulnerabilities Management (ELEMENTARY) ... 108
7.2 Systems Management (ELEMENTARY) ... 112
7.3 Supplier Connectivity (ELEMENTARY) ... 117
7.4 Resource Sharing (ELEMENTARY) ... 121
8.0 Data Security ... 123
8.1 Data Classification, Privacy, Confidentiality & IP Protection (MATURE) ... 124
8.2 GE Knowledge Management (ELEMENTARY) ... 134
9.0 Contractual Management ... 136
9.1 Communication & Media Management (MATURE) ... 137
9.2 Contractual Performance Reporting (ELEMENTARY) ... 141
9.3 Working for Competitors (MATURE) ... 144
10.0 Operations Management ... 147
10.1 Site Communications Infrastructure Management (ELEMENTARY) ... 148
10.2 GDC Site Management (ELEMENTARY) ... 152
10.3 Assets Governance (ELEMENTARY) ... 159
10.4 Software Governance (ELEMENTARY) ... 163
10.5 Business Divestiture Management (ELEMENTARY) ... 167
10.6 No PO, No WORK (ELEMENTARY) ... 169
10.7 Invoice & Outstanding Management (ELEMENTARY) ... 171
10.8 Business Continuity Management (MATURE) ... 174
10.9 Engagement Closure / Termination Management (ELEMENTARY) ... 179
11.0 APPENDIX ... 183
11.1 Reporting ... 183
11.2 GE Coreload ... 184
11.3 Additional Scope for External Audits ... 184

GE PROPRIETARY & CONFIDENTIAL RELEASE V1.7 5 of 185
1.0 Introduction
Governance in the GE GDC Program has evolved over a period of time and has reached a stage where the basics are in place for steady GDC operations. From maintaining basic network security and workplace security, the Program has evolved to include multiple dimensions of Contractual, Information Security and Operational Security. Changing business needs, increased focus on globalization and new technologies are leading to the emergence of innovative engagement models and new solutions, and ever-increasing threats are no longer few and far between. This changing landscape with its new set of threats necessitates an increased focus on Proactive Governance with the objective of ensuring a safe and secure operating environment while delivering increased value at optimal costs to the GE Businesses.
1.1 Program Governance Vision
Continuously deliver Increased Value to GE Businesses in a cost-effective, safe and secure environment through innovative solutions and proactive risk management.
1.2 Objectives of the Handbook
The Handbook aims to provide the audience with a complete view of the Program Governance Framework, its components and the detailed requirements of the framework. The Handbook is organized into multiple chapters as follows:
  Chapter 1: Introduction to the Handbook
  Chapter 2: Program Governance Framework: An Overview
  Chapter 3 to Chapter 10: Dedicated to Governance Focus Areas and Practices within each of these Focus Areas
  Chapter 11: Governance Reporting Requirements & Tools
  Chapter 12: Additional References
The Handbook is intended for use by:
  The GE GDC Team, to understand GE's requirements so as to design and implement mature practices & controls that help in maintaining a safe and secure GDC operating environment while delivering increased value to GE in a cost-effective manner
  GE Business GDC Leaders and Business Stakeholders across IM/Engineering/Business Organizations (who use GDC), to understand GE's requirements and facilitate GDC Governance through increased awareness of GE's responsibilities and collaboration with the GE GDC Program Office to identify and mitigate risks for GE
1.3 How to use this Handbook

ICON KEY
  Practice Goals
  GE Responsibilities
  GDC Responsibilities
  Related Practices
  Min. Audit Requirements
  MSA Linkage
  eGDC Suite Linkage
  Online References
  Best Practices

The Icon Key provides a quick reference to the symbols used within this Handbook. A Practice has Goals, and these are articulated using the Practice Goals symbol. GDC and GE Responsibilities for a Practice are articulated using the specific symbols outlined here. Operating Guidelines are GE-specific guidelines/requirements to be met for a given Practice. Minimum Audit Requirements provide pointers to the evidence required. Related Practices articulate inter-dependencies between the practices. eGDC Toolset highlights the eGDC Toolset module (where applicable) relevant to the practice. MSA Linkage establishes references (where applicable) to MSA Sections pertaining to the requirements. Online Resources point the audience to additional references and guidelines associated with the practice.

1.4 Abbreviations, Acronyms & Terms

TERM | Description
AOR | Assignment of Rights
AUG | Acceptable Use Guidelines
BCP | Business Continuity Planning
BGC | Background Check
C&S/CnS | Compliance & Security
CPR | Cost per Resource
DRP | Disaster Recovery Planning
FTE | Fulltime Equivalent
GDC | Global Development Centre; refers to Certified GDC Partners
IR | Incident Response
KPI | Key Performance Indicator
LCC | Low Cost Country
NCS | Net Compliance Score
NIS | Net Improvement Score
PO | Purchase Order
PSA | Purchased Services Agreement
RPO | Recovery Point Objective
RTO | Recovery Time Objective
SIA | Secrecy Inventions Agreement
SLA | Service Level Agreement
SOP | Standard Operating Procedure
SoW | Statement of Work
SSO Id | Single Sign-On Id
TO | Task Order
TOD | Tests of Design
TOE | Tests of Effectiveness
DLP | Data Leakage Prevention
HPA | Highly Privileged Account
GE Data | Includes data (inclusive of documents) provided by GE to GDC as well as all data (inclusive of documents) created by GDC during the life of a project/relationship
Shall | The word "shall", used in conjunction with a compliance handbook requirement, indicates that the GDC is obligated to perform the designated effort or adhere to the requirement. This is a mandatory requirement on the GDC, failure of which may potentially be deemed sufficient reason to invoke the Consequence model.
Should | The word "should", used in conjunction with a compliance handbook requirement, indicates a desire or preference by GE for a particular method, technique, product, technology, option, or other feature. While the GDC is not obligated to perform the designated effort or provide the designated services or use the designated products in the exact fashion expressed by GE, the GDC shall provide equivalent capabilities.
May | The word "may", used in conjunction with a Compliance Handbook requirement, indicates that GE has no specific desire or preference for a particular method, technique, product or other feature. The GDC is free to use discretion in performing the effort or adhering to the requirement.

1.5 Roles & Responsibilities

Role | Description & Responsibilities
GE GDC Director | Individual within the GE Organization with overall responsibility for the GE GDC Program
GE GDC Program Governance Leader | Individual within the GE Organization with overall responsibility for GDC Program Governance
GE GDC Program Security Leader | Individual within GE Corporate and a member of the GE Information Security Organization, with responsibility for Information Security within the GE GDC Program
GE Business Security Leader | Individual within a GE Business and a member of the GE Information Security Organization, with responsibility for Information Security within the GE Business
GE Business GDC / VMO Leader | Individual within a GE Super Business with responsibility for GDC engagements across all Businesses at the Super Business level
GDC C&S Leader | Individual within the GDC Organization with responsibility for Compliance & Security within the GE GDC Organization
GDC Global Relationship Manager | Individual within the GDC Organization with responsibility for the relationship between the GDC Organization and GE Businesses across the globe
GDC Global Governance Manager | Individual within the GDC Organization with responsibility for overall Governance of the Program, inclusive of Compliance, Security, Delivery & Operations across the globe
2.0 Governance Maturity Model

FIGURE 1 Governance Model.

Governance Components
The Governance Maturity Model is based on the GDC Master Services Agreement (ITSA), the GDC Hygiene Factor Addendum (HFA) and the GE Information Security Guidelines. The components of this model are:
  Governance Focus Areas
  Behavior demonstrated (Spirit as perceived by GE) in performing / operating on these areas
  External Audits
  GE Assessment of GDC
  Maturity Certification of GDC based
  Assessment of Business Impact of GDC Maturity on GE Business
  Post Assessment Planning

There are 8 Key Process Areas that serve as the backbone of the Governance Maturity Model. Each of these process areas is further divided into Practices that shall be implemented by the GDC Organization. Practices fall into one of three classifications:

FIGURE 2 Practice Classifications (Governance Focus Areas: ELEMENTARY, MATURE, ADVANCED)

  Elementary Practices are the basic founding blocks of Governance required for a GDC Organization.
  Mature Practices are the pillars of Governance that, together with the fundamentals, create a strong operating environment within the GDC Organization.
  Advanced Practices form the roof that, together with the strong pillars and fundamentals, creates a proactive, reliable & secure operating environment within the GDC Organization.
Most practices are specific in nature and address specific requirements of a process area. There are a few generic practices that are applicable across all the practices. Practices have a purpose, a set of goals, GDC responsibility statements, GE responsibility statements (where applicable) and requirements that must be fulfilled in designing and implementing the practice.
Given below is a high-level view of the 8 process areas and the associated practices.
Organization Process Management focuses on Organization-wide practices that are generic in nature and are critical for the performance of all other focus areas. There are 8 practices within this focus area, as follows:
Process Area | Practice Area | Classification | Type
Organization Process Management | Organization Governance Structure (OGS) | ELEMENTARY | SPECIFIC
 | Organization Policy & Process Definition (OPD) | ELEMENTARY | GENERIC
 | Organization Awareness & Training (OAT) | ELEMENTARY | GENERIC
 | Organization Process Performance Measurement (OPM) | MATURE | GENERIC
 | Organization Innovation & Technology Deployment (OIT) | ADVANCED | GENERIC
 | Incident Management (OIM) | ELEMENTARY | GENERIC
 | Risk Management (ORM) | ELEMENTARY | GENERIC
 | Internal Audits & Assessments (IAA) | ELEMENTARY | SPECIFIC

Resource Management focuses on 8 practices that are resource-centred and apply to all human resources associated with GE GDC.
Process Area | Practice Area | Classification | Type
Resource Management | Non-solicitation (NS) | ELEMENTARY | SPECIFIC
 | Background Check (BGC) | ELEMENTARY | SPECIFIC
 | GE GDC Resource On-boarding/Off-boarding (GOO) | ELEMENTARY | SPECIFIC
 | SSO Id Governance (SIG) | ELEMENTARY | SPECIFIC
 | Sub-contractor Management (SCM) | ELEMENTARY | SPECIFIC
 | GE Site Contractor Management (GCM) | ELEMENTARY | SPECIFIC
 | Work Visa Management (WVM) | ELEMENTARY | SPECIFIC
 | Resource Retention Management (RRN) | ELEMENTARY | SPECIFIC

Physical Security & Safety focuses on 2 Practices that pertain to the GE GDC physical infrastructure security and safety.
Process Area | Practice Area | Classification | Type
Physical Security & Safety | Environment, Health & Safety (EHS) | ELEMENTARY | SPECIFIC
 | Physical Security (PS) | ELEMENTARY | SPECIFIC

Delivery Management focuses on 3 Practices that are critical to ensuring consistent delivery excellence.
Process Area | Practice Area | Classification | Type
DELIVERY MANAGEMENT | Secure Software Delivery (SSD) | ELEMENTARY | SPECIFIC
 | Software/Service Quality Management (SQM) | MATURE | SPECIFIC
 | Process & Productivity Management (PPM) | MATURE | SPECIFIC

The Network & Systems Security focus area is made up of 4 practices that are critical to safeguarding GE's networks.
Process Area | Practice Area | Classification | Type
NETWORK & SYSTEMS SECURITY | Vulnerabilities Management (VM) | ELEMENTARY | SPECIFIC
 | Systems Management (SM) | ELEMENTARY | SPECIFIC
 | Supplier Connectivity (SC) | ELEMENTARY | SPECIFIC
 | Resource Sharing (RS) | ELEMENTARY | SPECIFIC

Data Security comprises 2 Practices that together ensure protection of GE Data, Knowledge & Information. These practices are:
Process Area | Practice Area | Classification | Type
Data Security | Data Classification, Confidentiality, Privacy & IP Management (DCP) | MATURE | SPECIFIC
 | GE Knowledge Management (GKM) | ELEMENTARY | SPECIFIC

Operations Management focuses on 9 Practices that are operational in nature and are central to the operational success of the GDC.
Process Area | Practice Area | Classification | Type
OPERATIONS MANAGEMENT | Communications Infrastructure Management (CIM) | ELEMENTARY | SPECIFIC
 | GDC Site Management (GSM) | ELEMENTARY | SPECIFIC
 | Assets Governance (AGN) | ELEMENTARY | SPECIFIC
 | Software Governance (SGN) | ELEMENTARY | SPECIFIC
 | Engagement Termination/Closure Management (ETM) | ELEMENTARY | SPECIFIC
 | No PO, No WORK (NPO) | ELEMENTARY | SPECIFIC
 | Invoice & Outstanding Management (IOM) | ELEMENTARY | SPECIFIC
 | Business Continuity Management (BCM) | MATURE | SPECIFIC
 | Business Divestiture Management (BDM) | ELEMENTARY | SPECIFIC

Contractual Management focuses on 3 Practices that are contractual in nature and do not necessarily qualify to be a part of any of the above process areas. These practices are:
Process Area | Practice Area | Classification | Type
CONTRACTUAL MANAGEMENT | Communication & Media Management (CMM) | MATURE | SPECIFIC
 | Contractual Performance Reporting (CPR) | ELEMENTARY | SPECIFIC
 | Working for Competitors (WFC) | MATURE | SPECIFIC

Spirit & Letter
The Program Maturity Model lays emphasis on the SPIRIT demonstrated in implementing the LETTER. This SPIRIT is seen as a key differentiator in driving proactive and generative solutions that are innovative, cost-effective and oriented towards maintaining a safe and secure environment. Key characteristics that define this SPIRIT are Alignment, Openness and Initiative. The VALUES thus demonstrated are:

FIGURE 3 Values Assessment (Demonstrated Behaviour vs. Values Rating)

PASSIVE
  External acceptance at a superficial level without a clear engagement or understanding
  Does not engage in dialogue; lacks openness and transparency in communication; high degree of resistance / unwillingness to validate assumptions or look at new perspectives
  Reactive in nature; does not take any tangible / visible actions unless mandated by GE
PARTICIPATIVE
  Primarily focuses on the Letter; based on feedback, seeks to understand the Spirit behind GE's requirements; Organization culture is primarily focused on compliance to stated requirements without adequate insight into the Spirit
  Dialogues on a need basis to understand stated requirements; shares information to the extent defined / necessitated by GE's stated requirements; does not actively look for new insights/feedback/learning opportunities
  Demonstrates commitment to meet stated requirements; waits to be told what to do & how to do it; once defined, does what is required to be done
COLLABORATIVE
  Focuses on Spirit & Letter; accepts and engages with GE to uncover new perspectives that may create a deeper understanding and appreciation of GE's requirements; seeks to share this understanding with its people in a focused manner
  Builds dialogue to understand and reach consensus; open to changing viewpoints / assumptions; shares risks and actively seeks feedback & works on it
  Primarily focused on driving performance results; voluntary problem-solving culture; engages actively and takes visible & tangible actions towards new ideas and opportunities when pointed in that direction
STRATEGIC
  Focuses on Spirit & Letter; shows understanding of GE's requirements and proactively enrols people in the Spirit & Letter mode, making it part of the DNA of the GDC Organization
  Builds dialogue based on active listening and deep understanding of GE's requirements; complete transparency & proactiveness in Operations promotes trust & a long-term relationship
  While continuously driving performance results, uses insights & expertise to identify new ideas & opportunities, predict and invest for the future
  Maps the future based on the changing business environment
  Mines exceptions to gain valuable insights
  Seeks and promotes breakthrough ideas that create multiplying positive value to GE and GDC
External Audits
Performed annually by GE Certified Global Audit Firms, the External Audits are a critical component of the Governance Maturity Framework. External Audits shall be performed in accordance with GE guidelines for these audits, and reports submitted in a timely fashion to facilitate GE Assessment of GDC Maturity.
GE Guidelines for External Audits shall be published ahead of the Audits, and GE shall facilitate discussion with Auditors to develop a common understanding of GE's expectations across Auditors and GDC.

GE Assessment Process
With a view of performance as a continuous function, the GE Assessment process is focused on identifying gaps in the GDC Operating environment that could be potential risks/threats to GE. Assessments would be carried out at frequent intervals over the year. The final assessment, leading to certification of the GDC, considers as inputs the findings from External Audits as well as the performance view obtained from GE Spot Audits, Monthly reporting, Incidents, Customer Complaints, Innovations and Best practices implemented in the GDC operating environment. It also lays emphasis on assessing:
  The SPIRIT demonstrated by the GDC in implementing the LETTER (measured through the VALUE indicators discussed in Figure 3 above)
  Risks in the GDC Operating Environment based on all the above sources.
As in any formal assessment, the findings and observations shall be shared with the GDCs. The GE assessment phase plays a critical role in determining the maturity and consistency of practices in the GDC Operating environment.

GDC Maturity Certification
Recognition of the GDC Organization's maturity of practices and controls in maintaining a safe and secure operating environment while continuously delivering increased value to GE Businesses. The 5 possible levels of Maturity are as follows:

FIGURE 4 Program Governance Maturity Levels

The maturity level shall be determined based on the GE Assessment process and formally communicated to the GDC.

Business Impact Assessment
With a view to understanding the impact of GDC Maturity on GE Businesses, this GE internal phase focuses on mapping the business exposure to the GDC with the Maturity level of the GDC to arrive at the GDC Profile as shown here. As can be seen from the matrix, $ Spend with GDC and the nature of work done by the GDC influence the Profile of the GDC.

FIGURE 5 GDC PROFILING

This GDC Profile is further mapped to the Maturity level of the GDC to arrive at a risk impact score as shown here.

FIGURE 6 Business Risk Impact

The risk impact score, along with qualified risk statements by Practice area, shall be published to the Businesses for their planning.

Post Assessment Planning
As the final phase in one cycle of the Maturity Model Assessment, this phase focuses on both GDC Action Planning as well as GE Action Planning.
GDC Action plans shall be reviewed and corrective actions closed with the GE GDC Program Office as per the schedule below:
Maturity Level | Action Closure Period
LEVEL 1 (AD-HOC) | 90 Days
LEVEL 2 (BASIC) | 60 Days
LEVEL 3 (DEFINED) | 30 Days
LEVEL 4 & 5 | Case to case basis based on observations

GE Action plans shall focus on risk mitigation, changes to requirements and internal process improvements and may result in changes to the Handbook and guidelines.

3.0 Organization Process Management
Organization Process Management is the one focus area that differentiates a mature organization with a proactive, reliable and secure operating environment from the others. This focus area calls for an organization to invest in people, processes and tools which together enable an organization to establish and maintain a proactive, reliable and secure operating environment that benefits its employees, customers and stakeholders.
The diagram below gives a perspective on the practices within the Organization Process Management focus area and the relationship between the practices.

FIGURE 7 Organization Process Management Practices & Linkages

3.1 Organization Governance Structure (ELEMENTARY)

POLICY
The GDC Organization shall have a formal governance program in place. A senior member of the GDC Organization shall head this Governance Program.
The purpose of this Practice is to establish and maintain a Governance Organization structure that has the accountability and appropriate authority for managing the Governance Program and achieving the desired outcome of maintaining a safe and secure operating environment.

GOALS
  The Organization Governance Program is led by a Senior Leader and has Organization Management sponsorship
  The Governance Organization is staffed by the right people in the right roles, who have the accountability and authority to perform their roles
  GDC Organization resources are fully aware of the roles and responsibilities of the members within the GDC Governance Organization

RESPONSIBILITIES
As the primary owner of this Practice, the GDC is responsible for ensuring that appropriate focus and attention goes into setting up the governance organization. The specific responsibilities are:
  OGS 1.0 Establish and maintain an effective Governance Organization Structure
  OGS 2.0 Establish and maintain Management Review rhythm
GDC shall share the Governance Organization structure with the GE Businesses so as to create awareness of the structure, members in key roles and responsibilities.



OGS 1.0 Establish and maintain an effective Governance Organization Structure
GE GDC Governance Organization structure shall exist and be documented
The Governance Organization shall be headed by a Senior Leader with
accountability for the desired outcome of maintaining a safe and secure GDC
Operating environment
The Governance Organization Leader shall have appropriate authority
to perform the activities required to meet the role expectations
The Governance Organization Leader shall have a reporting
relationship to the GDC Parent Organizations Compliance Leader (or
an equivalent role)
At a minimum, the GDC Organization shall have the following critical roles
defined for Global Operations and staffed appropriately
Governance Leader
Information Security Leader/ GDC Security Leader
Data Privacy Leader
Physical Security Leader
Crisis Management Leader
Application Security Leader
Product Quality Leader
Ombuds Person
Internal Audits Leader
Risk Leader
OPERATING GUIDELINES
P R OGR A M G O V E R NA NC E F R A ME WOR K
GE PROPRIETARY & CONFIDENTIAL RELEASE V1.7 24 of 185
These roles shall have accountability for performance and shall also have appropriate authority to perform the activities required to meet the role expectations
The roles of Ombudsperson and Internal Audits Leader shall be defined in a manner that minimizes conflict of interest and potential controllership issues
Where appropriate, the Organization Governance structure shall also define
  GDC Site level roles
  Linkages to the Parent Organization's key roles in the respective areas
  All committees, such as the Risk Council and the Management Committee, and their linkages with governance roles
GDC shall formally publish the Governance Organization structure to the entire GDC Organization and to the GE GDC Program Office
  Any changes to staffing or to the structure itself shall be formally communicated to the GDC Organization and to the GE GDC Program Office
GDC shall ensure that secondary or backup resources are identified for all critical roles
OGS 2.0 Establish and maintain a Management Review Rhythm
GDC Governance Organization priorities and performance shall be periodically reviewed by the Organization Management Committee for effectiveness of the Governance Program
  The Organization Management Committee shall at a minimum include the Global Relationship Leader, the Global Delivery & Operations Leader, the Parent Organization's Information Security Leader and the Parent Organization's Governance/Compliance Leader
  Formal Management Review meetings shall be held quarterly, at a minimum
  The Management Review meetings shall be well represented by all the key roles of the Governance Organization; specifically, the Internal Audits team and the Ombudsperson shall be permanent members of these meetings
The Organization Management Committee shall set the vision and operating goals for the GDC Governance Organization, thereby facilitating formal reviews of performance
  Actions arising out of Management Review meetings shall be clearly documented and monitored for closure
GDC shall also clearly define the communication & escalation methods with the Organization Management Committee
Minimum Audit Requirements
Evidence of communication of the GDC Governance Organization Structure to the GDC Organization
Evidence of change communication (where changes have been effected in the Organization)
Evidence of Management Reviews on performance and priorities of the Governance Organization, follow-up actions and closure of the same
MSA Linkage
Not Applicable
Related Practices
All practices within Organization Process Management
eGDC Suite Linkage
GDC Contacts Module
Online Resources
Not Applicable
3.2 Organization Policy & Process Definition (ELEMENTARY)

POLICY
GDC Organization shall have well-defined operating procedures in place to meet the policies and the requirements of the various practices.
The purpose of this Practice is to establish and maintain well-defined operating procedures that meet the spirit and letter of GE's requirements on Governance, are specific to the Organization, are usable by GDC users, and promote consistency of practice across the GDC Organization

GOALS
GDC Organization shall have a formal process in place to define policy, process and operating procedures for the GDC Organization
GDC Organization shall have well-defined Standard Operating Procedures that clearly define the GDC Organization's implementation of GE's policy and requirements on Governance
  0 defects in coverage (process design)
GDC Organization shall ensure uniform and consistent implementation of the practice across all global operations, covering all functions, services and global locations of the GDC Organization

RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate policies, processes, procedures and controls are designed and implemented within the GDC Organization to meet the policies and goals of this governance framework. The specific responsibilities are
OPD 1.0 Establish and maintain a process for policy & process definition
OPD 2.0 Establish and maintain Standard Operating Procedures for all practices
OPD 3.0 Deploy the Standard Operating Procedures across the GDC Organization


OPERATING GUIDELINES
OPD 1.0 Establish and maintain a process for policy & process definition
GDC shall have a well-defined process in place for new process introductions and revisions to existing processes (collectively referred to as new process introductions hereafter)
  The process shall clearly define the review, approval and release protocols for new process introductions
  The process shall clearly define the communication protocols, publishing mechanisms and orientation procedures associated with new process introductions
  The process shall clearly define the change management triggers and guidelines associated with revisions to existing processes
  The process shall clearly articulate the structure for documenting the Standard Operating Procedures, by clearly defining the mandatory components of the documentation and the optional aspects
  The process shall clearly articulate preventive, detective & corrective controls, as well as tailoring & customization guidelines
  The process shall clearly identify the repository for storage of all process artifacts associated with the GDC Organization and the access control mechanisms for the same

OPD 2.0 Establish and maintain Standard Operating Procedures
GDC Organization shall have a well-defined, documented and easy to use set of Standard Operating Procedures
  Standard Operating Procedures shall at a minimum cover all requirements outlined in this Handbook
Standard Operating Procedures may be defined at any level by the GDC Organization
  Functional/Process Level: GDC may choose to have a single SOP that covers the requirements across multiple practices pertaining to the function/process area (as an example, GDC may choose to have a single SOP for the entire Resource Management function)
  Practice Level: GDC may choose to have an individual SOP associated with a single practice (as an example, GDC may choose to have one SOP for the Sub-contractor Management practice and another SOP for GE Site Contractor Management)
  Hybrid approach: GDC may choose to have a combination of functional and practice level SOPs, as appropriate to the GDC Organization
  Traceability to the requirements outlined in the Handbook shall be established irrespective of the approach used
GDC Organization may choose to maintain a separate policy document or maintain the policies as a part of the Standard Operating Procedures
Standard Operating Procedures shall depict the complete process/practice design and detail the implementation aspects of the process/practice, to the level of detail required to implement the process in a uniform and consistent manner across the GDC Organization (with its global locations and range of services)
Standard Operating Procedures shall at a minimum describe the following
  Purpose & performance objectives
  Entry criteria
  Inputs to the process/practice
  Process design
  Applicable procedures, methods, tools and resources
  Applicable standards (if any)
  Control mechanisms in place (preventive control, corrective control or contingent control)
  Verification points and parts
  Process performance and product performance measures and measurement points
  Interfaces & dependencies, inclusive of linkages to parent organization processes & procedures
  Exit criteria
Certain process/practice steps may need to be
  Tailored to meet the needs of a country and/or a GE Functional Division (ITO, Engineering or BPO) or a Business
  Customized based on the GDC's design and/or implementation of the specific requirements
For example,
  Background Check practice steps may require tailoring/customization to a country and the GE Business
  Sub-contractor Management practice steps may require tailoring/customization based on the GE Functional Division (ITO, Engineering or BPO)
All such needs for tailoring/customization shall be discussed with the GE GDC Program Office and undertaken only with approval from the GE GDC Program Office
The Standard Operating Procedure shall clearly identify all such tailored/customized processes
GDC shall ensure that there is appropriate integration between the various processes and procedures
At a minimum, SOPs shall adhere to the document management guidelines of the GDC Parent Organization and follow the GE Data Classification guidelines

OPD 3.0 Deploy Standard Operating Procedures across the GDC Organization
GDC shall deploy the Standard Operating Procedures across the entire GDC Organization in a planned manner. The deployment shall be uniform across all global sites of the GDC
GDC shall maintain a plan for deployment of Standard Operating Procedures to new GDC sites within a month of the site becoming operational
GDC shall ensure that appropriate training material and an orientation plan are in place, so that new process introductions and changes to procedures are introduced in the right manner at the start of deployment
GDC shall monitor the implementation of the processes, practices and procedures across all its sites to ensure that the performance objectives are met

Minimum Audit Requirements
Evidence of new process introductions in alignment with the GDC Organization's process for new process introductions
Evidence of process change communication
Evidence of GE approvals for tailoring/customization
MSA Linkage
Not Applicable
Related Practices
All practices within Organization Process Management
eGDC Suite Linkage
Not Applicable
Online Resources
Not Applicable
3.3 Organization Awareness & Training (ELEMENTARY)

POLICY
GDC Organization resources are trained on the governance framework and the Standard Operating Procedures before being assigned to GE GDC
The purpose of this Practice is to establish and maintain a well-defined training and orientation program, and a plan for training, that ensures all resources are trained and made aware of the GE Governance framework and their role in maintaining a safe and secure operating environment that delivers value in a cost-effective manner

GOALS
100% of GDC resources are trained on the Governance framework and the Standard Operating Procedures before being assigned to a GE engagement
0 incidents due to GDC resources' lack of awareness of policy/practice

RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that every resource belonging to the GDC Organization is trained adequately and in a timely manner on the appropriate policies, processes, procedures and controls of this governance framework. The specific responsibilities are
OAT 1.0 Establish and maintain a training policy & plan for training/orientation
OAT 2.0 Develop training material
OAT 3.0 Deliver training/orientation as per plan
As a key stakeholder, GE shall provide additional inputs to GDC where there are business-specific guidelines or more stringent controls that need to be adhered to in order to meet business-specific regulatory requirements and/or the handling of business-sensitive information
OAT 4.0 Provide direction/inputs to GDC on additional training required to meet regulatory requirements and/or the handling of business-sensitive information

OPERATING GUIDELINES
OAT 1.0 Establish and maintain a training policy & plan for training/orientation
GDC shall clearly establish a training/orientation policy
  The training policy shall at a minimum identify the scope, coverage and timing of the training and orientation program applicable to all resources. At a minimum, GDC shall have a New Joinee Orientation Program and an Annual Refresher Program on the Governance framework
  The training policy shall also identify additional contexts/situations (if any) where add-on trainings/orientations become applicable. For example, GDC may choose to mandate that resources working on projects dealing with sensitive data or IP go through an additional course on Data Privacy & Confidentiality just before the start of the engagement
  The training policy shall include the minimum qualification criteria for each program and the period within which the qualification must be obtained. For example, GDC may stipulate that a minimum score of 80% is mandatory to qualify
GDC shall maintain an annual plan for training and orientation. The plan shall be formally published to the GDC Organization and tracked. Any changes to the plan shall be formalized and shall follow the communication rhythm for process change
GDC may additionally plan role-specific training programs to provide in-depth orientation on the appropriate requirements to specific roles, inclusive of GDC resource roles at GE sites

OAT 2.0 Develop Training Materials
GDC shall have appropriate training material for each of the programs. The training material shall cover the policy and the governance requirements as well as the implementation aspects
  The training program may be delivered through one or more of many approaches, such as classroom training, online training, guided self-study or facilitated videos
  GDC shall choose the most appropriate training approach for the various programs and shall develop appropriate material
  GDC shall maintain multi-language support for the training material to ensure training of resources across its global locations

OAT 3.0 Deliver Training/Orientation as per plan
GDC shall conduct the training in a manner that makes it effective
  The training shall also focus on contextual case studies so as to ensure a better understanding of the policy and the requirements
  GDC shall analyze incident data to ascertain opportunities for improvement of the awareness training & orientation programs
GDC shall maintain records of training, inclusive of training date and participants list
GDC shall assess training effectiveness and participant performance in the certification process
Minimum Audit Requirements
Evidence of the training policy being published
Evidence of the annual training plan (in alignment with the training policy) and execution of the training plan
Evidence of training effectiveness assessment and identification of improvement opportunities
Evidence of on-boarding to GE GDC only after certification
MSA Linkage
Sections 3.7, 3.8
Related Practices
All practices within Organization Process Management
eGDC Suite Linkage
Not Applicable
Online Resources
Not Applicable
3.4 Organization Process Performance Measurement (MATURE)

POLICY
GDC Organization shall have formal practices in place to measure the effectiveness of their practices and ensure that process/practice improvements are planned and executed
The purpose of this Practice is to establish and maintain a well-defined quantitative program that measures the effectiveness of the process design as well as the effectiveness of the implementation across the GDC Organization, with the objective of continuously improving the process/practice and the associated set of standards, guidelines, tools and resources, towards maintaining a low-risk environment that consistently delivers high value at optimal cost

GOALS
Every process/practice area has tangible effectiveness measures defined and documented
Quantitative process/practice management is a part of the Organization's DNA

RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for defining performance measures and monitoring their performance to plan improvements and institutionalize these improvements. The specific responsibilities are
OPM 1.0 Establish and maintain performance measures and performance objectives
OPM 2.0 Perform periodic performance assessments
OPM 3.0 Review performance with the GDC Organization Steering Committee, plan and deliver on improvements




OPERATING GUIDELINES
OPM 1.0 Establish and maintain Performance Measures and Performance Objectives
GDC shall ensure that every process/practice has clearly defined performance measures
  The performance measure description shall at a minimum include the metric, the measurement criteria, the frequency of measurement and the data collection mechanism
  Performance measures shall include both process measures and product measures
GDC shall perform a baseline assessment and gain an understanding of their baseline performance level
Based on the current performance baseline and the expected performance, GDC shall define their performance objectives
  Performance objectives shall include the metric, the measurement criteria (which shall be defined and accessible to GE and GDC), the target/objectives and the timeline for achieving the target
  The GDC Organization Steering Committee shall review and approve the Performance Measures and Performance Objectives
  Performance Objectives shall be reviewed for applicability at least once in 6 months
GDC shall establish and maintain a formal measurement plan. The plan shall at a minimum identify data sources, methods of data collection, frequency of collection, consolidation & analysis mechanisms and assessment frequency

OPM 2.0 Perform periodic performance assessment
GDC shall ensure that every practice/process is assessed as per the measurement plan
  The data thus collected shall be maintained in a repository for analysis purposes
Alignment to performance objectives shall be assessed, and strengths, weaknesses and risks shall be identified

OPM 3.0 Review performance with the GDC Organization Steering Committee, plan and deliver on improvements
GDC shall share the performance assessment report with the GDC Organization Steering Committee
Based on the assessment, GDC shall identify performance risks and shall review the same with the GDC Steering Committee
GDC shall proactively conduct RCA (root cause analysis) on the existing control mechanisms and identify opportunities for improvement
Such opportunities for improvement shall be reviewed with the GDC Steering Committee, and improvement initiatives shall be signed off with the Steering Committee
  Where the proposed improvement modifies/alters GE's policy/practice/requirements (as stated in the Handbook or its source documents), GE GDC Program Office sign-off shall be obtained before commencing the initiative
GDC shall monitor the progress on all these improvement initiatives and validate the performance of these improvements
  GDC shall communicate the progress/status of these initiatives on a monthly basis to the GE GDC Program Office

Minimum Audit Requirements
Evidence of performance measures and performance objectives being defined
Evidence of periodic assessments across global sites, and evidence of process improvement initiatives being taken up
MSA Linkage
Not Applicable
Related Practices
All practices within Organization Process Management
eGDC Suite Linkage
Ad-hoc Approvals
Online Resources
Not Applicable
3.5 Internal Audits & Assessments (ELEMENTARY)

POLICY
GDC Organization shall have a formal practice of internal audits and assessments in place to assure that GE's requirements on Governance are established and implemented, so as to maintain a safe and secure operating environment that consistently delivers high value
The purpose of this Practice is to establish and maintain an internal audits & assessment practice that verifies and validates the performance of the GDC Organization and provides early warning signals to GDC Organization Leadership on gaps and risks due to incomplete process/practice design or inadequate rigor in implementation

GOALS
0 surprises in External Audits
0 surprises in GE Assessment of Maturity Level

RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for establishing their Internal Audits & Assessment team and plan, and for performing the audits and assessments to meet the policy and goals of this practice. The specific responsibilities are
IAA 1.0 Establish an Internal Audits and Assessment practice
IAA 2.0 Perform Internal Audits & Assessments

OPERATING GUIDELINES
IAA 1.0 Establish an Internal Audits & Assessment Practice
GDC Organization shall establish an Internal Audits & Assessment practice
  The practice shall be staffed appropriately with qualified and dedicated team members
  The GDC Organization may choose to engage a third-party audit firm as its internal auditors. However, the selection of such an audit firm shall be reviewed and approved by the GE GDC Program Office
  The team shall have independence of organizational reporting to increase the effectiveness of the audits & assessments
  The team shall have a well-defined audit & assessment framework that is well documented. The framework shall also clearly articulate the roles and responsibilities of the IAA team, the Governance team and all other parts of the GE GDC Organization
The IAA practice team shall establish an annual plan for audits & assessments with the scope, coverage and approach clearly defined
  Internal Audits & Assessments shall be carried out on a quarterly basis, covering at least 3 quarters, at all sites that are used to deliver GE engagements. Any exceptions to this schedule shall be discussed and signed off with GE's GDC Program Office
  The IAA team can determine whether there are practices that are centrally managed from a single site, and therefore the scope of audit at the individual sites for such practices
  The IAA team shall clearly document the audit & assessment methodology to be used for each audit/assessment
  The annual plan of Audits & Assessments shall be signed off by the GDC Organization Steering Committee
The IAA practice team shall publish the Audits & Assessment plan for the year to the GE GDC Program Office, on creation as well as on change
The IAA practice team shall collaborate with the Governance Leader to identify External Auditors and ensure that external audits are carried out as per GE guidelines
  Only GE-approved external auditors are permitted to be used for external audits
  External audits shall be performed within the timelines expected by GE and the reports published to GE
  Where contractual regulatory external audits or business-specific regulatory external audits are required, GDC shall work closely with the GE GDC Program Office to ensure that all the requirements of the regulatory audit are covered

IAA 2.0 Perform Internal Audits & Assessments
The IAA practice team shall conduct Internal Audits & Assessments as per plan
  Audit checklists shall be customized to meet the GDC Organization's specific design and customization of practices
  The Audits & Assessments shall cover all sites of the GDC and partner sites (where the GDC uses partners to deliver work for GE)
  GDC shall ensure that a full-scope internal assessment is carried out at a minimum once during the year
  Deviations from plan shall be approved by the GDC Organization Steering Committee
  Detailed documentation of the Audits & Assessments shall be maintained
  A formal report of performance shall be prepared and discussed with the GDC Organization stakeholders (the Governance team, the GDC Organization Steering Committee and any other critical member of the GDC Organization)
The IAA team shall carry out an assessment of the GDC Organization's maturity level as per GE guidelines and identify the maturity of individual practices at each site and at organization level
  The assessment report shall be shared with the GE GDC Program Office along with the action plan for closures
GDC Organization shall identify corrective actions and process/practice improvements based on the audit/assessment findings. All action items shall be tracked for closure and signed off by the IAA team


Minimum Audit Requirements
Evidence of the Internal Audits & Assessments plan (creation, review & sign-off by the GDC Steering Committee, communication to stakeholders)
Evidence of internal audits and assessments being carried out as per plan across global sites
Evidence of closures on action items being reviewed and signed off by the IAA team
MSA Linkage
Sections 3.2, 4.5 and 6.1
Related Practices
All practices within Organization Process Management
eGDC Suite Linkage
Not Applicable
Online Resources
Not Applicable
3.6 Incident Management (ELEMENTARY)

POLICY
Customer complaints, non-compliances with any of the 38 practices of the Governance framework, and any physical event that compromises confidentiality, security or safety shall be considered an incident. GDC shall report any incident associated with its Organization, or an occurrence observed at a GE Site/Business, to the GE GDC Program Office. Material incident occurrences shall be reported within 2 hours to the GE GDC Program Office and non-material incidents within 48 hours. GDC shall establish and maintain an Incident Management framework that enables identification, reporting & management of the different types of incidents, so as to meet the GE SLAs on Incident Management
The purpose of this Practice is to establish and enforce incident reporting and Incident Response planning (IR Plan) as it relates to computer and non-computer related incidents, incorporating timely detection, reporting, acknowledgement, containment, root cause analysis and closure within GE SLAs.

GOALS
100% adherence to GE Incident Management SLAs
0 instances of repeat incidents related to non-compliances or governance lapses
Reduction in Critical/High impact incidents due to the effectiveness of Risk Management & IR Plans

RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented within the Incident Response plan of the GDC Organization to meet the policy and goals of this practice. The specific responsibilities are
OIM 1.0 Establish and maintain Incident Response (IR) plans for the different types of incidents
OIM 2.0 Report incidents to GE and adhere to the defined SLAs
As a stakeholder, GE shall be responsible for
OIM 3.0 Report GDC incidents to the GE GDC Program Office
OIM 4.0 Investigate incidents raised by GDC on GE and take corrective actions



OPERATING GUIDELINES
OIM 1.0 Establish and maintain Incident Response (IR) plans for the different types of incidents
A material incident may occur due to violation of any of the 38 practice areas across the focus areas or due to failure in meeting customer commitments, and not necessarily because of a security event or a natural/man-made disaster
Incidents may be reported by GDC for their sites, or may be raised by GE on GDC
GDC shall maintain IR plans for the different categories of incidents. These IR Plans shall be specific to the severity of the incidents
  GDC may choose to define the IR plans as a part of the SOP on Incident Management, or have these as separate documents with clear references in the SOP
  Computer Incident Response plans shall be treated separately and designed to cover GE GDC projects, services and assets. The plan may be a part of the parent company's IR plan, but shall have a section specifically for GE GDC
  The GE GDC IR Plan must have clear definitions for monitoring, vulnerability management and endpoint hardening as per GE GDC requirements
  The GDC IR Plan shall support the handling of incidents reported by GE
GDC shall clearly identify a single point of contact/owner for each IR Plan. The owner may be a part of the governance team or a part of an extended governance support team. The owner shall be aware of their responsibilities under the IR Plans
GDC IR Plans shall be reviewed on a periodic basis to ascertain the validity of the plan and to identify potential risks/gaps with the plan. Corrective actions shall be executed on the basis of this assessment
GDC IR Plans must have a clear path for communication and escalation with the GE GDC Program Office and other GE stakeholders, as the case may be
GDC resources shall be trained on the relevant IR Plans
GDC shall encourage all members of the GDC Organization to raise an incident without fear of retaliation. GDC may have mechanisms for employees to raise incidents anonymously

OIM 2.0 Report Incidents to GE and adhere to GE SLAs
Material incident occurrences shall be escalated within 2 hours of the occurrence of the incident, and all other incidents within 48 hours
  Material incidents shall be communicated by phone and/or email and followed up with eGDC Toolset reporting within a week
All computer-related incidents reported by GE must be worked within the SLA per the GE Incident Response Plan in the following manner

All other categories of incidents that are classified as Critical/High impact shall be contained within 4 hours or as agreed with GE's GDC Program Office. Low/Medium impact incidents shall be contained as per the plan agreed with the Program Office
Regular updates shall be sent to all stakeholders until operations are back to normal
Root cause analysis and corrective action plans shall be shared before closing the incident, and the risk register shall be updated accordingly (see Section 3.7 Risk Management)
  In the case of Critical/High impact incidents, GDC shall obtain approval from the GE GDC Program Office on the RCA and corrective actions
GDC shall assess the effectiveness of their risk management and IR processes and provide feedback to process owners on the gaps identified
Repeated occurrences of an incident shall be further investigated for potential threats and appropriate treatment executed
GDC shall report non-compliances observed at GE Business level to the Business VMO Leader and the GE GDC Program Office through the eGDC Toolset
Minimum Audit Requirements
Evidence of IR Plans in place for all categories of incidents
Training records on IR Plans for GDC resources
Evidence of incident reporting as per GE guidelines
Evidence of incident resolution as per GE guidelines/agreement with GE
MSA Linkage
Section 4.25
Related Practices
All practices within Organization Process Management
eGDC Suite Linkage
Incident Management Module
Online Resources
Not Applicable
3.7 Risk Management (ELEMENTARY)

GDC Organization shall have a formal integrated risk management practice in
place. Risks associated with the GDC Organization shall be managed and reported
to GE GDC Program Office at a minimum on a monthly basis
The purpose of this Practice is to establish and maintain an integrated risk management practice
that enables the GDC Organization to become more aware of the possible threats, weaknesses
or gaps in the operating environment and deal with these in a proactive manner in order to
maintain a safe and secure operating environment that consistently delivers high value at
optimal costs


0 instances of identified risks materializing as high/medium impact incidents
(effectiveness of risk mitigation)
0 instances of communication failure on high risk items to appropriate stakeholder in GE
(effectiveness of proactive communication)
0 instances of high/medium impact incidences that have not been identified as risks
(effectiveness of risk identification)


As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate
procedures and controls are implemented within the GDC Organization to meet the policy and
goal of this practice. The specific responsibilities are
ORM 1.0 Establish a framework & process for managing risks at GDC Organization level
ORM 2.0 Manage risks
As a key stakeholder, GE shall be responsible for escalating any risks it sees with the
GDC Organization and for collaborating with the GDC Organization to mitigate the risks that the
GDC escalates to GE. The specific responsibilities are
ORM 3.0 Report risks seen at GDC Organization
ORM 4.0 Collaborate with GDC Organization to mitigate risks that are co-owned by GE
OPERATING GUIDELINES
ORM 1.0 Establish a framework and process for managing risks
GDC Organization's integrated risk management framework shall cover all functions,
operations and locations of the GDC Organization
Risk Management shall be an integral part of all practices within the GDC Organization
The framework shall encourage all members of the GDC Organization to raise a risk
without the fear of retaliation. GDC may have mechanisms for employees to raise risks
anonymously
Accountabilities and responsibilities for risk management shall be established
appropriately for different levels of management/leadership at GDC Organization
Risk hierarchy is established and is understood by stakeholders
Performance objectives of key resources and practice owners shall include the
risk management objectives (for specific practices that they are
accountable/responsible for)
The framework shall support both external and internal risk factors
External risk factors include (but are not limited to) Geo-Political Environment,
Legal, Regulatory, Financial, Technology Advancements, Economic, Competitive
Landscape, Natural Calamities, Cultural, Perceived Brand & Values
Internal risk factors include (but are not limited to) Organizational capabilities
(human resources, technology areas, organization resources like tools, standards,
frameworks), Organizational systems & procedures, Organization Objectives and
Strategies, Internal Stakeholders, Organization Structure (roles & responsibilities),
Organization culture & values
The framework shall support the organizational context (internal and external)
External context represents alignment to GE in terms of the Business structure
(Super Business, Business and sub-business structure), Location (globalization
regions) and divisions (ITO, BPO and Engineering)
Internal context represents alignment to the GDC Organization's internal structure,
inclusive of its sites, Business Units, partners and COEs
The framework shall support a robust process of risk management covering the key
activities of Risk Identification, Risk Analysis & Evaluation, Risk Treatment, Risk Monitoring
and Review, Communication on Risk information
GDC may choose to use a Risk Council approach as a fundamental element of
their Risk Management process. If so chosen, the roles & responsibilities of a Risk
Council and the context shall be clearly defined
The framework shall provide visibility on relevant risk information to key internal
stakeholders in order to help them perform their responsibilities
The framework shall support communication, reporting & escalation on risk information
to appropriate internal and external stakeholders based on pre-defined business rules
GDC shall escalate risks seen at GE Business to Business VMO Leader and GE GDC
Program Office through eGDC Toolset
ORM 2.0 Manage risks
GDC Organization shall establish a Risk Management Plan (a live document) that
clearly articulates the operational aspects of integrated risk management based on
the framework and process. The plan shall clearly articulate the context, performance
objectives, risk criteria, risk management process, tools available, ownership and
responsibilities, communication and escalation plans, and monitoring and review rhythms
Risk Management process shall be applied in all areas of operations, delivery and
management across all functions and services
GDC Organization wide Integrated Risk Register shall be maintained
Risks identified from any source (a GDC or GE stakeholder, or a third-party
auditor) that relate to continuity of operations in GE GDC engagements
shall be recorded in the risk register
Risk Analysis & Evaluation shall be consistent with the framework & process
defined
Any decisions to accept a risk (and not treat it/mitigate it) that may have a
potential impact on GE shall be discussed and reviewed with GE GDC Program
Office and sign-off obtained
Treatment plans shall be put in place for all risks identified above and tracked to
closure
Risk Register shall be reviewed on a periodic basis (minimum Quarterly) with GDC
Organization Steering committee
Periodic assessment of the risks and effectiveness of treatment plans shall be carried out
by the GDC and critical, high risks shall be escalated to GE GDC Program Office
Minimum Audit Requirements
Evidence of Risk Management framework and process being established and in consistent
use
Evidence of Integrated Risk Register in practice
Evidence of Critical/High Risk items being shared/published to GE
MSA Linkage
Not Applicable
Related Practices
All practices within the Organization Process Management
eGDC Suite Linkage
Risk Register
Online Resources
Not Applicable
3.8 Organization Innovation & Technology Deployment (ADVANCED)
POLICY
GDC may choose to deploy validated technology platforms and innovative
practices within the GE GDC Operating Environment that deliver high-quality, high-
value solutions in a cost-effective manner and in a safe and secure environment
with 0 surprises
The purpose of this practice is to encourage the selection and deployment of proactive, generative
solutions/practices that measurably minimize risk, are cost-effective and deliver increased
value to GE Businesses.
GOALS
Deploy appropriate technology solutions within the GDC Operating Environment to
strengthen the performance of practices within the GDC Operating Environment
Demonstrate consistent and continuous value creation through deployment of innovative
solutions that are of high quality and deliver increased value to Businesses while reducing
risks and costs for the Business
Conceptualize, pilot and deploy at a minimum 1 generative solution per year that
significantly reduces governance risks and overheads for GDC and GE
RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate
procedures and controls are implemented within the GDC Organization to support and
accelerate use of appropriate technologies and innovative practices in meeting the purpose and
goals of this practice. The specific responsibilities are
OIT 1.0 Establish and maintain a process for new technology/innovative practice
recommendations
OIT 2.0 Deploy new technology/innovative practice to GDC Operating Environment
As the beneficiary of this practice, GE shall be specifically responsible for validating, verifying and
approving any such new technology, innovative practices deployment
OIT 3.0 Verify, Validate and approve recommendation for pilots, deployment of new
technology and/or innovative practices
OPERATING GUIDELINES
OIT 1.0 Establish and maintain a process for recommending new
technology/innovative practices
GDC shall define a framework that enables new technology and innovation ideas to be
proposed, assessed and piloted
The framework shall enable any member of the GDC Organization to participate /propose
potential incremental improvements or innovations to processes/practices/procedures
/work products
Innovative improvements are game changers: they have a significant impact on
the way a process, practice or technology is viewed and deployed, resulting in
benefits of a much higher magnitude. Innovative improvements are
generative in nature and may be adaptable across the entire ecosystem of GE
and/or its partners
Incremental Improvements or innovation proposals may at a minimum, focus on one or
more of the following
Minimizing risk of Governance
Increasing effectiveness/efficiency of a process/practice
Increasing product /process quality
Increasing reliability of service
Reducing cycle time
Reducing time to deliver
Increasing productivity
Decreasing Total cost of Ownership
Decreased cost/unit
Increased Business Value to GE
Improvements/Innovation proposals shall focus on innovative practices and/or use of
technology to achieve one or more of the above benefits
The framework shall at a minimum support the submission of the business context along
with an initial assessment of risks and benefits of the proposed incremental improvement
or innovation. Where the deployment of this proposal is likely to have a monetary impact,
a cost-benefit analysis shall also be included
GDC Organization may choose to define an Innovation Council that is responsible for
screening proposals, assessing the merit of these proposals and making
recommendations for pilot
GDC Organization shall have minimum qualification criteria to select proposals for
detailed assessment and pilots
GDC Organization shall perform detailed assessment of selected proposals. At a
minimum, the assessment shall focus on risks & benefits from a short-term (<12 months)
and medium-term (12 to 36 months) perspective, change barriers and strategies for
overcoming these barriers. The success measures shall be clearly defined
Where the proposed solution may have an impact on GE or is a change to GE's existing
processes/practices/expectations, the proposal shall be submitted to GE along with the
detailed assessment report for approval
Decision for deployment/pilot may be taken by Innovation Council (where GE approvals
are required, the GE team shall decide the need for Pilots/Direct deployment)
Where pilots are required to be performed, GDC Organization shall have a formal plan to
monitor, track and report progress and results.
Critical parameters to be tracked and reported shall be formally published
Pilot reports shall be formally published to Innovation Council, pilot results evaluated
against proposed risks & benefits
GDC Organization Steering Committee shall be a primary stakeholder in deciding
on deployments of the pilots
Where GE is involved in proposal approval, GE shall be the final authority in
determining the deployment of the proposed solution
GDC Organization shall maintain a repository that enables tracking, analysis and
reporting on the above activities
OIT 2.0 Deploy new technology/innovative practices
GDC shall assess the context of the deployment and formulate a specific deployment
plan that takes into consideration the context, scope and potential impact of the change.
GDC shall formally communicate and collaborate with stakeholders on deployment to
minimize disruptive impact while working towards meeting the goals of the plan
Where the deployment touches end users, GDC shall invest on end user education
to minimize impact while increasing awareness
GDC shall manage the deployment by monitoring the risks and impacts that may arise during
the deployment phase
GDC shall report the progress of the deployment to GDC Organization Steering
Committee and to GE GDC Program Office on a regular basis
GDC Organization shall measure the outcome of the deployment for the minimum period
defined in the plan and perform assessment of benefits compared to the proposed
benefits
Minimum Audit Requirements
Evidence of framework & process for new technology/innovation proposal assessment &
deployment
Evidence of assessments being carried out and review, approvals by Innovation Council and
GDC Steering Committee
Evidence of GE approval where innovation/new technology/improvement proposal has an
impact on GE
Evidence of deployment planning and monitoring
Evidence of communication and status reporting on all new
technology/improvement/innovation proposals (to internal stakeholders and to GE)
MSA Linkage
Not Applicable
Related Practices
All practices within the Organization Process Management
eGDC Suite Linkage
Adhoc Approvals
Online Resources
Not Applicable
4.0 Resource Management
Resource Management is a critical process area and a basic building block of the entire
Governance framework. Resources play a vital role in the success of a GDC organization and
have a far-reaching impact. While most practices within this process area may be owned by the
Human Resource function, the Operations and Governance teams have a key role to play in
ensuring that the Resource Management practices are defined with the GE Policies for
each practice area in mind, and in designing specific controls and procedures that meet those
policies in spirit and letter
The diagram below gives a perspective on the practices within the Resource Management
process area and the relationship between the practices
FIGURE 8 RESOURCE MANAGEMENT Practices & Linkages
4.1 Non-Solicitation (ELEMENTARY)
POLICY
GDC shall not recruit resources who have worked for GE in the last 12
months without an explicit approval from GE GDC Program Office.
GDC shall also not recruit/allocate other GDC resources that have
serviced GE in the last 12 months
The purpose of this Practice is to establish and maintain the integrity (Spirit & Letter) of the MSA in
the GDC Organization in the context of hiring or allocating resources who may have served on a
GE Task Order (or) been a part of GE in the last twelve months
GOALS
0 incidents associated with recruitment/allocation of other GDC resources or GE
resources to GDC
RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate
procedures and controls are implemented within the recruitment and resource allocation
processes of GDC Organization to meet the policy and goal of this practice. The specific
responsibilities are
NS 1.0 Manage the recruitment process across the Organization to minimize the risk of hiring
resources who have been with GE in the last 12 months, or resources who have been
part of GE GDC with other GDCs in the last 12 months
NS 2.0 Manage the resource allocation process to GE GDC to minimize the risk of allocating
resources who have been with GE in the last 12 months, or other GDC resources who have
been part of GE GDC in the last 12 months
As a stakeholder of this Practice, GE Businesses are responsible for ensuring that GDC
resources are neither recommended to another GDC nor hired by GE
NS 3.0 GE shall neither hire a GDC resource who has been part of GE GDC in the last
12 months nor recommend the hiring of a GDC resource to another GDC
OPERATING GUIDELINES
NS 1.0 Manage recruitment process
Recruiting or attempting to recruit a past employee of GE who has been with GE in the last
12 months is not permitted
Exception to the above shall be brought to notice of GE GDC Program Office and
recruitment shall proceed only if formally signed off by GE GDC Program Office. GE
GDC Program Office shall provide an approval based on discussions with the
appropriate GE GDC Business leaders / GE HR manager
Resources (inclusive of sub-contractors) belonging to other GDCs or GE Business
specified third parties working on GE Engagements, cannot be recruited/contracted by a
GDC for GE GDC Engagements, for up to twelve months of their disengagement from GE
Task Orders
This norm shall apply even if the resource has exited the GDC and is a part of
another Organization
In exception cases, where a GDC wishes to recruit the resource ahead of the 12-
month norm, No Objection note shall be obtained from the Global Relationship
Manager/Global Delivery & Operations Leader, by the GDC who wishes to recruit
the resource
GDC Organization's recruitment process shall have adequate controls to identify and
prevent, or proactively mitigate, the risk of hiring a resource from another GDC and thereby
impacting GDC Operations
GDC shall maintain evidence of exception approvals and of verification performed for hiring
NS 2.0 Manage resource allocation process
GDC shall ensure that a resource who had served GE in the last 12 months as a part of
another GDC Organization or a Business-specified third party organization is not assigned
to a GE engagement, for a period of twelve months since their disengagement from GE
Task Orders
This norm shall apply even if the resource has exited the GDC and is a part of
another Organization
In exception cases, where a GDC wishes to allocate the resource ahead of the 12-
month norm, a No Objection note shall be obtained from the Global Relationship
Manager/Global Delivery & Operations Leader by the GDC that wishes to allocate
the resource
GDC shall have well defined practices and procedures to manage exception cases; clear
documentation of these exceptions and approvals obtained from GE GDC Program Office
or other GDC Organization shall be maintained
Minimum Audit Requirements
Evidence of Non-Solicitation verification in hiring and resource allocation
Evidence of exception approvals for on-boarding resources with GE association (either as an
employee of GE or as a resource in one of the GDC or business-specified third party
organizations) in the last 12 months
MSA Linkage
Sections 3.13 to 3.15
Related Practices
Background Check Management, GDC On-boarding/Off-boarding, Sub-Contractor
Management
eGDC Suite Linkage
Adhoc Approvals (for exception hiring of GE resources)
Incident Management Response to Incidents raised (if any) on hiring from another GDC
or GE
Online Resources
Not Applicable
4.2 Background Check (ELEMENTARY)
POLICY
GDC Resources, irrespective of their work location or role, shall be BGC cleared as
per GE Guidelines by a GE Certified BGC Agency before being deployed to GE GDC
The purpose of this practice is to establish and maintain integrity of background check
performance and clearance status (in spirit and letter) for every GDC resource associated with GE
(irrespective of their role)
GOALS
100% of resources assigned to GE GDC are Background check cleared (as per GE
guidelines by GE Certified Background Check agencies) before being on-boarded to GE
GDC
RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate
procedures and controls are implemented to meet the policy and goal of this Practice. The
specific responsibilities are
BGC 1.0 Perform background checks as per GE guidelines on BGC
BGC 2.0 Deploy only BGC cleared resources to GE
BGC 3.0 Manage BGC to ensure timely deployment of resources to GE
As a stakeholder of this Practice, GE Businesses are responsible for ensuring that no resources
are permitted to work on GE engagements without being BGC cleared
BGC 4.0 Validate BGC Status prior to SSO Id Creation
OPERATING GUIDELINES
BGC 1.0 Perform Background checks as per GE Guidelines on BGC
GE Authorized suppliers shall be used for conducting BGC
In exception cases, BGC may also be carried out by Government Agencies or by
the HR Staff of the GDC Organization, based on the practices of the
Region/Country
Standard operating procedures specific to a region shall be followed for the background
checks performed in that region
Exemptions to checks may apply in certain cases, as per the exemptions
document provided in the Online Resources.
In the case of the few states in India or countries that do not permit criminal checks,
GDCs shall define a process to handle this and adhere to it.
In case of GDC resources being placed at GE Site, additional Business-specific
requirements for BGC shall be understood and performed
In case of GDC resource/subcontractor getting allocated to GE engagements
after break in service, GDCs shall perform applicable additional checks as defined
in the GE BGC exception handling guidelines (part of GE BGC Exemptions
Document)
Well-documented procedures shall be in place to handle exceptions [inclusive of
unverifiable data or insufficiencies], be these reported by BGC agency or a decision taken
by GDC Organization. Clear documentation and evidence shall exist and auditable for
every case of exception
BGC 2.0 Deploy only BGC Cleared resources to GE
All GDC resources/subcontractors shall be deployed to GE only after they are BGC cleared
Includes new recruits, internal moves inclusive of re-allocations [as per BGC
Exemptions Document], sub-contractors, support staff, management staff and
any other resource requiring access to GEGDC area or other GE resources
Includes all roles examples BRM, Sales & Marketing, IT Security & Compliance,
Network & Infrastructure, Delivery, Leadership, PMO, Quality, HR & Finance
Support, Physical Security Staff, Facility Maintenance Staff and any others
involved in providing services to GEGDC
Includes resources working at GE Site, GDC Site or from any other location
Internal Support Staff of GDC Organization that are not full time members of
GEGDC Organization but who provide support services to GEGDC, shall also be
cleared on BGC
BGC shall be done before allowing physical or logical access to GDC area or before
requesting for SSO Id to GE Sponsor
Well-documented procedures shall be in place to handle exception decisions on
deployment of a non-GREEN case (as reported by BGC Agency). Clear documentation and
evidence shall exist and be auditable for every case of exception.
BGC 3.0 Manage BGC to ensure timely deployment of resources
GDC Organization shall monitor and manage the SLA with the agency to ensure timely
deployment of resources
Insufficiencies and non-GREEN cases shall be verified by GDC Organization and process
improvement initiatives shall be undertaken to minimize impact of these cases on timely
deployment to GE or on compromises to Quality of checks
Minimum Audit Requirements
Evidence of BGC Clearance report from GE Authorized BGC Agency shall be maintained for
every resource (as outlined in BGC 2.0)
Evidence of exception/exemption cases and adherence to Exception Handling guidelines
shall be maintained for all exception cases. This shall include clearance of non-GREEN cases,
decisions on insufficiencies, exemption cases and any others outlined in BGC 1.0 and BGC 2.0
MSA Linkage
Sections 3.17, 3.18
Related Practices
SSO Id Governance, GDC On-boarding, GE Site Contractor Management, Sub-Contractor
Management
eGDC Suite Linkage
BGC Dashboard
Online Resources
The following additional guidelines can be found at the GE GDC Knowledge Center
http://supportcentral.ge.com/81973 Policies & Procedures Compliance & Security
HR/Staff Related Additional Guidelines
BGC Guidelines for India, Mexico, China, European Countries, US, Brazil, Japan
Guidelines on BGC Exemptions
GE Certified BGC Agency List
4.3 GDC Resource On-Boarding/Off-Boarding (ELEMENTARY)
POLICY
GDC Organization shall have a formal on-boarding, off-boarding and transfer
process to enforce timely implementation of the governance procedures related to the
on-boarding, off-boarding and transfer of a resource
The purpose of this Practice is to enforce compliance with governance practices and procedures
when resources are on-boarded to, or off-boarded from, a project/location/GE GDC
GOALS
0 defects/incidents in on-boarding of a resource
0 defects/incidents in off-boarding of a resource
RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate
procedures and controls are implemented to meet the policy and goals of this practice. The
specific responsibilities are
GOO 1.0 Maintain Resource Register
GOO 2.0 Manage On boarding of GDC Resource
GOO 3.0 Manage Off Boarding of GDC Resource
As a stakeholder of this Practice, GE Businesses are required to be aware of the on boarding and
off boarding requirements and participate, where specific requests are raised
GOO 4.0 Review requests for action and facilitate/perform authorized actions
OPERATING GUIDELINES
GOO 1.0 Maintain Resource Register
GDC shall ensure that a complete resource register is maintained. The resource register
shall at a minimum track resource personnel information, employment details, GDC
organization on-boarding details, current deployment details, past deployment details
(within GE GDC), documents signed by GDC resource (linked to specific engagement or
practice), VISA details, details on Assets assigned to resource
Data shall be maintained for existing and off-boarded resources
GDC shall ensure that resource data is available to GE, on demand
GDC shall ensure that a minimum traceability of 7 years (data) is maintained for all
resources within GDC Organization
Data of resources who have been off-boarded from GDC Organization shall also
be maintained for a period of 7 years
GDC shall ensure that data is current and complete in all aspects
GOO 2.0 Manage Resource On-Boarding
GDC shall ensure that only BGC cleared resources are on-boarded to GE GDC irrespective
of their location of work
GDC shall also ensure that such resources have been cleared from a non-solicitation
perspective
GDC shall ensure that resources joining GE GDC read and acknowledge the AUG, SIA and
the Commitment to Integrity Spirit & Letter documents.
GDC shall ensure that the resources joining GE GDC are trained and certified on GE
Governance practices and their responsibilities in maintaining a safe and secure
environment
GDC shall ensure that the resources joining GE GDC are placed at GE Site only after the
above steps are completed
Physical and Logical access to GDC work area at GDC Site shall be granted to new joinees
only after the training and assessment is completed
GDC shall request SSO IDs only after the resource has cleared BGC and signed the AUG and SIA
documents. The resource shall also be certified as trained on GE Governance
practices and aware of their responsibilities as a GE GDC resource before the
SSO ID is requested
If the resource is a sub-contractor, GDC shall ensure that appropriate approval is
obtained from GE Business VMO leader for on-boarding a sub-contractor resource
GDC shall maintain evidence of Resource assessment before requesting GE for
approval
Where the resources are being on boarded for sensitive locations, GDC shall ensure that
additional documents as required by GE Business (over and above the standard AUG, SIA
and Commitment to Integrity documents) are signed
GDC shall ensure that additional trainings (as seen appropriate to the engagement) are
discussed and provided to resources being allocated to critical/sensitive projects
Where resources are being on-boarded to GE site, GDC Organization shall ensure
verification and validation of resource status as given below,
Resource is trained and is aware of the guidelines to be followed for GE Site work
VISA required for WORK is of appropriate type and does not violate Immigration rules
VISA is valid for the entire duration of work and where the VISA expiry is before the
end date of engagement, the same is communicated formally to GE Manager with
plans for mitigating risk
Where the resource is deployed on a non-PSA engagement, the GE Site duration
completed is validated for potential risk of exceeding the threshold period (as defined
in GE Site contractor management). GDC shall not deploy resources whose GE Site
duration may fall into a Watch Period within 3 to 6 months of being deployed. In
other cases, GDC shall proactively communicate the risk and collaborate with GE
Business to mitigate the same
Assets provided to GDC Resource shall be in complete compliance with all the practices
on the GDC Program.
GDC shall upload the on-boarding information to eGDC Suite within a week of the
resource being on-boarded to GE GDC
GOO 3.0 Manage Resource Off-Boarding
Where a GDC resource is being off-boarded from GDC Organization (irrespective of
whether the resource is exiting the parent Organization or moving to another part of the
parent Organization), the following steps shall be adhered to
Resource shall sign the Assignment of Rights document with details about the
projects undertaken and the duration of service provided. The Assignment of Rights
document shall be counter-signed by a GDC authorized signatory.
Any data folders being maintained/owned by the resource shall be transferred to
appropriate Leadership within GDC Organization
GE Data residing on individual owned Folder/Shared drives/Local machine/GE
Libraries shall be validated and appropriate treatment provided
GDC Organization shall ensure that GE data is not misused (copy/upload to
online storage tools, attachment to emails)
Any work requests/tickets raised by the resource that may require follow-up shall be
assigned to successor, where applicable, and with appropriate approvals from GE
Business owner
GE Software and Hardware Assets (if any) assigned to resource shall be surrendered
GDC Organization assets assigned to SSO Id shall be surrendered and
desktops/laptops completely formatted
SSO Id shall be surrendered
Where a GDC resource is being off-boarded to a different project/role within the GDC
Organization, GDC shall adhere to the following
SSO Id shall be surrendered/transferred to appropriate sponsor as the case may be
In exception scenarios where the resource is expected to be assigned to a project
with the same sponsor (with the Business being the same), the SSO Id can be
retained
Where SSO Id is retained (same or different sponsor), GDC Organization shall
collaborate with GE Managers to ensure that all access associated with the SSO Id
for applications/sites related to project being off-boarded are removed
Any data being maintained/owned by the resource folders with data pertaining to
project from where resource is off-boarded, shall be transferred to appropriate
Leadership within GDC Organization and all such Folders/Libraries shall be deleted
GE Data residing on individual owned Folder/Shared drives/Local machine/GE
Libraries shall be validated and appropriate treatment provided
GDC Organization shall ensure that GE data is not misused (copy/upload to
online storage tools, attachment to emails)
Any work requests/tickets raised by the resource (and associated with the project
being exited) that may require follow-up shall be assigned to successor, where
applicable, and with appropriate approvals from GE Business owner
GE Software and Hardware Assets (if any) assigned to resource shall be surrendered
GDC Organization assets assigned to resource shall be surrendered and
desktops/laptops completely formatted
If the resource being off-boarded is a critical resource, project-specific BC/DR Plans shall
be updated to reflect the change (where projects are not closed/terminated)
Physical and logical access shall be removed for the resource according to the nature of the
off-boarding. This shall take into account Server room access, Restricted area access and
GDC Site access
If the resource is being off-boarded from GE Site, GDC Organization shall collaborate with
GE Business to ensure that the above are performed in a timely manner
GDC Organization shall validate the resource off-boarding as planned/unplanned and
update the resource register accordingly
Minimum Audit Requirements
Evidence of BGC Clearance being obtained prior to On-boarding
Evidence of AUG SIA and training/assessment documents signed prior to Physical/Logical
Access
Evidence of SSO Id request, Physical/Logical access being assigned after on-boarding
MSA Linkage
Not Applicable
Related Practices
Background Check Management, GDC On-boarding/Off-boarding, Sub-Contractor
Management, Assets Governance, Project/Engagement Termination/Closure, GE
Knowledge Management, GE Site contractor management
eGDC Suite Linkage
Contingent Worker Data*
Online Resources
The following template can be found at the GE GDC Knowledge Center
http://supportcentral.ge.com/81973 Policies & Procedures Compliance & Security
HR/Staff Related Additional Guidelines
Resource Register Template
4.4 SSO Id GOVERNANCE (ELEMENTARY)
POLICY
Every resource associated with GE GDC shall have a valid SSO Id that is current and
applicable to the role and engagement of the individual. Accesses associated with
the SSO Id shall be relevant to the role and the engagements of the individual.
The purpose of this Practice is to ensure that appropriate controls are established for the
governance and proper use of SSO Ids issued to GDC resources, in alignment with the Policy
above.
GOALS
100% of SSO Ids for GDC are current and have the right sponsorship and access
0 instances of GDC resources without an SSO Id
0 instances of shared SSO Ids
RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate
procedures and controls are implemented to meet the goals of this Practice. The specific
responsibilities are
SIG 1.0 Manage SSO Id Creation
SIG 2.0 Monitor and manage SSO Id USE
As a stakeholder of this Practice, GE Businesses are responsible for SSO Id creation, assigning
appropriate access and deleting Ids when they are no longer required
SIG 3.0 Validate BGC Status and existence of SSO Id for GDC resource prior to Creation
SIG 4.0 Manage Access and SSO Id end date
OPERATING GUIDELINES
SIG 1.0 Manage SSO id Creation
Every resource of the GDC Organization shall have a valid SSO Id
GDC shall request for SSO IDs only after the resource is BGC cleared and AUG, SIA are
signed. Evidence of such request shall be maintained by GDC
GDC shall ensure that the resource does not already have a SSO Id
Request for creation of SSO ids shall explicitly identify the GDC Organization name, BGC
Clearance status, the role of the individual in the GDC Organization, address of the
location at which the resource would be based, resource contact details
GDC resources shall only have a GE email Id mapped to their SSO Id. No direct or
indirect mapping of a non-GE email Id is permitted
Where there are business-specific guidelines to be followed in requesting SSO Id
creation, GDCs shall ensure that such guidelines are clearly documented and
followed
Evidence shared with GE for SSO Id creation shall be maintained as a part of the
SSO Id Inventory
SSO Id sponsor shall be relevant to current engagement for the resource
Sponsorship for shared resources within GDCs Leadership team, PMO, Compliance &
Governance and support functions like Quality, HR, Finance, IS, Network Management
and the like, shall be provided by the GE GDC Program Office
In exception scenarios, where shared resources are leveraged for project delivery across
multiple businesses, GDC shall communicate clearly the shared status to all the
businesses concerned and ensure that approvals are obtained from the businesses
concerned, for
Enabling additional access (pertaining to the new businesses) to an existing SSO Id
Issue of an additional SSO Id for the same resource
GDC shall ensure that such exceptions are tracked for proper USE and SSO ids,
accesses surrendered when no longer required
GDC shall report to GDC Program Office on a monthly basis all such exception
cases
SIG 2.0 Monitor and manage SSO id USE
An inventory of all SSO Ids assigned to GDC resources, inclusive of support and project
personnel, shall be maintained by the GDC; an entry shall remain in the inventory for one year
after the Id is surrendered. Beyond the 1-year period, the details of such SSO Ids no longer
in USE shall be maintained in an archive for a period of 7 years.
The inventory shall include: SSO Id, Email, Sponsor SSO Id, Location, Worker Type,
Person Type, Project Assignment, Role Description, Status, Date of Creation, Date
of Last Renewal and Surrender Date
GDC shall ensure that SSO id Sponsorship is current and validated to ensure the
resources assigned are under the current project sponsorship
In case of project transfers within the same Business, GDC shall ensure transfer of
sponsorship and surrender of access to applications and information that are not
relevant to the current project.
It is recommended that SSO Ids are surrendered and new SSO ID created for
transfers within the same business.
In case of movement across Businesses, GDCs shall surrender SSO Id before
requesting for new SSO id. GDCs shall follow-up with sponsor to ensure deletion
of Id
Assets linked to the SSO Id (e.g. VPN tokens, software licenses) shall be
surrendered to the respective business immediately when the Id is deleted or the
sponsorship is changed
Requests for revoking access / deleting Ids shall be raised within a maximum
threshold period of 1 business day of the resource moving out of the engagement.
The GDC shall follow up to ensure the SSO Id is deleted within a maximum
threshold period of 5 business days of the resource moving out.
In exception cases, where the SSO Id has to be retained for an extended period,
explicit communication and approval from the sponsor is required. Retention of
access to applications / restricted sites that are no longer supported by the
resource or not relevant to current engagements would be seen as a violation of
SSO Id USE
Extension/Renewal of SSO Id shall be explicitly requested for based on the project need
and evidence of the same shall be maintained
SSO Ids shall not be shared between resources (irrespective of the reason or duration of
share) and where such group SSO Ids exist, GDCs shall escalate the same to the Business
VMO and GE GDC Program Office for resolution
GDC shall reconcile their SSO ID inventory with GE on a weekly basis, to ensure inventory
is accurate and correct. GDC shall take measures to correct any discrepancies found in
reconciliation.
GDC shall have well defined practices and procedures to manage exception cases; clear
documentation of these exceptions and approvals obtained from GE GDC Program Office
shall be maintained
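As an added illustration of the SIG 2.0 weekly reconciliation and the 1 / 5 business-day off-boarding thresholds (example code written for this page, not GE tooling or a GE-published script; the record layout, the field names and the sample rows are constructed assumptions, and public holidays are ignored):

```python
"""Weekly SSO Id inventory reconciliation and off-boarding SLA check.

Example code added to illustrate the SIG 2.0 controls; it is not part of
the GE GDC handbook and not GE tooling. The record layout, the field
names and the sample rows below are constructed for the example.
Field names mirror the inventory fields listed in SIG 2.0.
"""
from datetime import date, timedelta

# Thresholds from SIG 2.0: revoke/delete request within 1 business day of the
# resource moving out; deletion confirmed within 5 business days.
REVOKE_REQUEST_SLA_DAYS = 1
DELETION_SLA_DAYS = 5


def add_business_days(start: date, n: int) -> date:
    """Date n business days (Mon-Fri) after start. Holidays are ignored (assumption)."""
    current, added = start, 0
    while added < n:
        current += timedelta(days=1)
        if current.weekday() < 5:
            added += 1
    return current


def reconcile(gdc_inventory, ge_export):
    """Compare the GDC inventory with GE's export of the same Ids.

    Both inputs are lists of dicts with at least 'sso_id', 'sponsor' and
    'status'. Returns the three discrepancy classes the weekly reconciliation
    has to correct: Ids the GDC believes are active but GE does not know,
    Ids GE attributes to the GDC that the GDC does not track, and Ids whose
    sponsor differs between the two sides.
    """
    gdc = {row["sso_id"]: row for row in gdc_inventory}
    ge = {row["sso_id"]: row for row in ge_export}
    return {
        "missing_at_ge": sorted(i for i, r in gdc.items()
                                if r["status"] == "active" and i not in ge),
        "unknown_to_gdc": sorted(i for i in ge if i not in gdc),
        "sponsor_mismatch": sorted(i for i in gdc.keys() & ge.keys()
                                   if gdc[i]["sponsor"] != ge[i]["sponsor"]),
    }


def overdue_offboardings(gdc_inventory, today: date):
    """Flag off-boarded resources whose revoke request or deletion missed SIG 2.0 thresholds.

    'exit_date' is the day the resource moved out of the engagement,
    'revoke_requested' the day the GDC raised the revoke/delete request
    (None if not yet raised), 'retention_approved' a sponsor-approved
    exception (SIG 2.0) that suspends the deletion check.
    """
    findings = []
    for row in gdc_inventory:
        exit_date = row.get("exit_date")
        if exit_date is None:
            continue  # still on the engagement, nothing to check
        request_due = add_business_days(exit_date, REVOKE_REQUEST_SLA_DAYS)
        deletion_due = add_business_days(exit_date, DELETION_SLA_DAYS)
        requested = row.get("revoke_requested")
        if requested is None:
            if today > request_due:
                findings.append((row["sso_id"], "revoke request not raised"))
        elif requested > request_due:
            findings.append((row["sso_id"], "revoke request late"))
        if (row["status"] != "deleted" and today > deletion_due
                and not row.get("retention_approved", False)):
            findings.append((row["sso_id"], "deletion overdue"))
    return findings


# Constructed sample data (synthetic Ids and sponsors, not real accounts).
TODAY = date(2010, 5, 14)
GDC_INVENTORY = [
    {"sso_id": "000000101", "sponsor": "000000201", "status": "active"},
    {"sso_id": "000000102", "sponsor": "000000201", "status": "active",
     "exit_date": date(2010, 5, 3), "revoke_requested": date(2010, 5, 4)},
    {"sso_id": "000000103", "sponsor": "000000202", "status": "active",
     "exit_date": date(2010, 5, 12), "revoke_requested": None},
    {"sso_id": "000000104", "sponsor": "000000203", "status": "deleted",
     "exit_date": date(2010, 4, 20), "revoke_requested": date(2010, 4, 21)},
    {"sso_id": "000000105", "sponsor": "000000201", "status": "active"},
]
GE_EXPORT = [
    {"sso_id": "000000101", "sponsor": "000000201", "status": "active"},
    {"sso_id": "000000102", "sponsor": "000000201", "status": "active"},
    {"sso_id": "000000103", "sponsor": "000000209", "status": "active"},
    {"sso_id": "000000106", "sponsor": "000000204", "status": "active"},
]

if __name__ == "__main__":
    for kind, ids in reconcile(GDC_INVENTORY, GE_EXPORT).items():
        print(f"{kind}: {ids or '-'}")
    for sso_id, issue in overdue_offboardings(GDC_INVENTORY, TODAY):
        print(f"{sso_id}: {issue}")
```

On the sample rows the reconciliation reports one Id the GDC still carries as active that GE no longer knows, one Id GE attributes to the GDC that the GDC does not track, and one sponsor mismatch; the threshold check flags the resource whose Id is still present 5 business days after exit and the one for which no revoke request was raised within 1 business day. Each finding is exactly the kind of discrepancy or late request that the audit evidence in this Practice has to show was corrected.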
Minimum Audit Requirements
Evidence of SSO Id Creation requests to Business shall be maintained
Evidence of transfer, deletion requests to businesses shall be maintained
Evidence of approvals for exception cases of Multiple SSO Ids for an individual or extension of
SSO Id use after off-boarding on an engagement and other such exception scenarios, shall
be maintained
Evidence of reconciliation of SSO ID inventory with GE on a weekly basis.
SSO id Inventory and archives shall be auditable
MSA Linkage
Not Applicable
Related Practices
Background Check Management, GDC On-boarding/Off-boarding, Sub-Contractor
Management, Assets Governance, Project/Engagement Termination/Closure
eGDC Suite Linkage
Contingent Worker Data *
Exception Reporting on SSO Id*
Online Resources
Following additional guidelines found at GE GDC Knowledge Center
http://supportcentral.ge.com/81973 Policies & Procedures Compliance & Security
HR/Staff Related Additional Guidelines
GE GDC Program Office Sponsorship Guidelines for SSO Ids
Business-specific submissions for SSO id Creation
4.5 Sub-contractor Management (ELEMENTARY)
POLICY
USE of Sub-contractors in GE GDC shall be by exception only and cannot exceed a
threshold of 1% FTE. Sub-contracting shall not be permitted as a rule.
The purpose of this Practice is to ensure that GDC use of sub-contractors or sub-contracting (in
services to GE), even when carried out on an exception basis, is managed, controlled and monitored
to minimize risks to GE and GDC.
GOALS
Minimize use of Sub-Contractors to < 1% of GDC FTE on GE Services
Proactive management of risks associated with Sub-Contractor USE/sub-contracting so
as to minimize or neutralize the same
RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate
procedures and controls are implemented to meet the goals of this Practice. The specific
responsibilities are
SCM1.0 Manage Contractual Agreement with Sub-Contractor/Sub-Contracting Organization
SCM2.0 Manage Sub-Contractor USE
SCM3.0 Manage Sub-Contracting
As a stakeholder of this Practice, GE Businesses are responsible for ensuring that any request
for USE of sub-contractors/sub-contracting is verified and validated against a business need and
that the risks to GE/GDC are understood before any such USE is approved. The specific
responsibilities of GE are
SCM4.0 Approve every instance of USE of Sub-contractor/Sub-Contracting by reviewing the
business need, risk assessment and measures taken to minimize risks in compliance with GE
stated requirements
SCM5.0 Support periodic risk assessment and mitigation
OPERATING GUIDELINES
SCM1.0 Manage Contractual Agreement with Sub-Contractor/Sub-Contracting
Organization
Sub-Contract companies shall be selected based on formal due diligence/assessments
that are conducted as per the established process of the GDC Organization
GDC Organization shall have contractual agreements in place with Sub-Contractor
companies
Contracts shall incorporate the sub-contract company's responsibilities with respect to
protecting the GDC Organization's and its Clients' information and assets
Contracts shall also incorporate appropriate clauses that enable GDC Organization to
audit Sub-Contract company for compliance to the Contractual requirements
Periodic assessments/re-evaluation (defined based on the criticality of the services
offered by the Sub-Contract company) of Sub-Contract companies shall be undertaken
as per the established process of the GDC Organization. Such assessments include work
performance, competency and capability assessment and organization performance
SCM2.0 Manage Sub-Contractor USE
Sub-contractors (for use on GE GDC services) shall be selected from Companies that have
a formal contractual relationship with the GDC Organization
Every instance of use of sub-contractors by GDC towards service to GE shall be approved
by appropriate GE Leaders, prior to on boarding of the individual sub-contractor resource
to GE GDC; request for approval shall indicate the business case for use of sub-
contractors along with risk assessment (if any)
GE Business VMO Leaders shall be the approving authority for sub-contractor use
on GE Business engagements
GE GDC Program Office shall be responsible for approving all other cases of sub-
contractor use
GDC shall obtain explicit approval from appropriate GE Leaders for every instance of
extension of use beyond the originally approved period
A change of project/location of use shall warrant a fresh approval
Sub-contractors shall comply with all the compliance and security requirements
applicable to GDC employees, irrespective of their location of work
Placement of sub-contractors at GE Site shall be in compliance with the requirements on
GE Site Contractor Resource Management
Sub-contractor USE on GE GDC shall not exceed 1% of GDC FTE, unless otherwise
explicitly approved by GE GDC Program Office
GDCs shall practice Strategic forecasting of sub-contractor use (inclusive of sub-
contractor use at third party locations). As a part of such forecasting practice, GDCs shall
set their thresholds and define the use scenarios. If the GDC defined threshold exceeds
the default 1% limit, GDC shall proactively seek approval from GE GDC Program Office by
submitting formal business case and risk assessment.
GDC shall monitor and manage their sub-contractor use within their default/pre-
approved thresholds
SCM 3.0 Manage Sub-Contracting
GDC shall ensure that resources working out of any sub-contracting sites (be it sub-
contractor resources or GDC employees) adhere to all the compliance and security
requirements, as per the GDC MSA with GE; use of such resources shall be monitored and
managed as per the guidelines above
Use of third party locations for delivering services to GE shall not be permitted as a rule.
Exceptions to this rule shall be submitted to the GE GDC Program Office for
approval
One-off USE for specific project scenarios shall be approved by GE Business VMO
Leader & GE GDC Program Office based on a business case and risk assessment
Strategic Use of third party locations for servicing GE shall be forecasted by GDC
using business case, risk assessment and approval obtained from GE GDC
Program Office. Depending on the nature of USE, the site may require to be
certified for USE as per the GE GDC Site Optimization process guidelines
Every instance of such use of third party locations shall be explicitly specified in response
to proposals (even if location is certified)
MINIMUM AUDIT REQUIREMENTS
Evidence of first-time selection and periodic performance assessment of Agency and
individual sub-contractor resources
Contracts with Sub-contractor agencies and sub-contracting companies are auditable
GE GDC Resource database is auditable
Evidence of adherence to sub-contractor on-boarding & USE requirements
Evidence of adherence to sub-contracting (to third-party locations) requirements shall be
maintained; this includes audit evidence of sub-contracting sites
MSA Linkage
Sections 5.1 to 5.4
Related Practices
SSO Id Governance, GDC On-boarding, GE Site Contractor Management, Background
Check, Work Visa Management, Non-Solicitation, Working for Competitors, Site Management
eGDC Suite Linkage
Sub-contractor Management module
Online Resources
Not Applicable
4.6 GE Site Contractor Management (ELEMENTARY)
POLICY
GDC Resources on non-PSA engagements shall not remain deployed at a GE Site or
across GE Sites for more than twelve months in total (without a cool-off period of a
minimum of 6 months).
The purpose of this Practice is to ensure that GDC deployment of resources at GE Sites is done in
a controlled manner, keeping in perspective the compliance risks and the business needs.
GOALS
0 instances of GDC Resources (employees/sub-contractors) remaining deployed at one or
more GE Sites for more than twelve months in total (without a cool-off period of a
minimum of 6 months) under engagements other than PSA
RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate
procedures and controls are implemented to meet the goals of this Practice. The specific
responsibilities are
GCM1.0 Collaborate with Business to manage Project Classification
GCM2.0 Manage Deployment & USE of GE Site Contractor resources
GCM3.0 Collaborate with Business to mitigate GE Site Contractor risks
As a co-owner of this Practice, GE Businesses are responsible for ensuring that the risks of
continued use of a contractor resource at GE Sites are understood and mitigated. The specific
responsibilities of GE are
GCM4.0 Ensure Projects are clearly classified as PSA or non-PSA
GCM5.0 Support periodic risk assessment and mitigation
OPERATING GUIDELINES
GCM1.0 Collaborate with Business to manage Project Classification
Every engagement shall be clearly classified as being a PSA or non-PSA.
GDC shall have an established process to identify PSA from a non PSA
Where the classification has not been explicitly defined by the Business as a part
of the SOW or PO, the GDC shall assess the engagement based on their
established process and obtain formal approval from the Business VMO Leader
for the classification
GCM 2.0 Manage Deployment & USE of GE Site Contractor resources
A GDC resource (inclusive of sub-contractor) shall be deployed at GE Site on non-PSA
engagements for a maximum period of 12 months of Total Duration
Total Duration is the cumulative period spent by the GDC resource at one or
more GE Sites on non-PSA engagements with one or more Businesses
(irrespective of Country or Manager)
Total Duration for a GDC resource, increases for every deployment period
(however small), on a non-PSA engagement to a GE Site
Total Duration is reset to 0 when a resource has a minimum period of
continuous 6 months of break, away from a GE Site (either through movement to
a GDC Site or away from GE GDC)
GDCs shall track allocation of all resources to GE Sites, irrespective of their allocation to a
PSA or non-PSA engagement
GDC shall ensure that resources deployed to GE Site (irrespective of whether they work on
PSA or non-PSA) are aware of the guidelines associated with working from a Customer
Location and the organizational responsibility associated with working at a Customer
Location
GDC Organization shall continue to maintain managerial control over the
resources and sub-contractors it deploys at any GE site
GDC Organization shall continue to be responsible for the resources' awareness
of the Governance requirements and their compliance with the same
For every instance of a GDC resource being deployed to a GE Site, the GDC shall assess
the nature of project (PSA/non-PSA) and for every non-PSA deployment assess potential
risk, plan mitigation and communicate the same to GE in a proactive manner
In cases where transitions are required, GDC Resource Managers shall plan in
advance for such transition of resources/sub-contractors and shall collaborate
with Business stakeholders to effect the transition in a smooth manner
GCM3.0 Collaborate with Business to mitigate GE Site Contractor risks
GDCs shall implement proactive planning and monitoring mechanisms to identify
potential risks
GDCs shall proactively collaborate with Business VMO Leaders to communicate and
mitigate/minimize the risk of overstays on a non-PSA engagement, and of practices that
increase risk on a non-PSA engagement or on a PSA engagement operating in a non-PSA mode
All such risks shall be proactively and formally communicated to Business VMO
Leaders
Extensions up to a maximum period of 18 months of Total Duration may be
permitted in exception cases on approval from the Global CIO/Global VMO Leader
for the Business
Any exceptions that may require a Business to continue with the resource or a
practice even with the inherent risks, shall be approved by the Global CIO/Global
VMO Leader
Minimum Audit Requirements
Evidence of Contracts with PSA/non-PSA classification (or) Business approved GDC
assessment of Classification
Evidence of the classification process being followed consistently
Evidence of assessment of Total Duration, risks on a continuous basis and proactive
communication to GE Businesses of risks, mitigation plans
Evidence of transitions being implemented in collaboration with Businesses
Evidence of adherence to sub-contractor on-boarding & USE requirements
MSA Linkage
Sections 3.12, 5.1
Related Practices
SSO Id Governance, GDC On-boarding, Sub Contractor Management, Background Check,
Work Visa Management, Non-Solicitation, Working for Competitors
eGDC Suite Linkage
eMeasure Project reporting as PSA/non-PSA
GE Site Contractor Management module
Online Resources
Following additional guidelines found at GE GDC Knowledge Center
http://supportcentral.ge.com/81973 Policies & Procedures Compliance & Security
HR/Staff Related Additional Guidelines
Non-PSA Guidelines
4.7 Work VISA Management (ELEMENTARY)
POLICY
The right type of work VISA, in accordance with the nature of work, shall be obtained
and managed for GDC resources/sub-contractors servicing GE in a foreign country.
The purpose of this Practice is to ensure that GDCs adhere to the work VISA requirements of the
foreign country and maintain VISA regulatory compliance when servicing GE in a foreign country,
irrespective of the role of the GDC resources/sub-contractors.
GOALS
0 instances of violation of the work VISA requirements of a foreign country by GDC Resources
(employees/sub-contractors) servicing GE in that country
0 instances of GDC Resources (employees/sub-contractors) using a Business VISA or any
other non-work VISA for purposes of work towards servicing GE
0 instances of GDC Resources (employees/sub-contractors) staying in the foreign country
beyond the expiry date of the VISA
0 instances of impact on Project Delivery due to VISA expiry
RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate
procedures and controls are implemented to meet the goals of this Practice. The specific
responsibilities are
WVM 1.0 Maintain integrity in obtaining the correct VISA type
WVM 2.0 Manage the work VISA processing, renewal & expiry process
As a co-owner of this Practice, GE Businesses are responsible for ensuring that the risks of
violation of work VISA regulations are understood. The specific responsibilities of GE are
WVM 3.0 Ensure a clear scope of work is provided to the GDC for VISA processing
WVM 4.0 Ensure any change in scope of work is communicated to the GDC immediately
OPERATING GUIDELINES
WVM 1.0 Maintain integrity in obtaining correct VISA type
For every instance of GDC Resources (employees/sub-contractors) being deployed in a
foreign country for GE work, the GDC shall assess the nature of work and obtain the
appropriate work VISA as required by the VISA regulations of the foreign country
Business VISA shall not be used for purposes of any billable work towards servicing GE,
unless otherwise explicitly communicated by GDC Program office. They shall only be used
for the purpose of business meetings
For GDC Resources (employees/sub-contractors) already deployed on a work VISA, in the
event that the scope of work changes, GDC organization is required to validate VISA
requirements accordingly and take necessary steps
GE sponsorship for VISA processing shall not be sought. However, invite letters may be
issued on request - only for Port of Entry once travel itinerary is finalized
GDC shall not share the GDC MSA/Business SOW with Consulates or other third
parties for VISA processing purposes. Where additional documentation is required
by the GDC for this purpose, the GDC shall request it from the GE GDC Program Office
through an approval process.
WVM 2.0 Manage work VISA processing, renewal & expiry process
GDC shall track VISA type & validity status of all GDC Resources (employees/sub-
contractors) deployed in a foreign country for GE work
No GDC Resource (employee/sub-contractor) is permitted to stay beyond expiry date of
VISA
Procuring of relevant work VISA for GDC Resources (employees/sub-contractors) shall be
done in advance to avoid delays in deployment
In the event of foreseen VISA expiry, GDC Resource Managers shall plan in advance for
transition of GDC Resources (employees/sub-contractors) deployed. This shall be shared
with the GE Business with adequate notice in case resource needs to move out before the
completion of engagement
GDC shall proactively collaborate with Business VMO Leaders to communicate and
mitigate/minimize risk of any work VISA requirement violations
All such risks shall be proactively and formally communicated to Business VMO
Leaders
Minimum Audit Requirements
Evidence of VISA expiry monitoring and proactive communication to GE Managers
MSA Linkage
Sections 3.2, 5.12
Related Practices
GE Site Contractor Management, GDC On-Boarding/Off-Boarding
eGDC Suite Linkage
Contingent Worker Data*
Risk Register
Online Resources
Not Applicable
4.8 Resource Retention Management (ELEMENTARY)
POLICY
GDC shall maintain retention of GDC Organization resources at the GE GDC level at
a minimum of 85%, while ensuring 0 misses on delivery/quality of deliverables due to
resource transitions/movements.
The purpose of this Practice is to establish and maintain appropriate processes and controls in
the GDC Organization to minimize risk and impact on GE engagements due to planned or
unplanned attrition of GDC resources.
GOALS
Minimum 85% retention of GE GDC resources at the GE GDC level
0 instances of impact at a Project/Engagement level
100% adherence to retention targets at the project level and business level
RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate
procedures and controls are implemented to meet the goals of this Practice. The specific
responsibilities are
RRN 1.0 Monitor and manage retention levels at Project, Business & GE GDC level
As a stakeholder of this Practice, a GE Business is responsible for setting expectations (if any) on
project-specific retention requirements and collaborating with the GDC Organization to execute
transitions
RRN 2.0 Define Project/Engagement specific Retention Levels (in case of critical
engagements)
RRN 3.0 Collaborate with GDC Organization to execute transition plans
OPERATING GUIDELINES
RRN 1.0 Monitor and manage retention levels
GDC shall monitor and track retention at resource level for all resources on GE
Engagements to ensure that no service/delivery to GE is impacted due to attrition
Resource Register shall maintain retention status for every resource
GDC shall manage attrition to minimize risk of impact to service / delivery / quality
Scope of reporting to GE shall be specifically on T&M engagements and critical Resources
on Fixed Bid
For the purpose of reporting to GE, Retention shall be calculated as
Retention (%) = (1 - Unplanned Attrition / Total Workers in scope) * 100, where
Planned movement of resources (irrespective of exit/internal movements) shall be
communicated proactively to GE Managers and acknowledgement of transition
and date of release obtained
Exits and internal movements within GDC Organization or to parent organization
that are not communicated to GE/acknowledged by GE Manager shall be treated
as Unplanned Attrition
Deviations in planned movements that impact GE Engagement shall be treated as
Unplanned Attrition, unless otherwise approved by GE Manager to be a Planned
Attrition
GDC shall ensure that the Retention is calculated at GDC Program Level using the above
formula
GDC shall ensure that the retention at GDC program level is maintained at a minimum of
85% (as calculated using the above formula)
In the event of a particular Statement of Work explicitly specifying a retention
percentage, the same shall be met at that project level
In the event of business specified retention percentage as a part of a MTO or an
equivalent document, the same shall be met at a business level
Minimum Audit Requirements
Evidence of retention status tracking in Resource Register
Evidence of acknowledgement from GE Manager on Planned Attritions
Evidence of approval from GE Manager on Deviations in Planned Attritions
MSA linkage
Sections 2.4, 3.10
Related Practices
GDC On-Boarding/Off-Boarding, Engagement Termination/Closure Management,
Business Continuity Management
eGDC Suite Linkage
Contingent Worker Data *
Retention Reporting*
Online Resources
Not Applicable
5.0 Physical Security & Safety
Physical Security & Safety is an important aspect of secure GDC operations and is considered as
a first line of defense and a non-negotiable process area of the governance program. There are
many aspects and elements to implementing and maintaining physical security & safety. This
section outlines the minimum physical security & safety needs of GDC
FIGURE 9 Physical Security & Safety Practices and Linkages
5.1 Environment, Health & Safety (ELEMENTARY)
POLICY
GDC facilities used for servicing GE shall adhere to requirements that ensure
Employee Health and Safety (EHS). GDC facilities that do not conform to EHS
requirements shall not be permitted to continue operations.
The purpose of this Practice is to enforce compliance with local infrastructure
norms/regulations and GE stated Employee Health and Safety (EHS) requirements.
GOALS
100% adherence to GE stated minimum Employee Health and Safety (EHS)
requirements for all GDC facilities. Where the local infrastructure norm/regulation
is superior to the GE standard, the local standard shall apply.
RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate
procedures and controls are implemented to meet the goals of this Practice. The specific
responsibilities are
EHS 1.0 Establish and maintain compliance with EHS requirements for all GDC facilities
(new/existing)
EHS 2.0 Local infrastructure norms/regulations are periodically reviewed by the GDC C&S leader
to ensure conformance
As a stakeholder, GE shall be responsible for reporting any potential risks or deviations from
EHS requirements at a GDC Site that GE observes or hears of
EHS 3.0 Report Risk/Incident in case of any observation/information of non-compliance
OPERATING GUIDELINES
OPERATING GUIDELINES
EHS 1.0 Establish & maintain compliance for all GDC facilities
GDC facilities shall adhere to whichever is stricter: the local infrastructure norms/regulations or the GE-stated minimum standards for facilities.
GDC shall ensure that the flooring in the site is evenly laid out.
Where the floor level varies, GDC shall ensure that the variation is marked so that it remains visible even in the dark.
GDC shall ensure that workstations are designed so that the work area available to every resource is at a minimum 6 feet by 5 feet (common areas shall not be included in this calculation).
GDC shall ensure that pathways (main and secondary) and stairways (main and emergency) are at least 5 feet wide.
GDC shall ensure that no obstructive objects or artifacts are placed in pathways or staircases, so that GDC resources can move safely through the site.
GDC shall ensure that all electrical fittings, false ceilings and other equipment or devices are fitted securely.
GDC shall ensure that walls, doors, filing cabinets and other units in the GDC site do not have sharp corners or surfaces that could injure a resource.
GDC shall ensure that staircases (main and emergency) are not steep or slippery, to prevent injuries during evacuation.
GDC shall ensure that staircase (main and emergency) landing areas are evenly floored, clearly marked and anti-skid.
GDC shall ensure that staircase (main and emergency) railings are tested for safety and stability.
GDC shall ensure that staircases (main and emergency) are brightly lit.
GDC shall ensure that electrical wiring is secured and that there is no loose wiring.
GDC shall ensure that an appropriate number of smoke detectors and water sprinklers are installed across the GDC site.
GDC shall ensure that adequate fire extinguishers are placed on each floor so that they are easily accessible and within reach (at a minimum one for every 2,500 square feet of occupied floor area), and shall provide signage that clearly indicates the presence of each fire extinguisher.
GDC shall ensure that fire extinguishers are not placed in locations that may cause injury to resources during evacuation.
GDC shall maintain a safe assembly area (sized in proportion to the number of personnel) at a distance of approximately 100 meters from the main building. Any variation in the distance of the safe area shall be determined by local standards, adjusted for the height of the building.
GDC shall ensure that the fuel storage area is adequately far from the main building.
GDC shall ensure that the vehicle parking area is designated so that access for fire engines and other emergency equipment is not obstructed.
GDC shall ensure that exit signs are visible from all employee seats, corridors and aisles in the facility. Exit signs shall be fluorescent and self-luminescent for a minimum of 4 to 6 hours.
Server rooms at GDC sites shall be protected by smoke detection systems and gas flooding systems. All ceiling, floor and wall openings shall be closed.
GDC shall ensure floor levelling, surface smoothness, safety of filing cabinets, safety of electrical wiring and secure fastening of electrical fittings, equipment and devices, to ensure the safety of resources operating in the server room.
Where GDC owns or operates a facility, GDC shall adhere to local regulations on air quality, waste disposal and water treatment.
GDC Organization shall orient and train its resources on Environment, Health and Safety standards. It is mandatory for all resources in the GDC Organization to be trained in safety standards.
GDC Organization shall hold a fire/emergency drill at least once in every rolling three-month period.
GDC Organization shall have a framework/process in place for its resources to raise concerns or suggestions on Health & Safety standards at the site.
GDC Organization shall plan preventive maintenance and periodic spot checks of safety standards and take immediate corrective measures where gaps are found.
Where local norms/regulations change so that they exceed the GE-stated minimum standards, GDC shall take immediate, appropriate steps to meet these requirements after seeking approval from the GE GDC Program Office.

Minimum Audit Requirements
Evidence of adherence to EHS norms in GDC sites
Evidence of safety training to all GDC resources
Evidence of preventive maintenance and spot checks being conducted at sites
Evidence of safety risk assessment being performed and actions being taken
MSA Linkage
Sections 5.13
Related Practices
Physical Security, GDC Site Management
eGDC Suite Linkage
GDC Site Management
Adhoc Approvals
Online Resources
Not Applicable


5.2 Physical Security (ELEMENTARY)

POLICY
Any third-party area with access to the GE network, or from which work for GE is executed or delivered, shall be restricted to GDC personnel authorized for access.
The purpose of this Practice is to ensure that appropriate controls are established and practised in GDC sites to safeguard GE/GDC information and assets that may be accessible from GDC sites.

GOALS
100% adherence to physical security norms
0 incidents of GE data access by unauthorized personnel at GDC sites
0 incidents associated with physical security

RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the policy and goals of this Practice. The specific responsibilities are:
PS 1.0 Manage GDC resource security
PS 2.0 Manage access control & security at the GDC facility
PS 3.0 Manage visitor security
PS 4.0 Manage computer room security
PS 5.0 Manage security of restricted areas
As a stakeholder, GE is responsible for bringing to notice any risks or non-compliances in physical security at GDC sites.
PS 6.0 Report risks and incidents associated with the physical security practice at GDC sites


OPERATING GUIDELINES
PS 1.0 Manage GDC resource security
Badges shall be worn by all GDC resources and required personnel unless local laws or regulations do not permit it.
Badges shall clearly distinguish GE GDC resources from other resources.
Badges shall also distinguish GDC employees from their sub-contractors.
Access to the GE GDC area shall be restricted to GDC personnel who have cleared the BGC and acknowledged the AUG and SIA.
GDC shall have a formal process to detect and prevent any data or asset being taken out of the GDC area.
An access termination procedure shall be in place. Employment termination, exit from the GE GDC or a change in GDC location shall result in access termination (immediately for administrator access).
GDC shall have a formal process for handling the access of resources who are away from the site on leave for more than 21 days.
PS 2.0 Manage access control & security at the GDC facility
Electronic access control shall protect entry to and exit from the GDC area.
Software-based access control systems shall be secured, have proper backups and be highly available.
Identification badge systems shall generate a log entry for each entry. All door openings shall generate a log entry.
Every time the identification badge reader is used, it shall log the date, time, room location, badge number and employee ID.
More sophisticated access control mechanisms may be deployed by GDC in consultation with the GE GDC Program Office.
Entry and exit logging shall be done for all entry and exit points at the GDC site.
Logs shall be maintained in archive for at least one year, with the past 30 days easily accessible.
All entry points shall be staffed 24x7. Entry point security cameras shall be installed and monitored by the central security desk, with recordings retained for at least one month accessible online/digitally and archived for up to one year.
Any exit point that does not have an alarmed door shall have security cameras installed and monitored by the central security desk, with recordings retained for at least one month accessible online/digitally and archived for up to one year.
Any restricted area within the GDC site shall have security cameras installed and monitored by the central security desk, with recordings retained for at least one month accessible online/digitally and archived for up to one year.
At every entry point of every GE GDC location, a notice shall be displayed informing GDC resources and visitors that the site is under electronic surveillance.
Tailgating shall be prohibited and communicated as a violation of policy. A notice communicating this shall be displayed at all entry and exit points.
GDC shall deploy tailgating prevention systems at the sites.
Guidelines for assets that may be carried into the GE GDC area shall be displayed at the entry point to the GE GDC. The list of prohibited assets shall be displayed at all entry points.
GDC shall have a formal mechanism for identifying assets authorized for use inside the GE GDC area, and shall verify both the asset and its use authorization at entry on a regular basis.
GDC shall have a formal verification mechanism, at entry points and at workstations, to detect the use of unauthorized assets.
Secure printing (using an access code) shall be implemented on all print stations within the GE GDC site.
GDC shall monitor and maintain logs of all prints taken within the GE GDC site. Such logs shall be maintained for a period of 12 months.
A clear desk and clear screen policy shall be followed at all times.
GE confidential and restricted documents shall be locked away when not in use and destroyed with a shredder when no longer needed.
GDC shall not permit photography within the GDC site.
GDC shall undertake periodic checks and preventive maintenance to ensure that security gaps are identified and corrective actions taken.

PS 3.0 Manage visitor security
Approval for any external visit shall be obtained from GE's GDC Program Office, and a visit report shall be filed with GE's GDC Program Office.
Visitors (internal or external) to a GE GDC site shall be escorted by authorized GDC resources only.
If continued access (beyond 1 week) to the GDC site is required for internal visitors, a BGC shall be done and the access permission shall be time-bound.
If continued access (beyond 1 week) to the GDC site is required for GE employees who are co-located with the GDC and require physical access, GE Business VMO Leader approval and HR acknowledgement that the BGC is cleared shall be obtained.
GDC shall have a formal process to distinguish visitors with long-term access from those with short-term access.
GDC shall have a formal process to detect and prevent any physical or electronic device/data being taken out of the GDC area.
GDC shall have a formal visitor badging process. Visitor logbooks shall be maintained and shall include a clear record of the visitor's name, organization, purpose, person to meet, date of visit, arrival and departure time, assets carried, details of the GDC escort, and the signatures of the visitor and the escort.
GDC may choose to implement visitor identity access card systems.
The visitor log shall be maintained for audit purposes for a minimum period of 12 months.
PS 4.0 Manage computer room security
The computer room shall be isolated. GE GDC computer rooms cannot be shared with the parent organization's server rooms.
Where project-specific servers are maintained in the GE GDC computer room, GDCs are expected to implement additional controls and training for the personnel requiring access to these servers, to maintain the compliance levels.
Computer room doors shall be secured to prevent access into the room unless otherwise authorized by the GDC Security Leader.
Computer room access shall use two-factor authentication, which can include badge/PIN, biometric/PIN, biometric/badge, etc. A physical key is not a form of authentication.
Each computer room door shall have signs on both sides indicating that it is to be kept closed and locked, with a contact to notify if it is found unsecured. Server rooms shall have solid walls on all sides with no glass window panes or doors.
The server room shall have only one door, with the signage "RESTRICTED ACCESS TO AUTHORIZED USERS ONLY".
The server room door shall have an automatic closing mechanism with the timing adjusted to close immediately. GDC shall ensure installation and configuration of an alarm to alert users if the server room door is open for more than 20 seconds.
The server room shall be fitted with adequate cameras (2 at a minimum) for surveillance, so that there are no blind spots. These shall be monitored by the central security desk, with recordings retained for at least one month accessible online/digitally and archived for up to one year.
GDC shall ensure that server room racks are locked with unique keys.
GDC shall ensure that a fireproof safe is available in the server room to store backups and other important media/information.
GDC shall ensure that only named people (a limited number) are given access to the server room and that an access log is maintained for all entries and exits. The logs shall be available for a minimum period of 12 months.
Where GE data servers (even if used for test purposes) are maintained in the GE GDC computer room, additional access controls shall be implemented at the server room, and such servers shall be maintained on separate racks with exclusive access controls.
Where the server room supports data servers pertaining to export control work or GE IP work, such servers shall be maintained in separate racks with access restricted to named people who are authorized for such access.
Anyone having badge access to a computer room shall not give or lend their badge to another person to gain access to a computer room.
The air conditioning system supplying the server room shall have dust filtration in place and should raise an alarm if air quality degrades or contamination increases.
Server room temperature shall be controlled and set to a level within the manufacturer's suggested operating temperatures. It is suggested that temperature be controlled in the region of 20 to 22 °C, with a ±1 °C tolerance for alarm notification.
Server room humidity shall be controlled and set to a level within the manufacturer's suggested operating levels. It is suggested that humidity be controlled in the region of 50% RH (relative humidity), with a ±5% RH tolerance for alarm notification.
Temperature and humidity sensors shall be monitored in the 24x7 manned centralized security control room.
GDC shall have a formal process for approval and revocation of access to the server room. The process shall, at a minimum, capture for every authorized user the badge holder's name, badge number, computer room location, reason for access and validity period (start date and end date), along with the authorizer's details and the actual termination date.
Badge access must only be given to individuals who require long-term access (those who are responsible for continuous administration or maintenance of the equipment located in the room).
Visitor access and temporary access (for example, housekeeping staff) to the server room must be approved by the GDC Security Leader in advance, and such access shall be escorted.
Logs of access to the computer room shall be maintained for a minimum period of 1 year.
PS 5.0 Manage physical security at special restricted sites
GDC may have special restricted sites for export control work or engineering IP work, or as otherwise identified with the Program Office. In such cases, GDC shall ensure an additional level of physical security as per the guidelines below.
Each restricted area within a GDC site shall be separated by access control mechanisms. Two-factor authentication shall be implemented for access to restricted areas.
Restricted areas shall have only one entry/exit door and one emergency exit door, with the signage "RESTRICTED ACCESS TO AUTHORIZED USERS ONLY". Emergency exit doors shall not be used for regular entry or exit.
The emergency exit door shall be fitted with an alarm system that alerts when the door is opened.
The entry/exit door to the restricted area shall have an automatic closing mechanism with the timing adjusted to close immediately. GDC shall ensure installation and configuration of an alarm to alert users if this door is open for more than 20 seconds.
The restricted area shall be fitted with adequate cameras (2 at a minimum) for surveillance, so that there are no blind spots.
The entry/exit door and the emergency exit door shall have security cameras fitted, monitored by the central security desk, with recordings retained for at least one month accessible online/digitally and archived for up to one year.
GDC shall ensure that only named people (a limited number) with authorization from GE to access the restricted area are given access, and that an access log is maintained for all entries and exits. The logs shall be available for a minimum period of 12 months.
GDC shall have a formal process for approving access to restricted sites.
Internal or external visitors (including GE visitors) to restricted sites shall not be permitted unless authorized by the GE GDC Program Office.
GDC shall prohibit any physical or electronic device/data being taken into or out of the special restricted area (by employees or visitors) unless approved by the GE GDC Program Office. Logs of all assets permitted to be carried in or out shall be maintained for a minimum period of 12 months.
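The access-log rules in PS 2.0 and PS 4.0 above (every badge read logged with date, time, room, badge number and employee ID; every door opening logged; access only within an approved validity period and terminated on exit; badges never lent; a door-open alarm at 20 seconds) can be verified offline from the logs the GDC already retains. The following Python script is an added example, not part of this handbook and not GE's or any vendor's access control software; its log line format, register fields, room and badge identifiers, and the 10-second badge-to-door window are assumptions constructed for illustration.

```python
"""Audit badge-reader and door-sensor logs against the server-room access register.

Added example (not from the handbook or GE's access control system). Assumed log
format, one event per line, constructed for illustration:
    <ISO 8601 timestamp>,<BADGE_READ|DOOR_OPEN|DOOR_CLOSE>,<room>,<badge number>,<employee ID>
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

DOOR_OPEN_ALARM = timedelta(seconds=20)       # handbook: alarm if a door is open > 20 s
BADGE_TO_DOOR_WINDOW = timedelta(seconds=10)  # assumption: an opening later than this
                                              # after the last badge read is unbadged


@dataclass
class Grant:
    """One row of the access register (PS 4.0: badge, room, validity, termination)."""
    employee_id: str
    room: str
    valid_from: datetime
    valid_to: datetime
    terminated: Optional[datetime] = None  # actual access termination date, if any


@dataclass
class Event:
    ts: datetime
    kind: str
    room: str
    badge: str
    employee: str


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format into time-ordered events."""
    events = []
    for line in text.strip().splitlines():
        ts, kind, room, badge, emp = (f.strip() for f in line.split(","))
        events.append(Event(datetime.fromisoformat(ts), kind, room, badge, emp))
    return sorted(events, key=lambda e: e.ts)


def audit(events: List[Event], register: Dict[str, Grant]) -> List[str]:
    """Return one finding per policy violation seen in the log, in time order."""
    findings: List[str] = []
    last_read: Dict[str, datetime] = {}  # room -> time of last accepted badge read
    opened_at: Dict[str, datetime] = {}  # room -> time the door was last opened
    for e in events:
        if e.kind == "BADGE_READ":
            g = register.get(e.badge)
            if g is None or g.room != e.room:
                findings.append(f"{e.ts} {e.room}: badge {e.badge} not authorised for this room")
            elif g.employee_id != e.employee:
                findings.append(f"{e.ts} {e.room}: badge {e.badge} presented by {e.employee}, "
                                f"registered to {g.employee_id} (possible loaned badge)")
            elif g.terminated is not None and e.ts >= g.terminated:
                findings.append(f"{e.ts} {e.room}: badge {e.badge} used after access termination")
            elif not (g.valid_from <= e.ts <= g.valid_to):
                findings.append(f"{e.ts} {e.room}: badge {e.badge} used outside validity period")
            else:
                last_read[e.room] = e.ts
        elif e.kind == "DOOR_OPEN":
            opened_at[e.room] = e.ts
            # Each accepted read covers exactly one opening; a second opening on the
            # same read (or none at all) is a tailgate, a held door or a forced entry.
            read = last_read.pop(e.room, None)
            if read is None or e.ts - read > BADGE_TO_DOOR_WINDOW:
                findings.append(f"{e.ts} {e.room}: door opened without a valid badge read")
        elif e.kind == "DOOR_CLOSE":
            start = opened_at.pop(e.room, None)
            if start is not None and e.ts - start > DOOR_OPEN_ALARM:
                held = int((e.ts - start).total_seconds())
                findings.append(f"{e.ts} {e.room}: door held open {held} s (alarm threshold 20 s)")
    for room, start in opened_at.items():
        findings.append(f"{start} {room}: door opened but never logged closed")
    return findings


# Constructed register: hypothetical badges, employee IDs and rooms.
REGISTER = {
    "B1042": Grant("E77801", "SRV-ROOM-1", datetime(2010, 5, 1), datetime(2010, 12, 31)),
    "B1043": Grant("E77802", "SRV-ROOM-1", datetime(2010, 5, 1), datetime(2010, 12, 31),
                   terminated=datetime(2010, 5, 3, 12, 0)),
    "B2001": Grant("E77900", "RESTRICTED-A", datetime(2010, 5, 1), datetime(2010, 5, 2)),
}

# Constructed log lines in the assumed format.
SAMPLE_LOG = """
2010-05-03T09:12:04,BADGE_READ,SRV-ROOM-1,B1042,E77801
2010-05-03T09:12:05,DOOR_OPEN,SRV-ROOM-1,,
2010-05-03T09:12:09,DOOR_CLOSE,SRV-ROOM-1,,
2010-05-03T09:40:00,DOOR_OPEN,SRV-ROOM-1,,
2010-05-03T09:40:06,DOOR_CLOSE,SRV-ROOM-1,,
2010-05-03T13:05:30,BADGE_READ,SRV-ROOM-1,B1043,E77802
2010-05-03T13:06:00,BADGE_READ,SRV-ROOM-1,B1042,E77999
2010-05-03T14:00:00,BADGE_READ,RESTRICTED-A,B2001,E77900
2010-05-03T15:00:00,BADGE_READ,SRV-ROOM-1,B1042,E77801
2010-05-03T15:00:02,DOOR_OPEN,SRV-ROOM-1,,
2010-05-03T15:00:40,DOOR_CLOSE,SRV-ROOM-1,,
"""

if __name__ == "__main__":
    for finding in audit(parse_log(SAMPLE_LOG), REGISTER):
        print(finding)
```

Run over the real badge-system export at audit time, the same checks produce the evidence the Minimum Audit Requirements ask for (access logs and adherence to server-room access assignment). The register fed to it should be the approval/revocation record that PS 4.0 requires, so that a read after the recorded termination date is reported rather than silently accepted.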

Minimum Audit Requirements
Evidence of GE approval on physical security reviews
Evidence of Visitor Logging, CCTV logs, access logs, print logs
Evidence of adherence to access assignment to Server room and Restricted areas
MSA Linkage
Sections 1, 4.8
Related Practices
EHS, Data Security
eGDC Suite Linkage
GDC Site Management
Adhoc Approvals
Online Resources
The following additional guidelines are available at the GE GDC Knowledge Center (http://supportcentral.ge.com/81973, under Policies & Procedures, Compliance & Security):
Physical Security Additional Guidelines
New Site Approval Process Guidelines
Guidelines for Restricted Site
EHS Guidelines

6.0 Delivery Management
Delivery Management is one of the basic focus areas of the Program Governance Maturity Model and comprises three Practices: Secure Software Delivery, Software/Service Quality Management, and Process & Productivity Management.
GDC shall follow industry standards such as ITIL, Six Sigma and ISO 27001 for Software/Service Quality Management (MATURE) and Process & Productivity Management (MATURE) when executing GE engagements.
6.1 Secure Software Delivery (ELEMENTARY)

POLICY
GDC shall deliver all software developed or maintained by the GE GDC (Applications) free of any known Critical, High and Medium application security vulnerabilities, as detailed in GE guidelines.
GE has the right to have the code reviewed for security flaws at any time during the engagement. GDC shall provide the necessary support to the review team by providing source code and access to test environments. Security reviews shall cover all aspects of the Applications delivered, including custom code, components, products and system configuration.
The purpose of this Practice is to establish the secure software development lifecycle practices used by GDC and to ensure that delivered code is free of known vulnerabilities.

GOALS
0 Critical/High/Medium vulnerabilities in code delivered to GE
100% of engagements involving software development, enhancement or change adhering to the GE secure software development/delivery requirements covered in this Practice

RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:
SSD 1.0 Use secure software development lifecycle practices in software development projects
SSD 2.0 Secure software delivery
SSD 3.0 Track & report secure software delivery metrics
As the recipient of the deliverables from the GDC, GE is responsible for ensuring that the GE teams receiving them are aware of the secure software delivery practices and enforce them with the GE GDC.
SSD 4.0 Establish ownership and performance targets on secure software delivery



OPERATING GUIDELINES
SSD 1.0 Use secure software development lifecycle practices in software development projects
Application security controls apply to all GE GDC engagements (development, enhancement, RTS and support).
For RTS or support engagements, the evaluation will not be at release level but will be required periodically (at a minimum bi-annually, or as indicated by the business), unless a release exceeds 40 person-hours.
The GDC organization's standard operating procedure should comply, at a minimum, with the GE Secure SDLC guidelines (or equivalent) for integrating application security checks into the SDLC process. Any deviation or exception from the GE Secure SDLC guidelines for any project shall be reviewed and agreed with the GE Application Security Leader.
Development (including enhancements) shall at least be done in accordance with the GE Best Practices for Secure Coding, and all developers shall be aware of this practice. Any deviation from the GE-specified secure coding practices shall be disclosed to the GE Application Security Leader and signed off prior to implementation.
Quantitative feedback on common vulnerabilities found, along with prevention and remediation measures, shall be shared with developers.
Each GDC shall have a lead representative and active participant on the GDC AppSec Working Group led by the GE GDC Application Security Leader. Participation and representation at the bi-weekly meetings is required.
Developers shall be trained on application security practices, and web developers should have access to, and be encouraged to complete, the available computer-based training (CBT1 & CBT2) and guidance materials at the Secure Software COE site. Completion of training shall be tracked by the GDC.
GDC shall at a minimum follow the GE Secure Architecture & Deployment Guidelines in design and provide documentation to GE that clearly explains how the design achieves each of the security requirements.
The GDC organization's internal application security team shall be responsible, at a minimum, for ensuring adherence to GE secure coding practices on all deliverables to GE. This team shall be responsible for finding and remediating security vulnerabilities, in addition to training developers in the use of the available guidance, education and tools to drive defect prevention.
GDC shall at a minimum promote the use of available GE tools such as GE Secure COR and GEEAS in all web application projects and track their usage.
GDC shall ensure that all applications are on-boarded as per the SSD v2 guidelines.
SSD 2.0 Secure software delivery
GDC shall execute the application security test against the security requirements and secure coding guidelines, and fix all High and Critical vulnerabilities found in the code before releasing code to GE.
GDC shall track the final internal application security assessment results and share them with the GE application team at the time of releasing code to GE.
GDC shall disclose the tools used in the software development environment to encourage secure coding, when requested by GE.
Security issues uncovered after application release will be reported to the GDC. The GDC shall remediate and retest all identified High and Critical vulnerabilities for any application it owns (as per the GDC application ownership process) or develops. All Medium, Low or Informational security issues discovered after delivery shall be handled in the same manner as other bugs and issues, as specified in the SOW. Any exception to the above should be fully documented by GDC upon delivery of the application(s).
GDC shall appropriately protect information regarding security issues and associated documentation, to limit the likelihood that vulnerabilities in operational software are exposed.
GDC shall follow the GDC Vulnerability Remediation Ownership process at the time of transition of a project or application from another vendor or GDC.
SSD 3.0 Track and report secure software delivery metrics
GDCs shall report the following:
% of GE applications that have had a security assessment performed by an internal application security team prior to delivery to GE, on a monthly basis
Internal security assessment results for all initial and subsequent releases
Root cause corrective actions for all High/Critical vulnerabilities found by the GE AppSec COE
% of developers trained on secure coding practices, on a quarterly basis
Quarterly report on vendor adherence to the requirements outlined in the Application Security Framework
GDC shall track all security issues uncovered during the application lifecycle under its engagement scope, whether a requirements, design, implementation, testing, deployment or operational issue. The risk associated with each security issue should be evaluated and documented, the issue fixed, and the result reported to GE as soon as possible after discovery.
Common vulnerabilities for all platforms the GDC works with should be documented, kept current and posted on a shared repository.
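SSD 2.0 and the Minimum Audit Requirements below amount to a release gate: code ships only when no High or Critical finding remains open, or when each remaining one is covered by a documented exception approved by the GE Business Security Leader, while Medium and lower findings go to the ordinary bug process. The Python script below is an added example of such a gate, not GE's AppSec tooling or the SSD v2 on-boarding process; the JSON formats of the assessment findings and the exception register, the finding identifiers, the approver title and the expiry rule on exceptions are assumptions constructed for illustration.

```python
"""Release gate for the SSD 2.0 rule: no open Critical/High finding may ship unless it
is covered by a documented, unexpired exception; Medium and below go to the normal bug
backlog. Added example, not GE's AppSec tooling; the findings and exception JSON formats
are assumptions constructed for illustration.
"""
import json
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List

BLOCKING_SEVERITIES = {"Critical", "High"}


@dataclass
class Finding:
    id: str
    severity: str
    status: str  # "open" or "fixed"
    title: str


@dataclass
class ExceptionRecord:
    """Hypothetical exception record; an approver and an expiry date are mandatory."""
    finding_id: str
    approver: str
    expires: date


@dataclass
class GateResult:
    release_allowed: bool
    blockers: List[str] = field(default_factory=list)  # open Critical/High, no valid exception
    accepted: List[str] = field(default_factory=list)  # open Critical/High covered by exception
    backlog: List[str] = field(default_factory=list)   # open Medium/Low/Info -> bug tracker
    reasons: Dict[str, str] = field(default_factory=dict)


def parse_findings(text: str) -> List[Finding]:
    return [Finding(f["id"], f["severity"], f["status"], f["title"]) for f in json.loads(text)]


def parse_exceptions(text: str) -> List[ExceptionRecord]:
    return [ExceptionRecord(x["finding_id"], x["approver"], date.fromisoformat(x["expires"]))
            for x in json.loads(text)]


def gate(findings: List[Finding], exceptions: List[ExceptionRecord], today: date) -> GateResult:
    """Decide whether the build may be released to GE as of `today`."""
    by_id = {x.finding_id: x for x in exceptions}
    result = GateResult(release_allowed=True)
    for f in findings:
        if f.status != "open":
            continue  # fixed findings still need retest evidence, but do not gate
        if f.severity not in BLOCKING_SEVERITIES:
            result.backlog.append(f.id)
            continue
        x = by_id.get(f.id)
        if x is None:
            result.reasons[f.id] = f"{f.severity} finding with no documented exception"
        elif not x.approver.strip():
            result.reasons[f.id] = "exception record has no approver"
        elif x.expires < today:
            result.reasons[f.id] = f"exception expired on {x.expires.isoformat()}"
        else:
            result.accepted.append(f.id)
            continue
        result.blockers.append(f.id)
        result.release_allowed = False
    return result


# Constructed output of an internal application security assessment (hypothetical).
SAMPLE_FINDINGS = """[
  {"id": "APP-1-001", "severity": "Critical", "status": "fixed", "title": "SQL injection in /search"},
  {"id": "APP-1-002", "severity": "High", "status": "open", "title": "Reflected XSS in error page"},
  {"id": "APP-1-003", "severity": "High", "status": "open", "title": "Session cookie without Secure flag"},
  {"id": "APP-1-004", "severity": "Medium", "status": "open", "title": "Verbose server banner"},
  {"id": "APP-1-005", "severity": "Low", "status": "open", "title": "Autocomplete enabled on login form"}
]"""

# Constructed exception register (hypothetical approver title and dates).
SAMPLE_EXCEPTIONS = """[
  {"finding_id": "APP-1-002", "approver": "GE Business Security Leader", "expires": "2010-04-30"},
  {"finding_id": "APP-1-003", "approver": "GE Business Security Leader", "expires": "2010-06-30"}
]"""


def run_sample(today_iso: str) -> GateResult:
    """Run the gate over the constructed sample data as of the given ISO date."""
    return gate(parse_findings(SAMPLE_FINDINGS), parse_exceptions(SAMPLE_EXCEPTIONS),
                date.fromisoformat(today_iso))


if __name__ == "__main__":
    r = run_sample("2010-05-15")
    print("release allowed:", r.release_allowed)
    for fid in r.blockers:
        print("BLOCKER", fid, "-", r.reasons[fid])
    print("accepted under exception:", r.accepted)
    print("to bug backlog:", r.backlog)
```

Wiring this into the build so that a blocked result stops the release to GE turns the SSD 2.0 rule into something the pipeline enforces rather than something a reviewer remembers; the expiry date on each exception forces it to be re-approved instead of being silently inherited by later releases.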
Minimum Audit Requirements
Evidence of Security Reviews & Testing on all deliveries to GE
Evidence of exception approvals from GE Business Security leader for releasing code with
Critical/High Vulnerabilities to GE (where code is released with Critical/High vulnerabilities)
MSA Linkage
Section 4.10
Related Practices
Quality Management
eGDC Suite Linkage
Application Ownership Process
Online Resources
Application Security guidelines at http://sc.ge.com/@SSCOE

7.0 Network & Systems Security
GDCs are connected to the GE internal network in a manner identical to any GE office, so it is critical that GDC networks and systems are secure, safe and pose no threat to the GE network and data. GDCs should adhere to the GE Third Party Information Security Policy, follow the guidelines listed in this section and have appropriate controls and rigour in place to mitigate any risk to the GE network and data.

FIGURE 10 Network & Systems Security Practices and Linkages
7.1 Vulnerabilities Management (ELEMENTARY)

POLICY
All GDC systems shall, at a minimum, be patched with all GE trackable patches and any other patches relevant in the environment. All GDC systems shall have the GE standard client firewall and antivirus deployed to prevent threats. GDC shall proactively find and fix any vulnerability in all GDC systems and networks.
The purpose of this Practice is to enforce controls that protect systems and networks from threats, through implementation of Sophos antivirus and client firewall and proactive vulnerability scanning using Qualys.

GOALS
0 Critical/High/Medium security vulnerabilities in networks & systems across all GDC sites
100% of systems patched within 7 days of a GE trackable patch release
100% coverage of vulnerability scanning across all GDC subnets
100% of GDC servers and workstations with antivirus running with the latest policies and signatures

RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:
VM 1.0 Track & implement GE trackable patches on all GDC systems
VM 2.0 Manage Qualys network scanning and vulnerability remediation
VM 3.0 Manage Sophos deployment on all GDC systems and mitigate threats
As co-owner of this Practice, GE businesses are responsible for providing patching notifications, Qualys access and Sophos to the GDC. The specific responsibilities of GE are:
VM 4.0 Ensure patch releases by the GE Security Council are communicated to the GDC
VM 5.0 Ensure Qualys console access is provided to the GDC
VM 6.0 Ensure Sophos licence & software is provided to the GDC



VM 1.0 Track & implement GE trackable patches on all GDC systems
GDC shall be part of GE Security council patch release notification list
GDC machines shall be minimally patched with GE trackable patches.
All GE trackable patches shall be applied on all machines in less than 7 days.
Patches shall be tested on test boxes before applying in production.

In case Critical patches conflict with the applications, it shall be discussed with the
business/corporate security leaders and approvals obtained. GE GDC Program Security
Leader shall be notified of all such approvals and any exceptions.
Emergency patching process shall be defined and documented.
GDC shall maintain their own security bulletin and process to identify and remediate new
vulnerabilities and threats related to software & hardware in their environment.
VM 2.0 Manage Qualys network scanning and vulnerability remediation
GDC shall leverage GE provided Qualys tool to run vulnerability scans
GDC shall configure Qualys with account(s) having appropriate privileges to run
successful authenticated scans for all GDC systems
Each GDC shall maintain and communicate updates to subnet inventory to the GE GDC
Program Security Leader through monthly reporting
All networks including partner locations, shall be scanned every week or as agreed with
GE GDC Program Security Leader and missing patches shall be applied
OPERATING GUIDELINES
P R OGR A M G O V E R NA NC E F R A ME WOR K
GE PROPRIETARY & CONFIDENTIAL RELEASE V1.7 110 of 185
Any vulnerability with no patch or remediation available will require a machine rebuild
and any exceptions shall be approved by GE GDC Program Security Leader
It is the responsibility of the GE GDC to close all vulnerability related incidents in a timely
manner. This should be no more than 2 business days unless the RCA and Action Plan
states the reason for a longer time period and is approved by GE
GDC Security Leader shall do weekly monitoring of Qualys dashboard in
http://securitymetrics.ge.com to measure the patching process health.
Review and remediate newly discovered security vulnerabilities using repeatable process.

VM 3.0 Manage Sophos deployment on all GDC systems and mitigate threats
GDC shall install the GE-provided Sophos antivirus on all servers and workstations (desktops & laptops). The Sophos client firewall shall be installed on all workstations. The latest version recommended by GE shall be used.
GDC shall ensure all Sophos clients are able to communicate with the centralized Sophos server and have signature/policy/engine updates no more than 1 week old.
GDC resources shall not have privileges to disable, stop services or uninstall Sophos antivirus or the client firewall on their systems.
GDC shall review and implement all policy changes, updates and upgrades as required by GE.
The Sophos console, in conjunction with the Sophos defect report in http://securitymetrics.ge.com, shall be reviewed daily, and infected assets shall be investigated and closed within a 48-hour timeframe.
GDC shall maintain Sophos CMV console access. Only appropriate personnel should have access; GDC is responsible for maintaining the personnel list and requesting access creation and removal through the correct processes.
Machines infected with any form of malicious code (virus, trojan, malware, logic bombs, worms) or missing a critical patch shall be removed from the network immediately and shall be cleaned / patched before connecting back to the network.
GDC shall review and remediate newly discovered security vulnerabilities using a repeatable process. Appropriate tracking should be done to detect any potential threats and policy violations.
Minimum Audit Requirements
Sophos CMV console access is maintained and up to date with currently identified GE GDC security personnel
Management review of defects and opportunities against the goals of the Vulnerabilities practice
Records shall be maintained for weekly network scans and patching cycle time
Evidence of approval in case of critical patch conflict and adherence to the agreed resolution plan shall be maintained
Evidence of coverage of 100% of GDC systems in Qualys
Evidence of vulnerability fixes as reported through Sophos & Qualys
MSA Linkage
Section 4.25
Related Practices
Software Governance, Secure Software Delivery, Systems Management, Supplier Connectivity
eGDC Suite Linkage
Not Applicable
Online Resources
Sophos Community - http://supportcentral.ge.com/products/sup_products.asp?prod_id=37974
Qualys Community - http://supportcentral.ge.com/products/sup_products.asp?prod_id=89136
7.2 Systems Management (ELEMENTARY)

POLICY
GDC shall secure all endpoints (i.e. desktops/laptops/workstations/servers/mobile computing devices) and access accounts, and implement data leakage prevention controls to protect GE data.
The purpose of this Practice is to establish and enforce controls to secure endpoints, access accounts and GE/GDC assets to prevent any threats to GE data.

GOALS
0 incidents of system management requirements violations

RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:
SM 1.0 Secure GE GDC endpoints
SM 2.0 Implement secure account & password management practices
SM 3.0 Implement secure servers and operating systems practices
SM 4.0 Implement secure server administration practices
As a co-owner of this Practice, GE Businesses are responsible for identifying endpoint security controls and obtaining Business Security Leader approval before allowing the GDC to have machines in GE Domains. The specific responsibilities of GE are:
SM 5.0 Ensure necessary end-point security controls & Business Security Leader approvals are in place before approving any machines located at a GDC site in the GE domain
OPERATING GUIDELINES
SM 1.0 Secure GE GDC endpoints
All GE GDC endpoints shall meet GE requirements for Antivirus, Personal Firewall, Vulnerability Patching and Network Access Control. This includes the health, reporting and signature updates of the required client as mandated by GE.
In cases where an exception has been granted by the GE Business Security Leader to have a GDC system in the GE domain, GDC shall take appropriate actions to make sure that such systems meet the above requirements.
USB ports/DVD burners/any other removable media ports shall be disabled. For cases where an exception has been granted by the GE GDC Program Office, removable storage media shall be encrypted.
Laptop disks shall be encrypted using the GE-recommended version of Safeboot.
Back-up tapes shall be encrypted.
Laptop computers or other portable computing devices shall primarily be used for access, not storage.
GE data should not be stored on GDC systems.
GDC shall have preventive and detective controls to prevent data leakage from GDC/GE systems assigned to GDC resources irrespective of location (excluding GE sites), specifically laptops or any portable computing devices that can be taken out of the GDC facility.
No personal devices shall be allowed to execute GE engagements from any location.
The procedure to deal with stolen laptops, workstations or any computing/storage device used to execute GE engagements shall be well defined.
GDC shall ensure the data confidentiality and privacy of each user assigned to a shared system from other users assigned to the same shared system.
SM 2.0 Implement secure account & password management practices
Password-protected screen savers shall be activated upon a maximum 15-minute timeout on all systems with a monitor.
Automated account lockout shall be enabled after a minimum of 3 and a maximum of 7 attempts, with authentication failures and successes logged and reviewed for security violations.
Accounts shall have an expiration date and shall be reviewed periodically.
Logical access controls shall be in place to identify a user.
Sharing of user IDs and passwords is prohibited.
VPN hard tokens and soft tokens shall not be shared. A hard token can be re-allocated to another individual upon release of a resource from a project/program, unless the Business explicitly requires the token to be surrendered. GDCs shall centrally maintain traceability and records of all VPN token allocations and re-allocations.
The GE GDC password policy shall be at a minimum as strong as the GE password policy.
Initial passwords shall be forced to be changed during first logon.
GDC shall ensure that users are given the minimum access privileges required by their job. Non-administrative users shall not have access to administrative system software or utilities. Privileged or administrative accounts shall only be given to the persons responsible for managing systems, databases & applications and shall be tracked centrally by GDC.
Local administrator access and rights shall be disabled. Exceptions to this shall be time bound and approved by the GDC security leader.
GE domain administrator access shall not be given to offshore resources. Exceptions to this shall be time bound and approved by the GE GDC or business security leader.
SM 3.0 Secure servers and operating systems
The following minimum requirements for server and operating system lockdown shall be expanded upon based on industry best practices:
Only the minimum/necessary set of applications and services shall be installed.
Source code of server-side executables and scripts shall not be viewable by external users.
Packet filters (such as host-based firewalls and TCP wrappers) shall be installed to restrict connections to necessary hosts on necessary services and to log incoming requests. Users shall not be able to modify the configuration of the filters.
Time shall be synchronized to a trusted time service.
Services that require different access shall use different account IDs.
No SNMP accessibility from the Internet. It is recommended to disable all SNMP.
There shall be a legal notice warning of unauthorized access penalties where applicable.
The password database shall be encrypted.
SM 4.0 Follow secure server administration practices
The following are the minimum requirements for server administration lockdown using industry best practices:
If GDC has the capability to remotely administer servers (GE & GDC), the remote connection shall take place over an encrypted tunnel and shall require two-factor authentication.
All administrator accounts shall have IP address restrictions, two-factor authentication, or be limited to console login.
All administrative traffic shall be encrypted. The encryption level shall be defined based on the needs of the application.
All default accounts shall be renamed or removed and all default passwords changed.
Access to devices involved in the provision of services shall be granted only on a need-to-have basis. Server administration permissions are typically granted to a limited number of individuals within an organization.
More than one person shall approve the granting of new administrator account access, and the addition/removal of account access shall be auditable.
Shared administrative accounts shall not be used. Instead, use individual accounts with an auditable method to escalate privileges for administration (examples: PowerBroker, sudo) where possible. Admin passwords may also be checked out for a period of time and then reset.
System and service account passwords used by automated and batch processes shall only be granted restricted access. The account shall be single purpose, with non-interactive login, from controlled sources such as a fixed source IP as a second login factor. If an account requires more access, the GE Sponsor shall be made fully aware of their account responsibilities, with the account description field annotating the contact.
Success and failure for all user account logins, system logins (desktops/laptops/servers), and administrative requests must be logged.
General server event logs, utilization logs, and application events and errors must be periodically verified as functioning in case of a forensics investigation.
GDC must maintain records of all hardware problems, operating system crashes and system formatting.
Authentication failures and successes must be reviewed (at least weekly) for security violations.
Unless required otherwise by law, GDC must, at a minimum, maintain server logs for a period of no less than 180 days from origination.
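The lockout, log-retention and weekly log-review requirements of SM 2.0 and SM 4.0 can be checked mechanically. The following is an added example, not GE's or the handbook's code: it assumes a Linux host using pam_faillock and logrotate, and every configuration excerpt and sshd log line in it is constructed sample input.

```python
"""Policy-as-code checks for SM 2.0 / SM 4.0 (added example, not GE code).

Checks the pam_faillock lockout threshold (3 to 7 attempts) and logrotate
retention (at least 180 days), then runs the weekly review of authentication
failures and successes over sshd log lines. All inputs below are constructed.
"""
import re
from collections import Counter

LOCKOUT_MIN, LOCKOUT_MAX = 3, 7   # SM 2.0: lockout after a minimum of 3, maximum of 7 attempts
LOG_RETENTION_DAYS = 180          # SM 4.0: server logs kept no less than 180 days
PERIOD_DAYS = {"daily": 1, "weekly": 7, "monthly": 30, "yearly": 365}

# Constructed /etc/security/faillock.conf excerpt: deny=10 exceeds the 3-7 range.
FAILLOCK_CONF = "# constructed sample\ndeny = 10\nunlock_time = 900\naudit\n"
# Constructed logrotate stanza: 12 weekly rotations keep only about 84 days of logs.
LOGROTATE_CONF = "/var/log/auth.log {\n    weekly\n    rotate 12\n    compress\n}\n"

# Constructed sshd log lines: five failures for 'admin' from one source that
# end in a successful login, two failures for an invalid user, one normal login.
AUTH_LOG = """\
Mar  3 09:12:01 gdc-srv01 sshd[2210]: Failed password for admin from 10.20.30.40 port 51522 ssh2
Mar  3 09:12:04 gdc-srv01 sshd[2210]: Failed password for admin from 10.20.30.40 port 51522 ssh2
Mar  3 09:12:07 gdc-srv01 sshd[2214]: Failed password for admin from 10.20.30.40 port 51524 ssh2
Mar  3 09:12:09 gdc-srv01 sshd[2214]: Failed password for admin from 10.20.30.40 port 51524 ssh2
Mar  3 09:12:12 gdc-srv01 sshd[2218]: Failed password for admin from 10.20.30.40 port 51526 ssh2
Mar  3 09:12:20 gdc-srv01 sshd[2221]: Accepted password for admin from 10.20.30.40 port 51530 ssh2
Mar  3 09:30:11 gdc-srv01 sshd[2302]: Failed password for invalid user test from 198.51.100.7 port 40000 ssh2
Mar  3 09:30:15 gdc-srv01 sshd[2302]: Failed password for invalid user test from 198.51.100.7 port 40000 ssh2
Mar  3 10:01:45 gdc-srv01 sshd[2410]: Accepted publickey for jdoe from 10.20.30.5 port 50010 ssh2
"""

# Matches "Failed password for [invalid user] X from Y" and "Accepted publickey for X from Y".
SSHD_EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) \S+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port"
)


def lockout_threshold(conf):
    """Return the faillock 'deny' value (faillock.conf or a pam_faillock line), else None."""
    m = re.search(r"\bdeny\s*=\s*(\d+)", conf)
    return int(m.group(1)) if m else None


def log_retention_days(conf):
    """Approximate retention as rotation period (days) x rotate count; None if not found."""
    period = next((days for word, days in PERIOD_DAYS.items()
                   if re.search(rf"^\s*{word}\b", conf, re.M)), None)
    rotate = re.search(r"^\s*rotate\s+(\d+)", conf, re.M)
    if period is None or rotate is None:
        return None
    return period * int(rotate.group(1))


def check_config(faillock_conf, logrotate_conf):
    """Return a list of findings; an empty list means both settings comply."""
    findings = []
    deny = lockout_threshold(faillock_conf)
    if deny is None or not LOCKOUT_MIN <= deny <= LOCKOUT_MAX:
        findings.append(f"SM 2.0: lockout threshold {deny} is not within "
                        f"{LOCKOUT_MIN}-{LOCKOUT_MAX} attempts")
    days = log_retention_days(logrotate_conf)
    if days is None or days < LOG_RETENTION_DAYS:
        findings.append(f"SM 4.0: log retention of {days} days is below "
                        f"{LOG_RETENTION_DAYS} days")
    return findings


def review_auth_log(lines, threshold):
    """Count successes and failures per (user, source) and flag violations.

    A pair is flagged when its failures reach the lockout threshold, and again
    when a login succeeds after earlier failures from the same source.
    """
    failures, successes, flagged = Counter(), Counter(), []
    for line in lines:
        m = SSHD_EVENT.search(line)
        if not m:
            continue
        key = (m["user"], m["src"])
        if m["result"] == "Failed":
            failures[key] += 1
            if failures[key] == threshold:
                flagged.append((*key, "failures reached lockout threshold"))
        else:
            successes[key] += 1
            if failures[key]:
                flagged.append((*key, f"success after {failures[key]} failures"))
    return {"failures": failures, "successes": successes, "flagged": flagged}


if __name__ == "__main__":
    for finding in check_config(FAILLOCK_CONF, LOGROTATE_CONF):
        print("FINDING:", finding)
    # 5 is a compliant lockout threshold inside the 3-7 range.
    for user, src, reason in review_auth_log(AUTH_LOG.splitlines(), 5)["flagged"]:
        print(f"REVIEW: {user} from {src}: {reason}")
```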
Minimum Audit Requirements
Evidence of approval and monitoring of local admin access
Evidence of 100% machine coverage for end point security
Evidence of implementation of secure account & password management practices
Evidence of servers & operating systems security and secure server administration practices being followed across all GDC sites
Evidence of end point security for GDC machines in the GE Domain along with exception approval from the GE Security Leader
MSA Linkage
Section 4.25
Related Practices
Business Continuity Management, GDC Site Management, Asset Governance, SSO id Governance, GDC Resource On-boarding/Off-boarding
eGDC Suite Linkage
Adhoc Approvals, Systems on GE Domain*, Local Admin Rights Reporting*
Online Resources
Not Applicable
7.3 Supplier Connectivity (ELEMENTARY)

POLICY
GDC shall have trusted third party connectivity to GE, i.e. a physically and logically isolated segment of the GDC connected to the GE network in compliance with the GE Trusted Third Party Security Policy. GDC shall ensure that there are no risks to the GE network.
The purpose of this Practice is to enforce compliance with GE's trusted third party connectivity requirements.

GOALS
100% of GDC sites in compliance with GE trusted third party connectivity requirements

RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:
SC 1.0 Ensure every GDC resource signs the AUG (Acceptable Use Guidelines) before granting physical access to the GE GDC area
SC 2.0 Implement and maintain compliance with logical network connectivity requirements
SC 3.0 Implement and maintain compliance with proxy requirements
SC 4.0 Implement and maintain compliance with secure email system requirements
SC 5.0 Monitor & respond to any intrusions and unexpected network & system behavior

OPERATING GUIDELINES
SC 1.0 Ensure every GDC resource signs the AUG (Acceptable Use Guidelines) before granting physical access to the GE GDC area
The AUG shall be signed by every individual GDC resource (inclusive of subcontractors) before granting physical access to the GE GDC area or logical access to the GE network.
Annual re-acknowledgment shall be done by every individual GDC resource (inclusive of subcontractors).
SC 2.0 Implement and maintain compliance with logical network connectivity requirements
Logical network connectivity of any GE Extension Segment to networks other than GE shall not exist.
All current and new interconnections between the GDC network and any other non-GE network, including the Internet, parent and other companies, shall be managed by GE and shall meet all GE standards and requirements.
VPN Gateways and Remote User Gateways, including two-factor authentication for dial-up and VPN, shall be managed by GE only. Third party-managed gateways, including the GDC parent organization's VPN, are not allowed.
Inbound modems shall not connect to the GDC network.
Outbound modems should only be implemented on an exception approval basis by the GE GDC Program Security Leader and tracked under Asset Governance guidelines.
Inbound Gateways (hosting) shall subscribe to an existing GE shared service for gateway access.
Outbound Gateways (Internet access) shall be either through the GE shared service for gateway access or through a GE GIS-managed firewall & proxy if using GDC parent gateway access.
GDCs shall not use Wireless LAN (GE network or GDC parent network) in GDC areas.
Connections and LAN: separate Layer-2 switch infrastructure for IP, but shared ISP connectivity may be used for site-to-site VPN transport.
GDC shall not permit/use FTP, peer-to-peer networking, Bluetooth or any other file transfer mechanisms between systems/networks.
GDC shall not permit work from unauthorized remote locations to service GE.
Physical access to the network devices (routers, hubs, switches, etc.) shall be protected to allow access only by named network administrators.
GDC shall not extend the GE network outside the certified GDC area without approval from the GDC Program Office or following the appropriate GE process.
GDC shall track all changes in the logical environment.
GDC shall have a process to track the expiry of time-bound connection approvals and shall work with GE to revoke or extend any expired connections on time.
For any special restricted sites for export control work, the site shall be in compliance with GE Export Control guidelines. For special IP work restricted sites, the site shall be in compliance with the applicable business policies/guidelines.
SC 3.0 Implement and maintain compliance with proxy requirements
The GIS-managed proxy shall be used for Internet access.
Proxy servers shall comply with the GE Outbound proxy standard and recommended build.
Proxy changes should be disabled for all GDC resources. Exceptions to this should be time bound and approved and monitored by the GDC security leader.
GDC shall not use any GE business proxy or proxy script (PAC file) for individuals or sites without approval from the GE GDC Program Office.
Periodic audits shall be conducted and reviewed quarterly for resources for whom proxy change is not disabled.
GDC laptop users shall not be able to browse any internet sites before signing into the GE VPN from non-GDC locations.
GDC shall restrict access to internet-based email sites and data storage/sharing sites to prevent data leakage.
SC 4.0 Implement and maintain compliance with secure email system requirements
Emails to/from GDC-GE shall not transit public networks (like the Internet) in unencrypted form. TLS shall be enabled for email communication.
Auto-forwarding from GE email accounts to non-GE email accounts is not permitted.
GE GDC Extension Segment email servers should at a minimum filter GE standard attachment extensions.
SC 5.0 Monitor & respond to any intrusions and unexpected network & system behavior
GDC shall have an Intrusion Prevention System (GE standard device) for inappropriate activity monitoring and prevention for the networks/sites identified by the GE GDC Program Office; IPS devices shall be managed by GE and shall have signature updates no more than 1 week old.
Monitor systems and servers.
Use automated tools to filter logs, identify security incidents, and provide automated alerts.
Intrusion detection coverage on network entry points (non-GE) and mission-critical servers.
Monitor and respond to high alerts in IDS/IPS logs on a 24x7 basis.
Minimum Audit Requirements
Records of IDS/IPS log review and action on every high alert shall be maintained
Evidence of approval and monitoring of proxy change rights
Records and evidence of GE GDC Program Security Leader approval for any change implemented in the GDC site network
MSA Linkage
Section 4.25
Related Practices
GDC Site Management, Business Continuity Management
eGDC Suite Linkage
Site Proxy Data, Client Proxy*, New Site Approvals
Online Resources
GE Export Control Guidelines - http://libraries.ge.com/download?entity_id=3869850101&fileid=48218071101&sid=101
GE Outbound proxy standard - http://libraries.ge.com/download?fileid=76455681101&entity_id=13957680101&sid=101
7.4 Resource Sharing (ELEMENTARY)

POLICY
Any non-GE or non-GE GDC resources, such as people, applications and systems, used to execute or facilitate GE engagements shall not compromise the confidentiality and integrity of GE data and Intellectual Property.
The purpose of this Practice is to establish and manage controls to mitigate the risks of compromising the Confidentiality & Integrity of GE data & IP due to resource sharing.

GOALS
0 incidents of any unauthorized shared resources
0 incidents of unauthorized GE data & IP residing in any shared resource

RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:
RS 1.0 Identify shared resources
RS 2.0 Establish and manage confidentiality and integrity of GE data on shared resources

OPERATING GUIDELINES
RS 1.0 Identify shared resources
GDC shall limit shared resources to a minimum and shall have a process to do risk assessment and seek approval from the GE GDC Program Office for any shared resource before using it.
GDC shall maintain an inventory of all shared resources. This includes resources provided by GE and GDC for use within the GE GDC (e.g. email, project management tools). This inventory should depict the ownership of the resource being used.
RS 2.0 Establish and manage confidentiality and integrity of GE data on shared resources
GDC shall perform periodic risk assessments of all shared resources.
GDC shall implement logical or systematic data leakage prevention controls for all shared resources.
All data relevant to shared resources must follow the Classification, Confidentiality & IP Protection requirements.
Minimum Audit Requirements
Inventory of shared resources
Evidence of access controls in place for all the shared resources
MSA Linkage
Section 4.25
Related Practices
Data Classification, Confidentiality, Privacy & IP Protection, Knowledge Management
eGDC Suite Linkage
Adhoc Approvals
Online Resources
Not Applicable
8.0 Data Security
GE Data Security is the most important aspect of the GDC program, and GE data needs to be protected based on its need for secrecy, sensitivity, or confidentiality. While servicing GE, GDCs will have access to different types of GE data, and it is the GDC's responsibility to protect GE information from disclosure to any unauthorized individual or entity. The practice areas covered in this section outline the minimum requirements for GDCs to maintain the Integrity, Confidentiality & Availability of GE data.

FIGURE 11 Data Security Practices and Linkages
8.1 Data Classification, Privacy, Confidentiality & IP Protection (MATURE)

POLICY
Any data created/used/handled by GDCs shall be classified and shall be protected using adequate measures as per GE Data Security guidelines. For a period of 7 years following the date of disclosure, the GDC shall not itself use or share with any third party or subcontractor any GE confidential/restricted information.
The purpose of this Practice is to formalize and enforce the practice of securing GE data based on assigned labels of importance and sensitivity.

GOALS
100% of GE data/information in any form tagged with the appropriate data classification
0 instances of improper access control/unauthorized sharing/use of GE confidential/restricted data
0 incidents of IP / Data Privacy violations

RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:
DCP 1.0 Classify all GE data/information according to GE Data classification guidelines
DCP 2.0 Establish accountability to protect GE Data
DCP 3.0 Protect GE Data/Information according to Classification
DCP 4.0 Manage IP Use & Protection
As a co-owner of this Practice, GE Businesses are responsible for ensuring that all data accessible/shared/processed/created by the GDC has the correct GE Data classification level tagged to it. The specific responsibilities of GE are:
DCP 5.0 Ensure all GE data/information shared with GDC carries the correct GE Data classification
DCP 6.0 Provide guidance to GDC to establish correct GE Data classification levels for the data created/used by the GDC during the life of the project/relationship; involve the Business Data Privacy Leader to identify specific controls that may be required to address country-specific data privacy requirements
DCP 7.0 Monitor & manage GDC access to Sensitive data on a need-to-know basis and ensure that access is revoked when no longer needed
DCP 8.0 Identify and treat GDC IP and GE IP in an appropriate manner; involve Business Legal teams in the appropriate treatment of GDC IP

OPERATING GUIDELINES
DCP 1.0 Classify all GE data/information according to GE Data classification guidelines
"GE data/information" here refers not only to the data provided to the GDC, but also to data created by the GDC during the life of a project/relationship.
Electronic/non-electronic data (documents, code, databases, concept papers, reports, media, email and the like) shall be classified and encrypted as per GE data classification guidelines.
In the case of documents (irrespective of the nature of the document), all pages shall contain the classification.
Correct and consistent classification shall be ensured.
Functional ownership and classification of data shall follow the guidelines below.
Classification indicates the type of data. Apart from information that is intended for public disclosure, all other information shall be classified as Internal, Confidential or Restricted based on the guidelines below:
Internal - non-public information that is specific to an entity, with access for a larger group of authorized people consisting of employees and authorized non-employees (examples: organization chart, standards & guidelines, to name a few)
Confidential - information that is sensitive or confidential within an entity and intended for business use only by those with a need-to-know (examples: sensitive personnel information, individually identifiable customer or client information, cost or pricing information, to name a few)
Restricted - information that is extremely sensitive or private, of highest value to the entity, and intended for use by named individuals/entities only (examples: strategic plans, intellectual property, financial results prior to release, individually identifiable medical records, trade-controlled information, files containing clear-text passwords, to name a few)
Ownership identifies the owner of the data:
GE - a significant portion of the data being used or generated in the GE GDC shall be owned by GE and hence tagged as GE Internal, GE Confidential or GE Restricted. Any/all artifact(s) given by GE or generated / used as part of the GE project/program shall be considered GE-owned. This includes all deliverables/work products (inclusive of code, design documents, process charts, test plans, development plans, KT documents, risk mitigation plans), responses to RFPs, status reports and project management documents, to name a few.
GE <GDC> - a small portion of the data generated in the GE GDC shall have shared ownership between GE and the GDC team and hence be tagged as GE <GDC> Internal, GE <GDC> Confidential or GE <GDC> Restricted (examples: GDC Standard Operating Procedures based on GE requirements, GDC-specific performance metrics reports, to name a few)
<GDC> - a very small portion of the data generated/used in the GE GDC shall be owned completely by the GDC (examples: the GDC organization's financial information, GDC employee performance reports, the GDC organization's IP, to name a few)
The table below provides a summary of the 9 permissible classification possibilities in addition to the PUBLIC classification.
GE Confidential/Restricted information may include all information furnished or made available to the GDC orally or in writing by any GE personnel in connection with the overall Program or a specific Task Order, including without limitation non-public Intellectual Property, Deliverables, ideas, concepts, procedures, agreements, notes, summaries, reports, analyses, compilations, studies, lists, charts, surveys and other materials, both written and oral, in whatever form maintained, concerning the business of the Company and its customers and/or vendors, including Material Non-Public Information. Confidential Information shall also include, without limitation, any reports, findings, conclusions, recommendations, or reporting data and analysis prepared by the GDC for GE's use.
While using GE classification (GE Internal, GE Confidential and GE Restricted), GDC shall adhere to Business-specific classification requirements, if explicitly requested to do so. This may involve identification of the Business name in the tag (examples: GE Healthcare Confidential, NBCU Restricted).
In cases where GDC receives data/information that is not classified by GE, GDC shall follow exception guidelines for the treatment/handling of such data. One or more of the following treatment recommendations may be applied by the GDC:
Such unclassified data belonging to GE shall not be stored on any other media except on GE systems residing in GE Data Centers.
Printing of such unclassified data shall not be permitted.
In exception scenarios where such data needs to be stored on GDC systems for project needs, GDC shall post such data to Business-specific folders that are configured in GDC configuration systems with the appropriate classification and access for named individuals on a need-to-know basis.
GDC shall raise an incident / risk alert (as seen appropriate) when unclassified data that is perceived by GDC to be either GE Confidential or GE Restricted is provided to GDC for use/information purposes.
DCP 2.0 Establish accountability to protect GE Data
The SIA (Secrecy and Inventions Agreement) shall be signed by every individual GDC resource (inclusive of subcontractors) before granting physical access to the GE GDC area. Annual re-acknowledgment shall be done.
In case confidential/restricted data pertains to GE personal or financial data or GE IP information, additional confidentiality agreements as required by the business shall be signed by individual GDC resources.
Every GDC resource shall physically sign (this cannot be digitized) the Assignment of Rights on an annual basis for work done in the prior year. If, during the course of the year, a GDC resource exits the GE GDC, he/she shall sign this document for the duration he/she worked with the GE GDC in that year. Assignment of Rights documents shall carry a counter-signature by a GDC authorized signatory.
GDC shall have appropriate processes in place to identify projects dealing with confidential/restricted information and educate resources on their responsibility/accountability to adhere to Acceptable Use Guidelines and Non-disclosures.
Where controls established by the Business are seen to be inadequate/inappropriate, GDC shall proactively discuss the risks with the Business and recommend appropriate controls to be implemented.
DCP 3.0 Protect GE data/information appropriately according to data classification level
Data classified as GE Internal/Confidential/Restricted or GE <GDC> Internal/Confidential/Restricted cannot be stored on a non-GE system, shared, or used for any purpose other than those related to the GE GDC.
Storage/transmission/disposal of both physical and electronic data shall be as per GE Data classification guidelines and the business Document Retention Guidelines.
GE Confidential/Restricted information shall be stored in a secured manner on a GE system residing in a GE Data Center, with access provided to named individuals within the GE GDC organization on a need-to-know basis.
No GE confidential/restricted data shall be shared in any location with public access (including GE SupportCentral, Libraries, Folders).
Any requirement for storage of GE Confidential/Restricted data on a GDC system or an external (to GE) system shall be explicitly approved by the GE Project Manager and / or GE Business Security Leader.
Such data shall be secured in the GDC server room with data-level access controls and encryption where appropriate; such data shall not reside on individual resource systems.
Access restrictions for confidential and restricted data shall be built in at the individual artifact and at the folders or shared repositories that house these artifacts.
Access to restricted/business confidential (where additional agreements are signed for confidentiality) artifacts shall be limited to those with valid SSO IDs, as approved by the Business.
Printing of classified documents shall be on secure printers only, available within the secured GE GDC area. The controls around printers can include but are not limited to: PIN per print, key card per print, centralized printers.
Notices shall be posted that documents sent for printing shall be removed from the print queue if not printed using the secure print key within a maximum time of 4 hours. Additionally, any printed documents that are left behind at printer stations or unattended on desks or in conference rooms for more than 2 hours shall be shredded.
Treating GE Personal Information including information on GE Personnel, its Customers,
Suppliers, Vendors or other Affiliates (collection/storage/use/protection/disposal) shall be
in line with local applicable Privacy laws and compliant with GE policy
Use/sharing of GE Confidential/Restricted data shall be in line with the Business approved
access list. This norm shall apply for USE/sharing of such data across GE Businesses. Any
exceptions to this shall be raised to Business VMO Leader/GE GDC Program Office for
approval
Archival of GE Confidential & Restricted data and GE GDC classified data shall be done
only if explicitly requested for by the Business and maintained for the specific duration
stated by the Business. Such archives shall be maintained in an encrypted form and in a
secured location with restricted access to named individuals within GE GDC
Personnel/Classified production data shall be scrambled/de-identified before being used in a
testing environment.
Employee awareness on GE data classification shall be ensured.
Classified data shall be treated appropriately in meetings/tele-conferences
Databases accessed for executing GE engagements shall be assessed for their
classification and the appropriate classification guidelines shall be applied
GDC shall centrally maintain an inventory of all GE information assets that are accessible
by individual GDC resources. The inventory shall at a minimum contain information on the
name of the asset, type of asset, storage location, type of access along with the resource
details and engagement details (business case for access)
GDC shall ensure that the Access Inventory is accurate and current
GDC shall implement controls to protect accounts with increased rights above a standard
user and have processes to protect and manage Highly Privileged Accounts (HPA). At a
minimum, HPAs are accounts with the following:
System level administrative or super-user access to devices, applications or
databases
Administration of accounts and passwords on a system
Any additional accounts considered by the business or system owner to pose
a high risk

GDC shall identify and implement data leakage prevention controls to protect GE data in
its operating environment

DCP 4.0 Manage IP Use & Protection
Intellectual Property (IP) shall be defined as any and all Deliverables, work product or
results of Services and inventions, innovations, discoveries, designs, plans, models,
prototypes, computer programs (including source and object code and documentation),
know-how, techniques and specifications (whether patentable or not or copyrightable or
not and whether made solely by Contractor or jointly with others) that are conceived,
created, developed or discovered directly or indirectly as part of or in connection with any
work performed for GE or on behalf of GE
Intellectual Property may belong to GE, GDC or to a third party
Unless otherwise explicitly declared by GDC and agreed upon by GE, any IP that may be
used, developed or conceived while working on a GE engagement shall be treated as GE's
property
GDC shall ensure that any identification of a potential IP is notified to GE
immediately and appropriate action taken to classify and protect such IP
GDC shall ensure that any and all rights on work done by GDC resources (inclusive of sub-
contractors) is assigned to GE
Such assignment of rights shall be carried out at end of Task Orders, where explicitly
stated by a Business. In all other cases, such assignment shall be done on:
An annual basis for all work carried out from the last assignment date/start date
in GE GDC (as applicable) to current date
At GDC Off-boarding point, if the resource is being off-boarded from GE
All such assignments shall be duly verified and validated for accuracy & completeness
by the appropriate authorized signatory of the GDC organization and signed off
GDC shall ensure that all such IP are fully documented, classified as GE Restricted and
treated as per the classification guidelines for such data.
Where the IP is specific to a Business, GDC shall ensure that the Business name is
used in the Classification as GE <Business> Restricted. Where seen appropriate,
additional tag of GE Proprietary shall be included
Any use/re-production/sharing (in any form) of such an IP shall not be permitted without
the explicit written approval of the GE Business Legal (facilitated by GE Business VMO
Leader or GE GDC Program Office)
This norm shall apply to sharing of IP across GE Businesses as well
Any proposed use of third party IP or GDC IP shall be declared upfront and clearance
obtained from GE Business Legal/Security team (facilitated by GE Project Manager and/or
GE Business VMO Leader) for use of such IP in deliverables to GE
Prior to use of GDC IP or third party IP on GE deliverables, GDC shall ensure
verification of the scope and terms of USE. Such terms and scope shall be clearly
agreed upon and signed off by all parties involved.
In cases where Joint IP Development is undertaken by GDC with GE and/or with other
third parties, GDC shall ensure that the scope and terms of IP development, rights for USE
are discussed, documented and complied with
GDC shall educate its resources on proper treatment of IP and ensure that norms around
IP use are complied with. Any violations of IP (GE/GDC/third party) shall be treated as a
critical incident and handled appropriately

Minimum Audit Requirements
Classification of Data stored in GDC systems and on GE Knowledge repositories
Evidence of GE Data Access Inventory being available, accurate and current
Evidence that Confidential/Restricted data is handled and treated as per GE guidelines for
treatment of such data
Evidence of Business Legal sign-off for USE of GDC IP/Third Party IP in deliverables to GE
MSA Linkage
Sections 4.3, 8
Related Practices
GE Knowledge Management, GDC Resource On-boarding/Off-Boarding, Engagement
Termination/Closure, Business Divestiture Management, GDC Site Management, Software
Governance, Secure Software Delivery
eGDC Suite Linkage
Not Applicable
Online Resources
The following additional guidelines are found at the GE GDC Knowledge Center
(http://supportcentral.ge.com/81973, Policies & Procedures, Program Governance):
Data Security Additional Guidelines
GE Data Classification Guidelines
http://libraries.ge.com/download?fileid=16926504101&entity_id=2688000101&sid=101

8.2 GE Knowledge Management (ELEMENTARY)

POLICY
Knowledge accumulated by GDC from and about GE engagements, shall be
retained in the GE Knowledge Management repository
The purpose of this Practice is to establish appropriate controls to ensure that Intellectual
property and knowledge developed/gained during the engagement lifecycle is retained in GE to
mitigate long-term operational risks of engagements.

GOALS
100% engagements to have knowledge repository with complete information required
for vendor agnostic seamless operations

RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate
procedures and controls are implemented to meet the goals of this Practice. The specific
responsibilities are:
GKM 1.0 Establish knowledge management plan for all engagements
GKM 2.0 Manage completeness of engagement knowledge in knowledge repository throughout
the life of an engagement
As a key stakeholder, GE is responsible for ensuring that it encourages and validates the GDC use
of GE's Knowledge Management system for completeness, accuracy and effectiveness
GKM 3.0 Be aware of GE Knowledge Repository and ensure appropriate USE of the same for
information protection, engagement risk management and effectiveness of delivery

OPERATING GUIDELINES
GKM 1.0 Establish knowledge management plan for all engagements
"GE data" here refers not only to the data provided to the GDC, but also to data created by the
GDC during the life of a project/relationship
Knowledge accumulated by GDC from and about GE engagements, shall be retained in
the GE Knowledge Management (KM) repository
GDC shall maintain a KM Plan for every GE engagement; the plan shall clearly describe the
Knowledge assets that would be applicable to the engagement, KM Repository update
Plan, Review Plan, Access rights Management and Assessment of completeness and
accuracy of content
GDC shall proactively ensure the adoption and rigor of USE of GE KM across GE GDC
GKM 2.0 Manage completeness of engagement knowledge in knowledge
repository throughout the life of an engagement
GDC shall ensure that the engagement specific KM Plan is signed-off by the Governance
Leader of the GDC. Governance Leader can delegate this to named individuals within
extended governance team.
GDCs shall update the GE KM Repository on a continuous basis and obtain periodic sign-off
from the GE Manager for the content and accuracy of the KM.
Transferring data from GE KM to the GDC KM is not permitted without an explicit approval
from the GE GDC Program Office
In the event of termination of the GE Task Order, GDC shall transfer any remaining
engagement knowledge to the GE KM Repository and ensure completeness of all
documentation.
Minimum Audit Requirements
Evidence of KM practice across all engagements of GE
MSA Linkage
Sections 5.23, 5.24
Related Practices
Data Classification, Confidentiality, Privacy & IP Management, Delivery Management,
Engagement Termination/Closure, Business Divestiture Management
eGDC Suite Linkage
Knowledge Gateway
Online Resources
Not Applicable
9.0 Contractual Management
Contractual Management is an important area with focus on contractual obligations that
emanate from the MSA that GDC has with GE. Many of these contractual obligations have been
covered in other process areas. This section therefore focuses only on those few practices that
are broad based but specific to GE's MSA and Business-specific contracts with GDC.









FIGURE 12 Contractual Management Practices & Linkages

9.1 Communication & Media Management (MATURE)

POLICY
External or internal communications, USE, sharing of information related to GE
relationship or GDC Organization (inclusive of GE engagement information or GE
process) is not permitted without the prior approval of the GE GDC Program Office.

GOALS
0 instances of unapproved (by GE GDC Program Office) sharing of GE information
0 instances of inappropriate USE of GE Assets

RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate
procedures and controls are implemented to meet the goals of this Practice. The specific
responsibilities are:
CMM 1.0 Establish and maintain a verification & approval protocol for sharing of information
related to GE
CMM 2.0 Publish guidelines on acceptable USE of GE assets in internal and external
communications
As a co-owner of this Practice, GE Businesses are responsible for ensuring that the authorized
people handle requests for approval of information sharing in an appropriate manner. The
specific responsibilities of GE are:
CMM 4.0 Forward requests for sharing of information on GE to Business VMO Leader and GE
GDC Program Office. Decision for approval of request shall be taken by GE GDC Program
Office in collaboration with GE Business VMO Leader and appropriate Legal teams

OPERATING GUIDELINES
CMM 1.0 Establish & maintain a verification protocol for sharing of information
related to GE
GDC shall ensure the existence of a formal process for review and approval of all
requests for publishing / sharing (commonly referred to as USE) GE related
information
The process shall cater to internal and external USE
The process shall cater to all USE scenarios inclusive of technical papers,
presentations, technical problem resolution, best practice sharing, media
announcements, external client visits, trade shows & conferences, third party
surveys, internal Knowledge repositories/portals, newsletters and the like
Requests shall clearly identify the scope of information, scope of USE along with
the media of USE and the timelines
As a part of the Verification process, GDC shall ensure that the content is sanitized
to prevent potential violations of Contractual obligations, Acceptable USE, Data
Classification guidelines
Where the content is seen as specific to GE and may violate the contractual
obligations, if used/shared/published, GDC shall ensure appropriate approvals on
content and use by authorized GE personnel
As a general guideline, where the information/content is seen as specific to a GE
Business (and is likely to compromise on Confidentiality/IP Protection), the GDCs
shall obtain an approval from the GE Business GDC Leader for publishing/sharing
of such information (inclusive of seeking technical expertise)
As a general guideline, where the information/content is at the overall GE
Relationship or pertains to a broad overview of the practices and processes
deployed within GE GDC, GDC shall obtain an approval from the GE GDC Program
Office for publishing/sharing of such information
Request for all such approvals shall be presented to GE with a clear business case,
intended audience, context and duration of information use, and details of the
publishing media. Approvals shall be granted at the discretion of GE GDC Program
Office and may contain additional norms/criteria of use
GDCs shall be responsible for ensuring that the information publishing/use is in
line with the approval conditions. Validation of the same is required at periodic
intervals (at a minimum once in 6 months)
GDCs shall be responsible for maintaining records of all approvals and
communication with GE
GDCs shall establish and maintain a proactive detection mechanism to identify
unauthorized/unacceptable use (inclusive of publishing on the internet/media) of
GE information and remediate the same. The GDC shall maintain a record of all such
remediation actions taken.
CMM 2.0 Publish guidelines on acceptable use of GE assets in internal/external
communications
As a general guideline, GDC resources are expected to comply with the
Acceptable USE Guidelines
External or internal communication/sharing of information regarding the GE GDC
engagements (inclusive of delivery methodologies, technology usage, business
process knowledge, process improvement initiatives) is not permitted
External communications/sharing of information (Press Releases, web-site
listings, blogs, mass-marketing campaigns, advertisements,
technology/business/analyst forum discussions and presentations) that include
information about GE GDC or GE engagements or GE are not permitted
GE shall not provide endorsements for GDC
Internal communication/sharing of information/USE of GE specific information
regarding GE GDC (overall account information or engagement specific
information) to a non-GE GDC audience is not permitted. Within GE GDC, such
information shall be shared only on a need to know basis
GDC resources shall not use the identity of GE GDC in their communication to non-
GE world
GE email-ids of GDC resources shall be used purely for communication within GE
and GE GDC - any need for use of a GE email-id beyond the GE and GE GDC
Program context shall be pre-approved by GE GDC Program Office / GE Business
VMO Leader for the respective Business
Email signatures shall clearly identify the GDC Organization of the resource
(example: Patni GE GDC); any request for deviation shall be pre-approved by GE
GDC Program Office
No GE related information (inclusive of information available on the GE intranet), unless
classified as public, shall be shared with a non-GE audience
GE logo and typeset cannot be used in any external or internal
material/communications
Any need for use of GE information or GE assets beyond GE GDC shall follow the GDC
Review & Approval process. Exception approvals by GE GDC Program Office/GE
Business VMO Leaders shall be a part of this GDC Review & Approval process
GDC shall ensure adequate awareness of the above guidelines across all GDC
resources (inclusive of sub-contractors)
GDCs shall escalate to GE (GDC Program Office) if any deviations from above are
observed
Minimum Audit Requirements
Evidence of GE/GE GDC Information use requests, review & appropriate action
Evidence of exception approvals from GE GDC Program Office/GE Business VMO Leaders for
deviations in USE
MSA Linkage
Sections 11.13, 16.11
Related Practices
Practices in Data Security, Delivery Management, Physical Security
eGDC Suite Linkage
Adhoc Approvals
Online Resources
Not Applicable

9.2 Contractual Performance Reporting (ELEMENTARY)

POLICY
Contractual performance data shall be reported to GE in a timely and consistent
manner in the format as expected by GE. GDC shall be accountable for the integrity
of the data being reported to GE

GOALS
0 misses on reporting contractual performance data
0 data integrity issues in data reported to GE

RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate
procedures and controls are implemented to meet the goals of this Practice. The specific
responsibilities are:
CPR 1.0 Publish guidelines and operating procedures for every Contractual performance
requirement within GE GDC to ensure consistency and validity of data capture, computations
(if any), verification and timely reporting
As a co-owner of this Practice, GE Businesses are responsible for verification & validation of data
being reported by GDC. The specific responsibility of GE is as shown below:
CPR 2.0 Verify data being reported and escalate non-compliance to GDC and GE GDC
Program Office

OPERATING GUIDELINES
CPR 1.0 Publish guidelines and operating procedures for every Contractual
performance requirement within GE GDC to ensure consistency and validity
of data capture, computations (if any), verification and timely reporting
Based on the Contractual requirements at the GE GDC Program level and the individual
Business or project level, GDC may have reporting requirements.
These reporting requirements may be defined explicitly as a part of the contract/SOW or
may have been communicated through other mechanisms inclusive of email, conference
calls.
The reporting requirements shall have scope of data being reported along with reporting
frequency
At the GE GDC Program level, GDCs are expected to report on Project, Resource and
Operations performance as per the Program Reporting Requirements provided in the
additional guidelines.
Online reporting of operations data using eGDC Toolset is expected to ensure that
data is current (and not accumulated for updates on monthly basis)
Projects data reported in eMeasure is expected to be reported by the 5th business
day of every month
Invoice and outstanding data is expected to be updated in the online tools
(eInvoice) at a minimum twice a week, if not daily
Manual reports (where explicitly mentioned) shall be submitted to GE by the 10th
calendar day of every month
Incidents are expected to be reported to GE GDC Program Office within the
stipulated time depending on the material/non-material nature of the incident
Remediation on Security vulnerabilities/incidents shall be completed and reported
within the timeframe allocated for specific vulnerabilities
GDC Competencies (in alignment with GE technology stack) shall at a minimum be
published on a Quarterly basis
Contract/SoW based or Project Delivery focused performance reporting as per business
requirements and as agreed with business project manager shall be published to GE
businesses as per agreed frequency
Financial performance of GDC Organization at the GE Engagement level as well as the
GDC parent organization level shall be submitted to GE GDC Program Office on a
quarterly basis
Anticipated or actual change in ownership or financial status, public listing, change in
constitution of the controlling board, mergers and acquisitions, upgrading/downgrading
of financial ratings shall be disclosed to GE GDC Program Office, as long as the disclosure
does not violate any Securities and Exchange Commission rules, regulations or other
applicable laws
Merger and Acquisition of the GDC parent organization with any of the known
competitors of GE is not permitted without a prior notification to GE GDC Program Office
GDC shall ensure that any data being reported to GE is verified for completeness and
accuracy before being reported
Minimum Audit Requirements
Evidence of contractual data being published to GE in a timely manner
Evidence of pre-reporting verifications on completeness and accuracy of contractual data
being reported to GE
MSA Linkage
Sections 4.5, 4.7, 4.21, 5.9, 5.20
Related Practices
All practices
eGDC Suite Linkage
EMeasure, eInvoice, Contacts, eGDC Toolset
Online Resources
Program Reporting Requirements - Additional Guidelines





9.3 Working for Competitors (MATURE)

POLICY
Allocation of GDC resources/sub-contractors that have worked on a GE Task Order,
to a project with similar nature of work for a potential GE business competitor,
within twelve months of disengagement from GE Task Order is not permitted.

GOALS
0 instances of resource allocation from GE to engagements with GE's competitors

RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate
procedures and controls are implemented to meet the goals of this Practice. The specific
responsibilities are:
WFC 1.0 Establish and maintain a process to identify, assess and treat potential conflict of
interest (COI) in allocating resources to non-GE engagements; seek approval from GE for
potential COI cases
As a stakeholder of this Practice, GE Businesses are responsible for ensuring that the risks of
such potential placements are understood when reviewing GDC requests for placement of
resources in potentially conflicting accounts. The specific responsibility of GE is:
WFC 2.0 Review/Assess potential COI cases raised by GDC and provide feedback/approval

OPERATING GUIDELINES
WFC 1.0 Establish and maintain a process to identify, assess and treat potential
conflict of interest (COI) in allocating resources to non-GE engagements; seek
approval from GE for potential COI cases
GDC shall ensure that no resource that has been off-boarded from GE is assigned to work
on a potentially conflicting engagement with a competitor of GE for a period of 12
months from the date of off boarding of the specific GE engagement.
The scope for this risk assessment includes all the business engagements that the
resource worked on in the 12 month period (and not just the last engagement)
The risk assessment will continue to be carried out for a period of 12 months
from the date of the last off-boarding from GE
In case a resource has to be deployed on any engagement with a potential competitor of a
specific GE business from where the resource was off-boarded within the last 12 months,
GDC shall perform a detailed risk assessment that identifies the potential conflict and
seek an exception approval from the GE Business VMO Leader/GE GDC Program Office.
On formal written approval to deploy the resource, GDC may proceed with deployment. If
the request is rejected or is not responded to by GE, GDC shall not proceed with
deployment of the resource.
If no potential conflicts are seen with the deployment, GDCs may deploy the
resources without any prior approval from GE
All resources with less than 2 years of total work experience may be exempted
from approval unless the role involves GE business process or application
architecture exposure.
The GDC's affiliated companies may engage in work or business for GE competitors,
provided that such affiliated companies have not received or had access to any GE
Information
Sub-contractor organizations (inclusive of special partners to GDCs) shall conform to the
stated policy and guidelines on allocating resources to working with competitors of GE
GDC shall maintain evidences of formal assessment of conflict and approvals for
deployment
Minimum Audit Requirements
Evidence of identification of potential competitors to GE Businesses in the context of the GDC
Parent Organization environment
Evidence of formal assessment of conflict/risk of conflict for deployment into competitor
organization
Evidence of approval from GE for deployment in potential conflict scenario
MSA Linkage
Sections 3.16, 5.22
Related Practices
Practices of Data Security, Sub-contractor Management
eGDC Suite Linkage
Ad-hoc Approvals
Online Resources
Not Applicable

10.0 Operations Management












FIGURE 13 Operations Management Practices & Linkages

10.1 Site Communications Infrastructure Management (ELEMENTARY)

POLICY
GDC shall maintain appropriate communications infrastructure as required for
continued effective operations and delivery from its Certified Sites. This shall
include communications technology hardware, software and associated support
services, such as telephones, amenities, and communication facilities like video-conferencing
and adequate telephone lines and failure backup facilities. GDC is required to be linked to the
Company's locations via high speed data link(s) connecting to Company's recommended PoP or
Company's network service provider. GE GDC Network uptime shall be 100%. Sustained network
performance shall be as per GE expectations
The purpose of this Practice is to ensure that GDCs adhere to communications infrastructure
performance and availability requirements and establish controls for proactive monitoring &
remediation of infrastructure health issues before they impact GE engagements.

GOALS
100% Redundancy & Validity of all equipment & devices at all GDC sites
0 instances of performance bottlenecks or availability challenges due to inadequate
network bandwidth
0 instances of inadequate voice channels for communications
0 impact on GE engagements due to infrastructure performance & availability issues

RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate
procedures and controls are implemented to meet the goals of this Practice. The specific
responsibilities are:
CIM 1.0 Maintain equipment standards of GOLD Site; ensure redundancy
CIM 2.0 Manage equipment & network for High performance & availability

OPERATING GUIDELINES
CIM 1.0 Maintain equipment standards of GOLD Site; ensure redundancy
A GDC Site supporting multiple businesses or at least 1 critical operation shall be classified
as a GOLD Site.
In exception cases, where a Certified Site caters exclusively to a single business
with non-critical operations ONLY (identified as a part of Site Certification and
signed-off as such), the Site shall be classified as a SILVER site.
GOLD Sites shall maintain redundancy on network infrastructure (equipment, devices
and the link over the last mile). The backup devices and links shall be of the same
specification as the primary ones
In case of SILVER sites, while redundancy is mandatory across all devices,
equipment & links, the specifications may be varied for the secondary/backup
devices
GDC shall ensure high speed connectivity to GE recommended PoP
The Voice Channels shall be dedicated to GE GDC and redundancy shall be maintained
on voice infrastructure
CIM 2.0 Manage Equipment & Networks for High Performance & Availability
GDC shall monitor all equipment for performance to the expected standards
GDC shall ensure that appropriate Health checks are performed on all devices on a
periodic basis.
GDC shall have valid maintenance/warranty contracts in place to enable immediate
resolution should there be an incident involving any device.
GDC shall proactively monitor end of life of equipment and devices and ensure that no
device/equipment which has reached end of life is a part of the GE GDC Infrastructure
Link capacity utilization shall be monitored by GDC on a daily basis. Peak utilization shall
not exceed 60% over a fifteen minute time period over a 10-hour day. If threshold is
exceeded, GDC shall upgrade capacity
GDC shall have a formal planning & forecast process to assess capacity
requirements based on business plan. The process shall take into account the
size, the network design (dependencies for other sites needs to be taken into
consideration) and the applications being accessed
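The fifteen-minute peak utilization rule above is the kind of threshold a daily monitoring job checks. The following is an added example, not code from the GE handbook: it evaluates constructed per-minute link utilization samples for one 10-hour day against the 60% threshold and reports each breaching window, which is the evidence a review of bandwidth monitoring would look for. The sample data, the 08:00 day start and the per-minute sampling interval are assumptions.

```python
"""Daily link-utilisation threshold check (added example, not GE handbook code).

Implements the CIM 2.0 rule: peak utilisation must not exceed 60% averaged over
any fifteen-minute period within a 10-hour day. Per-minute samples and the
08:00 day start are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterator, List, Tuple

THRESHOLD_PCT = 60.0            # guideline threshold
WINDOW_MINUTES = 15             # guideline averaging period
BUSINESS_DAY_MINUTES = 10 * 60  # 10-hour monitored day


@dataclass(frozen=True)
class Breach:
    """A run of overlapping windows whose mean exceeded the threshold."""
    start_minute: int    # offset from day start of the first breaching sample
    end_minute: int      # offset of the last sample in the last breaching window
    peak_avg_pct: float  # worst 15-minute average seen in the run


def rolling_means(samples: List[float], width: int) -> Iterator[Tuple[int, float]]:
    """Yield (start_index, mean) for each contiguous window of `width` samples."""
    if width <= 0 or len(samples) < width:
        return
    running = float(sum(samples[:width]))
    yield 0, running / width
    for i in range(width, len(samples)):
        running += samples[i] - samples[i - width]   # slide the window by one
        yield i - width + 1, running / width


def coverage_complete(per_minute_pct: List[float]) -> bool:
    """True when the day has a sample for every monitored minute (no gaps)."""
    return len(per_minute_pct) >= BUSINESS_DAY_MINUTES


def find_breaches(per_minute_pct: List[float],
                  threshold: float = THRESHOLD_PCT,
                  window: int = WINDOW_MINUTES) -> List[Breach]:
    """Return merged breaches for one day of per-minute utilisation samples.

    per_minute_pct[i] is the utilisation (0-100) sampled i minutes after the
    day start; only the first BUSINESS_DAY_MINUTES samples are evaluated.
    Overlapping breaching windows are merged so one sustained spike is one item.
    """
    samples = per_minute_pct[:BUSINESS_DAY_MINUTES]
    breaches: List[Breach] = []
    for start_idx, mean in rolling_means(samples, window):
        if mean <= threshold:
            continue
        end_idx = start_idx + window - 1
        if breaches and start_idx <= breaches[-1].end_minute:
            prev = breaches[-1]
            breaches[-1] = Breach(prev.start_minute, end_idx,
                                  max(prev.peak_avg_pct, mean))
        else:
            breaches.append(Breach(start_idx, end_idx, mean))
    return breaches


def build_sample_day() -> List[float]:
    """Constructed data: 35% baseline with an 85% spike from minute 150 to 169."""
    day = [35.0] * BUSINESS_DAY_MINUTES
    for m in range(150, 170):
        day[m] = 85.0
    return day


def describe(day_start: datetime, breach: Breach) -> str:
    """Render a breach as a human-readable line for the daily monitoring record."""
    start = day_start + timedelta(minutes=breach.start_minute)
    end = day_start + timedelta(minutes=breach.end_minute)
    return (f"{start:%H:%M}-{end:%H:%M}: 15-min average peaked at "
            f"{breach.peak_avg_pct:.1f}% (threshold {THRESHOLD_PCT:.0f}%)")


if __name__ == "__main__":
    day_start = datetime(2024, 1, 15, 8, 0)   # assumed 08:00 start of the day
    samples = build_sample_day()
    if not coverage_complete(samples):
        print("monitoring gap: fewer samples than monitored minutes")
    for b in find_breaches(samples):
        print(describe(day_start, b))
```

A 20-minute spike is reported as one breach spanning every fifteen-minute window it pushes over 60%, not as twenty separate alerts, so the daily record stays readable.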
GDC shall proactively set policies to ensure proper use of network bandwidth for business
purpose and monitor bandwidth use
Where GDC introduces new services (Voice or Video) on the network, GDC shall
ensure appropriate estimation of bandwidth impact and proactively plan
mitigations to avoid impact on Use/Access/Delivery on GE Engagements
GDC shall proactively define performance thresholds that trigger analysis and/or change
management process
GDC shall monitor end user (GDC) experience performance of GE applications using
appropriate methods. If performance drops to a level where it impacts productivity of
GDC users at the site, Root Cause Analysis shall be undertaken for curative action and the
appropriate fixes applied
GDC shall ensure adequate phones/dialcoms are made available for project use. The
recommended ratio is 1 voice channel for every 4 projects/15 GDC resources
Minimum Audit Requirements
Evidence of equipments maintained as per GOLD Site standards
Evidence of equipment health & life monitoring as per plan
Evidence of network bandwidth planning, forecasting & monitoring
MSA Linkage
Sections 4.23
Related Practices
Incident Management, GDC Site Management
eGDC Suite Linkage
Site Equipment Information Report, GDC Site Management, Adhoc Approvals
Online Resources
GIS
10.2 GDC Site Management (ELEMENTARY)

POLICY
GDC shall operate from GE Certified Sites. GDC shall ensure that any extension/de-commission
of sites is carried out in compliance with GE Guidelines for secure sites.
The policy also applies to GDC Partner sites
The purpose of this practice is to ensure that GDCs operate from certified sites that are fully
compliant

GOALS
0 instances of GE related work being carried out from locations other than GE Certified
sites (or GE Sites)
0 violations on Site Compliance

RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate
procedures and controls are implemented to meet the goals of this Practice. The specific
responsibilities are:
GSM 1.0 Manage New Site Approvals (TG1 to TG4)
GSM 2.0 Manage Site Information
GSM 3.0 Manage Site Certifications (TG5)
GSM 4.0 Manage Site Extensions
GSM 5.0 Manage Site Surrender
As a co-owner of this Practice, GE Businesses are responsible for ensuring that potential risks of
USE of unauthorized sites are understood and avoided
GSM 6.0 Prevent risks for GE by not encouraging GDC resources to work from unauthorized
locations

OPERATING GUIDELINES
GSM 1.0 Manage New Site Approvals
GDC shall provide off-site services to GE only from GE certified GDC sites
New sites may be planned for within host country (or) in new countries and may be set-up
to cater to growth, globalization, de-risk or as a transition from an existing site to a new
one
New sites may be Offshore, Nearshore or Proximity sites. Proximity sites are typically
those set-up in High cost countries with the objective of providing in-country support to
GE Businesses
Offshore and Nearshore sites are by default Regular sites (200+ FTE Operations).
Proximity sites may be a small site (up to 50 FTE) or a medium site (> 50 and < 200 FTE)
New sites may be used for broad-based services covering ITO, BPO and Engineering or be
used for specific combination of services
New sites may offer regular services or special services like Export Control, NPI, to name
a few. The special services may require a restricted area to be set-up within the scope of
the GE GDC
Certification of new sites shall follow a 4 stage Tollgate process the stages are as
follows
TG1 Business Case for setting up a new GDC site. GDC shall submit a proposal
that shall at minimum cover information on justification for a new site supported
by appropriate business sponsorships, forecasts for the proposed site, and site
strategy in terms of services, people, and technology. GE GDC Program Office
may choose to approve the Business Case, which enables the GDC to move to the
next tollgate. The Program Office may choose to reject the business case.
TG2 Compliance to Physical Infrastructure requirements focused on physical
security & safety. GDCs internal audit team shall conduct a physical verification of
the site readiness and report the same before GE undertakes physical verification.
GEs clearance of the sites readiness on physical security & safety is a must to
proceed to the next tollgate
OPERATING GUIDELINES
P R OGR A M G O V E R NA NC E F R A ME WOR K
GE PROPRIETARY & CONFIDENTIAL RELEASE V1.7 154 of 185
If the site is proposed to offer special services requiring restricted access, the
guidelines on restricted access sites shall be followed
TG3 Compliance to Communication Infrastructure requirements and Designing
a secure network connection. This phase commences once GE formally approves
the TG2. GDC shall ensure that the local network infrastructure is set-up and in
compliance with GEs requirements. GDC shall work with GIS and GE Information
Security team to ensure that the network design is secure and the equipments are
as per GEs standards for connectivity to GE network
If the site is proposed to offer special services requiring restricted access, the
guidelines for network security on restricted sites shall be followed
TG4 Network Connectivity sign-off and uplink the final stage of the 4 step
process, this step is used as a validation point to ensure that open actions (if any)
associated with the previous stages are completed and risks are mitigated. Based
on approval from GE GDC Program Office, the uplink to GE Network is provided
A site is considered ready for Operations once it is TG4 approved by GE
GSM 2.0 Manage Site Information
GDC shall ensure that information related to every one of the Approved sites is updated
on GE repository
The information to be maintained current (to be updated as and when changes occur),
are
Site Contact List
Site capacity (GE GDC) & Utilization
Site Proxy Information
Equipments & Devices at the Site (Communications Infrastructure) along with
specifications, end of life information
Bandwidth subscription
Standard SLAs for Site recovery
Night Shift work applicability
Information and Evidence on External Certifications related to Physical
Infrastructure, Physical Security, EHS and the like, where applicable
P R OGR A M G O V E R NA NC E F R A ME WOR K
GE PROPRIETARY & CONFIDENTIAL RELEASE V1.7 155 of 185

GSM 3.0 Manage Site Certifications
GDC shall ensure that all sites that are approved for operations are certified within 3 to 6
months of the approval for operations (TG4 approval date)
Deviations on timelines for Certifications, shall be pre-approved by Program Office
GDC shall plan the TG5 Certification and communicate the same to GE GDC Program
Office at least a month prior to the start of the Certification process
The Certification process involves the following steps
A full audit of the Site by the GDCs Internal Audit team (or) the External Auditor
Post-Audit review with GE
Certification Audit shall cover all practice areas and shall be carried out as a formal audit
GDC Internal Audits team shall be responsible for completing the Self-Certification
Audit
Certification Audits may be included into scope of External Audits if the external
audits are due within a period of 6 months from the date of site approval
Audits shall additionally focus on closure of all pending action items from the Site
Approval process
Audit observations and findings shall be formally reported to GE
GEs Post-Audit Review of the Site may include one or more of physical site verification,
spot audit, Q&A session or a review discussion
Gaps/Deviations shall be reviewed and appropriate action plans agreed upon
GE shall certify the site if there are no major gaps/deviations identified as a part of
the Certification Audit
Where major gaps/deviations are found, GE may decide to provide GDC with
additional time to fix the challenges and get a re-certification done within a period
of 3 months

P R OGR A M G O V E R NA NC E F R A ME WOR K
GE PROPRIETARY & CONFIDENTIAL RELEASE V1.7 156 of 185

GSM 4.0 Manage Site Extensions
Site extensions process applies to the following scenarios
New physical area (within the same building or campus of an existing certified
site) to be included into GE GDC Program, including temporary arrangements.
Conversion of a part of an existing certified area to an access restricted unit for
performing business-sensitive work (Export Control (where applicable), IP
development and the like)
GDC Site extensions, if planned, shall follow the same process as a new site set-up (TG1 to
TG4)
Site extensions shall be initiated only after the Business case (TG1) is approved
Physical Security readiness (TG2) would be a mandatory requirement for all site
extensions
Depending on the scope of the extensions, GE may decide on the need for a
Physical Security Verification as well as the Network Security readiness (TG3) and
Network Connectivity readiness (TG4) process steps
Where seen as essential process steps, GDC shall follow the guidelines for a
new site and complete the TG2, TG3 and TG4 process steps
Where a process step is not seen as essential, GE shall provide a waiver
Site extensions become operational once they are TG4 approved or through the Waiver
process, approved for operations
Extended parts of certified sites shall be treated as certified units and would therefore not
require a separate Site Certification formality
GSM 5.0 Manage Site Surrender (Full/Partial De-Commissions)
Site surrender process applies to the following scenarios
Full De-commission of existing sites (Site shut down/Site transition)
Partial surrender of existing sites (conversion from GE access restricted to non-GE
access)
P R OGR A M G O V E R NA NC E F R A ME WOR K
GE PROPRIETARY & CONFIDENTIAL RELEASE V1.7 157 of 185
Conversion of restricted access GE GDC Sites to regular GE GDC Sites (restricted
work areas to regular GE GDC work area)
Site surrender shall follow the 3 step Tollgate process involving business case submission
(TG1), planning the surrender (TG2) followed by the actual surrender (TG3)
GDC shall submit the Business case for surrender, well in advance of the surrender to
enable proper planning. The business case shall clearly articulate the rationale for the
decision to surrender fully/partially/convert site status along with assessment of
potential impact to GE Businesses and the mitigation plans to minimize impact
Surrender planning shall involve the planning for surrender operations start and end.
GDC shall provide tentative dates for transition of delivery & operations, surrender of
assets (data/information and physical assets), network infrastructure and finally the
physical infrastructure at the site
This plan shall be discussed and agreed upon with GE before the surrender
operations commence
GDC shall continuously update GE on the status of the surrender operations. GDCs
internal audit team shall audit every stage of surrender and sign-off on the
completion of the surrender activities.
On completion of all the activities associated with the surrender, GDC shall submit to
GE a formal surrender report inclusive of the formal Internal Audit report of the site
surrender
GE may decide to perform physical verification of surrender operations at the final
stage of the surrender or during any of the interim stages
GEs approval of the site surrender shall be mandatory for the surrender operations to
be completed
Minimum Audit Requirements
Evidence of individual tollgate approvals for every new site established/in progress, site
extensions, site surrenders
Evidence of internal audit on TG2 prior to submission to GE for physical verification
Evidence of internal audit on Surrender Operations prior to submission to GE
Evidence of exception approvals for commencing operations at site prior to completion of the
4 tollgate process
MSA Linkage
P R OGR A M G O V E R NA NC E F R A ME WOR K
GE PROPRIETARY & CONFIDENTIAL RELEASE V1.7 158 of 185
Section 4.25
Related Practices
Physical Security, EHS, Systems Management, Business Continuity Management, Supplier
Connectivity, Vulnerabilities Management, Engagement Termination/Closure, Data
Classification, Confidentiality, Privacy & IP Management
eGDC Suite Linkage
New Site Approval
Site Extensions
Site De-Commission
Site Information Management*
Online Resources
Additional Guidelines for Site Management

P R OGR A M G O V E R NA NC E F R A ME WOR K
GE PROPRIETARY & CONFIDENTIAL RELEASE V1.7 159 of 185
10.3 Assets Governance (ELEMENTARY)

POLICY
GDC shall be responsible for appropriate usage and controllership for all assets (hardware, software and VPN tokens, inclusive of those that are GE supplied) in use towards servicing GE. An updated inventory of all assets shall be maintained.
The purpose of this Practice is to establish controls to track, monitor and report use of all assets and to prevent violation of any software license usage agreements, improper use of GE supplied assets and of other GDC assets used in servicing GE.

GOALS
100% of assets in GE GDC are tracked and monitored for appropriate use
0 instances of controllership issues or asset loss/damage of GDC / GE Assets

RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:
AGN 1.0 Manage assets
AGN 2.0 Manage use of GE provided assets
As a key stakeholder of the practice, GE shall:
AGN 3.0 Provide appropriate authorization documentation for temporary USE of a GE Asset while assigning the asset to a project/resource
AGN 4.0 Document & track GE Supplied assets allocated to GDC, for proper USE

OPERATING GUIDELINES
AGN 1.0 Manage Assets
GDC shall be responsible for providing its resources with all hardware, software and any other assets that may be required for the delivery of services to GE, as per the GE recommended build.
GDC shall maintain an updated inventory of all hardware assets in use by GDC resources, irrespective of the location of use or the ownership of the assets.
Assets belonging to GE shall be clearly identified in the inventory.
Every Asset shall be uniquely identifiable and traceable to its physical location.
Asset properties/characteristics, asset location, user and use period shall be clearly defined for every asset in the inventory.
Shared Assets shall be clearly identifiable.
GDC shall establish a formal process for hardware asset movement in/out of GE GDC and asset allocation to GDC resources.
GDC shall track the physical movement of assets.
Asset movement outside of the GE GDC area is not permitted as a general rule unless otherwise approved by the Asset Governance Leader or an authorized person.
Sharing of assets (beyond servers, printers and network equipment) is not permitted. In exception cases, the controls shall be discussed with the GE GDC Program Office and documented. Any logs/evidence shall be maintained.
GDC computer systems shall be pre-loaded with a GDC coreload that is in line with the GE Coreload. GDCs shall also ensure alignment to business specific coreload wherever specified.
The GDC shall procure their own software licenses for the coreload (with the exception of Sophos and WebEx Connect).
GDC shall establish and follow a formal process for installation and use of software licenses beyond the standard set of coreload software licenses.
Every such installation shall be approved by an appropriate approving authority within the GDC Organization.
Software licensed to GDC shall be used only on GDC owned computer systems.
GDC shall maintain an inventory of all software licenses deployed on individual GDC systems within GE GDC or in use by GDC resources. The inventory shall clearly identify software type, license ownership and license quantity (entitled and in use).
Physical reconciliation of all assets in use by GE GDC resources or at GDC locations shall be carried out at a minimum once in 6 months.
AGN 2.0 GE Supplied Assets Governance
In exception cases, where GE provides any asset (hardware, software or other asset) to the GDC for TEMPORARY USE, GDC shall ensure that such assets are tracked and managed appropriately.
Every asset (with the exception of VPN Tokens) supplied by GE shall be received along with appropriate documentation of the approval from GE (business specified authorized person), along with terms of use, surrender and appropriate commercial declarations (where applicable). Terms around usage, location of use, purpose of use, period of use and return shall be explicitly understood.
If assets are paid for by GE but procured by GDC with terms of surrender to GE at the end of the USE period, clear documentation shall be maintained between GE, GDC and the vendor (for example, in the case of software licenses) on the transferability and terms of transfer, inclusive of transfer pricing, legalities and the like. GDC shall ensure that the terms of usage, surrender and the end of use process are agreed to up-front.
Where there is a need to extend the use of these assets beyond the approved use period, or to extend use beyond the originally approved locations/purpose, GDCs shall follow the renewal and change request processes.
In cases where GE assets are issued to named resources, exit of the resource or completion of the engagement shall lead to the surrender and end of use process being initiated. In the case of software licenses, such software shall be uninstalled before the system is handed over to another resource.
GE supplied assets shall be tracked and monitored for their intended use at the approved location from the time the asset comes into GDC custody to the time it is surrendered.
Use of the Asset at a location beyond the approved locations shall be done only if the use has been explicitly approved by an authorized GE Manager, in writing.
Assets (for example, GE calling cards, where provided by GE) that are permitted for use only from GE Sites shall not be used by GDC resources for purposes other than GE Business, and from authorized locations only.
Assets provided for use at a GE Site shall be surrendered to GE on completion of the engagement at the specified site/business. In case assets are carried back to the GDC site, the handling and surrender responsibility lies with the GDC.
GE supplied assets (with the exception of VPN Tokens) shall be returned to GE at the end of the approved period of use.
Release of an asset shall be as agreed with the GE Business, and evidence of such agreements and release shall be maintained by GDC.
VPN Tokens may be re-issued within the GE GDC as permissible by the GE Business unit. Traceability of such reuse/re-allocations shall be enabled.
GE supplied asset usage shall be tracked, monitored and reported to GE as per the reporting requirements indicated by GE GDC Program Office.
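AGN 1.0 and AGN 2.0 above describe what the asset inventory must carry: uniquely tagged assets traceable to a location and user, GE-supplied assets marked and tracked against an approved use period and approved locations (VPN tokens excepted from the return rule), a software license inventory showing entitled versus in-use quantities with GDC-licensed software confined to GDC-owned systems, and a physical reconciliation at least once in 6 months. The Python script below is an added example of running those checks over such an inventory; it is not GE's or any GDC's tooling. Every asset tag, user name, location, product, date and the 183-day window standing in for six months is a constructed assumption.

```python
"""Asset governance reconciliation over a constructed inventory.

Added example (not GE's or any GDC's tooling): it runs the checks that
AGN 1.0 and AGN 2.0 call for against the kind of inventory those guidelines
require. All asset tags, user names, locations, dates and products are
constructed sample data; the 6-month reconciliation window is taken as 183 days.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

SIX_MONTHS = timedelta(days=183)                      # "at a minimum once in 6 months"
UNATTENDED_KINDS = {"server", "printer", "network"}   # shared kinds that carry no named user


@dataclass
class HardwareAsset:
    tag: str                    # unique asset tag, traceable to a physical location
    kind: str                   # laptop, server, vpn_token, ...
    owner: str                  # "GDC" or "GE" (GE-supplied assets must be marked)
    location: str
    user: Optional[str]
    use_end: Optional[date]     # end of the approved use period (GE-supplied assets)
    approved_locations: Tuple[str, ...] = ()
    last_reconciled: Optional[date] = None


@dataclass
class SoftwareLicense:
    product: str
    owner: str                  # "GDC" or "GE"
    entitled: int               # licensed quantity


Finding = Tuple[str, str, str]  # (severity, asset tag or product, message)


def reconcile(hardware: List[HardwareAsset], licenses: List[SoftwareLicense],
              installs: List[Tuple[str, str]], today: date) -> List[Finding]:
    """Compare the inventory against the AGN rules; installs are (host tag, product)."""
    findings: List[Finding] = []

    # AGN 1.0: every asset uniquely identifiable, located, reconciled twice a year
    for tag, n in Counter(a.tag for a in hardware).items():
        if n > 1:
            findings.append(("HIGH", tag, f"asset tag recorded {n} times; tags must be unique"))
    for a in hardware:
        if not a.location or (a.user is None and a.kind not in UNATTENDED_KINDS):
            findings.append(("MEDIUM", a.tag, "location or user not recorded"))
        if a.last_reconciled is None or today - a.last_reconciled > SIX_MONTHS:
            findings.append(("MEDIUM", a.tag, "physical reconciliation older than 6 months"))
        # AGN 2.0: GE-supplied assets stay within the approved period and locations;
        # VPN tokens are exempt from the return rule and may be re-issued
        if a.owner == "GE":
            if a.kind != "vpn_token" and a.use_end is not None and today > a.use_end:
                findings.append(("HIGH", a.tag,
                                 f"GE-supplied asset past approved use period ({a.use_end}); "
                                 "return or renewal/change request required"))
            if a.approved_locations and a.location not in a.approved_locations:
                findings.append(("HIGH", a.tag,
                                 f"GE-supplied asset at '{a.location}', not an approved location"))

    # AGN 1.0: license inventory shows entitled vs in use; GDC licenses only on GDC systems
    owner_of = {a.tag: a.owner for a in hardware}
    by_product = {lic.product: lic for lic in licenses}
    for product, n in Counter(p for _, p in installs).items():
        lic = by_product.get(product)
        if lic is None:
            findings.append(("HIGH", product, f"{n} install(s) with no license record"))
        elif n > lic.entitled:
            findings.append(("HIGH", product, f"{n} in use vs {lic.entitled} entitled"))
    for host, product in installs:
        lic = by_product.get(product)
        if lic is not None and lic.owner == "GDC" and owner_of.get(host) == "GE":
            findings.append(("HIGH", host, f"GDC-licensed '{product}' installed on a GE-owned system"))
    return findings


def run_sample() -> List[Finding]:
    """Constructed inventory exercising each rule; returns the findings."""
    today = date(2010, 6, 1)
    ok = date(2010, 3, 15)          # reconciled 78 days ago: within the window
    site = "Bangalore-GDC-Floor3"   # constructed location name
    hardware = [
        HardwareAsset("LT-0001", "laptop", "GDC", site, "a.user", None, (), ok),
        HardwareAsset("LT-0002", "laptop", "GDC", site, "b.user", None, (), date(2009, 10, 1)),
        HardwareAsset("GE-LT-0107", "laptop", "GE", site, "c.user", date(2010, 5, 31), (site,), ok),
        HardwareAsset("GE-TOK-2210", "vpn_token", "GE", site, "c.user", date(2010, 5, 31), (site,), ok),
        HardwareAsset("GE-LT-0108", "laptop", "GE", "Home-Office", "d.user", date(2010, 12, 31), (site,), ok),
        HardwareAsset("SRV-0010", "server", "GDC", "Bangalore-GDC-DC", None, None, (), ok),
    ]
    licenses = [SoftwareLicense("IDE Pro", "GDC", 2), SoftwareLicense("Sophos AV", "GE", 10)]
    installs = [("LT-0001", "IDE Pro"), ("LT-0002", "IDE Pro"), ("GE-LT-0107", "IDE Pro"),
                ("LT-0001", "Sophos AV"), ("LT-0002", "Sophos AV"), ("LT-0001", "Diagram Tool")]
    return reconcile(hardware, licenses, installs, today)


if __name__ == "__main__":
    for severity, subject, message in run_sample():
        print(f"{severity:6} {subject:12} {message}")
```

On the sample data the script raises six findings: an overdue reconciliation on LT-0002, the GE laptop GE-LT-0107 past its approved use period and also carrying GDC-licensed software, GE-LT-0108 in use at a location that was never approved, IDE Pro deployed three times against two entitlements, and an install with no license record at all; the expired VPN token is deliberately not flagged, matching the token exception in AGN 2.0. In practice the inventory would be read from the asset register and the install list from an endpoint agent, but the rules stay the same.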
Minimum Audit Requirements
Asset Inventory
Evidence of approval addendums for GE Supplied Assets (with the exception of VPN Hard Tokens)
Evidence of extension approvals, external use approvals and surrenders
MSA Linkage
Sections 4.2, 4.5, 4.6
Related Practices
Physical Security, Systems Management, Business Continuity Management, Supplier Connectivity, Vulnerabilities Management, GDC On-boarding/Off-boarding, Engagement Termination/Closure
eGDC Suite Linkage
Hardware Assets Management
Software Assets Management
Online Resources
Additional Guidelines for GE provided Software Licenses use, GE Software USE Guidelines

10.4 Software Governance (ELEMENTARY)

POLICY
GDCs shall only use authorized software to service all GE engagements.
The purpose of this Practice is to enforce software governance compliance in GDCs to prevent any legal risks to GE due to improper and unauthorized use of software.

GOALS
0 incidents of software license usage agreement violation for all software
0 instances of freeware/shareware/trial-ware/open source embedded in any product/application delivery to GE
0 instances of any unauthorized software installation and usage

RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:
SG 1.0 Establish & manage software installation & usage
SG 2.0 Establish & maintain a process for no-cost, low-cost software installation and use across the GE GDC organization (inclusive of use in GE deliverables)
SG 3.0 Restrict software that can pose risk to GE or the GE GDC environment
As a co-owner of this Practice, GE Businesses are responsible for ensuring that freeware/shareware/open source is not recommended for installation/use in the GDC environment or as a part of GE deliverables. The specific responsibilities are:
SG 4.0 Be aware of GE Software USE Guidelines and adhere to GE Guidelines on GDC USE of third party software licensed to GE
SG 5.0 Validate and verify with the Software Governance Council the appropriate USE of no-cost, low-cost software in GE applications/software

OPERATING GUIDELINES
SG 1.0 Establish & manage software installation process
Software used in GE engagements shall be either procured by the GDC organization or formally approved by GE.
Download and installation of software shall be disabled by default. In case of an exception, the GDC information security leader shall approve the request for download/installation.
The software governance leader for the respective business shall authorize GE Proprietary software use.
GDC coreload should be aligned with GE coreload. If the business has additional requirements in terms of coreload, those also shall be incorporated. In case of deviations from GE recommended coreload products, GE GDC Program security leader approval should be obtained.
Approval for all non-Coreload software installations shall be time bound.
The GE GDC security leader shall monitor that personal software is used appropriately.
SG 2.0 Establish & maintain a process for no-cost, low-cost software installation and use across the GE GDC organization (inclusive of use in GE deliverables)
Freeware/shareware/spyware/trial-ware/open source shall not be embedded in any product/application delivery to GE. In case of exceptions, GE Business security leader approval shall be obtained and all such use declared to GE GDC Program, for tracking purposes.
Any use of open source/freeware/shareware software in the GE GDC environment shall be permitted only if such software has been formally evaluated, security assessed and approved for USE (on a periodic basis) by the GDC Security Leader and GDC legal team.
GDC shall ensure that all such low-cost, no-cost software approved for use in the GE GDC environment is re-assessed for potential security vulnerabilities and licensing on a periodic basis (at least once in 6 months).
In the event that use of such software is required to be discontinued, GDC shall ensure that use of such software is discontinued and existing installations of such software are removed totally.
GDC shall report all such software approved for use in the GE GDC environment.
SG 3.0 Restrict software that can pose risk to GE or the GE GDC environment
Use or installation of any software that can cause risk to GE or the GE GDC environment is prohibited. A few such types of software are listed below:
Spyware
Instant messaging or social networking software like Yahoo, GTalk, MSN etc.
Any tools that are designed to interfere with normal patching or management of your PC or circumvent technology controls in the GE environment
Non-authorized PC remote control software
Peer-to-peer or other file sharing software
Skype or other voice-chat programs
Hacking tools (password crackers, web site fuzzers, packet sniffers, etc.)
Use/installation of personal software (e.g. mobile, camera, iPods) on GE/GDC assets shall be done only with the approval of the GE GDC security leader.
Installation of unlicensed software/copyright material (e.g. MP3 files, videos, stock photography) is prohibited in GDC and in any product/application delivery to GE.
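SG 1.0 to SG 3.0 above reduce to a small set of decisions per installed product: coreload needs no approval, anything else needs a time-bound approval, no-cost software is permitted only while its six-monthly assessment is current and must be removed once discontinued, the listed categories are prohibited outright, and FOSS may appear in a GE deliverable only as a declared exception. The Python script below is an added example, not GE's or any GDC's tooling, that applies those decisions to a constructed per-host software list and a constructed deliverable manifest. The coreload contents, approval records, FOSS register, product and host names, dates and the 183-day window standing in for six months are all assumptions made for the example.

```python
"""Software governance check over constructed endpoint inventories.

Added example (not GE's or any GDC's tooling): it applies SG 1.0 to SG 3.0 to
a per-host list of installed software and to a deliverable's embedded
components. Coreload contents, approvals, the FOSS register, product names,
hosts and dates are all constructed; "6 months" is taken as 183 days.
"""
from datetime import date, timedelta
from typing import Dict, List, Set, Tuple

SIX_MONTHS = timedelta(days=183)

# SG 3.0: categories the handbook prohibits outright (category labels are constructed)
PROHIBITED_CATEGORIES: Set[str] = {
    "spyware", "instant_messaging", "patch_circumvention",
    "unauthorized_remote_control", "peer_to_peer", "voice_chat", "hacking_tool",
}

# SG 1.0: the standard coreload needs no per-install approval
CORELOAD: Set[str] = {"OS Patch Agent", "Sophos AV", "Office Suite", "WebEx Connect"}

# SG 1.0: non-coreload approvals are time bound (product -> approval expiry)
APPROVALS: Dict[str, date] = {"IDE Pro": date(2010, 12, 31), "Old Report Tool": date(2010, 3, 31)}

# SG 2.0: FOSS register (product -> (status, date of last security/licensing assessment))
FOSS_REGISTER: Dict[str, Tuple[str, date]] = {
    "libxml-foo": ("approved", date(2010, 5, 1)),
    "build-tool": ("approved", date(2009, 10, 15)),
    "old-json-lib": ("discontinued", date(2009, 9, 1)),
}

# Category tags for known risky products (constructed names)
CATEGORY: Dict[str, str] = {"LAN Messenger": "instant_messaging", "TorrentClient": "peer_to_peer"}

Finding = Tuple[str, str, str]  # (host or deliverable, product, code)


def check_host(host: str, installed: List[str], today: date) -> List[Finding]:
    """Classify each installed product against coreload, approvals, the FOSS register and bans."""
    findings: List[Finding] = []
    for product in installed:
        if CATEGORY.get(product) in PROHIBITED_CATEGORIES:
            findings.append((host, product, "PROHIBITED"))               # SG 3.0: no exception path
        elif product in CORELOAD:
            continue
        elif product in APPROVALS:
            if today > APPROVALS[product]:
                findings.append((host, product, "APPROVAL_EXPIRED"))     # SG 1.0: approvals are time bound
        elif product in FOSS_REGISTER:
            status, assessed = FOSS_REGISTER[product]
            if status == "discontinued":
                findings.append((host, product, "DISCONTINUED_STILL_INSTALLED"))  # SG 2.0: remove totally
            elif today - assessed > SIX_MONTHS:
                findings.append((host, product, "REASSESSMENT_DUE"))     # SG 2.0: at least once in 6 months
        else:
            findings.append((host, product, "UNAUTHORIZED"))             # SG 1.0: neither procured nor approved
    return findings


def check_deliverable(name: str, components: List[str], declared: Set[str]) -> List[Finding]:
    """SG 2.0: FOSS may be embedded in a GE deliverable only as a declared, approved exception."""
    return [(name, c, "UNDECLARED_EMBEDDED_FOSS")
            for c in components if c in FOSS_REGISTER and c not in declared]


def run_sample() -> List[Finding]:
    """Constructed hosts and one deliverable; returns all findings."""
    today = date(2010, 6, 1)
    hosts = {
        "LT-0001": ["OS Patch Agent", "Sophos AV", "Office Suite", "IDE Pro", "build-tool"],
        "LT-0002": ["OS Patch Agent", "Sophos AV", "Diagram Tool", "LAN Messenger"],
        "LT-0003": ["OS Patch Agent", "Sophos AV", "Old Report Tool", "old-json-lib"],
    }
    findings: List[Finding] = []
    for host, installed in hosts.items():
        findings += check_host(host, installed, today)
    # 'declared' holds the exceptions approved by the GE Business security leader
    # and reported to the GE GDC Program for tracking
    findings += check_deliverable("ProjectX-1.2", ["libxml-foo", "old-json-lib"], {"libxml-foo"})
    return findings


if __name__ == "__main__":
    for where, product, code in run_sample():
        print(f"{where:14} {product:16} {code}")
```

The prohibited-category test runs first so that a banned product is never excused by an approval record, and an expired approval is reported rather than silently treated as unauthorized, since the remediation differs (renew or remove). Feeding the script real data means replacing the constants with the GDC's coreload definition, its approval log and the FOSS repository export, and the host lists with an endpoint inventory.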
Minimum Audit Requirements
Inventory of low-cost, no-cost software used in the GE GDC environment
Evidence of assessment records (security and licensing) for such software use in GE GDC
Evidence of process adherence for use of low-cost/no-cost software in GE deliverables
MSA Linkage
Sections 4.7, 4.12
Related Practices
Systems Management, Supplier Connectivity, Vulnerabilities Management, Secure Software Delivery, Data Classification, Confidentiality, Privacy & IP Management
eGDC Suite Linkage
FOSS Repository
Embedded low cost, no cost software Projects Inventory *
Online Resources
Software Use Guidelines

10.5 Business Divestiture Management (ELEMENTARY)

POLICY
Operations associated with a divested business shall be fully and formally separated from GE GDC within the timeframe approved by GE. Such a separation shall lead to the divested business being treated as a non-GE entity.
The purpose of this Practice is to ensure that appropriate controls are designed and deployed to enable a divested business to be formally separated while ensuring protection of GE networks, IP and assets from potential non-GE access.

GOALS
Separation of the divested business shall be completed on time, as per the plan agreed with GE
No IP, information or physical assets belonging to the divested business shall be retained in GE GDC beyond what is contractually required from a retention perspective
No IP, information or physical assets belonging to GE shall be provided to the divested business beyond what is formally approved by GE

RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:
BDM 1.0 Plan, implement and track the separation of the divested business from GE GDC
As a co-owner of this Practice, GE Businesses are responsible for the flow of communication to ensure smooth separation of the divested business from GE GDC:
BDM 2.0 Provide advance notification to GE GDC Program Office and GDC to ensure adequate time for divestiture based separation planning and timely execution
BDM 3.0 Collaborate with GDC Program Office to ensure that the separation is done in compliance with the Divestiture Agreement between GE and the Divested business

OPERATING GUIDELINES
BDM 1.0 Plan, implement and track the separation of the divested business
On receipt of communication from GDC Program Office/GE Business VMO, GDC shall respond to GE GDC Program Office with a high level plan for the separation of the divested business from GE GDC.
The high level plan shall at a minimum include the dates for sign-off by the GE Business VMO and the Divested Business on the plan for separation, and the transition start and end dates.
GDC shall ensure that a detailed transition plan is submitted to GE GDC Program Office at least a month prior to the transition commencement. The detailed plan shall cover physical separation, network separation, information separation and reporting isolation.
GDC shall review the information separation plan with the GE Business VMO leader and obtain sign-off on the same.
GDC shall update GE GDC Program Office on the progress of the transition throughout the transition phase.
On completion of the transition, GDC shall submit a detailed report on the separation as per the Divestiture guidelines.
Minimum Audit Requirements
Evidence of separation planning and communication with GE GDC Program Office
Evidence of approval from GE Business VMO Leader on information separation for the divested business
Evidence of separation report submission
MSA Linkage
Not Applicable
Related Practices
Physical Security, Systems Management, Business Continuity Management, Supplier Connectivity, Engagement Termination/Closure, Data Classification, Confidentiality, Privacy & IP Management, Assets Governance
eGDC Suite Linkage
Business Divestiture Planning & Reporting
Online Resources
Additional Guidelines for Divestiture Planning

10.6 No PO, No WORK (ELEMENTARY)

POLICY
Commencing work engagements (new/renewed/extended/change request) without receipt of a valid PO (hard/soft copy of the actual Purchase Order document) is not permitted.
The purpose of this Practice is to ensure that appropriate controls are designed and deployed at the GDC Organization to ensure that engagements are commenced only with a valid PO.

GOALS
0 cases of new projects being commenced without a PO
0 cases of renewals being worked on without a PO for more than 30 calendar days

RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:
NPW 1.0 Establish PO Management process
As a co-owner of this Practice, GE Businesses are responsible for ensuring that no work is initiated without a valid PO:
NPW 2.0 Ensure that the PO process is completed and the PO shared with GDC before new engagements are commenced, or
NPW 3.0 Ensure that the PO process is completed and the PO shared with GDC within 30 days of the previous PO expiry in case of renewals, extensions and change orders

OPERATING GUIDELINES
NPW 1.0 Establish PO Management process
GDC shall ensure that any work undertaken by them for GE is done on the basis of a valid PO.
No new project can be initiated without a valid PO.
In case of renewals, work can be continued on the engagement for a maximum period of 30 calendar days after the expiry of the PO.
In case of businesses that provide short-cycle POs under a long term SOW, GDC shall collaborate with the business to ensure that early alerts are set up and the PO generated, to avoid the risk of operating without a valid PO.
Any requests by GE Managers for continuing on projects without a valid PO shall be escalated to the Global Business VMO. Such work cannot be undertaken unless otherwise approved by the Global CIO or the Global Business VMO Leader, on an exception basis.
GDC shall ensure that change requests that impact the effort/schedule of a project beyond the original contracted value/period are formalized.
GDC shall report to the GDC Program Office all work undertaken without a PO, irrespective of whether an exceptional approval had been obtained or not.
Minimum Audit Requirements
Evidence of PO being received before a new project is commenced
Evidence of PO being received within 30 days of contract expiry, in case of a project being renewed
Evidence of exception approval from GE Business VMO Leader for projects that need to be initiated/continued without a valid PO
Evidence of reporting work carried out without a valid PO to GE GDC Program Office
MSA Linkage
Section 2.7
Related Practices
GDC On-boarding/Off-boarding, Contractual Performance Reporting
eGDC Suite Linkage
eMeasure
Online Resources
Not Applicable

10.7 Invoice & Outstanding Management (ELEMENTARY)

GDC shall manage their invoicing and collections process in a manner that there
are no invoices outstanding beyond 150 days
The purpose of this practice is to ensure that GDCs manage their process for invoicing and
outstanding collections so as to minimize invoicing errors and outstanding beyond 150 days


0 invoices rejected by GE Business due to invoicing errors
0 invoices outstanding beyond 150 days


As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate
procedures and controls are implemented to meet the goals of this Practice. The specific
responsibilities are.
IOM 1.0 Establish and maintain robust process to proactively manage Invoicing &
Collections tracking
As a co-owner of this Practice, GE Businesses are responsible for ensuring that invoices are
verified for completeness and paid in a timely manner. The specific responsibilities of GE are
IOM 2.0 Ensure that Invoices are verified for accuracy and acknowledged on time
IOM 3.0 Ensure that Invoices are paid within the 120 day payment terms (or) if on TPS, with
the early payment agreement term with GDC
POLICY
GOALS
RESPONSIBILITIES
P R OGR A M G O V E R NA NC E F R A ME WOR K
GE PROPRIETARY & CONFIDENTIAL RELEASE V1.7 172 of 185



OPERATING GUIDELINES
IOM 1.0 Establish and maintain robust process to proactively manage Invoicing & Collections tracking
- GDC shall ensure that invoices are raised in a timely manner as per the payment schedules agreed with the business
- Invoices shall be checked for completeness and accuracy
- Invoices shall be sent to the appropriate stakeholder as per the GE Business defined process
- GDC shall track invoice acknowledgement and escalate to the GE Business VMO Leader those invoices which have not been acknowledged within the threshold time defined for a business
- Where invoices are not acknowledged due to a conflict, GDC shall ensure that the same is documented and taken up for resolution. Such invoices shall be identifiable
- GDC shall ensure that invoices that are agreed to be paid under the Early Payment discount term are clearly marked so and are traceable as such
- GDC shall ensure that invoices that are to be paid through service credits (either fully or partly) clearly identify the service credit amount and the associated redemption identification number on the invoice
- GDC shall ensure that payments are tracked and reconciled with invoices. Where payments are made for specific invoices, GDC shall adjust the payment amount against the invoice amount of the specified invoice only. Where a payment is made without any reference to an invoice, GDC shall collaborate with the GE Business VMO Leader for the reconciliation
- GDC shall collaborate with the GE Business VMO Leader on invoices that are not cleared beyond the 120 days payment terms

Minimum Audit Requirements
Invoice Acknowledgement & Payment reconciliation
Service Credit redemption identification mapping to Invoice
MSA Linkage
Appendix A-1
Related Practices
Contractual Performance Reporting
eGDC Suite Linkage
EMeasure, eInvoice
Online Resources
Not Applicable

10.8 Business Continuity Management (MATURE)

POLICY
Actionable Business Continuity Plan and Disaster Recovery Plan shall be maintained at the GE GDC level as well as at the application level for each GDC location, to ensure continuity of services to GE.
The purpose of this Practice is to identify risks that can impact service continuity to GE and to have effective disaster recovery plans that maintain the continuous operation of a business/service in the event of an emergency/contingency situation.

GOALS
- 0 impact on project delivery or service levels due to un-preparedness of GDC to react to and handle an emergency/contingency situation or incident that may potentially impact business continuity on GE engagements

RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:
BCM 1.0 Publish & Maintain up-to-date standards for Site-specific recovery
BCM 2.0 Ensure validity and adequacy of DR Site for each of the GDC Sites and publish the same
BCM 3.0 Establish & maintain effective Business continuity & Disaster recovery plans that are current and complete
BCM 3.1 Understand criticality of application being supported/project being delivered and establish & maintain Project specific BC/DR Plan
BCM 4.0 Execute appropriate drills to assess effectiveness of plans and treat risks identified
BCM 4.1 Execute appropriate drills to assess effectiveness of project level plan and treat risks identified
As a co-owner of this Practice, GE Businesses are responsible for ensuring that they understand the criticality of GDC preparedness to provide continuous operations in case of emergencies. The specific responsibilities of GE are:
BCM 5.0 Be aware of GDC Site constraints and GDC BC/DR capabilities and state explicitly the BC/DR requirements for critical/high impact applications & projects
BCM 6.0 Ensure appropriate RTO/RPO definition and monitor the effectiveness of the drills and potential risks for your engagement

OPERATING GUIDELINES
BCM 1.0 Publish and maintain up-to-date standards for site recovery
- GDC shall define, for each of its certified GE GDC Sites, the standard operations recovery SLAs that assure continuity of operations after an incident/disaster that impacts the continuity of operations at the site
  - SLAs shall be defined for start of critical services and for normal operations
  - GDC shall clearly define the default set of services that shall qualify as Critical Services
- GDC shall publish these standards to GE through the GDC Toolset and also ensure that the standard SLAs for recovery are a part of its responses to RFPs from GE
BCM 2.0 Ensure validity and adequacy of DR Site for each of the GDC Sites and publish the same
- GDC shall define the DR Sites applicable for each of its certified GE GDC Sites
  - A regular site with > 100 FTE shall maintain, at a minimum, an intra-city and an inter-city DR Site
  - A small site or a regular site with < 100 FTE shall maintain, at a minimum, an intra-city or inter-city DR Site
  - A GDC with more than 500 FTE shall maintain a country DR Site
  - A GDC may choose to maintain multiple DR Sites for a specific site
  - A DR Site shall at a minimum be 25 km away from the candidate site
- A Site named as a DR Site shall by default be a certified GE GDC Site belonging to the GDC or to a partner in the GE GDC Program
  - In cases where certified sites are not available to be considered as DR Sites, GDC shall propose to the GE GDC Program Office an alternate secure arrangement for a DR Site. On exception approval, such proposals may be implemented by GDC
  - Where a GDC partner's site is identified as a DR Site, GDC shall ensure that the DR requirements are identified and agreed upon and a formal contract is signed with the GDC Partner
- GDC shall review on a periodic basis (at a minimum once in 3 months) the adequacy of the DR Sites and the capacity at the DR Sites, based on the nature of GE engagements and the SLAs with GE Businesses on specific engagements
- GDC shall ensure validity of the DR Site contract where the DR Site belongs to a GDC Partner
- GDC shall publish to GE the DR sites relevant to each of its Certified GDC Sites and also ensure that the data published to GE is current and up-to-date
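The DR-site rules in BCM 2.0 (minimum 25 km separation, FTE-based intra-city/inter-city requirements, a country DR site for a GDC above 500 FTE, certified or contracted partner sites, and the three-monthly adequacy review) can be turned into a self-check that a GDC's compliance engineer runs over its own site inventory ahead of an audit. The following is an added example and not code from the handbook or from the GE GDC toolset. All site names, coordinates, headcounts and dates are constructed; the 92-day review window, the treatment of exactly 100 FTE under the small-site rule, and the reading of "country DR Site" as a DR site located in a different country are this example's own assumptions.

```python
# Added example: DR-site adequacy self-check against the BCM 2.0 guidelines.
# Not part of the GE GDC handbook or toolset; all sample data is constructed.
from __future__ import annotations

import math
from dataclasses import dataclass
from datetime import date, timedelta

MIN_DR_DISTANCE_KM = 25               # "at a minimum be 25 Kms away"
LARGE_SITE_FTE = 100                  # "> 100 FTE" needs intra-city AND inter-city DR
COUNTRY_DR_FTE = 500                  # "more than 500 FTE" needs a country DR site
REVIEW_INTERVAL = timedelta(days=92)  # assumption: "once in 3 months" ~= 92 days
TODAY = date(2024, 3, 1)              # constructed as-of date for the sample run


@dataclass
class Site:
    name: str
    city: str
    country: str
    lat: float
    lon: float
    fte: int = 0
    certified: bool = True                    # certified GE GDC Site (own or partner)
    partner: bool = False                     # belongs to a GDC partner
    contract_valid_until: date | None = None  # DR contract, required for partner sites
    exception_approved: bool = False          # Program Office approval for a non-certified site


@dataclass
class DrMapping:
    primary: Site
    dr_sites: list[Site]
    last_reviewed: date                       # date of the last DR adequacy review


def haversine_km(a: Site, b: Site) -> float:
    """Great-circle distance between two sites in kilometres."""
    phi1, phi2 = math.radians(a.lat), math.radians(b.lat)
    dphi, dlmb = math.radians(b.lat - a.lat), math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def check_mapping(m: DrMapping, today: date = TODAY) -> list[str]:
    """Site-level checks; an empty list means no finding."""
    findings: list[str] = []
    intra = inter = False
    for dr in m.dr_sites:
        dist = haversine_km(m.primary, dr)
        if dist < MIN_DR_DISTANCE_KM:
            findings.append(f"{dr.name}: only {dist:.1f} km from {m.primary.name}, minimum is {MIN_DR_DISTANCE_KM} km")
        if not dr.certified and not dr.exception_approved:
            findings.append(f"{dr.name}: not a certified site and no exception approval on record")
        if dr.partner and (dr.contract_valid_until is None or dr.contract_valid_until < today):
            findings.append(f"{dr.name}: partner DR site without a valid DR contract")
        if dr.city == m.primary.city:
            intra = True
        else:
            inter = True
    # Assumption: a site with exactly 100 FTE is treated under the small-site rule.
    if m.primary.fte > LARGE_SITE_FTE and not (intra and inter):
        findings.append(f"{m.primary.name}: >{LARGE_SITE_FTE} FTE requires both an intra-city and an inter-city DR site")
    elif m.primary.fte <= LARGE_SITE_FTE and not (intra or inter):
        findings.append(f"{m.primary.name}: requires at least one intra-city or inter-city DR site")
    if today - m.last_reviewed > REVIEW_INTERVAL:
        findings.append(f"{m.primary.name}: DR adequacy review overdue, last done {m.last_reviewed}")
    return findings


def check_gdc(mappings: list[DrMapping], today: date = TODAY) -> dict[str, list[str]]:
    """All site-level checks plus the GDC-level country DR requirement."""
    report = {m.primary.name: check_mapping(m, today) for m in mappings}
    total_fte = sum(m.primary.fte for m in mappings)
    # Assumption: "country DR Site" read as a DR site located in a different country.
    has_country_dr = any(dr.country != m.primary.country for m in mappings for dr in m.dr_sites)
    if total_fte > COUNTRY_DR_FTE and not has_country_dr:
        report["GDC"] = [f"GDC total of {total_fte} FTE exceeds {COUNTRY_DR_FTE}; a DR site in another country is required"]
    return report


def sample_inventory(with_country_dr: bool = True) -> list[DrMapping]:
    """Constructed inventory: two compliant sites and one with several findings."""
    a1 = Site("GDC-A1", "Alphaville", "X", 10.0, 70.0, fte=400)
    a2 = Site("GDC-A2", "Alphaville", "X", 10.0, 70.3)         # ~33 km, intra-city
    b1 = Site("GDC-B1", "Betaville", "X", 12.0, 72.0, fte=150)
    b2 = Site("GDC-B2", "Betaville", "X", 12.0, 72.25)         # ~27 km, intra-city
    c1 = Site("GDC-C1", "Gammaville", "X", 15.0, 75.0, fte=60)
    pc = Site("PARTNER-C", "Gammaville", "X", 15.0, 75.1,      # ~11 km: too close
              partner=True, contract_valid_until=date(2023, 12, 31))  # contract expired
    y1 = Site("GDC-Y1", "Deltaville", "Y", 30.0, 100.0)        # different country
    return [
        DrMapping(a1, [a2, b1] + ([y1] if with_country_dr else []), last_reviewed=date(2024, 1, 20)),
        DrMapping(b1, [b2, a1], last_reviewed=date(2023, 12, 15)),
        DrMapping(c1, [pc], last_reviewed=date(2023, 10, 1)),
    ]


if __name__ == "__main__":
    for site, findings in check_gdc(sample_inventory()).items():
        print(site, "OK" if not findings else "")
        for f in findings:
            print("   -", f)
```

Run as a script it prints one block per site; GDC-A1 and GDC-B1 come out clean, GDC-C1 shows the distance, contract and overdue-review findings, and dropping the country DR site from the inventory (`sample_inventory(with_country_dr=False)`) adds a GDC-level finding because the combined headcount is above 500 FTE. The intra/inter classification is by city name only, so the site records need consistent city spellings.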
BCM 3.0 Establish & maintain effective Business continuity & Disaster recovery plans that are current and complete
- GDC shall maintain an actionable Business Continuity Plan and Disaster Recovery Plan across different levels including Organization, Country, Site and Engagement
- The GE GDC BCP/DRP shall at the minimum meet the requirements stated in the GE GDC Guidelines and include application level BC/DR plans
- Business Continuity expectations at the individual application level shall be captured explicitly from GE Businesses. This shall be in the form of clearly defined Recovery Time Objectives (RTO), Recovery Point Objectives (RPO) and Emergency SLAs.
- Infrastructure and resources required towards offsite adequacy and readiness, command center, maps, emergency exits, posters, safe area, Crisis Management Team (CMT) and emergency telephone numbers shall be provided
- GDC shall ensure identification of critical resources at project level; this shall be done in collaboration with the businesses
- A well defined and updated crisis notification protocol shall be set up, including stakeholders from GE, GDC and local authorities
- Detailed Backup and Recovery Procedures shall be maintained at secure offsite locations
  - Periodic Backup of all data related to the conduct of work (assigned by GE) must be carried out in compliance with GE Procedures (where specified) and as per Industry standard (where not explicitly specified by GE)
  - Backups shall be available at more than one offsite location, in alignment with the DR strategy, to ensure availability
  - The off-site location shall be accessible 24x7 to facilitate disaster recovery
  - High availability / multiple sources of retrieval of the following shall be maintained at offsite:
    - SOPs for various crises
    - Inventory of the projects along with the project specific BC/DR Plan
- Application-specific BC/DR plans must be drawn up in collaboration with GE Businesses (100% coverage of work being executed at GDC Site)
- BC/DR Plans (Program level and Application-specific) must be available on the Support Central Site with access for the specific GE Businesses and GE GDC Program Office
- Plans must be reviewed for current applicability on a monthly basis
BCM 4.0 Execute appropriate drills to assess effectiveness of plans and treat risks identified
- GDC shall perform different types of tests, inclusive of table top and cold tests, to assess their preparedness for Business Continuity in the wake of disasters
  - Evacuation drills for every site shall be performed at a minimum frequency of once every rolling three months
  - Evacuation drills shall include all types of scenarios and crisis levels
- GDC shall assess potential failure points in their plan/preparedness to provide business continuity within the expected SLA period
- Application level BCP/DR shall be tested at a frequency as agreed with the business. Effectiveness should be measured against agreed RTO, RPO and other SLAs.
- Adequacy of BC/DR shall be validated at every GDC Site (at the minimum once in 3 months) for completeness of planning, feasibility, reliability, consistency of execution, continuity and recovery
- Simulations (Validation Tests) must ensure a coverage of minimum 90% of GE GDC Resources and at the minimum 85% of applications (all Mission-Critical applications must be covered)
- GDC shall report to GE the results of all BC/DR tests (site and application level tests)

Minimum Audit Requirements
Site BC/DR Plans, Application BC/DR Plans
Test/Drill Reports inclusive of Backup Performance & Retrieval
BC/DR Effectiveness Review records
Availability of BC/DR Plan on GE KM Repository
Reporting of BC/DR tests/drills to GE
Standard BC/DR SLAs being published to GE
DR Sites information being published to GE
Backup Process, Storage
MSA Linkage
Sections 2.4, 2.18, 4.26, 4.27
Related Practices
Physical Security & Safety Practices, Assets Governance, GDC Resource
eGDC Suite Linkage
eMeasure, eGDC Toolset (Site Information, BC/DR Plan, Drill Reports)
Online Resources
BC/DR Guidelines, GE GDC BC/DR Sample Template, Application BC/DR Template

10.9 Engagement Closure / Termination Management (ELEMENTARY)

POLICY
GDC shall ensure appropriate treatment of GE Assets (Information, Access, Software & Hardware) in case of termination/closure of engagements. Contractual data shall be retained for 7 years after termination of contract.
The purpose of this Practice is to ensure that GE assets related to the contract being terminated/closed are treated as per GE guidelines/agreement with the concerned GE Business.

GOALS
- 0 contract violations on treatment of GE assets

RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:
ETM 1.0 Manage Engagement Closure/Termination (includes Project level, Business Level or at GDC Program Level)
ETM 2.0 Manage Contractual Data Retention for GE Audit Purpose
As a co-owner of this Practice, GE Businesses are responsible for ensuring that critical assets that are accessed by/in custody of GDC are identified and that special treatment requirements (if any) are agreed upon in a formal manner.
ETM 3.0 Set expectations on USE and treatment of GE Assets for every engagement
ETM 4.0 Where IP or critical/sensitive information exists as a part of an engagement, verify/audit the GDC treatment of GE Assets on termination/closure



OPERATING GUIDELINES
ETM 1.0 Manage Engagement Closure/Termination
- Closure/Termination may occur at project, business or GE MSA level
- On closure of one or more engagements, GDC shall ensure that:
  - The resource off-boarding process is followed as per the guidelines associated with GDC resource off-boarding
    - If there are project/engagement specific documents that have been maintained (like Assignment of Rights or Non-Disclosure Agreements), such documents shall be transferred to an exclusive GE archive that is easily accessible
  - GE assets (information & physical) associated with the engagement(s) are surrendered/returned to GE. Information assets belonging to GE shall be moved to the GE Knowledge Gateway
    - If there are engagement specific GE Folders/Libraries maintained by the GDC, all such Folders/Libraries shall be transferred to the GE Business VMO Leader
    - No GE asset shall be retained with the GDC unless otherwise explicitly approved by the GE GDC Program Office or the GE Business VMO Leader
  - All references (related to the engagements) on the GDC Intranet/Internet site are removed (even though the postings may have been approved by the GE GDC Program Office)
  - The desktops and laptops used in servicing the engagement are formatted before they are released to other parts of GDC or to the Parent organization for reuse
  - If closure of one or more engagements results in a certified site becoming redundant, GDC shall ensure that appropriate actions are taken towards site de-commissioning, in close collaboration with the GE GDC Program Office
  - Sign-off is obtained from the GE Business VMO Leader on the proper closure/termination of the Project/Business specific engagements
- On termination of the MSA, GDC shall work closely with the GE GDC Program Office to complete the engagement(s) specific closure activities. In addition, GDC shall ensure that:
  - Resource BGC, on-boarding data, off-boarding data, contractual documents, project financials, invoices and GE payment receipts are archived and maintained for a minimum period of 7 years from the date of termination of contract/MSA
  - GE software assets (like Sophos, WebEx Connect/Sametime) that are provided to the GDC as a part of its special status with GE are uninstalled from all machines and surrendered to GE. Evidence of such uninstallations shall be maintained.
  - GE Network access (as a Trusted Third Party) is discontinued
    - In cases where the GDC would continue to operate as a third party supplier to the business, GDC shall ensure that the network connectivity is reviewed with the concerned business and the GE GDC Program Office to ensure that the connectivity is appropriate to the nature of engagement and level of Governance
  - Certified sites are de-commissioned, unless otherwise approved by the GE GDC Program Office to continue operations from a certified site given the continuity of engagements as a Business specific third party supplier
  - Program Office sponsored SSO IDs and access shall be surrendered; business sponsored SSO IDs shall be surrendered. In case the GDC is required to continue on Business specific engagements as a Business third party supplier, a fresh set of SSO IDs would need to be obtained from the concerned business for all resources required to work on the business engagements
  - Any references (in the GDC organization's Intranet/Internet sites) to GE as a customer or to the organization being a preferred supplier (GDC) to GE are removed
  - The termination activities completion sign-off is obtained from the GE GDC Program Office

ETM 2.0 Manage Contractual Data Retention for Audits
- GDC shall ensure that all contractual data, inclusive of resource on-boarding information, off-boarding information, contractual acknowledgement documents (AUG, SIA, Spirit & Letter integrity document, Assignment of Rights) and project financials (eMeasure data loads, SOWs, POs, Invoices, Payment Receipts), is maintained for a period of 7 years from the date of termination of contract (inclusive of closure of engagement level contract)
  - In case of T&M engagements, the resource timesheet records shall be maintained for a period of 3 years from the completion of the engagement
- GDC shall maintain such contractual data as a GE RESTRICTED archive with access limited to named individuals
- GE may choose to audit a GDC on a closed/terminated contract at any point within the 7 year period

Minimum Audit Requirements
Evidence of GE Assets surrender and clean-up of GDC systems
Backup Storage
GDC intranet/internet sites
MSA Linkage
Sections 2.4, 2.18, 4.26, 4.27
Related Practices
Communications & Infrastructure Management, Physical Security & Safety, Data Security,
GDC Resource On-boarding & Off-boarding, Non-Solicitation, Communications & Media
Management, SSO id Governance, Site Management
eGDC Suite Linkage
eMeasure, eGDC Toolset (Site De-commission, Contract Termination*)
Online Resources
GDC Termination Checklist

11.0 APPENDIX
11.1 Reporting
Contractual and Operations performance Reporting has now become a part of the eGDC Toolset (GDC Operations Portal) and is therefore not necessarily a monthly reporting exercise but more of a regular discipline of keeping all operational data current. However, there are a few reports that are in the process of being transitioned to the eGDC Toolset and would therefore continue to be reported manually, until further notification.
The list below provides a view of the data that would be reported through the eGDC Toolset and those that would continue in manual mode.
All manual Reports shall be delivered by the 10th of every month to the GE GDC Program Office, and the online event-based updates are to be submitted to the tool as and when an event occurs. GDCs shall be responsible for the completeness and correctness of the data reported in the prescribed format.
Online Resources
GDC Reporting Requirements
11.2 GE Coreload
All systems on the GE GDC Network are required to be compliant with the GE Coreload requirements on Hardware, General OS and Certified Software. If there are Business specific coreload requirements, GDC shall ensure that such requirements are adhered to.
Online Resources
GE Standard Coreload
11.3 Additional Scope for External Audits
In order to complete the assessment of the GDC Operating environment, the following additional areas are being included in the scope of the Annual External Audits. The findings from these areas shall not be included in the Maturity assessment of the GDC practices:
- Corporate Governance
- Delivery Management
- Software Quality Management
- Service Quality Management (for RIM, BPO and Engineering Services)
- Process Management (Service specific process areas)
